3 files changed, 120 insertions, 5 deletions
diff --git a/tests/containers.scm b/tests/containers.scm
index 1e915d517e..6edea9631d 100644
--- a/tests/containers.scm
+++ b/tests/containers.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
-;;; Copyright © 2016, 2017, 2019, 2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016-2017, 2019, 2023, 2025 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -111,6 +111,26 @@
      #:namespaces '(user mnt))))
 
 (skip-if-unsupported)
+(test-equal "call-with-container, mnt namespace, locked mounts"
+  EINVAL
+  ;; umount(2) fails with EINVAL when targeting a mount point that is
+  ;; "locked".
+  (status:exit-val
+   (call-with-container (list (file-system
+                                (device "none")
+                                (mount-point "/testing")
+                                (type "tmpfs")
+                                (check? #f)))
+     (lambda ()
+       (primitive-exit (catch 'system-error
+                         (lambda ()
+                           (umount "/testing")
+                           0)
+                         (lambda args
+                           (system-error-errno args)))))
+     #:namespaces '(user mnt))))
+
+(skip-if-unsupported)
 (test-equal "call-with-container, mnt namespace, wrong bind mount"
   `(system-error ,ENOENT)
   ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
@@ -169,7 +189,8 @@
      #:namespaces '(user mnt))))
 
 (skip-if-unsupported)
-(test-assert "container-excursion"
+(test-equal "container-excursion"
+  0
   (call-with-temporary-directory
    (lambda (root)
      ;; Two pipes: One for the container to signal that the test can begin,
@@ -193,7 +214,11 @@
                    (readlink (string-append "/proc/" pid "/ns/" ns)))
                  '("user" "ipc" "uts" "net" "pid" "mnt"))))
 
-        (let* ((pid (run-container root '() %namespaces 1 container))
+        (let* ((pid (run-container root '() %namespaces 1 container
+                                   ;; Do not lock mounts so the user namespace
+                                   ;; appears to be the same seen from inside
+                                   ;; and from outside.
+                                   #:lock-mounts? #f))
                (container-namespaces (namespaces pid))
                (result
                 (begin
@@ -213,7 +238,7 @@
           (write 'done end-out)
           (close end-out)
           (waitpid pid)
-          (zero? result)))))))
+          result))))))
 
 (skip-if-unsupported)
 (test-equal "container-excursion, same namespaces"
diff --git a/tests/ld-wrapper.scm b/tests/ld-wrapper.scm
new file mode 100644
index 0000000000..58958a8d0c
--- /dev/null
+++ b/tests/ld-wrapper.scm
@@ -0,0 +1,56 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2025 Maxim Cournoyer <maxim@guixotic.coop>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(use-modules (guix tests)
+             (srfi srfi-26)
+             (srfi srfi-64))
+
+(define %project-root
+  (dirname (dirname (canonicalize-path (or (current-filename))))))
+
+;;; Load the ld-wrapper module and expose some internals, for white-box
+;;; testing.
+(load (string-append %project-root "/gnu/packages/ld-wrapper.in"))
+(define ld-wrapper-module (resolve-module '(gnu build-support ld-wrapper)))
+(define library-files-linked (module-ref ld-wrapper-module 'library-files-linked))
+
+(define %dummy-library-prefix "/gnu/store/...-dummy-0.0.0/lib")
+
+(test-begin "ld-wrapper")
+
+(define lugaru-link-arguments
+  '("-Wall" "-Wextra" "-Wno-parentheses" "-pedantic" "--std=gnu++11" "-O2" "-g"
+    "-DNDEBUG" "-rdynamic" "-Wl,--dependency-file=CMakeFiles/lugaru.dir/link.d"
+    "CMakeFiles/lugaru.dir/Source/main.cpp.o"
+    "CMakeFiles/lugaru.dir/Source/Animation/Animation.cpp.o"
+    "-o" "lugaru" "-lopenal" "-lpng" "-ljpeg" "-lz" "-lSDL2"
+    "-lGL" "-lGLU" "-lvorbisfile" "-logg"))
+
+(define lugaru-link-libraries
+  (map (cut string-append "lib" <> ".so")
+       '("openal" "png" "jpeg" "z" "SDL2" "GL" "GLU" "vorbisfile" "ogg")))
+
+(test-equal "library files linked"
+  (map (cut string-append %dummy-library-prefix "/" <>)
+       lugaru-link-libraries)
+  (mock ((guile) search-path
+         (lambda (_ library)
+           (string-append %dummy-library-prefix "/" library)))
+        (library-files-linked lugaru-link-arguments "dummy:library:path")))
+
+(test-end)
diff --git a/tests/syscalls.scm b/tests/syscalls.scm
index 879c3e4f25..a0483e68f0 100644
--- a/tests/syscalls.scm
+++ b/tests/syscalls.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2020 Simon South <simon@simonsouth.net>
 ;;; Copyright © 2020 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2025 Maxim Cournoyer <maxim@guixotic.coop>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -29,7 +30,8 @@
   #:use-module (srfi srfi-71)
   #:use-module (system foreign)
   #:use-module ((ice-9 ftw) #:select (scandir))
-  #:use-module (ice-9 match))
+  #:use-module (ice-9 match)
+  #:use-module (ice-9 threads))
 
 ;; Test the (guix build syscalls) module, although there's not much that can
 ;; actually be tested without being root.
@@ -158,6 +160,38 @@
     (lambda args
       (system-error-errno args))))
 
+(define child-thunk
+  (lambda ()
+    (gc)                                ;spawn GC threads
+    (primitive-exit
+     (catch 'system-error
+       (lambda ()
+         (unshare CLONE_THREAD)
+         0)                             ;no error
+       (lambda args
+         (system-error-errno args))))))
+
+(define parent-proc
+  (lambda (pid)
+    (match (waitpid pid)
+       ((_ . status)
+        (status:exit-val status)))))
+
+(unless perform-container-tests?
+  (test-skip 1))
+(test-equal "clone and unshare triggers EINVAL"
+  EINVAL
+  (match (clone (logior CLONE_NEWUSER SIGCHLD))
+    (0   (child-thunk))
+    (pid (parent-proc pid))))
+
+(unless perform-container-tests?
+  (test-skip 1))
+(test-equal "safe-clone and unshare succeeds"
+  0
+  (safe-clone (logior CLONE_NEWUSER SIGCHLD)
+              child-thunk parent-proc))
+
 (unless perform-container-tests?
   (test-skip 1))
 (test-assert "setns"