shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-24 14:50:17 +03:00
Code

Add tests and documentation for all remaining sandboxing in user manager

Browse Source
This commit is contained in:
Luca Boccassi 2022-03-12 21:16:32 +00:00 committed by Lennart Poettering
parent 4355c04fef
commit 1219bd4306
3 changed files with 88 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
man/system-or-user-ns.xml Normal file
View File

@ -0,0 +1,16 @@
<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.1-or-later
-->
<refsect1>
<para id="singular">This option is only available for system services, or for services running in per-user
instances of the service manager when unprivileged user namespaces are available.</para>
<para id="plural">These options are only available for system services, or for services running in per-user
instances of the service manager when unprivileged user namespaces are available.</para>
</refsect1>

42
man/systemd.exec.xml
View File

@ -143,7 +143,9 @@
<title>Mounting logging sockets into root environment</title>
<programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting>
</example></listitem>
</example>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -480,7 +482,9 @@
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para>Note that usage from user units requires overlayfs support in unprivileged user namespaces,
which was first introduced in kernel v5.11.</para></listitem>
which was first introduced in kernel v5.11.</para>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -625,7 +629,7 @@
<refsect1>
<title>Capabilities</title>
<xi:include href="system-only.xml" xpointer="plural"/>
<xi:include href="system-or-user-ns.xml" xpointer="plural"/>
<variablelist class='unit-directives'>
@ -1254,7 +1258,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all cases. In
general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1508,7 +1512,7 @@ NoExecPaths=/
ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
</programlisting></para>
<xi:include href="system-only.xml" xpointer="plural"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="plural"/></listitem>
</varlistentry>
<varlistentry>
@ -1533,7 +1537,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
then the invoked processes by the unit cannot see any files or directories under <filename>/var/</filename> except for
<filename>/var/lib/systemd</filename> or its contents.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1561,7 +1565,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
available), and the unit should be written in a way that does not solely rely on this setting for
security.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1595,7 +1599,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
namespaces are not available), and the unit should be written in a way that does not solely rely on
this setting for security.</para>
<xi:include href="system-only.xml" xpointer="singular"/>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/>
<para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname>
setting might be used instead. See
@ -1629,7 +1633,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other
services.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1648,7 +1652,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<para>When this option is used on a socket unit any sockets bound on behalf of this unit will be
bound within the specified network namespace.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1679,7 +1683,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1695,7 +1699,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<varname>IPCNamespacePath=</varname> configured, as otherwise the network namespace of those
units is reused.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1749,7 +1753,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
capability (e.g. services for which <varname>User=</varname> is set),
<varname>NoNewPrivileges=yes</varname> is implied.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1766,7 +1770,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
doesn't have the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services for which
<varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1790,7 +1794,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
inaccessible. If <varname>ProtectKernelTunables=</varname> is set,
<varname>MountAPIVFS=yes</varname> is implied.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1811,7 +1815,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
but the unit doesn't have the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services for
which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -1830,7 +1834,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
capability (e.g. services for which <varname>User=</varname> is set),
<varname>NoNewPrivileges=yes</varname> is implied.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -2134,7 +2138,7 @@ RestrictNamespaces=~cgroup net</programlisting>
option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are
used.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
@ -2164,7 +2168,7 @@ RestrictNamespaces=~cgroup net</programlisting>
<para>Usually, it is best to leave this setting unmodified, and use higher level file system namespacing
options instead, in particular <varname>PrivateMounts=</varname>, see above.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
<xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem>
</varlistentry>
</variablelist>

52
test/units/testsuite-43.sh
View File

@ -74,6 +74,53 @@ runas testuser systemd-run --wait --user --unit=test-bind-mount \
-p PrivateUsers=yes -p BindPaths=/dev/null:/etc/os-release \
test ! -s /etc/os-release
runas testuser systemd-run --wait --user --unit=test-read-write \
-p PrivateUsers=yes -p ReadOnlyPaths=/ \
-p ReadWritePaths="/var /run /tmp" \
-p NoExecPaths=/ -p ExecPaths=/usr \
test ! -w /etc/os-release
runas testuser systemd-run --wait --user --unit=test-caps \
-p PrivateUsers=yes -p AmbientCapabilities=CAP_SYS_ADMIN \
-p CapabilityBoundingSet=CAP_SYS_ADMIN \
test -s /etc/os-release
runas testuser systemd-run --wait --user --unit=test-devices \
-p PrivateUsers=yes -p PrivateDevices=yes -p PrivateIPC=yes \
sh -c "ls -1 /dev/ | wc -l | grep -q -F 18"
# Same check as test/test-execute/exec-privatenetwork-yes.service
runas testuser systemd-run --wait --user --unit=test-network \
-p PrivateUsers=yes -p PrivateNetwork=yes \
/bin/sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
runas testuser systemd-run --wait --user --unit=test-hostname \
-p PrivateUsers=yes -p ProtectHostname=yes \
hostnamectl hostname foo \
&& { echo 'unexpected success'; exit 1; }
runas testuser systemd-run --wait --user --unit=test-clock \
-p PrivateUsers=yes -p ProtectClock=yes \
timedatectl set-time "2012-10-30 18:17:16" \
&& { echo 'unexpected success'; exit 1; }
runas testuser systemd-run --wait --user --unit=test-kernel-tunable \
-p PrivateUsers=yes -p ProtectKernelTunables=yes \
sh -c "echo 0 > /proc/sys/user/max_user_namespaces" \
&& { echo 'unexpected success'; exit 1; }
runas testuser systemd-run --wait --user --unit=test-kernel-mod \
-p PrivateUsers=yes -p ProtectKernelModules=yes \
sh -c "modprobe -r overlay && modprobe overlay" \
&& { echo 'unexpected success'; exit 1; }
if sysctl kernel.dmesg_restrict=0; then
runas testuser systemd-run --wait --user --unit=test-kernel-log \
-p PrivateUsers=yes -p ProtectKernelLogs=yes -p LogNamespace=yes \
dmesg \
&& { echo 'unexpected success'; exit 1; }
fi
unsquashfs -no-xattrs -d /tmp/img /usr/share/minimal_0.raw
runas testuser systemd-run --wait --user --unit=test-root-dir \
-p PrivateUsers=yes -p RootDirectory=/tmp/img \
@ -82,8 +129,9 @@ runas testuser systemd-run --wait --user --unit=test-root-dir \
mkdir /tmp/img_bind
mount --bind /tmp/img /tmp/img_bind
runas testuser systemd-run --wait --user --unit=test-root-dir-bind \
-p PrivateUsers=yes -p RootDirectory=/tmp/img_bind \
-p PrivateUsers=yes -p RootDirectory=/tmp/img_bind -p MountFlags=private \
grep MARKER=1 /etc/os-release
umount /tmp/img_bind
# Unprivileged overlayfs was added to Linux 5.11, so try to detect it first
mkdir -p /tmp/a /tmp/b /tmp/c
@ -96,8 +144,6 @@ if unshare --mount --user --map-root-user mount -t overlay overlay /tmp/c -o low
grep PORTABLE_PREFIXES=app1 /usr/lib/extension-release.d/extension-release.app2
fi
umount /tmp/img_bind
systemd-analyze log-level info
echo OK >/testok