2020-03-04 12:35:06 +03:00
#!/usr/bin/env bash
2021-10-17 19:13:06 +03:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2021-04-09 20:39:41 +03:00
set -eux
2019-11-13 21:32:24 +03:00
set -o pipefail
systemd-analyze log-level debug
runas( ) {
declare userid = $1
shift
2021-04-09 20:56:12 +03:00
# shellcheck disable=SC2016
2020-01-03 20:25:51 +03:00
su " $userid " -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh " $@ "
2019-11-13 21:32:24 +03:00
}
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-private-users \
2019-11-13 21:32:24 +03:00
-p PrivateUsers = yes -P echo hello
2022-03-09 05:08:15 +03:00
runas testuser systemctl --user log-level debug
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-private-tmp-innerfile \
2019-11-13 21:32:24 +03:00
-p PrivateUsers = yes -p PrivateTmp = yes \
-P touch /tmp/innerfile.txt
# File should not exist outside the job's tmp directory.
test ! -e /tmp/innerfile.txt
touch /tmp/outerfile.txt
# File should not appear in unit's private tmp.
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-private-tmp-outerfile \
2019-11-13 21:32:24 +03:00
-p PrivateUsers = yes -p PrivateTmp = yes \
-P test ! -e /tmp/outerfile.txt
# Confirm that creating a file in home works
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-unprotected-home \
2020-01-03 20:27:14 +03:00
-P touch /home/testuser/works.txt
test -e /home/testuser/works.txt
2019-11-13 21:32:24 +03:00
# Confirm that creating a file in home is blocked under read-only
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-protect-home-read-only \
2019-11-13 21:32:24 +03:00
-p PrivateUsers = yes -p ProtectHome = read-only \
-P bash -c '
2021-04-08 10:45:28 +03:00
test -e /home/testuser/works.txt || exit 10
touch /home/testuser/blocked.txt && exit 11
' \
&& { echo 'unexpected success' ; exit 1; }
2020-01-03 20:27:14 +03:00
test ! -e /home/testuser/blocked.txt
2019-11-13 21:32:24 +03:00
# Check that tmpfs hides the whole directory
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-protect-home-tmpfs \
2019-11-13 21:32:24 +03:00
-p PrivateUsers = yes -p ProtectHome = tmpfs \
2020-01-03 20:27:14 +03:00
-P test ! -e /home/testuser
2019-11-13 21:32:24 +03:00
2019-11-20 01:24:52 +03:00
# Confirm that home, /root, and /run/user are inaccessible under "yes"
2021-04-09 20:56:12 +03:00
# shellcheck disable=SC2016
2020-05-26 13:57:29 +03:00
runas testuser systemd-run --wait --user --unit= test-protect-home-yes \
2019-11-20 01:24:52 +03:00
-p PrivateUsers = yes -p ProtectHome = yes \
-P bash -c '
test " $( stat -c %a /home) " = "0"
test " $( stat -c %a /root) " = "0"
test " $( stat -c %a /run/user) " = "0"
'
2019-11-13 21:32:24 +03:00
# Confirm we cannot change groups because we only have one mapping in the user
# namespace (no CAP_SETGID in the parent namespace to write the additional
# mapping of the user supplied group and thus cannot change groups to an
# unmapped group ID)
2021-04-08 10:45:28 +03:00
runas testuser systemd-run --wait --user --unit= test-group-fail \
2019-11-13 21:32:24 +03:00
-p PrivateUsers = yes -p Group = daemon \
2021-04-08 10:45:28 +03:00
-P true \
&& { echo 'unexpected success' ; exit 1; }
2019-11-13 21:32:24 +03:00
2022-03-09 05:07:34 +03:00
# Check that with a new user namespace we can bind mount
# files and use a different root directory
runas testuser systemd-run --wait --user --unit= test-bind-mount \
