]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
d8c9d3a4 | 2 | |
806aea38 | 3 | #include <fcntl.h> |
613b411c | 4 | #include <sys/socket.h> |
ca78ad1d | 5 | #include <sys/stat.h> |
d8c9d3a4 | 6 | |
b5efdb8a | 7 | #include "alloc-util.h" |
3ffd4af2 | 8 | #include "fd-util.h" |
d8c9d3a4 | 9 | #include "namespace.h" |
0b452006 | 10 | #include "process-util.h" |
07630cea | 11 | #include "string-util.h" |
317bb217 | 12 | #include "tests.h" |
806aea38 | 13 | #include "user-util.h" |
07630cea | 14 | #include "util.h" |
806aea38 | 15 | #include "virt.h" |
d8c9d3a4 ZJS |
16 | |
17 | static void test_tmpdir(const char *id, const char *A, const char *B) { | |
18 | _cleanup_free_ char *a, *b; | |
613b411c LP |
19 | struct stat x, y; |
20 | char *c, *d; | |
d8c9d3a4 | 21 | |
613b411c LP |
22 | assert_se(setup_tmp_dirs(id, &a, &b) == 0); |
23 | assert_se(startswith(a, A)); | |
24 | assert_se(startswith(b, B)); | |
d8c9d3a4 | 25 | |
613b411c LP |
26 | assert_se(stat(a, &x) >= 0); |
27 | assert_se(stat(b, &y) >= 0); | |
d8c9d3a4 | 28 | |
613b411c LP |
29 | assert_se(S_ISDIR(x.st_mode)); |
30 | assert_se(S_ISDIR(y.st_mode)); | |
d8c9d3a4 | 31 | |
613b411c LP |
32 | assert_se((x.st_mode & 01777) == 0700); |
33 | assert_se((y.st_mode & 01777) == 0700); | |
34 | ||
63c372cb LP |
35 | c = strjoina(a, "/tmp"); |
36 | d = strjoina(b, "/tmp"); | |
613b411c LP |
37 | |
38 | assert_se(stat(c, &x) >= 0); | |
39 | assert_se(stat(d, &y) >= 0); | |
40 | ||
41 | assert_se(S_ISDIR(x.st_mode)); | |
42 | assert_se(S_ISDIR(y.st_mode)); | |
43 | ||
44 | assert_se((x.st_mode & 01777) == 01777); | |
45 | assert_se((y.st_mode & 01777) == 01777); | |
46 | ||
47 | assert_se(rmdir(c) >= 0); | |
48 | assert_se(rmdir(d) >= 0); | |
49 | ||
50 | assert_se(rmdir(a) >= 0); | |
51 | assert_se(rmdir(b) >= 0); | |
52 | } | |
53 | ||
806aea38 | 54 | static void test_netns(void) { |
3d94f76c | 55 | _cleanup_close_pair_ int s[2] = { -1, -1 }; |
613b411c LP |
56 | pid_t pid1, pid2, pid3; |
57 | int r, n = 0; | |
58 | siginfo_t si; | |
59 | ||
806aea38 KK |
60 | if (geteuid() > 0) { |
61 | (void) log_tests_skipped("not root"); | |
62 | return; | |
63 | } | |
613b411c LP |
64 | |
65 | assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0); | |
66 | ||
67 | pid1 = fork(); | |
68 | assert_se(pid1 >= 0); | |
69 | ||
70 | if (pid1 == 0) { | |
71 | r = setup_netns(s); | |
72 | assert_se(r >= 0); | |
73 | _exit(r); | |
74 | } | |
75 | ||
76 | pid2 = fork(); | |
77 | assert_se(pid2 >= 0); | |
78 | ||
79 | if (pid2 == 0) { | |
80 | r = setup_netns(s); | |
81 | assert_se(r >= 0); | |
82 | exit(r); | |
83 | } | |
84 | ||
85 | pid3 = fork(); | |
86 | assert_se(pid3 >= 0); | |
87 | ||
88 | if (pid3 == 0) { | |
89 | r = setup_netns(s); | |
90 | assert_se(r >= 0); | |
91 | exit(r); | |
92 | } | |
93 | ||
94 | r = wait_for_terminate(pid1, &si); | |
95 | assert_se(r >= 0); | |
96 | assert_se(si.si_code == CLD_EXITED); | |
97 | n += si.si_status; | |
98 | ||
99 | r = wait_for_terminate(pid2, &si); | |
100 | assert_se(r >= 0); | |
101 | assert_se(si.si_code == CLD_EXITED); | |
