mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-21 18:03:41 +03:00
test-execute: also tests under the condition that unshare() is filtered
This is mainly for testing 1beab8b0d0ff2d7d1436b52d4a0c3d56dc908962.
This commit is contained in:
Yu Watanabe
Zbigniew Jędrzejewski-Szmek
parent
7bcf8123c0
commit
b7172f3471
@ -28,6 +28,8 @@
|
||||
#include "util.h"
|
||||
#include "virt.h"
|
||||
|
||||
static bool can_unshare = true;
|
||||
|
||||
typedef void (*test_function_t)(Manager *m);
|
||||
|
||||
static void check(Manager *m, Unit *unit, int status_expected, int code_expected) {
|
||||
@ -156,7 +158,7 @@ static void test_exec_bindpaths(Manager *m) {
|
||||
assert_se(mkdir_p("/tmp/test-exec-bindpaths", 0755) >= 0);
|
||||
assert_se(mkdir_p("/tmp/test-exec-bindreadonlypaths", 0755) >= 0);
|
||||
|
||||
test(m, "exec-bindpaths.service", 0, CLD_EXITED);
|
||||
test(m, "exec-bindpaths.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
|
||||
(void) rm_rf("/tmp/test-exec-bindpaths", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
(void) rm_rf("/tmp/test-exec-bindreadonlypaths", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
@ -227,7 +229,7 @@ static void test_exec_ignoresigpipe(Manager *m) {
|
||||
static void test_exec_privatetmp(Manager *m) {
|
||||
assert_se(touch("/tmp/test-exec_privatetmp") >= 0);
|
||||
|
||||
test(m, "exec-privatetmp-yes.service", 0, CLD_EXITED);
|
||||
test(m, "exec-privatetmp-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-privatetmp-no.service", 0, CLD_EXITED);
|
||||
|
||||
unlink("/tmp/test-exec_privatetmp");
|
||||
@ -245,9 +247,9 @@ static void test_exec_privatedevices(Manager *m) {
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-privatedevices-yes.service", 0, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-no.service", 0, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-disabled-by-prefix.service", 0, CLD_EXITED);
|
||||
test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
|
||||
/* We use capsh to test if the capabilities are
|
||||
* properly set, so be sure that it exists */
|
||||
@ -283,21 +285,21 @@ static void test_exec_protectkernelmodules(Manager *m) {
|
||||
|
||||
test(m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED);
|
||||
test(m, "exec-protectkernelmodules-yes-capabilities.service", 0, CLD_EXITED);
|
||||
test(m, "exec-protectkernelmodules-yes-mount-propagation.service", 0, CLD_EXITED);
|
||||
test(m, "exec-protectkernelmodules-yes-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_readonlypaths(Manager *m) {
|
||||
|
||||
test(m, "exec-readonlypaths-simple.service", 0, CLD_EXITED);
|
||||
test(m, "exec-readonlypaths-simple.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
|
||||
if (path_is_read_only_fs("/var") > 0) {
|
||||
log_notice("Directory /var is readonly, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-readonlypaths.service", 0, CLD_EXITED);
|
||||
test(m, "exec-readonlypaths-mount-propagation.service", 0, CLD_EXITED);
|
||||
test(m, "exec-readonlypaths-with-bindpaths.service", 0, CLD_EXITED);
|
||||
test(m, "exec-readonlypaths.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-readonlypaths-with-bindpaths.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-readonlypaths-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_readwritepaths(Manager *m) {
|
||||
@ -307,7 +309,7 @@ static void test_exec_readwritepaths(Manager *m) {
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-readwritepaths-mount-propagation.service", 0, CLD_EXITED);
|
||||
test(m, "exec-readwritepaths-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_inaccessiblepaths(Manager *m) {
|
||||
@ -317,22 +319,22 @@ static void test_exec_inaccessiblepaths(Manager *m) {
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-inaccessiblepaths-proc.service", 0, CLD_EXITED);
|
||||
test(m, "exec-inaccessiblepaths-proc.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
|
||||
if (path_is_read_only_fs("/") > 0) {
|
||||
log_notice("Root directory is readonly, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED);
|
||||
test(m, "exec-inaccessiblepaths-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_temporaryfilesystem(Manager *m) {
|
||||
|
||||
test(m, "exec-temporaryfilesystem-options.service", 0, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-ro.service", 0, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-rw.service", 0, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-usr.service", 0, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-options.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-ro.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-rw.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-temporaryfilesystem-usr.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_systemcallfilter(Manager *m) {
|
||||
@ -387,13 +389,13 @@ static void test_exec_restrictnamespaces(Manager *m) {