-p PrivateUsers = yes -p BindPaths = /dev/null:/etc/os-release \
test ! -s /etc/os-release
2022-03-13 00:16:32 +03:00
runas testuser systemd-run --wait --user --unit= test-read-write \
-p PrivateUsers = yes -p ReadOnlyPaths = / \
-p ReadWritePaths = "/var /run /tmp" \
-p NoExecPaths = / -p ExecPaths = /usr \
test ! -w /etc/os-release
runas testuser systemd-run --wait --user --unit= test-caps \
-p PrivateUsers = yes -p AmbientCapabilities = CAP_SYS_ADMIN \
-p CapabilityBoundingSet = CAP_SYS_ADMIN \
test -s /etc/os-release
runas testuser systemd-run --wait --user --unit= test-devices \
-p PrivateUsers = yes -p PrivateDevices = yes -p PrivateIPC = yes \
sh -c "ls -1 /dev/ | wc -l | grep -q -F 18"
# Same check as test/test-execute/exec-privatenetwork-yes.service
runas testuser systemd-run --wait --user --unit= test-network \
-p PrivateUsers = yes -p PrivateNetwork = yes \
/bin/sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
runas testuser systemd-run --wait --user --unit= test-hostname \
-p PrivateUsers = yes -p ProtectHostname = yes \
hostnamectl hostname foo \
&& { echo 'unexpected success' ; exit 1; }
runas testuser systemd-run --wait --user --unit= test-clock \
-p PrivateUsers = yes -p ProtectClock = yes \
timedatectl set-time "2012-10-30 18:17:16" \
&& { echo 'unexpected success' ; exit 1; }
runas testuser systemd-run --wait --user --unit= test-kernel-tunable \
-p PrivateUsers = yes -p ProtectKernelTunables = yes \
sh -c "echo 0 > /proc/sys/user/max_user_namespaces" \
&& { echo 'unexpected success' ; exit 1; }
runas testuser systemd-run --wait --user --unit= test-kernel-mod \
-p PrivateUsers = yes -p ProtectKernelModules = yes \
sh -c "modprobe -r overlay && modprobe overlay" \
&& { echo 'unexpected success' ; exit 1; }
if sysctl kernel.dmesg_restrict= 0; then
runas testuser systemd-run --wait --user --unit= test-kernel-log \
-p PrivateUsers = yes -p ProtectKernelLogs = yes -p LogNamespace = yes \
dmesg \
&& { echo 'unexpected success' ; exit 1; }
fi
2022-03-09 05:07:34 +03:00
unsquashfs -no-xattrs -d /tmp/img /usr/share/minimal_0.raw
runas testuser systemd-run --wait --user --unit= test-root-dir \
-p PrivateUsers = yes -p RootDirectory = /tmp/img \
grep MARKER = 1 /etc/os-release
mkdir /tmp/img_bind
mount --bind /tmp/img /tmp/img_bind
runas testuser systemd-run --wait --user --unit= test-root-dir-bind \
2022-03-13 00:16:32 +03:00
-p PrivateUsers = yes -p RootDirectory = /tmp/img_bind -p MountFlags = private \
2022-03-09 05:07:34 +03:00
grep MARKER = 1 /etc/os-release
2022-03-13 00:16:32 +03:00
umount /tmp/img_bind
2022-03-10 04:30:08 +03:00
# Unprivileged overlayfs was added to Linux 5.11, so try to detect it first
mkdir -p /tmp/a /tmp/b /tmp/c
if unshare --mount --user --map-root-user mount -t overlay overlay /tmp/c -o lowerdir = /tmp/a:/tmp/b; then
unsquashfs -no-xattrs -d /tmp/app2 /usr/share/app1.raw
runas testuser systemd-run --wait --user --unit= test-extension-dir \
-p PrivateUsers = yes -p ExtensionDirectories = /tmp/app2 \
-p TemporaryFileSystem = /run -p RootDirectory = /tmp/img \
-p MountAPIVFS = yes \
grep PORTABLE_PREFIXES = app1 /usr/lib/extension-release.d/extension-release.app2
fi
2019-11-13 21:32:24 +03:00
systemd-analyze log-level info
2021-04-08 01:09:55 +03:00
echo OK >/testok
2019-11-13 21:32:24 +03:00
exit 0