102 | n += si.si_status; | |
103 | ||
104 | r = wait_for_terminate(pid3, &si); | |
105 | assert_se(r >= 0); | |
106 | assert_se(si.si_code == CLD_EXITED); | |
107 | n += si.si_status; | |
108 | ||
109 | assert_se(n == 1); | |
806aea38 KK |
110 | } |
111 | ||
112 | static void test_protect_kernel_logs(void) { | |
113 | int r; | |
114 | pid_t pid; | |
115 | static const NamespaceInfo ns_info = { | |
116 | .protect_kernel_logs = true, | |
117 | }; | |
118 | ||
119 | if (geteuid() > 0) { | |
120 | (void) log_tests_skipped("not root"); | |
121 | return; | |
122 | } | |
123 | ||
124 | /* In a container we likely don't have access to /dev/kmsg */ | |
125 | if (detect_container() > 0) { | |
126 | (void) log_tests_skipped("in container"); | |
127 | return; | |
128 | } | |
129 | ||
130 | ||
131 | pid = fork(); | |
132 | assert_se(pid >= 0); | |
133 | ||
134 | if (pid == 0) { | |
135 | _cleanup_close_ int fd = -1; | |
136 | ||
137 | fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC); | |
138 | assert_se(fd > 0); | |
139 | ||
140 | r = setup_namespace(NULL, | |
141 | NULL, | |
142 | &ns_info, | |
143 | NULL, | |
144 | NULL, | |
145 | NULL, | |
146 | NULL, | |
147 | NULL, 0, | |
148 | NULL, 0, | |
149 | NULL, | |
150 | NULL, | |
151 | PROTECT_HOME_NO, | |
152 | PROTECT_SYSTEM_NO, | |
153 | 0, | |
154 | 0, | |
155 | NULL); | |
156 | assert_se(r == 0); | |
157 | ||
158 | assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0); | |
159 | assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0); | |
160 | assert_se(errno == EACCES); | |
161 | ||
162 | _exit(EXIT_SUCCESS); | |
163 | } | |
164 | ||
165 | assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS); | |
d8c9d3a4 ZJS |
166 | } |
167 | ||
168 | int main(int argc, char *argv[]) { | |
6b46ea73 LP |
169 | sd_id128_t bid; |
170 | char boot_id[SD_ID128_STRING_MAX]; | |
171 | _cleanup_free_ char *x = NULL, *y = NULL, *z = NULL, *zz = NULL; | |
d8c9d3a4 | 172 | |
6d7c4033 | 173 | test_setup_logging(LOG_INFO); |
d2528deb | 174 | |
5f00dc4d LP |
175 | if (!have_namespaces()) { |
176 | log_tests_skipped("Don't have namespace support"); | |
177 | return EXIT_TEST_SKIP; | |
178 | } | |
179 | ||
6b46ea73 LP |
180 | assert_se(sd_id128_get_boot(&bid) >= 0); |
181 | sd_id128_to_string(bid, boot_id); | |
182 | ||
605405c6 ZJS |
183 | x = strjoin("/tmp/systemd-private-", boot_id, "-abcd.service-"); |
184 | y = strjoin("/var/tmp/systemd-private-", boot_id, "-abcd.service-"); | |
6b46ea73 LP |
185 | assert_se(x && y); |
186 | ||
187 | test_tmpdir("abcd.service", x, y); | |
188 | ||
605405c6 ZJS |
189 | z = strjoin("/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-"); |
190 | zz = strjoin("/var/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-"); | |
6b46ea73 LP |
191 | |
192 | assert_se(z && zz); | |
193 | ||
194 | test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz); | |
d8c9d3a4 | 195 | |
806aea38 KK |
196 | test_netns(); |
197 | test_protect_kernel_logs(); | |
198 | ||
199 | return EXIT_SUCCESS; | |
d8c9d3a4 | 200 | } |