[thirdparty/systemd.git] / src / test / test-namespace.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "namespace.h"
#include "process-util.h"
#include "string-util.h"
#include "tests.h"
#include "user-util.h"
#include "util.h"
#include "virt.h"

static void test_namespace_cleanup_tmpdir(void) {
        {
                _cleanup_(namespace_cleanup_tmpdirp) char *dir;
                assert_se(dir = strdup(RUN_SYSTEMD_EMPTY));
        }

        {
                _cleanup_(namespace_cleanup_tmpdirp) char *dir;
                assert_se(dir = strdup("/tmp/systemd-test-namespace.XXXXXX"));
                assert_se(mkdtemp(dir));
        }
}

static void test_tmpdir(const char *id, const char *A, const char *B) {
        _cleanup_free_ char *a, *b;
        struct stat x, y;
        char *c, *d;

        assert_se(setup_tmp_dirs(id, &a, &b) == 0);

        assert_se(stat(a, &x) >= 0);
        assert_se(stat(b, &y) >= 0);

        assert_se(S_ISDIR(x.st_mode));
        assert_se(S_ISDIR(y.st_mode));

        if (!streq(a, RUN_SYSTEMD_EMPTY)) {
                assert_se(startswith(a, A));
                assert_se((x.st_mode & 01777) == 0700);
                c = strjoina(a, "/tmp");
                assert_se(stat(c, &x) >= 0);
                assert_se(S_ISDIR(x.st_mode));
                assert_se(FLAGS_SET(x.st_mode, 01777));
                assert_se(rmdir(c) >= 0);
                assert_se(rmdir(a) >= 0);
        }

        if (!streq(b, RUN_SYSTEMD_EMPTY)) {
                assert_se(startswith(b, B));
                assert_se((y.st_mode & 01777) == 0700);
                d = strjoina(b, "/tmp");
                assert_se(stat(d, &y) >= 0);
                assert_se(S_ISDIR(y.st_mode));
                assert_se(FLAGS_SET(y.st_mode, 01777));
                assert_se(rmdir(d) >= 0);
                assert_se(rmdir(b) >= 0);
        }
}

static void test_shareable_ns(unsigned long nsflag) {
        _cleanup_close_pair_ int s[2] = { -1, -1 };
        pid_t pid1, pid2, pid3;
        int r, n = 0;
        siginfo_t si;

        if (geteuid() > 0) {
                (void) log_tests_skipped("not root");
                return;
        }

        assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);

        pid1 = fork();
        assert_se(pid1 >= 0);

        if (pid1 == 0) {
                r = setup_shareable_ns(s, nsflag);
                assert_se(r >= 0);
                _exit(r);
        }

        pid2 = fork();
        assert_se(pid2 >= 0);

        if (pid2 == 0) {
                r = setup_shareable_ns(s, nsflag);
                assert_se(r >= 0);
                exit(r);
        }

        pid3 = fork();
        assert_se(pid3 >= 0);

        if (pid3 == 0) {
                r = setup_shareable_ns(s, nsflag);
                assert_se(r >= 0);
                exit(r);
        }

        r = wait_for_terminate(pid1, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        r = wait_for_terminate(pid2, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        r = wait_for_terminate(pid3, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        assert_se(n == 1);
}

static void test_netns(void) {
        test_shareable_ns(CLONE_NEWNET);
}

static void test_ipcns(void) {
        test_shareable_ns(CLONE_NEWIPC);
}

static void test_protect_kernel_logs(void) {
        int r;
        pid_t pid;
        static const NamespaceInfo ns_info = {
                .protect_kernel_logs = true,
        };

        if (geteuid() > 0) {
                (void) log_tests_skipped("not root");
                return;
        }

        /* In a container we likely don't have access to /dev/kmsg */
        if (detect_container() > 0) {
                (void) log_tests_skipped("in container");
                return;
        }

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                _cleanup_close_ int fd = -1;

                fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
                assert_se(fd > 0);

                r = setup_namespace(NULL,
                                    NULL,
                                    NULL,
                                    &ns_info,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL, 0,
                                    NULL, 0,
                                    NULL, 0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL);
                assert_se(r == 0);

                assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
                assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
                assert_se(errno == EACCES);

                _exit(EXIT_SUCCESS);
        }

        assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
}

int main(int argc, char *argv[]) {
        _cleanup_free_ char *x = NULL, *y = NULL, *z = NULL, *zz = NULL;
        sd_id128_t bid;

        test_setup_logging(LOG_INFO);

        test_namespace_cleanup_tmpdir();

        if (!have_namespaces()) {
                log_tests_skipped("Don't have namespace support");
                return EXIT_TEST_SKIP;
        }

        assert_se(sd_id128_get_boot(&bid) >= 0);

        x = strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-abcd.service-");
        y = strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-abcd.service-");
        assert_se(x && y);

        test_tmpdir("abcd.service", x, y);

        z = strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
        zz = strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");

        assert_se(z && zz);

        test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);

        test_netns();
        test_ipcns();
        test_protect_kernel_logs();

        return EXIT_SUCCESS;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
d8c9d3a4	2
806aea38	3	#include <fcntl.h>
613b411c	4	#include <sys/socket.h>
ca78ad1d	5	#include <sys/stat.h>
d8c9d3a4	6
b5efdb8a	7	#include "alloc-util.h"
3ffd4af2	8	#include "fd-util.h"
d8c9d3a4	9	#include "namespace.h"
0b452006	10	#include "process-util.h"
07630cea	11	#include "string-util.h"
317bb217	12	#include "tests.h"
806aea38	13	#include "user-util.h"
07630cea	14	#include "util.h"
806aea38	15	#include "virt.h"
d8c9d3a4	16
56a13a49 ZJS	17	static void test_namespace_cleanup_tmpdir(void) {
	18	{
	19	_cleanup_(namespace_cleanup_tmpdirp) char *dir;
	20	assert_se(dir = strdup(RUN_SYSTEMD_EMPTY));
	21	}
	22
	23	{
	24	_cleanup_(namespace_cleanup_tmpdirp) char *dir;
	25	assert_se(dir = strdup("/tmp/systemd-test-namespace.XXXXXX"));
	26	assert_se(mkdtemp(dir));
	27	}
	28	}
	29
d8c9d3a4 ZJS	30	static void test_tmpdir(const char id, const char A, const char *B) {
d8c9d3a4 ZJS	31	_cleanup_free_ char a, b;
613b411c LP	32	struct stat x, y;
613b411c LP	33	char c, d;
d8c9d3a4	34
613b411c	35	assert_se(setup_tmp_dirs(id, &a, &b) == 0);
d8c9d3a4	36
613b411c LP	37	assert_se(stat(a, &x) >= 0);
613b411c LP	38	assert_se(stat(b, &y) >= 0);
d8c9d3a4	39
613b411c LP	40	assert_se(S_ISDIR(x.st_mode));
613b411c LP	41	assert_se(S_ISDIR(y.st_mode));
d8c9d3a4	42
56a13a49 ZJS	43	if (!streq(a, RUN_SYSTEMD_EMPTY)) {
	44	assert_se(startswith(a, A));
	45	assert_se((x.st_mode & 01777) == 0700);
	46	c = strjoina(a, "/tmp");
	47	assert_se(stat(c, &x) >= 0);
	48	assert_se(S_ISDIR(x.st_mode));
1d6cc5d0	49	assert_se(FLAGS_SET(x.st_mode, 01777));
56a13a49 ZJS	50	assert_se(rmdir(c) >= 0);
	51	assert_se(rmdir(a) >= 0);
	52	}
613b411c	53
56a13a49 ZJS	54	if (!streq(b, RUN_SYSTEMD_EMPTY)) {
	55	assert_se(startswith(b, B));
	56	assert_se((y.st_mode & 01777) == 0700);
	57	d = strjoina(b, "/tmp");
	58	assert_se(stat(d, &y) >= 0);
	59	assert_se(S_ISDIR(y.st_mode));
1d6cc5d0	60	assert_se(FLAGS_SET(y.st_mode, 01777));
56a13a49 ZJS	61	assert_se(rmdir(d) >= 0);
	62	assert_se(rmdir(b) >= 0);
	63	}
613b411c LP	64	}
613b411c LP	65
54c2459d	66	static void test_shareable_ns(unsigned long nsflag) {
3d94f76c	67	_cleanup_close_pair_ int s[2] = { -1, -1 };
613b411c LP	68	pid_t pid1, pid2, pid3;
	69	int r, n = 0;
	70	siginfo_t si;
	71
806aea38 KK	72	if (geteuid() > 0) {
	73	(void) log_tests_skipped("not root");
	74	return;
	75	}
613b411c LP	76
	77	assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);
	78
	79	pid1 = fork();
	80	assert_se(pid1 >= 0);
	81
	82	if (pid1 == 0) {
54c2459d	83	r = setup_shareable_ns(s, nsflag);
613b411c LP	84	assert_se(r >= 0);
	85	_exit(r);
	86	}
	87
	88	pid2 = fork();
	89	assert_se(pid2 >= 0);
	90
	91	if (pid2 == 0) {
54c2459d	92	r = setup_shareable_ns(s, nsflag);
613b411c LP	93	assert_se(r >= 0);
	94	exit(r);
	95	}
	96
	97	pid3 = fork();
	98	assert_se(pid3 >= 0);
	99
	100	if (pid3 == 0) {
54c2459d	101	r = setup_shareable_ns(s, nsflag);
613b411c LP	102	assert_se(r >= 0);
	103	exit(r);
	104	}
	105
	106	r = wait_for_terminate(pid1, &si);
	107	assert_se(r >= 0);
	108	assert_se(si.si_code == CLD_EXITED);
	109	n += si.si_status;
	110
	111	r = wait_for_terminate(pid2, &si);
	112	assert_se(r >= 0);
	113	assert_se(si.si_code == CLD_EXITED);
	114	n += si.si_status;
	115
	116	r = wait_for_terminate(pid3, &si);
	117	assert_se(r >= 0);
	118	assert_se(si.si_code == CLD_EXITED);
	119	n += si.si_status;
	120
	121	assert_se(n == 1);
806aea38 KK	122	}
806aea38 KK	123
54c2459d XR	124	static void test_netns(void) {
	125	test_shareable_ns(CLONE_NEWNET);
	126	}
	127
	128	static void test_ipcns(void) {
	129	test_shareable_ns(CLONE_NEWIPC);
	130	}
	131
806aea38 KK	132	static void test_protect_kernel_logs(void) {
	133	int r;
	134	pid_t pid;
	135	static const NamespaceInfo ns_info = {
	136	.protect_kernel_logs = true,
	137	};
	138
	139	if (geteuid() > 0) {
	140	(void) log_tests_skipped("not root");
	141	return;
	142	}
	143
	144	/* In a container we likely don't have access to /dev/kmsg */
	145	if (detect_container() > 0) {
	146	(void) log_tests_skipped("in container");
	147	return;
	148	}
	149
806aea38 KK	150	pid = fork();
	151	assert_se(pid >= 0);
	152
	153	if (pid == 0) {
	154	_cleanup_close_ int fd = -1;
	155
	156	fd = open("/dev/kmsg", O_RDONLY \| O_CLOEXEC);
	157	assert_se(fd > 0);
	158
	159	r = setup_namespace(NULL,
18d73705	160	NULL,
806aea38 KK	161	NULL,
	162	&ns_info,
	163	NULL,
	164	NULL,
	165	NULL,
	166	NULL,
ddc155b2 TM	167	NULL,
ddc155b2 TM	168	NULL,
df61e79a	169	NULL,
806aea38 KK	170	NULL, 0,
806aea38 KK	171	NULL, 0,
b3d13314	172	NULL, 0,
806aea38 KK	173	NULL,
806aea38 KK	174	NULL,
91dd5f7c	175	NULL,
bbb4e7f3	176	NULL,
806aea38	177	0,
0389f4fa LB	178	NULL,
	179	0,
	180	NULL,
	181	NULL,
806aea38	182	0,
d4d55b0d LB	183	NULL,
d4d55b0d LB	184	NULL,
5e8deb94	185	NULL,
93f59701 LB	186	0,
93f59701 LB	187	NULL,
5e8deb94	188	NULL,
3bdc25a4	189	NULL,
806aea38 KK	190	NULL);
	191	assert_se(r == 0);
	192
	193	assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
	194	assert_se(open("/dev/kmsg", O_RDONLY \| O_CLOEXEC) < 0);
	195	assert_se(errno == EACCES);
	196
	197	_exit(EXIT_SUCCESS);
	198	}
	199
	200	assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
d8c9d3a4 ZJS	201	}
	202
	203	int main(int argc, char *argv[]) {
6b46ea73	204	_cleanup_free_ char x = NULL, y = NULL, z = NULL, zz = NULL;
85b55869	205	sd_id128_t bid;
d8c9d3a4	206
6d7c4033	207	test_setup_logging(LOG_INFO);
d2528deb	208
56a13a49 ZJS	209	test_namespace_cleanup_tmpdir();
56a13a49 ZJS	210
5f00dc4d LP	211	if (!have_namespaces()) {
	212	log_tests_skipped("Don't have namespace support");
	213	return EXIT_TEST_SKIP;
	214	}
	215
6b46ea73	216	assert_se(sd_id128_get_boot(&bid) >= 0);
6b46ea73	217
85b55869 LP	218	x = strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-abcd.service-");
85b55869 LP	219	y = strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-abcd.service-");
6b46ea73 LP	220	assert_se(x && y);
	221
	222	test_tmpdir("abcd.service", x, y);
	223
85b55869 LP	224	z = strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
85b55869 LP	225	zz = strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(bid), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
6b46ea73 LP	226
	227	assert_se(z && zz);
	228
	229	test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);
d8c9d3a4	230
806aea38	231	test_netns();
54c2459d	232	test_ipcns();
806aea38 KK	233	test_protect_kernel_logs();
	234
	235	return EXIT_SUCCESS;
d8c9d3a4	236	}