Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
d8c9d3a4 | 2 | |
806aea38 | 3 | #include <fcntl.h> |
613b411c | 4 | #include <sys/socket.h> |
ca78ad1d | 5 | #include <sys/stat.h> |
d8c9d3a4 | 6 | |
b5efdb8a | 7 | #include "alloc-util.h" |
3ffd4af2 | 8 | #include "fd-util.h" |
d8c9d3a4 | 9 | #include "namespace.h" |
0b452006 | 10 | #include "process-util.h" |
07630cea | 11 | #include "string-util.h" |
317bb217 | 12 | #include "tests.h" |
806aea38 | 13 | #include "user-util.h" |
07630cea | 14 | #include "util.h" |
806aea38 | 15 | #include "virt.h" |
d8c9d3a4 | 16 | |
/* Lets namespace_cleanup_tmpdirp run at scope exit for two kinds of path: the RUN_SYSTEMD_EMPTY
 * placeholder, and a directory this test has just created with mkdtemp(). The test only requires
 * that both scopes are left without a failed assertion. */
static void test_namespace_cleanup_tmpdir(void) {
        {
                _cleanup_(namespace_cleanup_tmpdirp) char *placeholder;

                placeholder = strdup(RUN_SYSTEMD_EMPTY);
                assert_se(placeholder);
        }

        {
                _cleanup_(namespace_cleanup_tmpdirp) char *scratch;

                /* mkdtemp() fills in the XXXXXX suffix itself and creates the directory, so the
                 * final name under /tmp is not chosen by this code. */
                scratch = strdup("/tmp/systemd-test-namespace.XXXXXX");
                assert_se(scratch);
                assert_se(mkdtemp(scratch) != NULL);
        }
}
29 | ||
/* Checks the two directories that setup_tmp_dirs() hands back for unit `id`.
 *
 * A and B are the path prefixes expected for the first and the second directory. A returned path
 * equal to RUN_SYSTEMD_EMPTY only has to be a directory. Any other path must start with its
 * prefix, have exactly 0700 within the 01777 mode bits (owner-only, no sticky bit), and contain a
 * "tmp" subdirectory with all of 01777 set. Both levels are removed again with rmdir(). */
static void test_tmpdir(const char *id, const char *A, const char *B) {
        _cleanup_free_ char *dir_a, *dir_b;
        struct stat st_a, st_b;
        char *inner_a, *inner_b;

        assert_se(setup_tmp_dirs(id, &dir_a, &dir_b) == 0);

        /* Both paths are stat()ed before any type or mode check is made. */
        assert_se(stat(dir_a, &st_a) >= 0);
        assert_se(stat(dir_b, &st_b) >= 0);

        assert_se(S_ISDIR(st_a.st_mode));
        assert_se(S_ISDIR(st_b.st_mode));

        if (!streq(dir_a, RUN_SYSTEMD_EMPTY)) {
                assert_se(startswith(dir_a, A));
                /* Outer directory: owner-only, so other users cannot reach what is inside. */
                assert_se((st_a.st_mode & 01777) == 0700);

                inner_a = strjoina(dir_a, "/tmp");
                assert_se(stat(inner_a, &st_a) >= 0);
                assert_se(S_ISDIR(st_a.st_mode));
                /* Inner directory: world-writable with the sticky bit, like a regular /tmp. */
                assert_se(FLAGS_SET(st_a.st_mode, 01777));

                /* rmdir() succeeds only on empty directories, so inner goes before outer. */
                assert_se(rmdir(inner_a) >= 0);
                assert_se(rmdir(dir_a) >= 0);
        }

        if (!streq(dir_b, RUN_SYSTEMD_EMPTY)) {
                assert_se(startswith(dir_b, B));
                assert_se((st_b.st_mode & 01777) == 0700);

                inner_b = strjoina(dir_b, "/tmp");
                assert_se(stat(inner_b, &st_b) >= 0);
                assert_se(S_ISDIR(st_b.st_mode));
                assert_se(FLAGS_SET(st_b.st_mode, 01777));

                assert_se(rmdir(inner_b) >= 0);
                assert_se(rmdir(dir_b) >= 0);
        }
}
65 | ||
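/* Forks three children that each call setup_shareable_ns() on the same socket pair with the given
 * namespace flag, then adds up their exit statuses.
 *
 * Every child asserts r >= 0 and exits with r, so the final n == 1 check means exactly one child
 * returned 1 and the other two returned 0 (presumably the child that created the namespace versus
 * the two that joined it; confirm against setup_shareable_ns()). Skipped when not run as root. */
static void test_shareable_ns(unsigned long nsflag) {
        _cleanup_close_pair_ int s[2] = { -1, -1 };
        pid_t pid1, pid2, pid3;
        int r, n = 0;
        siginfo_t si;

        if (geteuid() > 0) {
                (void) log_tests_skipped("not root");
                return;
        }

        assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);

        pid1 = fork();
        assert_se(pid1 >= 0);

        if (pid1 == 0) {
                r = setup_shareable_ns(s, nsflag);
                assert_se(r >= 0);
                _exit(r);
        }

        pid2 = fork();
        assert_se(pid2 >= 0);

        if (pid2 == 0) {
                r = setup_shareable_ns(s, nsflag);
                assert_se(r >= 0);
                /* _exit(), as in the first child: exit() in a forked child would run the
                 * atexit handlers and flush the stdio buffers copied from the parent. */
                _exit(r);
        }

        pid3 = fork();
        assert_se(pid3 >= 0);

        if (pid3 == 0) {
                r = setup_shareable_ns(s, nsflag);
                assert_se(r >= 0);
                _exit(r);
        }

        /* A child killed by a signal (for instance by a failed assertion) is rejected by the
         * CLD_EXITED checks rather than being counted into n. */
        r = wait_for_terminate(pid1, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        r = wait_for_terminate(pid2, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        r = wait_for_terminate(pid3, &si);
        assert_se(r >= 0);
        assert_se(si.si_code == CLD_EXITED);
        n += si.si_status;

        assert_se(n == 1);
}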
123 | ||
/* Runs the shared-namespace test with the network namespace flag. */
static void test_netns(void) {
        const unsigned long nsflag = CLONE_NEWNET;

        test_shareable_ns(nsflag);
}
127 | ||
/* Runs the shared-namespace test with the IPC namespace flag. */
static void test_ipcns(void) {
        const unsigned long nsflag = CLONE_NEWIPC;

        test_shareable_ns(nsflag);
}
131 | ||
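/* Verifies that a namespace set up with protect_kernel_logs denies opening /dev/kmsg.
 *
 * A forked child first opens /dev/kmsg as root to prove the device is readable at all, then calls
 * setup_namespace() with only .protect_kernel_logs set, switches to UID_NOBODY and expects a
 * second open() to fail with EACCES. Skipped when not root or when running in a container.
 *
 * NOTE(review): the denial is checked only after the switch to UID_NOBODY. This test makes no
 * statement about a process that stays root inside the namespace, nor about the descriptor that
 * was opened before setup_namespace() and stays open until the child exits. */
static void test_protect_kernel_logs(void) {
        int r;
        pid_t pid;
        static const NamespaceInfo ns_info = {
                .protect_kernel_logs = true,
        };

        if (geteuid() > 0) {
                (void) log_tests_skipped("not root");
                return;
        }

        /* In a container we likely don't have access to /dev/kmsg */
        if (detect_container() > 0) {
                (void) log_tests_skipped("in container");
                return;
        }

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                _cleanup_close_ int fd = -1;

                fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
                /* open() reports failure with -1. Descriptor 0 is a valid result when the test
                 * was started with stdin closed, so it must not be treated as an error. */
                assert_se(fd >= 0);

                /* Everything except the NamespaceInfo is left at NULL/0. */
                r = setup_namespace(NULL,
                                    NULL,
                                    NULL,
                                    &ns_info,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL, 0,
                                    NULL, 0,
                                    NULL, 0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    0,
                                    NULL,
                                    NULL,
                                    NULL,
                                    NULL);
                assert_se(r == 0);

                assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
                assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
                /* The failure has to be a permission denial, not e.g. a missing device node. */
                assert_se(errno == EACCES);

                _exit(EXIT_SUCCESS);
        }

        assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
}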
202 | ||
/* Test entry point. The tmpdir cleanup test runs unconditionally; everything else is skipped
 * with EXIT_TEST_SKIP when have_namespaces() reports no namespace support. */
int main(int argc, char *argv[]) {
        _cleanup_free_ char *svc_tmp = NULL, *svc_var_tmp = NULL, *dev_tmp = NULL, *dev_var_tmp = NULL;
        sd_id128_t boot_id;

        test_setup_logging(LOG_INFO);

        test_namespace_cleanup_tmpdir();

        if (!have_namespaces()) {
                log_tests_skipped("Don't have namespace support");
                return EXIT_TEST_SKIP;
        }

        /* The expected directory prefixes embed the boot ID, so it is fetched first. */
        assert_se(sd_id128_get_boot(&boot_id) >= 0);

        /* Case 1: a plain service unit name. */
        svc_tmp = strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(boot_id), "-abcd.service-");
        svc_var_tmp = strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(boot_id), "-abcd.service-");
        assert_se(svc_tmp && svc_var_tmp);

        test_tmpdir("abcd.service", svc_tmp, svc_var_tmp);

        /* Case 2: a long device unit name containing ':' and "\x2d" escape sequences. */
        dev_tmp = strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(boot_id), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
        dev_var_tmp = strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(boot_id), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");

        assert_se(dev_tmp && dev_var_tmp);

        test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", dev_tmp, dev_var_tmp);

        test_netns();
        test_ipcns();
        test_protect_kernel_logs();

        return EXIT_SUCCESS;
}