1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-09 01:18:19 +03:00
Commit Graph

41 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
63403f07b0 tests: use relative paths in ExecStart= and friends
We want to retain *some* of the full paths in order to test more code paths.
But the default should be to use the command name only. This makes the tests
less visually cluttered.
2024-01-09 11:14:16 +01:00
Yu Watanabe
abf0ccc1c6 analyze-verify: verify all executables
ExecStart= and friends for .service and .socket can be specified
multiple times.
This also checks all commands for .mount and .swap, not only for the
current control command.
2023-12-20 23:56:16 +09:00
Yu Watanabe
5183976cea TEST-65-ANALYZE: only mount /usr if necessary
Follow-up for 8f764b32ea.

Otherwise, we fail to umount several directories on shutdown.
---
[   15.684430] systemd[1]: Failed unmounting tmp-root-proc.mount.
[   15.689379] systemd[1]: Failed unmounting tmp-root-run.mount.
[   15.710572] systemd[1]: Failed unmounting tmp-root-sys-fs-cgroup.mount.
[   15.913953] systemd[1]: Failed unmounting tmp-root-dev.mount.
[   15.924603] systemd[1]: Failed unmounting tmp-root-sys.mount.
[   15.938207] systemd[1]: Failed unmounting tmp-root.mount.
[   15.952395] systemd[1]: Failed unmounting tmp.mount.
2023-12-20 23:56:16 +09:00
Richard Maw
8f764b32ea test: Create analyze chroot with --rbind
The systemd-analyze integration test also tests chroots.
It builds its chroot by bind-mounting /,
but since /usr might be a separate mountpoint
it should create the chroot with --rbind.
2023-12-13 13:35:04 +00:00
Yu Watanabe
9d51ab7830 test: add test cases for issue #30357 2023-12-11 15:12:42 +09:00
Lennart Poettering
fb8cc599ed analyze: add "architectures" verb that lists all known architectures 2023-12-06 22:18:14 +01:00
Peter Hutterer
4f7a629e6c analyze: handle CAP_BPF support 2023-11-01 10:25:59 +00:00
Luca Boccassi
7470e161cf
Merge pull request #29553 from keszybz/analyze-cat-config-tldr
analyze/cat-config: add switch to print only "interesting" parts of conffiles
2023-10-25 09:53:19 +01:00
Zbigniew Jędrzejewski-Szmek
063c838206 analyze/cat-config: add switch to print only "interesting" parts of config files
When looking at configuration, often a user wants to suppress the comments and
just look at the parts that actually configure something, roughly equivalent to
  systemd-analyze cat-config … | rg -v '^(#|;|$)
This switch implements this natively, skipping lines that start with a comment
character or only contain whitespace.

For formats that have section headers, section headers are skipped, if only
followed by stuff that would be skipped. (The last section header is printed
when we're about to print some actual output.)

Note that the caller doesn't know if the format has headers or not. We do format
type detection in pretty-print.c. So the caller only specifies tldr=true|false, and
conf_files_cat() figures out if the format has headers and whether those should
be handled specially.

The comments that show the file name are always printed, even if all of the file
is suppressed.

This is a partial answer to the discussions in
https://github.com/systemd/systemd/pull/28919,
https://github.com/systemd/systemd/pull/29248. If the default config is shown in
config files, the user can conveniently use '--tldr' to show the relevant parts.
2023-10-24 15:59:34 +02:00
Lennart Poettering
7693661a84 run: output invocation ID when starting service and scope units 2023-10-16 14:30:11 +02:00
Maanya Goenka
f660c7fa56 fix: do not check/verify slice units if recursive errors are to be ignored
Before this fix, when recursive-errors was set to 'no' during a systemd-analyze
verification, the parent slice was checked regardless. The 'no' setting means that,
only the specified unit should be looked at and verified and errors in the slices should be
ignored. This commit fixes that issue.