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-restrictnamespaces-no.service", 0, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-no.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-yes.service", 1, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-mnt.service", 0, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-mnt.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-mnt-blacklist.service", 1, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-merge-and.service", 0, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-merge-or.service", 0, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-merge-all.service", 0, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-merge-and.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-merge-or.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(m, "exec-restrictnamespaces-merge-all.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -462,14 +464,15 @@ static void test_exec_supplementarygroups(Manager *m) {
|
||||
}
|
||||
|
||||
static void test_exec_dynamicuser(Manager *m) {
|
||||
test(m, "exec-dynamicuser-fixeduser.service", 0, CLD_EXITED);
|
||||
|
||||
test(m, "exec-dynamicuser-fixeduser.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
if (check_user_has_group_with_same_name("adm"))
|
||||
test(m, "exec-dynamicuser-fixeduser-adm.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-fixeduser-adm.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
if (check_user_has_group_with_same_name("games"))
|
||||
test(m, "exec-dynamicuser-fixeduser-games.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-supplementarygroups.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-statedir.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-fixeduser-games.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-supplementarygroups.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-statedir.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
|
||||
(void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
(void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
@ -477,7 +480,7 @@ static void test_exec_dynamicuser(Manager *m) {
|
||||
(void) rm_rf("/var/lib/private/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
|
||||
test(m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-statedir-migrate-step2.service", 0, CLD_EXITED);
|
||||
test(m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||
|
||||
(void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
(void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||
@ -635,7 +638,7 @@ static void test_exec_privatenetwork(Manager *m) {
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-privatenetwork-yes.service", 0, CLD_EXITED);
|
||||
test(m, "exec-privatenetwork-yes.service", can_unshare ? 0 : EXIT_NETWORK, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_oomscoreadjust(Manager *m) {
|
||||
@ -705,6 +708,7 @@ static int run_tests(UnitFileScope scope, const test_function_t *tests) {
|
||||
int main(int argc, char *argv[]) {
|
||||
_cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
|
||||
_cleanup_free_ char *test_execute_path = NULL;
|
||||
_cleanup_hashmap_free_ Hashmap *s = NULL;
|
||||
static const test_function_t user_tests[] = {
|
||||
test_exec_basic,
|
||||
test_exec_ambientcapabilities,
|
||||
@ -777,9 +781,37 @@ int main(int argc, char *argv[]) {
|
||||
assert_se(unsetenv("VAR2") == 0);
|
||||
assert_se(unsetenv("VAR3") == 0);
|
||||
|
||||
r = run_tests(UNIT_FILE_USER, user_tests);
|
||||
if (r != 0)
|
||||
return r;
|
||||
|
||||
r = run_tests(UNIT_FILE_SYSTEM, system_tests);
|
||||
if (r != 0)
|
||||
return r;
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
/* The following tests are for 1beab8b0d0ff2d7d1436b52d4a0c3d56dc908962. */
|
||||
if (!is_seccomp_available()) {
|
||||
log_notice("Seccomp not available, skipping unshare() filtered tests.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
r = seccomp_syscall_resolve_name("unshare");
|
||||
assert_se(r != __NR_SCMP_ERROR);
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(r + 1), INT_TO_PTR(-1)) >= 0);
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EOPNOTSUPP), true) >= 0);
|
||||
assert_se(unshare(CLONE_NEWNS) < 0);
|
||||
assert_se(errno == EOPNOTSUPP);
|
||||
|
||||
can_unshare = false;
|
||||
|
||||
r = run_tests(UNIT_FILE_USER, user_tests);
|
||||
if (r != 0)
|
||||
return r;
|
||||
|
||||
return run_tests(UNIT_FILE_SYSTEM, system_tests);
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
Description=Test for UMask
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "600"'
|
||||
ExecStart=/bin/sh -x -c 'rm /tmp/test-exec-umask; touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "600"'
|
||||
Type=oneshot
|
||||
UMask=0177
|
||||
PrivateTmp=yes
|
||||
|
||||
@ -2,6 +2,6 @@
|
||||
Description=Test for UMask default
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "644"'
|
||||
ExecStart=/bin/sh -x -c 'rm /tmp/test-exec-umask; touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "644"'
|
||||
Type=oneshot
|
||||
PrivateTmp=yes
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user