fuse-overlayfs/tests/unpriv.sh

#!/bin/sh

set -ex

test $(id -u) -gt 0

rm -rf unpriv-test
mkdir unpriv-test

cd unpriv-test

mkdir lower upper workdir merged

touch lower/a lower/b
chmod 444 lower/a lower/b

fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=workdir merged

rm -f merged/a
chmod 406 merged/b

test \! -e merged/a
test $(stat --printf=%a merged/b) -eq 406
test $(stat --printf=%a upper/b) -eq 406
if [ ${FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT:-0} -eq 1 ]; then
    test -e upper/.wh.a
else
    test -c upper/a
fi

fusermount -u merged || [ $? -eq "${EXPECT_UMOUNT_STATUS:-0}" ]

# xattr_permissions=2
rm -rf lower upper workdir merged
mkdir lower upper workdir merged

touch upper/file
unshare -r setcap cap_net_admin+ep upper/file

fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=workdir,xattr_permissions=2 merged

# Ensure the security xattr namespace is isolated.
test "$(unshare -r getcap merged/file)" = ''
unshare -r setcap cap_net_admin+ep merged/file
test "$(unshare -r getcap merged/file)" = 'merged/file cap_net_admin=ep'

# Ensure UID is preserved with chgrp.
podman unshare chgrp 1 merged/file
test $(podman unshare stat -c %u:%g merged/file) = 0:1

# Ensure UID and GID are preserved with chmod.
chmod 600 merged/file
test $(podman unshare stat -c %u:%g merged/file) = 0:1

fusermount -u merged || [ $? -eq "${EXPECT_UMOUNT_STATUS:-0}" ]