mirror of
https://github.com/systemd/systemd.git
synced 2024-10-31 16:21:26 +03:00
Merge pull request #19800 from poettering/podman-test
make our testsuite pass in a podman container with default privs
This commit is contained in:
commit
8d8053c2fe
@ -159,9 +159,15 @@ static void test_drop_privileges_fail(void) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void test_drop_privileges(void) {
|
static void test_drop_privileges(void) {
|
||||||
|
fork_test(test_drop_privileges_fail);
|
||||||
|
|
||||||
|
if (have_effective_cap(CAP_NET_RAW) == 0) /* The remaining two tests only work if we have CAP_NET_RAW
|
||||||
|
* in the first place. If we are run in some restricted
|
||||||
|
* container environment we might not. */
|
||||||
|
return;
|
||||||
|
|
||||||
fork_test(test_drop_privileges_keep_net_raw);
|
fork_test(test_drop_privileges_keep_net_raw);
|
||||||
fork_test(test_drop_privileges_dontkeep_net_raw);
|
fork_test(test_drop_privileges_dontkeep_net_raw);
|
||||||
fork_test(test_drop_privileges_fail);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_have_effective_cap(void) {
|
static void test_have_effective_cap(void) {
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
#include "tests.h"
|
#include "tests.h"
|
||||||
|
|
||||||
static int here = 0, here2 = 0, here3 = 0;
|
static int here = 0, here2 = 0, here3 = 0;
|
||||||
void *ignore_stdout_args[] = {&here, &here2, &here3};
|
static void *ignore_stdout_args[] = { &here, &here2, &here3 };
|
||||||
|
|
||||||
/* noop handlers, just check that arguments are passed correctly */
|
/* noop handlers, just check that arguments are passed correctly */
|
||||||
static int ignore_stdout_func(int fd, void *arg) {
|
static int ignore_stdout_func(int fd, void *arg) {
|
||||||
|
@ -924,8 +924,8 @@ int main(int argc, char *argv[]) {
|
|||||||
can_unshare = have_namespaces();
|
can_unshare = have_namespaces();
|
||||||
|
|
||||||
/* It is needed otherwise cgroup creation fails */
|
/* It is needed otherwise cgroup creation fails */
|
||||||
if (getuid() != 0)
|
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0)
|
||||||
return log_tests_skipped("not root");
|
return log_tests_skipped("not privileged");
|
||||||
|
|
||||||
r = enter_cgroup_subroot(NULL);
|
r = enter_cgroup_subroot(NULL);
|
||||||
if (r == -ENOMEDIUM)
|
if (r == -ENOMEDIUM)
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
#include <sys/statvfs.h>
|
#include <sys/statvfs.h>
|
||||||
|
|
||||||
#include "alloc-util.h"
|
#include "alloc-util.h"
|
||||||
|
#include "capability-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "mount-util.h"
|
#include "mount-util.h"
|
||||||
@ -75,8 +76,8 @@ static void test_bind_remount_recursive(void) {
|
|||||||
_cleanup_free_ char *subdir = NULL;
|
_cleanup_free_ char *subdir = NULL;
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
if (geteuid() != 0) {
|
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
|
||||||
(void) log_tests_skipped("not running as root");
|
(void) log_tests_skipped("not running privileged");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -128,8 +129,8 @@ static void test_bind_remount_recursive(void) {
|
|||||||
static void test_bind_remount_one(void) {
|
static void test_bind_remount_one(void) {
|
||||||
pid_t pid;
|
pid_t pid;
|
||||||
|
|
||||||
if (geteuid() != 0) {
|
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
|
||||||
(void) log_tests_skipped("not running as root");
|
(void) log_tests_skipped("not running privileged");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -15,6 +15,7 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "alloc-util.h"
|
#include "alloc-util.h"
|
||||||
|
#include "capability-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "macro.h"
|
#include "macro.h"
|
||||||
@ -41,6 +42,10 @@
|
|||||||
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
|
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
static bool have_seccomp_privs(void) {
|
||||||
|
return geteuid() == 0 && have_effective_cap(CAP_SYS_ADMIN) > 0; /* If we are root but CAP_SYS_ADMIN we can't do caps (unless we also do NNP) */
|
||||||
|
}
|
||||||
|
|
||||||
static void test_parse_syscall_and_errno(void) {
|
static void test_parse_syscall_and_errno(void) {
|
||||||
_cleanup_free_ char *n = NULL;
|
_cleanup_free_ char *n = NULL;
|
||||||
int e;
|
int e;
|
||||||
@ -168,8 +173,8 @@ static void test_filter_sets(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -303,8 +308,8 @@ static void test_restrict_namespace(void) {
|
|||||||
log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
|
log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping remaining tests in %s", __func__);
|
log_notice("Not privileged, skipping remaining tests in %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -373,8 +378,8 @@ static void test_protect_sysctl(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -426,8 +431,8 @@ static void test_protect_syslog(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -468,8 +473,8 @@ static void test_restrict_address_families(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -557,8 +562,8 @@ static void test_restrict_realtime(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -604,8 +609,8 @@ static void test_memory_deny_write_execute_mmap(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#if HAVE_VALGRIND_VALGRIND_H
|
#if HAVE_VALGRIND_VALGRIND_H
|
||||||
@ -674,8 +679,8 @@ static void test_memory_deny_write_execute_shmat(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#if HAVE_VALGRIND_VALGRIND_H
|
#if HAVE_VALGRIND_VALGRIND_H
|
||||||
@ -739,8 +744,8 @@ static void test_restrict_archs(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -779,8 +784,8 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -877,8 +882,8 @@ static void test_lock_personality(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -941,8 +946,8 @@ static void test_restrict_suid_sgid(void) {
|
|||||||
log_notice("Seccomp not available, skipping %s", __func__);
|
log_notice("Seccomp not available, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (geteuid() != 0) {
|
if (!have_seccomp_privs()) {
|
||||||
log_notice("Not root, skipping %s", __func__);
|
log_notice("Not privileged, skipping %s", __func__);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user