core: don't downgrade multi-state settings to boolean

Protect{Home,System,Proc,Subset}= are not booleans, so make sure we use the intended value instead of just true/false. See: https://github.com/systemd/systemd/pull/29552 Follow-up to: 79d956d
2025-02-04 21:47:31 +03:00 · 2023-10-14 19:25:28 +02:00 · 2023-10-14 19:25:28 +02:00 · abcf59970d
commit abcf59970d
parent da638eb4c9
2 changed files with 75 additions and 4 deletions
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -3163,10 +3163,10 @@ static int apply_mount_namespace(
                /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
                .mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),

-                .protect_home = needs_sandboxing && context->protect_home,
-                .protect_system = needs_sandboxing && context->protect_system,
-                .protect_proc = needs_sandboxing && context->protect_proc,
-                .proc_subset = needs_sandboxing && context->proc_subset,
+                .protect_home = needs_sandboxing ? context->protect_home : false,
+                .protect_system = needs_sandboxing ? context->protect_system : false,
+                .protect_proc = needs_sandboxing ? context->protect_proc : false,
+                .proc_subset = needs_sandboxing ? context->proc_subset : false,
        };

        r = setup_namespace(&parameters, error_path);
--- a/test/units/testsuite-07.exec-context.sh
+++ b/test/units/testsuite-07.exec-context.sh
@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# Make sure the unit's exec context matches its configuration
+# See: https://github.com/systemd/systemd/pull/29552
+
+# Even though hidepid= was introduced in kernel 3.3, we support only
+# the post 5.8 implementation that allows us to apply the option per-instance,
+# instead of the whole namespace. To distinguish between these two implementations
+# lets check if we can mount procfs with a named value (e.g. hidepid=off), since
+# support for this was introduced in the same commit as the per-instance stuff
+proc_supports_option() {
+    local option="${1:?}"
+    local proc_tmp ec
+
+    proc_tmp="$(mktemp -d)"
+    mount -t proc -o "$option" proc "$proc_tmp" && ec=0 || ec=$?
+    mountpoint -q "$proc_tmp" && umount -q "$proc_tmp"
+    rm -rf "$proc_tmp"
+
+    return $ec
+}
+
+systemd-run --wait --pipe -p ProtectSystem=yes \
+    bash -xec "test ! -w /usr; test ! -w /boot; test -w /etc; test -w /var"
+systemd-run --wait --pipe -p ProtectSystem=full \
+    bash -xec "test ! -w /usr; test ! -w /boot; test ! -w /etc; test -w /var"
+systemd-run --wait --pipe -p ProtectSystem=strict \
+    bash -xec "test ! -w /; test ! -w /etc; test ! -w /var; test -w /dev; test -w /proc"
+systemd-run --wait --pipe -p ProtectSystem=no \
+    bash -xec "test -w /; test -w /etc; test -w /var; test -w /dev; test -w /proc"
+
+MARK="$(mktemp /root/.exec-context.XXX)"
+systemd-run --wait --pipe -p ProtectHome=yes \
+    bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK"
+systemd-run --wait --pipe -p ProtectHome=read-only \
+    bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test -e $MARK"
+systemd-run --wait --pipe -p ProtectHome=tmpfs \
+    bash -xec "test -w /home; test -w /root; test -w /run/user; test ! -e $MARK"
+systemd-run --wait --pipe -p ProtectHome=no \
+    bash -xec "test -w /home; test -w /root; test -w /run/user; test -e $MARK"
+rm -f "$MARK"
+
+if proc_supports_option "hidepid=off"; then
+    systemd-run --wait --pipe -p ProtectProc=noaccess -p User=testuser \
+        bash -xec 'test -e /proc/1; test ! -r /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=invisible -p User=testuser \
+        bash -xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=ptraceable -p User=testuser \
+        bash -xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=ptraceable -p User=testuser -p AmbientCapabilities=CAP_SYS_PTRACE \
+        bash -xec 'test -r /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=default -p User=testuser \
+        bash -xec 'test -r /proc/1; test -r /proc/$$$$/comm'
+fi
+
+if proc_supports_option "subset=pid"; then
+    systemd-run --wait --pipe -p ProcSubset=pid -p User=testuser \
+        bash -xec "test -r /proc/1/comm; test ! -e /proc/cpuinfo"
+    systemd-run --wait --pipe -p ProcSubset=all -p User=testuser \
+        bash -xec "test -r /proc/1/comm; test -r /proc/cpuinfo"
+fi
+
+if ! systemd-detect-virt -cq; then
+    systemd-run --wait --pipe -p ProtectKernelLogs=yes -p User=testuser \
+        bash -xec "test ! -r /dev/kmsg"
+    systemd-run --wait --pipe -p ProtectKernelLogs=no -p User=testuser \
+        bash -xec "test -r /dev/kmsg"
+fi