#!/bin/sh
set -eu

cleanup() {
    echo ""
    if [ "${FAIL}" = "1" ]; then
        echo "Test failed"
        exit 1
    fi

    echo "Test passed"
    exit 0
}

FAIL=1
trap cleanup EXIT HUP INT TERM

# Install test dependencies
apt-get remove --purge cloud-init --yes
apt-get install --yes curl

# Install Incus
curl -sL https://pkgs.zabbly.com/get/incus-daily | sh

# Configure Incus
incus admin init --auto

# Test
set -x

incus launch images:ubuntu/20.04 c1
sleep 10
incus exec c1 -- apt-get install --no-install-recommends --yes attr fuse2fs

## setxattr
incus exec c1 -- touch xattr-test
! incus exec c1 -- setfattr -n trusted.overlay.opaque -v y xattr-test || false
incus config set c1 security.syscalls.intercept.setxattr true
incus restart c1 -f
incus exec c1 -- setfattr -n trusted.overlay.opaque -v y xattr-test
[ "$(getfattr --only-values --absolute-names -n trusted.overlay.opaque /var/lib/incus/containers/c1/rootfs/root/xattr-test)" = "y" ]

## mknod
! incus exec c1 -- mknod mknod-test c 1 3 || false
incus config set c1 security.syscalls.intercept.mknod true
incus restart c1 -f

## Relative path
incus exec c1 -- mknod mknod-test c 1 3

## Absolute path on tmpfs
incus exec c1 -- mknod /dev/mknod-test c 1 3

## Absolute path on rootfs
incus exec c1 -- mknod /root/mknod-test1 c 1 3

## bpf (needs 5.9 or higher)
incus config set c1 security.syscalls.intercept.bpf=true security.syscalls.intercept.bpf.devices=true
incus restart c1 -f

## mount
truncate -s 10G loop.img
LOOP=$(losetup -f --show loop.img)
incus config device add c1 loop unix-block source="${LOOP}" path=/dev/sda
incus exec c1 -- mkfs.ext4 /dev/sda
! incus exec c1 -- mount /dev/sda /mnt || false
incus config set c1 security.syscalls.intercept.mount=true

incus config set c1 security.syscalls.intercept.mount.allowed=ext4
incus restart c1 -f
incus exec c1 -- mount /dev/sda /mnt
[ "$(incus exec c1 -- stat --format=%u:%g /mnt)" = "65534:65534" ]
incus exec c1 -- umount /mnt

incus config set c1 security.syscalls.intercept.mount.shift=true
incus exec c1 -- mount /dev/sda /mnt
[ "$(incus exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ]
incus exec c1 -- umount /mnt

incus config unset c1 security.syscalls.intercept.mount.allowed
incus config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs
incus restart c1 -f

incus exec c1 -- mount /dev/sda /mnt
[ "$(incus exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ]
incus exec c1 -- umount /mnt

FAIL=0
