mirror of https://github.com/systemd/systemd-stable.git synced 2024-10-28 11:55:23 +03:00

Merge pull request #8341 from yuwata/test-execute-ambient

test-execute: check capabilities before running tests
Zbigniew Jędrzejewski-Szmek 2018-03-05 17:45:28 +01:00 committed by GitHub
commit de5fbba9e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 53 additions and 39 deletions


@ -24,6 +24,7 @@
#include <sys/prctl.h>
#include <sys/types.h>
#include "capability-util.h"
#include "cpu-set-util.h"
#include "errno-list.h"
#include "fileio.h"
@ -248,7 +249,7 @@ static void test_exec_privatedevices(Manager *m) {
* properly set, so be sure that it exists */
r = find_binary("capsh", NULL);
if (r < 0) {
log_error_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
log_notice_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
return;
}
@ -272,7 +273,7 @@ static void test_exec_protectkernelmodules(Manager *m) {
r = find_binary("capsh", NULL);
if (r < 0) {
log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
return;
}
@ -382,12 +383,12 @@ static void test_exec_systemcallfilter_system(Manager *m) {
test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
if (!check_nobody_user_and_group()) {
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
return;
}
if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
return;
}
@ -399,12 +400,12 @@ static void test_exec_user(Manager *m) {
test(m, "exec-user.service", 0, CLD_EXITED);
if (!check_nobody_user_and_group()) {
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
return;
}
if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
return;
}
@ -415,12 +416,12 @@ static void test_exec_group(Manager *m) {
test(m, "exec-group.service", 0, CLD_EXITED);
if (!check_nobody_user_and_group()) {
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
return;
}
if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
return;
}
@ -511,12 +512,12 @@ static void test_exec_runtimedirectory(Manager *m) {
test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
if (!check_nobody_user_and_group()) {
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
return;
}
if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
return;
}
@ -528,7 +529,14 @@ static void test_exec_capabilityboundingset(Manager *m) {
r = find_binary("capsh", NULL);
if (r < 0) {
log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
return;
}
if (have_effective_cap(CAP_CHOWN) <= 0 ||
have_effective_cap(CAP_FOWNER) <= 0 ||
have_effective_cap(CAP_KILL) <= 0) {
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
return;
}
@ -538,7 +546,7 @@ static void test_exec_capabilityboundingset(Manager *m) {
test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);
}
static void test_exec_capabilityambientset(Manager *m) {
static void test_exec_ambientcapabilities(Manager *m) {
int r;
/* Check if the kernel has support for ambient capabilities. Run
@ -547,25 +555,31 @@ static void test_exec_capabilityambientset(Manager *m) {
* in the first place for the tests. */
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
if (r < 0 && IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) {
log_error("Skipping %s, the kernel does not support ambient capabilities", __func__);
log_notice("Skipping %s, the kernel does not support ambient capabilities", __func__);
return;
}
test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
if (have_effective_cap(CAP_CHOWN) <= 0 ||
have_effective_cap(CAP_NET_RAW) <= 0) {
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
return;
}
test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
if (!check_nobody_user_and_group()) {
log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
return;
}
if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
return;
}
test(m, "exec-capabilityambientset-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
test(m, "exec-capabilityambientset-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
test(m, "exec-ambientcapabilities-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
test(m, "exec-ambientcapabilities-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
}
static void test_exec_privatenetwork(Manager *m) {
@ -573,7 +587,7 @@ static void test_exec_privatenetwork(Manager *m) {
r = find_binary("ip", NULL);
if (r < 0) {
log_error_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
return;
}
@ -633,8 +647,8 @@ static int run_tests(UnitFileScope scope, const test_function_t *tests) {
int main(int argc, char *argv[]) {
_cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
static const test_function_t user_tests[] = {
test_exec_ambientcapabilities,
test_exec_bindpaths,
test_exec_capabilityambientset,
test_exec_capabilityboundingset,
test_exec_cpuaffinity,
test_exec_environment,
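Review bot: The new guards in test_exec_capabilityboundingset and test_exec_ambientcapabilities test `have_effective_cap(...) <= 0`, so a failed capability query (a negative return, which the `<= 0` comparison implies is possible) produces the same "does not have enough capabilities" notice as a capability that is really absent. These tests exercise CapabilityBoundingSet= and AmbientCapabilities= enforcement, so a skip caused by an error is lost coverage that the log cannot distinguish from an expected skip. Consider handling the error case on its own, e.g. `if (r < 0) { log_notice_errno(r, "Skipping %s, could not query capabilities: %m", __func__); return; }`, and naming the missing capability in the other message. Both function bodies continue outside the visible hunks, so how the caller accounts for a skipped test cannot be seen here.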


@ -45,13 +45,13 @@ test_data_files = '''
sockets.target
son.service
sysinit.target
test-execute/exec-ambientcapabilities-merge-nfsnobody.service
test-execute/exec-ambientcapabilities-merge-nobody.service
test-execute/exec-ambientcapabilities-merge.service
test-execute/exec-ambientcapabilities-nfsnobody.service
test-execute/exec-ambientcapabilities-nobody.service
test-execute/exec-ambientcapabilities.service
test-execute/exec-bindpaths.service
test-execute/exec-capabilityambientset-merge-nfsnobody.service
test-execute/exec-capabilityambientset-merge-nobody.service
test-execute/exec-capabilityambientset-merge.service
test-execute/exec-capabilityambientset-nfsnobody.service
test-execute/exec-capabilityambientset-nobody.service
test-execute/exec-capabilityambientset.service
test-execute/exec-capabilityboundingset-invert.service
test-execute/exec-capabilityboundingset-merge.service
test-execute/exec-capabilityboundingset-reset.service


@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nfsnobody
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW
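Review bot: The expected value `CapAmb: 0000000000002001` in this unit's ExecStart= is an unexplained bitmask, so a reader cannot see that it has to match the AmbientCapabilities= lines below it; the five other exec-ambientcapabilities*.service sections that follow are changed the same way. A comment above ExecStart= such as `# 0x2001 = CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13)` would make that coupling explicit and show what to update when the capability list changes. The exact string comparison is worth keeping, since it also fails if any additional ambient capability reaches the service.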


@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nobody
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW


@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities (daemon)
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=daemon
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW


@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nfsnobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW


@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW


@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities (daemon)
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=daemon
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW