[thirdparty/systemd.git] / src / test / test-namespace.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "namespace.h"
#include "process-util.h"
#include "string-util.h"
#include "tests.h"
#include "user-util.h"
#include "util.h"
#include "virt.h"

static void test_namespace_cleanup_tmpdir(void) {
        {
                _cleanup_(namespace_cleanup_tmpdirp) char *dir;
                assert_se(dir = strdup(RUN_SYSTEMD_EMPTY));
        }

        {
                _cleanup_(namespace_cleanup_tmpdirp) char *dir;
                assert_se(dir = strdup("/tmp/systemd-test-namespace.XXXXXX"));
                assert_se(mkdtemp(dir));
        }
}

static void test_tmpdir(const char *id, const char *A, const char *B) {
        _cleanup_free_ char *a, *b;
        struct stat x, y;
        char *c, *d;

        assert_se(setup_tmp_dirs(id, &a, &b) == 0);

        assert_se(stat(a, &x) >= 0);
        assert_se(stat(b, &y) >= 0);

        assert_se(S_ISDIR(x.st_mode));
        assert_se(S_ISDIR(y.st_mode));

        if (!streq(a, RUN_SYSTEMD_EMPTY)) {
                assert_se(startswith(a, A));
                assert_se((x.st_mode & 01777) == 0700);
                c = strjoina(a, "/tmp");
                assert_se(stat(c, &x) >= 0);
                assert_se(S_ISDIR(x.st_mode));
                assert_se(FLAGS_SET(x.st_mode, 01777));
                assert_se(rmdir(c) >= 0);
                assert_se(rmdir(a) >= 0);
        }

        if (!streq(b, RUN_SYSTEMD_EMPTY)) {
                assert_se(startswith(b, B));
                assert_se((y.st_mode & 01777) == 0700);
                d = strjoina(b, "/tmp");
                assert_se(stat(d, &y) >= 0);
                assert_se(S_ISDIR(y.st_mode));
                assert_se(FLAGS_SET(y.st_mode, 01777));
                assert_se(rmdir(d) >= 0);
                assert_se(rmdir(b) >= 0);
        }
}

static void test_netns(void) {
        _cleanup_close_pair_ int s[2] = { -1, -1 };
        pid_t pid1, pid2, pid3;
        int r, n = 0;
        siginfo_t si;

        if (geteuid() > 0) {
                (void) log_tests_skipped("not root");
                return;
        }

        assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);

        pid1 = fork();
        assert_se(pid1 >= 0);

        if (pid1 == 0) {
                r = setup_netns(s);
                assert_se(r >= 0);
                _exit(r);
        }

        pid2 = fork();
        assert_se(pid2 >= 0);

        if (pid2 == 0) {
                r = setup_netns(s);
                assert_se(r >= 0);
                exit(r);
        }

        pid3 = fork();
        assert_se(pid3 >= 0);

        if (pid3 == 0) {
                r = setup_netns(s);
                assert_se(r >= 0);
                exit(r);
        }

        r = wait_for_terminate(pid1, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        r = wait_for_terminate(pid2, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        r = wait_for_terminate(pid3, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        assert_se(n == 1);
}

static void test_protect_kernel_logs(void) {
        int r;
        pid_t pid;
        static const NamespaceInfo ns_info = {
                .protect_kernel_logs = true,
        };

        if (geteuid() > 0) {
                (void) log_tests_skipped("not root");
                return;
        }

        /* In a container we likely don't have access to /dev/kmsg */
        if (detect_container() > 0) {
                (void) log_tests_skipped("in container");
                return;
        }


        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                _cleanup_close_ int fd = -1;

                fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
                assert_se(fd > 0);

                r = setup_namespace(NULL,
                                    NULL,
                                    NULL,
                                    &ns_info,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL, 0,
                                    NULL, 0,
                                    NULL, 0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL);
                assert_se(r == 0);

                assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
                assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
                assert_se(errno == EACCES);

                _exit(EXIT_SUCCESS);
        }

        assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
}

int main(int argc, char *argv[]) {
        sd_id128_t bid;
        char boot_id[SD_ID128_STRING_MAX];
        _cleanup_free_ char *x = NULL, *y = NULL, *z = NULL, *zz = NULL;

        test_setup_logging(LOG_INFO);

        test_namespace_cleanup_tmpdir();

        if (!have_namespaces()) {
                log_tests_skipped("Don't have namespace support");
                return EXIT_TEST_SKIP;
        }

        assert_se(sd_id128_get_boot(&bid) >= 0);
        sd_id128_to_string(bid, boot_id);

        x = strjoin("/tmp/systemd-private-", boot_id, "-abcd.service-");
        y = strjoin("/var/tmp/systemd-private-", boot_id, "-abcd.service-");
        assert_se(x && y);

        test_tmpdir("abcd.service", x, y);

        z = strjoin("/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
        zz = strjoin("/var/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");

        assert_se(z && zz);

        test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);

        test_netns();
        test_protect_kernel_logs();

        return EXIT_SUCCESS;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
d8c9d3a4	2
806aea38	3	#include <fcntl.h>
613b411c	4	#include <sys/socket.h>
ca78ad1d	5	#include <sys/stat.h>
d8c9d3a4	6
b5efdb8a	7	#include "alloc-util.h"
3ffd4af2	8	#include "fd-util.h"
d8c9d3a4	9	#include "namespace.h"
0b452006	10	#include "process-util.h"
07630cea	11	#include "string-util.h"
317bb217	12	#include "tests.h"
806aea38	13	#include "user-util.h"
07630cea	14	#include "util.h"
806aea38	15	#include "virt.h"
d8c9d3a4	16
56a13a49 ZJS	17	static void test_namespace_cleanup_tmpdir(void) {
	18	{
	19	_cleanup_(namespace_cleanup_tmpdirp) char *dir;
	20	assert_se(dir = strdup(RUN_SYSTEMD_EMPTY));
	21	}
	22
	23	{
	24	_cleanup_(namespace_cleanup_tmpdirp) char *dir;
	25	assert_se(dir = strdup("/tmp/systemd-test-namespace.XXXXXX"));
	26	assert_se(mkdtemp(dir));
	27	}
	28	}
	29
d8c9d3a4 ZJS	30	static void test_tmpdir(const char id, const char A, const char *B) {
d8c9d3a4 ZJS	31	_cleanup_free_ char a, b;
613b411c LP	32	struct stat x, y;
613b411c LP	33	char c, d;
d8c9d3a4	34
613b411c	35	assert_se(setup_tmp_dirs(id, &a, &b) == 0);
d8c9d3a4	36
613b411c LP	37	assert_se(stat(a, &x) >= 0);
613b411c LP	38	assert_se(stat(b, &y) >= 0);
d8c9d3a4	39
613b411c LP	40	assert_se(S_ISDIR(x.st_mode));
613b411c LP	41	assert_se(S_ISDIR(y.st_mode));
d8c9d3a4	42
56a13a49 ZJS	43	if (!streq(a, RUN_SYSTEMD_EMPTY)) {
	44	assert_se(startswith(a, A));
	45	assert_se((x.st_mode & 01777) == 0700);
	46	c = strjoina(a, "/tmp");
	47	assert_se(stat(c, &x) >= 0);
	48	assert_se(S_ISDIR(x.st_mode));
1d6cc5d0	49	assert_se(FLAGS_SET(x.st_mode, 01777));
56a13a49 ZJS	50	assert_se(rmdir(c) >= 0);
	51	assert_se(rmdir(a) >= 0);
	52	}
613b411c	53
56a13a49 ZJS	54	if (!streq(b, RUN_SYSTEMD_EMPTY)) {
	55	assert_se(startswith(b, B));
	56	assert_se((y.st_mode & 01777) == 0700);
	57	d = strjoina(b, "/tmp");
	58	assert_se(stat(d, &y) >= 0);
	59	assert_se(S_ISDIR(y.st_mode));
1d6cc5d0	60	assert_se(FLAGS_SET(y.st_mode, 01777));
56a13a49 ZJS	61	assert_se(rmdir(d) >= 0);
	62	assert_se(rmdir(b) >= 0);
	63	}
613b411c LP	64	}
613b411c LP	65
806aea38	66	static void test_netns(void) {
3d94f76c	67	_cleanup_close_pair_ int s[2] = { -1, -1 };
613b411c LP	68	pid_t pid1, pid2, pid3;
	69	int r, n = 0;
	70	siginfo_t si;
	71
806aea38 KK	72	if (geteuid() > 0) {
	73	(void) log_tests_skipped("not root");
	74	return;
	75	}