Example:

Say we have a sample.service file:

[Unit]
Description=Sample Service

[Service]
ExecStart=/bin/echo "a"
Slice=support.slice

Before Change:

systemd-analyze verify --recursive-errors=no maanya/sample.service
Assertion 'u' failed at src/core/unit.c:153, function unit_has_name(). Aborting.
Aborted (core dumped)

After Change:
systemd-analyze verify --recursive-errors=no maanya/sample.service
{No errors}
2023-09-28 23:32:02 +01:00
Frantisek Sumsal
07268394d6 test: unify /testok & /failed handling
And drop it where not necessary.
2023-07-12 16:03:40 +02:00
Lennart Poettering
f70c90f5ca analyze: add new "pcrs" verb
It shows the PCRs we know about along with their name strings and
current values.
2023-06-28 16:50:50 +02:00
Luca Boccassi
d936595672 manager: restrict Dump*() to privileged callers or ratelimit
Dump*() methods can take quite some time due to the amount of data to
serialize, so they can potentially stall the manager. Make them
privileged, as they are debugging tools anyway. Use a new 'dump'
capability for polkit, and the 'reload' capability for SELinux, as
that's also non-destructive but slow.

If the caller is not privileged, allow it but rate limited to 10 calls
every 10 minutes.
2023-05-19 15:18:23 +01:00
Frantisek Sumsal
cb153b4fe9 test: rename assert.sh to util.sh
So we can extend it with additional utility functions without making it
confusing.

No functional change.
2023-05-16 22:43:52 +02:00
Zbigniew Jędrzejewski-Szmek
128db0aa00 test: drop uses of "&& { echo 'unexpected success'; exit 1; }"
Brief is sweet.
2023-04-24 21:58:35 +02:00
Frantisek Sumsal
f7f5657ece test: add a couple of basic sanity tests for the security verb 2023-04-16 09:21:13 +02:00
Lennart Poettering
3af48a86d9
Merge pull request #25608 from poettering/dissect-moar
dissect: add dissection policies
2023-04-12 13:46:08 +02:00
Yu Watanabe
1538136911 test: systemd-analyze blame should succeed now 2023-04-10 05:34:30 +09:00
Lennart Poettering
a62e12dad1 analyze: add 'image-policy' tool for analyzing image dissection policies 2023-04-05 20:51:31 +02:00
Luca Boccassi
f50535afad analyze: add 'malloc' verb to dump malloc_info()
Gets the memory state of the manager:

root@image:~# systemd-analyze malloc
<malloc version=1>
<heap nr=0>
<sizes>
  <size from=33 to=33 total=396 count=12/>
  <unsorted from=20385 to=20385 total=20385 count=1/>
</sizes>
<total type=fast count=0 size=0/>
<total type=rest count=14 size=36589/>
<system type=current size=1691648/>
<system type=max size=1839104/>
<aspace type=total size=1691648/>
<aspace type=mprotect size=1691648/>
</heap>
<total type=fast count=0 size=0/>
<total type=rest count=14 size=36589/>
<total type=mmap count=0 size=0/>
<system type=current size=1691648/>
<system type=max size=1839104/>
<aspace type=total size=1691648/>
<aspace type=mprotect size=1691648/>
</malloc>
2023-02-23 18:59:06 +00:00
joshuazivkovic
a23be57de3 systemd-analyze: Add --json=, --table and -no-legend tests for plot 2023-01-18 14:33:08 +00:00
Zbigniew Jędrzejewski-Szmek
a7eed3eca3 TEST-65: check cat-config operation in chroot
This verifies the fix in 2075b6dd39.
2022-12-07 12:38:10 +01:00
Frantisek Sumsal
8b1879bcd0 test: cover a couple of previously missed analyze code paths 2022-11-03 11:33:13 +01:00
Frantisek Sumsal
926d95cd4c test: cover legacy/deprecated systemd-analyze verbs
They're no longer documented since 26e1e97345 but still work.
2022-11-03 11:26:08 +01:00
Frantisek Sumsal
6c83054c01 test: add a sanity coverage for systemd-analyze verbs 2022-11-03 06:25:51 +09:00
Yu Watanabe
cf906beaef test: add syscall filter tests for analyze security 2022-06-17 12:45:45 +09:00
Luca Boccassi
6a59dfa108 analyze security: print DeviceAllow list
Many sandboxing options add implicit DeviceAllow rules, which might be confusing
for users running systemd-analyze security and not expecting it.
Print the list.

Fixes https://github.com/systemd/systemd/issues/23185
2022-05-01 13:43:01 +09:00
Luca Boccassi
444d9abd06 analyze: fix crash with online security check
1449b0f8a9 fixed seccomp arch check for the offline case,
but broke it for the normal case, as when coming from D-Bus the
list of seccomp architectures is already converted to string.

