#!/usr/bin/env bats

load helpers

function teardown() {
	teardown_bundle
}

function setup() {
	requires root cgroups_v2 systemd

	setup_busybox

	# chown test temp dir to allow host user to read it
	chown 100000 "$ROOT"

	# chown rootfs to allow host user to mkdir mount points
	chown 100000 "$ROOT"/bundle/rootfs

	set_cgroups_path

	# configure a user namespace
	update_config '   .linux.namespaces += [{"type": "user"}]
			| .linux.uidMappings += [{"hostID": 100000, "containerID": 0, "size": 65536}]
			| .linux.gidMappings += [{"hostID": 100000, "containerID": 0, "size": 65536}]
			'
}

@test "runc exec (cgroup v2, ro cgroupfs, new cgroupns) does not chown cgroup" {
	runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
	[ "$status" -eq 0 ]

	runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup"
	[ "$status" -eq 0 ]
	[ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user
}

@test "runc exec (cgroup v2, rw cgroupfs, inherit cgroupns) does not chown cgroup" {
	set_cgroup_mount_writable

	# inherit cgroup namespace (remove cgroup from namespaces list)
	update_config '.linux.namespaces |= map(select(.type != "cgroup"))'

	runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
	[ "$status" -eq 0 ]

	runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup"
	[ "$status" -eq 0 ]
	[ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user
}

@test "runc exec (cgroup v2, rw cgroupfs, new cgroupns) does chown cgroup" {
	set_cgroup_mount_writable

	runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
	[ "$status" -eq 0 ]

	runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup"
	[ "$status" -eq 0 ]
	[ "$output" = "root" ] # /sys/fs/cgroup owned by root (of user namespace)
}