613b411c LP	76
	77	assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);
	78
	79	pid1 = fork();
	80	assert_se(pid1 >= 0);
	81
	82	if (pid1 == 0) {
	83	r = setup_netns(s);
	84	assert_se(r >= 0);
	85	_exit(r);
	86	}
	87
	88	pid2 = fork();
	89	assert_se(pid2 >= 0);
	90
	91	if (pid2 == 0) {
	92	r = setup_netns(s);
	93	assert_se(r >= 0);
	94	exit(r);
	95	}
	96
	97	pid3 = fork();
	98	assert_se(pid3 >= 0);
	99
	100	if (pid3 == 0) {
	101	r = setup_netns(s);
	102	assert_se(r >= 0);
	103	exit(r);
	104	}
	105
	106	r = wait_for_terminate(pid1, &si);
	107	assert_se(r >= 0);
	108	assert_se(si.si_code == CLD_EXITED);
	109	n += si.si_status;
	110
	111	r = wait_for_terminate(pid2, &si);
	112	assert_se(r >= 0);
	113	assert_se(si.si_code == CLD_EXITED);
	114	n += si.si_status;
	115
	116	r = wait_for_terminate(pid3, &si);
	117	assert_se(r >= 0);
	118	assert_se(si.si_code == CLD_EXITED);
	119	n += si.si_status;
	120
	121	assert_se(n == 1);
806aea38 KK	122	}
	123
	124	static void test_protect_kernel_logs(void) {
	125	int r;
	126	pid_t pid;
	127	static const NamespaceInfo ns_info = {
	128	.protect_kernel_logs = true,
	129	};
	130
	131	if (geteuid() > 0) {
	132	(void) log_tests_skipped("not root");
	133	return;
	134	}
	135
	136	/* In a container we likely don't have access to /dev/kmsg */
	137	if (detect_container() > 0) {
	138	(void) log_tests_skipped("in container");
	139	return;
	140	}
	141
	142
	143	pid = fork();
	144	assert_se(pid >= 0);
	145
	146	if (pid == 0) {
	147	_cleanup_close_ int fd = -1;
	148
	149	fd = open("/dev/kmsg", O_RDONLY \| O_CLOEXEC);
	150	assert_se(fd > 0);
	151
	152	r = setup_namespace(NULL,
18d73705	153	NULL,
806aea38 KK	154	NULL,
	155	&ns_info,
	156	NULL,
	157	NULL,
	158	NULL,
	159	NULL,
	160	NULL, 0,
	161	NULL, 0,
b3d13314	162	NULL, 0,
806aea38 KK	163	NULL,
806aea38 KK	164	NULL,
91dd5f7c	165	NULL,
bbb4e7f3	166	NULL,
806aea38	167	0,
0389f4fa LB	168	NULL,
	169	0,
	170	NULL,
	171	NULL,
806aea38	172	0,
d4d55b0d LB	173	NULL,
	174	NULL,
	175	0,
806aea38 KK	176	NULL);
	177	assert_se(r == 0);
	178
	179	assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
	180	assert_se(open("/dev/kmsg", O_RDONLY \| O_CLOEXEC) < 0);
	181	assert_se(errno == EACCES);
	182
	183	_exit(EXIT_SUCCESS);
	184	}
	185
	186	assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
d8c9d3a4 ZJS	187	}
	188
	189	int main(int argc, char *argv[]) {
6b46ea73 LP	190	sd_id128_t bid;
	191	char boot_id[SD_ID128_STRING_MAX];
	192	_cleanup_free_ char x = NULL, y = NULL, z = NULL, zz = NULL;
d8c9d3a4	193
6d7c4033	194	test_setup_logging(LOG_INFO);
d2528deb	195
56a13a49 ZJS	196	test_namespace_cleanup_tmpdir();
56a13a49 ZJS	197
5f00dc4d LP	198	if (!have_namespaces()) {
	199	log_tests_skipped("Don't have namespace support");
	200	return EXIT_TEST_SKIP;
	201	}
	202
6b46ea73 LP	203	assert_se(sd_id128_get_boot(&bid) >= 0);
	204	sd_id128_to_string(bid, boot_id);
	205
605405c6 ZJS	206	x = strjoin("/tmp/systemd-private-", boot_id, "-abcd.service-");
605405c6 ZJS	207	y = strjoin("/var/tmp/systemd-private-", boot_id, "-abcd.service-");
6b46ea73 LP	208	assert_se(x && y);
	209
	210	test_tmpdir("abcd.service", x, y);
	211
605405c6 ZJS	212	z = strjoin("/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
605405c6 ZJS	213	zz = strjoin("/var/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
6b46ea73 LP	214
	215	assert_se(z && zz);
	216
	217	test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);
d8c9d3a4	218
806aea38 KK	219	test_netns();
	220	test_protect_kernel_logs();
	221
	222	return EXIT_SUCCESS;
d8c9d3a4	223	}