shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-08-23 05:49:52 +03:00
Code Activity

test: add a couple of tests for RestrictFileSystems=

Browse Source
This commit is contained in:
Frantisek Sumsal
2023-11-24 16:00:15 +01:00
parent 2d042c75ff
commit 4a43c2b3a1
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
test/units/testsuite-07.exec-context.sh
View File

@ -4,6 +4,9 @@
set -eux set -eux
set -o pipefail set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
# Make sure the unit's exec context matches its configuration # Make sure the unit's exec context matches its configuration
# See: https://github.com/systemd/systemd/pull/29552 # See: https://github.com/systemd/systemd/pull/29552
@ -284,6 +287,34 @@ systemd-run --wait --pipe "${ARGUMENTS[@]}" \
ulimit -R || exit 0; ulimit -R || exit 0;
: RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];' : RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];'
# RestrictFileSystems=
#
# Note: running instrumented binaries requires at least /proc to be accessible, so let's
# skip the test when we're running under sanitizers
if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then
ROOTFS="$(df --output=fstype /usr/bin | sed --quiet 2p)"
systemd-run --wait --pipe -p RestrictFileSystems="" ls /
systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls /
(! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc)
(! systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /)
systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc
systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc
systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup
systemd-run --wait --pipe -p RestrictFileSystems="~" ls /
systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /
systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /
(! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /)
(! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc)
(! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc)
(! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc)
(! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys)
systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /
(! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc)
(! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev)
(! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys)
fi
# Ensure that clean-up codepaths work correctly if activation ultimately fails # Ensure that clean-up codepaths work correctly if activation ultimately fails
touch /run/not-a-directory touch /run/not-a-directory
mkdir /tmp/root mkdir /tmp/root

19
test/units/util.sh
View File

@ -197,3 +197,22 @@ openssl_supports_kdf() {
# but let's do that when/if the need arises # but let's do that when/if the need arises
openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf" openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
} }
kernel_supports_lsm() {
local lsm="${1:?}"
local items item
if [[ ! -e /sys/kernel/security/lsm ]]; then
echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported"
return 1
fi
mapfile -t -d, items </sys/kernel/security/lsm
for item in "${items[@]}"; do
if [[ "$item" == "$lsm" ]]; then
return 0
fi
done
return 1
}