Fixes https://github.com/systemd/systemd/issues/23224
2022-05-01 11:47:44 +09:00
Luca Boccassi
1449b0f8a9 analyze: fix offline check for 'native' syscall architecture
Enum values are stored in the set, not strings
2022-04-01 10:42:48 +01:00
Zbigniew Jędrzejewski-Szmek
ec1574cd8e
Merge pull request #21454 from bluca/inspect_elf
analyze: add inspect-elf verb to parse package metadata
2021-12-06 12:45:25 +01:00
Luca Boccassi
cb94244406 test: run commands with debug level logs in TEST-65-ANALYZE 2021-12-01 12:06:36 +00:00
Luca Boccassi
917e655457 analyze: add inspect-elf verb to parse package metadata
Parses and prints package metadata from executables, libraries and core files

$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverityb /bin/bash --json=off --no-pager
__________________________
           path: /tmp/core
        elfType: coredump
elfArchitecture: AMD x86-64

    module name: /tmp/crash
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: b33541096a09c29a0ba4ec5c69364a2711b7c269

    module name: /usr/lib/x86_64-linux-gnu/libc-2.31.so
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: 54eef5ce96cf37cb175b0d93186836ca1caf470c

    module name: /usr/lib/x86_64-linux-gnu/ld-2.31.so
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: 32438eb3b034da54caf58c7a65446639f7cfe274
__________________________________________________________________
           path: /home/luca/git/systemd/../fsverity-utils/fsverity
        elfType: executable
elfArchitecture: AMD x86-64

           type: deb
           name: fsverity-utils
        version: 1.3-1
   architecture: amd64
             os: debian
   debugInfoUrl: https://debuginfod.debian.net
        buildId: 05b899e6ee0d3653e20458719b202ed3ca8d566f
_________________________
           path: /bin/bash
        elfType: executable
elfArchitecture: AMD x86-64

        buildId: 4fef260f60e257d2dbd4126bf8add83837aea190
$
$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverity /bin/bash /tmp/core.test-condition.1000.f9b9a84a9fd1482c9702d6afa6f6934b.37640.1637083078000000 --json=pretty --no-pager
{
	"elfType" : "coredump",
	"elfArchitecture" : "AMD x86-64",
	"/home/bluca/git/fsverity-utils/fsverity" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
	},
	"/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88"
	}
}
{
	"elfType" : "executable",
	"elfArchitecture" : "AMD x86-64",
	"/home/bluca/git/systemd/../fsverity-utils/fsverity" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
	}
}
{
	"elfType" : "executable",
	"elfArchitecture" : "AMD x86-64",
	"/bin/bash" : {
		"buildId" : "3313b4cb119dcce16927a9b6cc61dcd97dfc4d59"
	}
}
{
	"elfType" : "coredump",
	"elfArchitecture" : "AMD x86-64"
}
2021-11-30 23:14:07 +00:00
Luca Boccassi
0446921131 analyze: add --profile switch to security verb
Allows to pass a portable profile when doing offline analysis of
units. Especially useful for analyzing portable images, since a
lot of the security-relevant settings in those cases come from
the profiles, but they are not shipped in the portable images.
2021-11-26 18:17:26 +00:00
Albert Brox
da845dabf5 implement aliasing for systemd-analyze verify 2021-11-08 12:08:23 +00:00
Luca Boccassi
82100ef486 analyze: allow a custom policy to skip a check with weight=0
In some cases an offline analysis should ignore some fields, for example
a portable service in an image will never list RootImage/RootDirectory, as
they are added at runtime, and thus can be skipped.
2021-11-05 22:37:34 +00:00
Luca Boccassi
d54017e8f7 analyze: fix typos in test policy 2021-11-04 19:22:28 +00:00
Dimitri Papadopoulos
ba669952b2 Typos found by codespell 2021-10-20 22:20:18 +09:00
Zbigniew Jędrzejewski-Szmek
7b3cec95db tests: add spdx headers to scripts and Makefiles 2021-10-18 09:04:45 +02:00
Anita Zhang
14bb729534 basic/unit-file: don't filter out names starting with dot
Fixes #20859
Reverts 3796bdc55d
2021-09-29 14:42:13 +02:00
Luca Boccassi
7728f6aa81 test: rename TEST-63-ANALYZE to solve conflict
Two PRs adding TEST-63-* were merged more or less at the
same time, and we missed the conflict.
2021-09-08 10:12:03 +09:00