mirror of
https://github.com/systemd/systemd-stable.git
Merge pull request #8341 from yuwata/test-execute-ambient
test-execute: check capabilities before running tests
commit
de5fbba9e2
@ -24,6 +24,7 @@
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include "capability-util.h"
|
||||
#include "cpu-set-util.h"
|
||||
#include "errno-list.h"
|
||||
#include "fileio.h"
|
||||
@ -248,7 +249,7 @@ static void test_exec_privatedevices(Manager *m) {
|
||||
* properly set, so be sure that it exists */
|
||||
r = find_binary("capsh", NULL);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
|
||||
log_notice_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -272,7 +273,7 @@ static void test_exec_protectkernelmodules(Manager *m) {
|
||||
|
||||
r = find_binary("capsh", NULL);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
|
||||
log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -382,12 +383,12 @@ static void test_exec_systemcallfilter_system(Manager *m) {
|
||||
test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
|
||||
|
||||
if (!check_nobody_user_and_group()) {
|
||||
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
|
||||
log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
|
||||
log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -399,12 +400,12 @@ static void test_exec_user(Manager *m) {
|
||||
test(m, "exec-user.service", 0, CLD_EXITED);
|
||||
|
||||
if (!check_nobody_user_and_group()) {
|
||||
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
|
||||
log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
|
||||
log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -415,12 +416,12 @@ static void test_exec_group(Manager *m) {
|
||||
test(m, "exec-group.service", 0, CLD_EXITED);
|
||||
|
||||
if (!check_nobody_user_and_group()) {
|
||||
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
|
||||
log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
|
||||
log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -511,12 +512,12 @@ static void test_exec_runtimedirectory(Manager *m) {
|
||||
test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
|
||||
|
||||
if (!check_nobody_user_and_group()) {
|
||||
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
|
||||
log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
|
||||
log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -528,7 +529,14 @@ static void test_exec_capabilityboundingset(Manager *m) {
|
||||
|
||||
r = find_binary("capsh", NULL);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
|
||||
log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
if (have_effective_cap(CAP_CHOWN) <= 0 ||
|
||||
have_effective_cap(CAP_FOWNER) <= 0 ||
|
||||
have_effective_cap(CAP_KILL) <= 0) {
|
||||
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -538,7 +546,7 @@ static void test_exec_capabilityboundingset(Manager *m) {
|
||||
test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_capabilityambientset(Manager *m) {
|
||||
static void test_exec_ambientcapabilities(Manager *m) {
|
||||
int r;
|
||||
|
||||
/* Check if the kernel has support for ambient capabilities. Run
|
||||
@ -547,25 +555,31 @@ static void test_exec_capabilityambientset(Manager *m) {
|
||||
* in the first place for the tests. */
|
||||
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
|
||||
if (r < 0 && IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) {
|
||||
log_error("Skipping %s, the kernel does not support ambient capabilities", __func__);
|
||||
log_notice("Skipping %s, the kernel does not support ambient capabilities", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
|
||||
test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
|
||||
if (have_effective_cap(CAP_CHOWN) <= 0 ||
|
||||
have_effective_cap(CAP_NET_RAW) <= 0) {
|
||||
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
|
||||
test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
|
||||
|
||||
if (!check_nobody_user_and_group()) {
|
||||
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
|
||||
log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
|
||||
log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-capabilityambientset-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
|
||||
test(m, "exec-capabilityambientset-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
|
||||
test(m, "exec-ambientcapabilities-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
|
||||
test(m, "exec-ambientcapabilities-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
|
||||
}
|
||||
|
||||
static void test_exec_privatenetwork(Manager *m) {
|
||||
@ -573,7 +587,7 @@ static void test_exec_privatenetwork(Manager *m) {
|
||||
|
||||
r = find_binary("ip", NULL);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
|
||||
log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -633,8 +647,8 @@ static int run_tests(UnitFileScope scope, const test_function_t *tests) {
|
||||
int main(int argc, char *argv[]) {
|
||||
_cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
|
||||
static const test_function_t user_tests[] = {
|
||||
test_exec_ambientcapabilities,
|
||||
test_exec_bindpaths,
|
||||
test_exec_capabilityambientset,
|
||||
test_exec_capabilityboundingset,
|
||||
test_exec_cpuaffinity,
|
||||
test_exec_environment,
|
||||
|
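Review bot: The two new capability guards, in test_exec_capabilityboundingset and test_exec_ambientcapabilities, use `have_effective_cap(...) <= 0`, which folds a failed capability query into the "does not have enough capabilities" message and drops the error code. Since these guards decide whether the CapabilityBoundingSet= and AmbientCapabilities= checks run at all, I would keep the result in `r` and report a failure separately, e.g. `if (r < 0) log_notice_errno(r, "Skipping %s, failed to query capabilities: %m", __func__);`. Separately, every skip in this file is a bare `return` from a void function and is now logged at notice level, so a run in a capability-restricted environment can finish without exercising these sandboxing tests. Whether the harness records skips is not visible in these hunks, so that part may need a follow-up.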
@ -45,13 +45,13 @@ test_data_files = '''
|
||||
sockets.target
|
||||
son.service
|
||||
sysinit.target
|
||||
test-execute/exec-ambientcapabilities-merge-nfsnobody.service
|
||||
test-execute/exec-ambientcapabilities-merge-nobody.service
|
||||
test-execute/exec-ambientcapabilities-merge.service
|
||||
test-execute/exec-ambientcapabilities-nfsnobody.service
|
||||
test-execute/exec-ambientcapabilities-nobody.service
|
||||
test-execute/exec-ambientcapabilities.service
|
||||
test-execute/exec-bindpaths.service
|
||||
test-execute/exec-capabilityambientset-merge-nfsnobody.service
|
||||
test-execute/exec-capabilityambientset-merge-nobody.service
|
||||
test-execute/exec-capabilityambientset-merge.service
|
||||
test-execute/exec-capabilityambientset-nfsnobody.service
|
||||
test-execute/exec-capabilityambientset-nobody.service
|
||||
test-execute/exec-capabilityambientset.service
|
||||
test-execute/exec-capabilityboundingset-invert.service
|
||||
test-execute/exec-capabilityboundingset-merge.service
|
||||
test-execute/exec-capabilityboundingset-reset.service
|
||||
|
@ -2,8 +2,8 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nfsnobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN
|
||||
AmbientCapabilities=CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_RAW
|
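Review bot: The expected value `CapAmb: 0000000000002001` in ExecStart= is an undocumented magic mask; a comment above it such as `# 0x2001 = CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13)` would let a reader check it against the AmbientCapabilities= lines without looking up capability numbers. The same applies to the five unit sections that follow, which carry the same mask. The capabilities listed here also have to stay in step with the `have_effective_cap(CAP_CHOWN)` / `have_effective_cap(CAP_NET_RAW)` guard added in test_exec_ambientcapabilities, and the comment is a good place to say so.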
@ -2,8 +2,8 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN
|
||||
AmbientCapabilities=CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_RAW
|
@ -2,8 +2,8 @@
|
||||
Description=Test for AmbientCapabilities (daemon)
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=daemon
|
||||
AmbientCapabilities=CAP_NET_ADMIN
|
||||
AmbientCapabilities=CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_RAW
|
@ -2,7 +2,7 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nfsnobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
||||
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
|
@ -2,7 +2,7 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
||||
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
|
@ -2,7 +2,7 @@
|
||||
Description=Test for AmbientCapabilities (daemon)
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=daemon
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
||||
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
|