Brief is sweet.
systemctl stop sleep.service hello-after-sleep.target
# Some basic testing that --show-transaction does something useful
-systemctl is-active systemd-importd && { echo 'unexpected success'; exit 1; }
+(! systemctl is-active systemd-importd)
systemctl -T start systemd-importd
systemctl is-active systemd-importd
systemctl --show-transaction stop systemd-importd
-systemctl is-active systemd-importd && { echo 'unexpected success'; exit 1; }
+(! systemctl is-active systemd-importd)
# Test for a crash when enqueuing a JOB_NOP when other job already exists
systemctl start --no-block hello-after-sleep.target
# wait5fail fails, so systemctl should fail
START_SEC=$(date -u '+%s')
-systemctl start --wait wait2.service wait5fail.service && { echo 'unexpected success'; exit 1; }
+(! systemctl start --wait wait2.service wait5fail.service)
END_SEC=$(date -u '+%s')
ELAPSED=$((END_SEC-START_SEC))
[[ "$ELAPSED" -ge 5 ]] && [[ "$ELAPSED" -le 7 ]] || exit 1
grep -q '^__CURSOR=' /output
grep -q '^MESSAGE=foo$' /output
grep -q '^PRIORITY=6$' /output
-grep '^FOO=' /output && { echo 'unexpected success'; exit 1; }
-grep '^SYSLOG_FACILITY=' /output && { echo 'unexpected success'; exit 1; }
+(! grep '^FOO=' /output)
+(! grep '^SYSLOG_FACILITY=' /output)
-# `-b all` negates earlier use of -b (-b and -m are otherwise exclusive)
+# '-b all' negates earlier use of -b (-b and -m are otherwise exclusive)
journalctl -b -1 -b all -m >/dev/null
# -b always behaves like -b0
set -o pipefail
systemd-run --wait -p FailureAction=poweroff true
-systemd-run --wait -p SuccessAction=poweroff false && { echo 'unexpected success'; exit 1; }
+(! systemd-run --wait -p SuccessAction=poweroff false)
if ! test -f /firstphase ; then
echo OK >/firstphase
# This has to fail, as we shouldn't accept the dangerous PID file, and then
# inotify-wait on it to be corrected which we never do.
-systemd-run --unit=test-mainpidsh3.service \
- -p StandardOutput=tty \
- -p StandardError=tty \
- -p Type=forking \
- -p RuntimeDirectory=mainpidsh3 \
- -p PIDFile=/run/mainpidsh3/pid \
- -p DynamicUser=1 \
- -p TimeoutStartSec=2s \
- /dev/shm/test-mainpid3.sh \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run \
+ --unit=test-mainpidsh3.service \
+ -p StandardOutput=tty \
+ -p StandardError=tty \
+ -p Type=forking \
+ -p RuntimeDirectory=mainpidsh3 \
+ -p PIDFile=/run/mainpidsh3/pid \
+ -p DynamicUser=1 \
+ -p TimeoutStartSec=2s \
+ /dev/shm/test-mainpid3.sh)
# Test that this failed due to timeout, and not some other error
test "$(systemctl show -P Result test-mainpidsh3.service)" = timeout
mkfifo /tmp/f/fifo
chmod 644 /tmp/f/fifo
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/f/fifo 0666 daemon daemon - This string should not be written
EOF
ln -s missing /tmp/f/dangling
ln -s /tmp/file-owned-by-root /tmp/f/symlink
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/f/dangling 0644 daemon daemon - -
f /tmp/f/symlink 0644 daemon daemon - -
EOF
EOF
test -f /tmp/f/ro-fs/foo; test ! -s /tmp/f/ro-fs/foo
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/f/ro-fs/foo 0666 - - - -
EOF
test "$(stat -c %U:%G:%a /tmp/f/fifo)" = "root:root:644"
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/f/ro-fs/bar 0644 - - - -
EOF
test ! -e /tmp/f/ro-fs/bar
ln -s /root /tmp/f/daemon/unsafe-symlink
chown -R --no-dereference daemon:daemon /tmp/f/daemon
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/f/daemon/unsafe-symlink/exploit 0644 daemon daemon - -
EOF
test ! -e /tmp/f/daemon/unsafe-symlink/exploit
### unspecified in the other cases.
mkfifo /tmp/F/fifo
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
F /tmp/F/fifo 0644 - - - -
EOF
ln -s missing /tmp/F/dangling
ln -s /tmp/file-owned-by-root /tmp/F/symlink
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/F/dangling 0644 daemon daemon - -
f /tmp/F/symlink 0644 daemon daemon - -
EOF
test -f /tmp/F/ro-fs/foo; test ! -s /tmp/F/ro-fs/foo
echo "truncating is not allowed anymore" >/tmp/F/rw-fs/foo
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
F /tmp/F/ro-fs/foo 0644 - - - -
EOF
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
F /tmp/F/ro-fs/foo 0644 - - - - This string should not be written
EOF
test -f /tmp/F/ro-fs/foo
# Trying to change the perms should fail.
: >/tmp/F/rw-fs/foo
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
F /tmp/F/ro-fs/foo 0666 - - - -
EOF
test "$(stat -c %U:%G:%a /tmp/F/ro-fs/foo)" = "root:root:644"
### Try to create a new file.
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
F /tmp/F/ro-fs/bar 0644 - - - -
EOF
test ! -e /tmp/F/ro-fs/bar
ln -s /root /tmp/F/daemon/unsafe-symlink
chown -R --no-dereference daemon:daemon /tmp/F/daemon
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
F /tmp/F/daemon/unsafe-symlink/exploit 0644 daemon daemon - -
EOF
test ! -e /tmp/F/daemon/unsafe-symlink/exploit
test ! -e /tmp/w/unexistent
### no argument given -> fails.
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
w /tmp/w/unexistent 0644 - - - -
EOF
ln -s /root /tmp/w/daemon/unsafe-symlink
chown -R --no-dereference daemon:daemon /tmp/w/daemon
-systemd-tmpfiles --create - <<EOF && { echo 'unexpected success'; exit 1; }
+(! systemd-tmpfiles --create -) <<EOF
f /tmp/w/daemon/unsafe-symlink/exploit 0644 daemon daemon - -
EOF
test ! -e /tmp/w/daemon/unsafe-symlink/exploit
# Verify the command fails to write to a root-owned subdirectory under an
# unprivileged user's directory when it's not part of the prefix, as expected
# by the unsafe_transition function.
-echo 'd /tmp/user/root/test' | systemd-tmpfiles --create - \
- && { echo 'unexpected success'; exit 1; }
+echo 'd /tmp/user/root/test' | (! systemd-tmpfiles --create -)
test ! -e /tmp/user/root/test
-echo 'd /user/root/test' | systemd-tmpfiles --root=/tmp --create - \
- && { echo 'unexpected success'; exit 1; }
+echo 'd /user/root/test' | (! systemd-tmpfiles --root=/tmp --create -)
test ! -e /tmp/user/root/test
# Verify the above works when all user-owned directories are in the prefix.
# And now, do the same with Type=exec, where the latter two should fail
systemd-run --unit=four -p Type=exec /bin/sleep infinity
-systemd-run --unit=five -p Type=exec -p User=idontexist /bin/sleep infinity && { echo 'unexpected success'; exit 1; }
-systemd-run --unit=six -p Type=exec /tmp/brokenbinary && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=five -p Type=exec -p User=idontexist /bin/sleep infinity)
+(! systemd-run --unit=six -p Type=exec /tmp/brokenbinary)
systemd-run --unit=seven -p KillSignal=SIGTERM -p RestartKillSignal=SIGINT -p Type=exec /bin/sleep infinity
# Both TERM and SIGINT happen to have the same number on all architectures
# Should work normally
busctl call \
- org.freedesktop.systemd1 /org/freedesktop/systemd1 \
- org.freedesktop.systemd1.Manager StartTransientUnit \
- "ssa(sv)a(sa(sv))" test-20933-ok.service replace 1 \
- ExecStart "a(sasb)" 1 \
- /usr/bin/sleep 2 /usr/bin/sleep 1 true \
- 0
+ org.freedesktop.systemd1 /org/freedesktop/systemd1 \
+ org.freedesktop.systemd1.Manager StartTransientUnit \
+ "ssa(sv)a(sa(sv))" test-20933-ok.service replace 1 \
+ ExecStart "a(sasb)" 1 \
+ /usr/bin/sleep 2 /usr/bin/sleep 1 true \
+ 0
# DBus call should fail but not crash systemd
-busctl call \
- org.freedesktop.systemd1 /org/freedesktop/systemd1 \
- org.freedesktop.systemd1.Manager StartTransientUnit \
- "ssa(sv)a(sa(sv))" test-20933-bad.service replace 1 \
- ExecStart "a(sasb)" 1 \
- /usr/bin/sleep 0 true \
- 0 && { echo 'unexpected success'; exit 1; }
+(! busctl call \
+ org.freedesktop.systemd1 /org/freedesktop/systemd1 \
+ org.freedesktop.systemd1.Manager StartTransientUnit \
+ "ssa(sv)a(sa(sv))" test-20933-bad.service replace 1 \
+ ExecStart "a(sasb)" 1 \
+ /usr/bin/sleep 0 true \
+ 0)
# Same but with the empty argv in the middle
-busctl call \
- org.freedesktop.systemd1 /org/freedesktop/systemd1 \
- org.freedesktop.systemd1.Manager StartTransientUnit \
- "ssa(sv)a(sa(sv))" test-20933-bad-middle.service replace 1 \
- ExecStart "a(sasb)" 3 \
- /usr/bin/sleep 2 /usr/bin/sleep 1 true \
- /usr/bin/sleep 0 true \
- /usr/bin/sleep 2 /usr/bin/sleep 1 true \
- 0 && { echo 'unexpected success'; exit 1; }
+(! busctl call \
+ org.freedesktop.systemd1 /org/freedesktop/systemd1 \
+ org.freedesktop.systemd1.Manager StartTransientUnit \
+ "ssa(sv)a(sa(sv))" test-20933-bad-middle.service replace 1 \
+ ExecStart "a(sasb)" 3 \
+ /usr/bin/sleep 2 /usr/bin/sleep 1 true \
+ /usr/bin/sleep 0 true \
+ /usr/bin/sleep 2 /usr/bin/sleep 1 true \
+ 0)
systemd-analyze log-level info
# Test removal
machinectl remove testimage
test ! -f /var/lib/machines/testimage.raw
-machinectl image-status testimage && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status testimage)
# Test export of clone
machinectl export-raw testimage3 /var/tmp/testimage3.raw
test -f /var/lib/machines/testimage4.raw
machinectl image-status testimage4
test ! -f /var/lib/machines/testimage3.raw
-machinectl image-status testimage3 && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status testimage3)
cmp /var/tmp/testimage.raw /var/lib/machines/testimage4.raw
# Test export of rename
# Test removal
machinectl remove testimage4
test ! -f /var/lib/machines/testimage4.raw
-machinectl image-status testimage4 && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status testimage4)
# → And now, let's test directory trees ← #
# Test removal
machinectl remove scratch
test ! -f /var/lib/machines/scratch
-machinectl image-status scratchi && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status scratch)
# Test clone
machinectl clone scratch2 scratch3
# Test removal
machinectl remove scratch2
test ! -f /var/lib/machines/scratch2
-machinectl image-status scratch2 && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status scratch2)
# Test rename
machinectl rename scratch3 scratch4
test -d /var/lib/machines/scratch4
machinectl image-status scratch4
test ! -f /var/lib/machines/scratch3
-machinectl image-status scratch3 && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status scratch3)
diff -r /var/tmp/scratch/ /var/lib/machines/scratch4
# Test removal
machinectl remove scratch4
test ! -f /var/lib/machines/scratch4
-machinectl image-status scratch4 && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status scratch4)
# Test import-tar hyphen/stdin pipe behavior
# shellcheck disable=SC2002
# Test removal
machinectl remove scratch5
test ! -f /var/lib/machines/scratch5
-machinectl image-status scratch5 && { echo 'unexpected success'; exit 1; }
+(! machinectl image-status scratch5)
echo OK >/testok
test -d /var/cache/test-service
test -d /var/log/test-service
-systemctl clean test-service && { echo 'unexpected success'; exit 1; }
+(! systemctl clean test-service)
systemctl stop test-service
test -L /var/cache/test-service
test -L /var/log/test-service
-systemctl clean test-service && { echo 'unexpected success'; exit 1; }
+(! systemctl clean test-service)
systemctl stop test-service
test -d /var/cache/hoge
test -d /var/log/hoge
-systemctl clean tmp-hoge.mount && { echo 'unexpected success'; exit 1; }
+(! systemctl clean tmp-hoge.mount)
test -d /etc/hoge
test -d /run/hoge
test -d /var/cache/test-socket
test -d /var/log/test-socket
-systemctl clean test-service.socket && { echo 'unexpected success'; exit 1; }
+(! systemctl clean test-service.socket)
systemctl stop test-service.socket
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz:yyy test -f "${path}"/yyy/test
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}=zzz:xxx zzz:xxx2" -p TemporaryFileSystem="${path}" bash -c "test -f ${path}/xxx/test && test -f ${path}/xxx2/test"
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz:xxx -p TemporaryFileSystem="${path}":ro test -f "${path}"/xxx/test
- systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz test -f "${path}"/zzz/test-missing \
- && { echo 'unexpected success'; exit 1; }
+ (! systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz test -f "${path}"/zzz/test-missing)
test -d "${path}"/zzz
test ! -L "${path}"/zzz
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=1 -p "${directory}=zzz:xxx zzz:xxx2" \
-p TemporaryFileSystem="${path}" -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env bash -c "test -f ${path}/xxx/test && test -f ${path}/xxx2/test"
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=1 -p "${directory}"=zzz:xxx -p TemporaryFileSystem="${path}":ro test -f "${path}"/xxx/test
- systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=1 -p "${directory}"=zzz test -f "${path}"/zzz/test-missing \
- && { echo 'unexpected success'; exit 1; }
+ (! systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=1 -p "${directory}"=zzz test -f "${path}"/zzz/test-missing)
test -L "${path}"/zzz
test -d "${path}"/private/zzz
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz:xxx -p TemporaryFileSystem="${path}" test -f "${path}"/xxx/test
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}=zzz:xxx zzz:xxx2" -p TemporaryFileSystem="${path}" bash -c "test -f ${path}/xxx/test && test -f ${path}/xxx2/test"
systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz:xxx -p TemporaryFileSystem="${path}":ro test -f "${path}"/xxx/test
- systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz test -f "${path}"/zzz/test-missing \
- && { echo 'unexpected success'; exit 1; }
+ (! systemd-run --wait -p RuntimeDirectoryPreserve=yes -p DynamicUser=0 -p "${directory}"=zzz test -f "${path}"/zzz/test-missing)
test -d "${path}"/zzz
test ! -L "${path}"/zzz
systemctl start "$SERVICE_NAME"
systemctl status "$SERVICE_NAME"
# The reload SHOULD fail but SHOULD NOT affect the service state
-systemctl reload "$SERVICE_NAME" && { echo 'unexpected success'; exit 1; }
+(! systemctl reload "$SERVICE_NAME")
systemctl status "$SERVICE_NAME"
systemctl stop "$SERVICE_NAME"
systemctl start "$SERVICE_NAME"
systemctl status "$SERVICE_NAME"
# The reload SHOULD fail but SHOULD NOT affect the service state
-systemctl reload "$SERVICE_NAME" && { echo 'unexpected success'; exit 1; }
+(! systemctl reload "$SERVICE_NAME")
systemctl status "$SERVICE_NAME"
systemctl stop "$SERVICE_NAME"
systemd-analyze log-level debug
# test one: Restart=on-failure should restart the service
-systemd-run --unit=one -p Type=oneshot -p Restart=on-failure /bin/bash -c "exit 1" \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=one -p Type=oneshot -p Restart=on-failure /bin/bash -c "exit 1")
for ((secs = 0; secs < MAX_SECS; secs++)); do
- [[ "$(systemctl show one.service -P NRestarts)" -le 0 ]] || break
- sleep 1
+ [[ "$(systemctl show one.service -P NRestarts)" -le 0 ]] || break
+ sleep 1
done
if [[ "$(systemctl show one.service -P NRestarts)" -le 0 ]]; then
- exit 1
+ exit 1
fi
TMP_FILE="/tmp/test-41-oneshot-restart-test"
# test two: make sure StartLimitBurst correctly limits the number of restarts
# and restarts execution of the unit from the first ExecStart=
-systemd-run --unit=two \
- -p StartLimitIntervalSec=120 \
- -p StartLimitBurst=3 \
- -p Type=oneshot \
- -p Restart=on-failure \
- -p ExecStart="/bin/bash -c \"printf a >>$TMP_FILE\"" /bin/bash -c "exit 1" \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=two \
+ -p StartLimitIntervalSec=120 \
+ -p StartLimitBurst=3 \
+ -p Type=oneshot \
+ -p Restart=on-failure \
+ -p ExecStart="/bin/bash -c \"printf a >>$TMP_FILE\"" /bin/bash -c "exit 1")
# wait for at least 3 restarts
for ((secs = 0; secs < MAX_SECS; secs++)); do
- [[ $(cat $TMP_FILE) != "aaa" ]] || break
- sleep 1
+ [[ $(cat $TMP_FILE) != "aaa" ]] || break
+ sleep 1
done
if [[ $(cat $TMP_FILE) != "aaa" ]]; then
- exit 1
+ exit 1
fi
# wait for 5 more seconds to make sure there aren't excess restarts
sleep 5
if [[ $(cat $TMP_FILE) != "aaa" ]]; then
- exit 1
+ exit 1
fi
systemd-analyze log-level info
systemd-analyze log-level debug
-systemd-run --unit=simple1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple -p ExecStopPost='/bin/touch /run/simple1' true
+systemd-run --unit=simple1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple \
+ -p ExecStopPost='/bin/touch /run/simple1' true
test -f /run/simple1
-systemd-run --unit=simple2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple -p ExecStopPost='/bin/touch /run/simple2' false \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=simple2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple \
+ -p ExecStopPost='/bin/touch /run/simple2' false)
test -f /run/simple2
-systemd-run --unit=exec1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec -p ExecStopPost='/bin/touch /run/exec1' sleep 1
+systemd-run --unit=exec1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \
+ -p ExecStopPost='/bin/touch /run/exec1' sleep 1
test -f /run/exec1
-systemd-run --unit=exec2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec -p ExecStopPost='/bin/touch /run/exec2' sh -c 'sleep 1; false' \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=exec2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \
+ -p ExecStopPost='/bin/touch /run/exec2' sh -c 'sleep 1; false')
test -f /run/exec2
cat >/tmp/forking1.sh <<EOF
EOF
chmod +x /tmp/forking1.sh
-systemd-run --unit=forking1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec -p ExecStopPost='/bin/touch /run/forking1' /tmp/forking1.sh
+systemd-run --unit=forking1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \
+ -p ExecStopPost='/bin/touch /run/forking1' /tmp/forking1.sh
test -f /run/forking1
cat >/tmp/forking2.sh <<EOF
set -eux
-( sleep 4; exit 1 ) &
+(sleep 4; exit 1) &
MAINPID=\$!
disown
EOF
chmod +x /tmp/forking2.sh
-systemd-run --unit=forking2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec -p ExecStopPost='/bin/touch /run/forking2' /tmp/forking2.sh \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=forking2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \
+ -p ExecStopPost='/bin/touch /run/forking2' /tmp/forking2.sh)
test -f /run/forking2
-systemd-run --unit=oneshot1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot -p ExecStopPost='/bin/touch /run/oneshot1' true
+systemd-run --unit=oneshot1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \
+ -p ExecStopPost='/bin/touch /run/oneshot1' true
test -f /run/oneshot1
-systemd-run --unit=oneshot2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot -p ExecStopPost='/bin/touch /run/oneshot2' false \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=oneshot2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \
+ -p ExecStopPost='/bin/touch /run/oneshot2' false)
test -f /run/oneshot2
-systemd-run --unit=dbus1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost -p ExecStopPost='/bin/touch /run/dbus1' \
- busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus RequestName su systemd.test.ExecStopPost 4 \
- || :
+systemd-run --unit=dbus1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost \
+ -p ExecStopPost='/bin/touch /run/dbus1' \
+ busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus RequestName su systemd.test.ExecStopPost 4 || :
test -f /run/dbus1
-systemd-run --unit=dbus2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost -p ExecStopPost='/bin/touch /run/dbus2' true
+systemd-run --unit=dbus2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost \
+ -p ExecStopPost='/bin/touch /run/dbus2' true
test -f /run/dbus2
# https://github.com/systemd/systemd/issues/19920
-systemd-run --unit=dbus3.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p ExecStopPost='/bin/touch /run/dbus3' true \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=dbus3.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus \
+ -p ExecStopPost='/bin/touch /run/dbus3' true)
cat >/tmp/notify1.sh <<EOF
#!/usr/bin/env bash
EOF
chmod +x /tmp/notify1.sh
-systemd-run --unit=notify1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify -p ExecStopPost='/bin/touch /run/notify1' /tmp/notify1.sh
+systemd-run --unit=notify1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \
+ -p ExecStopPost='/bin/touch /run/notify1' /tmp/notify1.sh
test -f /run/notify1
-systemd-run --unit=notify2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify -p ExecStopPost='/bin/touch /run/notify2' true \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=notify2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \
+ -p ExecStopPost='/bin/touch /run/notify2' true)
test -f /run/notify2
systemd-run --unit=idle1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle -p ExecStopPost='/bin/touch /run/idle1' true
test -f /run/idle1
-systemd-run --unit=idle2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle -p ExecStopPost='/bin/touch /run/idle2' false \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --unit=idle2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle \
+ -p ExecStopPost='/bin/touch /run/idle2' false)
test -f /run/idle2
systemd-analyze log-level info
test -e /home/testuser/works.txt
# Confirm that creating a file in home is blocked under read-only
-runas testuser systemd-run --wait --user --unit=test-protect-home-read-only \
+(! runas testuser systemd-run --wait --user --unit=test-protect-home-read-only \
-p ProtectHome=read-only \
-P bash -c '
test -e /home/testuser/works.txt || exit 10
touch /home/testuser/blocked.txt && exit 11
- ' \
- && { echo 'unexpected success'; exit 1; }
+ ')
test ! -e /home/testuser/blocked.txt
# Check that tmpfs hides the whole directory
# namespace (no CAP_SETGID in the parent namespace to write the additional
# mapping of the user supplied group and thus cannot change groups to an
# unmapped group ID)
-runas testuser systemd-run --wait --user --unit=test-group-fail \
+(! runas testuser systemd-run --wait --user --unit=test-group-fail \
-p PrivateUsers=yes -p Group=daemon \
- -P true \
- && { echo 'unexpected success'; exit 1; }
+ -P true)
# Check that with a new user namespace we can bind mount
# files and use a different root directory
-p PrivateNetwork=yes \
/bin/sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
-runas testuser systemd-run --wait --user --unit=test-hostname \
+(! runas testuser systemd-run --wait --user --unit=test-hostname \
-p ProtectHostname=yes \
- hostnamectl hostname foo \
- && { echo 'unexpected success'; exit 1; }
+ hostnamectl hostname foo)
-runas testuser systemd-run --wait --user --unit=test-clock \
+(! runas testuser systemd-run --wait --user --unit=test-clock \
-p ProtectClock=yes \
- timedatectl set-time "2012-10-30 18:17:16" \
- && { echo 'unexpected success'; exit 1; }
+ timedatectl set-time "2012-10-30 18:17:16")
-runas testuser systemd-run --wait --user --unit=test-kernel-tunable \
+(! runas testuser systemd-run --wait --user --unit=test-kernel-tunable \
-p ProtectKernelTunables=yes \
- sh -c "echo 0 >/proc/sys/user/max_user_namespaces" \
- && { echo 'unexpected success'; exit 1; }
+ sh -c "echo 0 >/proc/sys/user/max_user_namespaces")
-runas testuser systemd-run --wait --user --unit=test-kernel-mod \
+(! runas testuser systemd-run --wait --user --unit=test-kernel-mod \
-p ProtectKernelModules=yes \
- sh -c "modprobe -r overlay && modprobe overlay" \
- && { echo 'unexpected success'; exit 1; }
+ sh -c "modprobe -r overlay && modprobe overlay")
if sysctl kernel.dmesg_restrict=0; then
- runas testuser systemd-run --wait --user --unit=test-kernel-log \
+ (! runas testuser systemd-run --wait --user --unit=test-kernel-log \
-p ProtectKernelLogs=yes -p LogNamespace=yes \
- dmesg \
- && { echo 'unexpected success'; exit 1; }
+ dmesg)
fi
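Review bot: The negated sandboxing cases (`test-hostname`, `test-clock`, `test-kernel-tunable`, `test-kernel-mod`, `test-kernel-log`) pass on any non-zero exit, so a failure of `runas` or of `systemd-run` to start the unit at all looks the same as the protection blocking the operation. The removed `&& { ...; exit 1; }` form had the same gap, but since these lines are being rewritten anyway it is worth adding a state check after each one. The ProtectHome case already does this with `test ! -e /home/testuser/blocked.txt`; for the ProtectHostname case something like `[[ "$(hostname)" != foo ]]` would serve. The `test-54-immutable-touch` and `test-54-immutable-rm` credential checks have the same shape and no follow-up check either.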
unsquashfs -no-xattrs -d /tmp/img /usr/share/minimal_0.raw
journalctl -o cat >/tmp/no-hello-world
grep "^hello world$" /tmp/hello-world
-grep "^hello world$" /tmp/no-hello-world && { echo 'unexpected success'; exit 1; }
+(! grep "^hello world$" /tmp/no-hello-world)
systemd-analyze log-level info
fi
PASSWORD=xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
-PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz \
- && { echo 'unexpected success'; exit 1; }
+(! PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
PASSWORD=xEhErW0ndafV4s homectl with test-user -- touch /home/test-user/xyz
PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz
PASSWORD=xEhErW0ndafV4s homectl with test-user -- rm /home/test-user/xyz
PASSWORD=xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
-PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz \
- && { echo 'unexpected success'; exit 1; }
+(! PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
wait_for_state test-user inactive
homectl remove test-user
# ExtensionDirectories will set up an overlay
mkdir -p "${image_dir}/app0" "${image_dir}/app1" "${image_dir}/app-nodistro"
-systemd-run -P --property ExtensionDirectories="${image_dir}/nonexistent" --property RootImage="${image}.raw" cat /opt/script0.sh && { echo 'unexpected success'; exit 1; }
-systemd-run -P --property ExtensionDirectories="${image_dir}/app0" --property RootImage="${image}.raw" cat /opt/script0.sh && { echo 'unexpected success'; exit 1; }
+(! systemd-run -P --property ExtensionDirectories="${image_dir}/nonexistent" --property RootImage="${image}.raw" cat /opt/script0.sh)
+(! systemd-run -P --property ExtensionDirectories="${image_dir}/app0" --property RootImage="${image}.raw" cat /opt/script0.sh)
systemd-dissect --mount /usr/share/app0.raw "${image_dir}/app0"
systemd-dissect --mount /usr/share/app1.raw "${image_dir}/app1"
systemd-dissect --mount /usr/share/app-nodistro.raw "${image_dir}/app-nodistro"
echo "ID=_any" >/run/extensions/app-reject/usr/lib/extension-release.d/extension-release.app-reject
echo "ID=_any" >/run/extensions/app-reject/usr/lib/os-release
touch /run/extensions/app-reject/usr/lib/systemd/system/other_file
-systemd-sysext merge && { echo 'unexpected success'; exit 1; }
+(! systemd-sysext merge)
test ! -e /usr/lib/systemd/system/some_file
test ! -e /usr/lib/systemd/system/other_file
systemd-sysext unmerge
echo "ID=_any" >/run/confexts/test/etc/extension-release.d/extension-release.test
echo "ARCHITECTURE=_any" >>/run/confexts/test/etc/extension-release.d/extension-release.test
echo "MARKER_CONFEXT_123" >/run/confexts/test/etc/testfile
-cat <<EOF>/run/confexts/test/etc/testscript
+cat <<EOF >/run/confexts/test/etc/testscript
#!/bin/bash
echo "This should not happen"
EOF
chmod +x /run/confexts/test/etc/testscript
systemd-confext merge
grep -q -F "MARKER_CONFEXT_123" /etc/testfile
-/etc/testscript && { echo 'unexpected success'; exit 1; }
+(! /etc/testscript)
systemd-confext status
systemd-confext unmerge
rm -rf /run/confexts/
# Verify that the creds are properly loaded and we can read them from the service's unpriv user
systemd-run -p LoadCredential=passwd:/etc/passwd \
- -p LoadCredential=shadow:/etc/shadow \
- -p SetCredential=dog:wuff \
- -p DynamicUser=1 \
- --unit=test-54-unpriv.service \
- --wait \
- --pipe \
- cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
-( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
+ -p LoadCredential=shadow:/etc/shadow \
+ -p SetCredential=dog:wuff \
+ -p DynamicUser=1 \
+ --unit=test-54-unpriv.service \
+ --wait \
+ --pipe \
+ cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' \
+ >/tmp/ts54-concat
+(cat /etc/passwd /etc/shadow && echo -n wuff) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat
# Test that SetCredential= acts as fallback for LoadCredential=
systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true
# And this should fail
- systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; }
+ (! systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true)
fi
# Verify that the creds are immutable
-systemd-run -p LoadCredential=passwd:/etc/passwd \
- -p DynamicUser=1 \
- --unit=test-54-immutable-touch.service \
- --wait \
- touch '${CREDENTIALS_DIRECTORY}/passwd' \
- && { echo 'unexpected success'; exit 1; }
-systemd-run -p LoadCredential=passwd:/etc/passwd \
- -p DynamicUser=1 \
- --unit=test-54-immutable-rm.service \
- --wait \
- rm '${CREDENTIALS_DIRECTORY}/passwd' \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run -p LoadCredential=passwd:/etc/passwd \
+ -p DynamicUser=1 \
+ --unit=test-54-immutable-touch.service \
+ --wait \
+ touch '${CREDENTIALS_DIRECTORY}/passwd')
+(! systemd-run -p LoadCredential=passwd:/etc/passwd \
+ -p DynamicUser=1 \
+ --unit=test-54-immutable-rm.service \
+ --wait \
+ rm '${CREDENTIALS_DIRECTORY}/passwd')
# Check directory-based loading
mkdir -p /tmp/ts54-creds/sub
echo -n c >/tmp/ts54-creds/baz
echo -n d >/tmp/ts54-creds/sub/qux
systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
- -p DynamicUser=1 \
- --unit=test-54-dir.service \
- --wait \
- --pipe \
- cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
- '${CREDENTIALS_DIRECTORY}/cred_bar' \
- '${CREDENTIALS_DIRECTORY}/cred_baz' \
- '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
+ -p DynamicUser=1 \
+ --unit=test-54-dir.service \
+ --wait \
+ --pipe \
+ cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
+ '${CREDENTIALS_DIRECTORY}/cred_bar' \
+ '${CREDENTIALS_DIRECTORY}/cred_baz' \
+ '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
( echo -n abcd ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat
rm -rf /tmp/ts54-creds
systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
- --wait \
- --pipe \
- cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
+ --wait \
+ --pipe \
+ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
echo -n $RANDOM >/tmp/test-54-plaintext
systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
- --wait \
- --pipe \
- cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
+ --wait \
+ --pipe \
+ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
fi
/tmp/test56-exit-cgroup.sh 'systemctl stop two'
# false exec condition: systemd-run should exit immediately with status code: 1
-systemd-run --wait --unit=three -p Type=notify -p ExitType=cgroup \
+(! systemd-run --wait --unit=three -p Type=notify -p ExitType=cgroup \
-p ExecCondition=false \
- /tmp/test56-exit-cgroup.sh \
- && { echo 'unexpected success'; exit 1; }
+ /tmp/test56-exit-cgroup.sh)
# service should exit uncleanly (main process exits with SIGKILL)
-systemd-run --wait --unit=four -p Type=notify -p ExitType=cgroup \
- /tmp/test56-exit-cgroup.sh 'systemctl kill --signal 9 four' \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-run --wait --unit=four -p Type=notify -p ExitType=cgroup \
+ /tmp/test56-exit-cgroup.sh 'systemctl kill --signal 9 four')
# Multiple level process tree, parent process exits quickly
set +e
# Default behaviour is to recurse through all dependencies when unit is loaded
-systemd-analyze verify --root=/tmp/img/ testfile.service \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-analyze verify --root=/tmp/img/ testfile.service)
# As above, recurses through all dependencies when unit is loaded
-systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service)
# Recurses through unit file and its direct dependencies when unit is loaded
-systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service)
set -e
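Review bot: The three `(! systemd-analyze verify ...)` checks here sit between the unchanged `set +e` and `set -e` lines, so unless errexit is re-enabled somewhere not shown, a non-zero status from the subshell is ignored and the script carries on even when `verify` unexpectedly succeeds. The removed form called `exit 1` explicitly and did not depend on errexit, so this is a loss of coverage rather than a pure restyle. The `--recursive-errors=yes /tmp/testfile2.service` check just below is wrapped in `set +e`/`set -e` in the same way. The commit already drops that wrapper around the `security --threshold` checks; deleting the `set +e` and `set -e` lines here as well would make these assertions effective again.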
set +e
# Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded
-systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service)
set -e
rm /tmp/testfile.service
# Alias a unit file's name on disk (see #20061)
cp /tmp/testfile.service /tmp/testsrvc
-systemd-analyze verify /tmp/testsrvc \
- && { echo 'unexpected success'; exit 1; }
+(! systemd-analyze verify /tmp/testsrvc)
systemd-analyze verify /tmp/testsrvc:alias.service
# Zero exit status since the value used for comparison determine exposure to security threats is by default 100
systemd-analyze security --offline=true /tmp/testfile.service
-set +e
#The overall exposure level assigned to the unit is greater than the set threshold
-systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
- && { echo 'unexpected success'; exit 1; }
-set -e
+(! systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service)
# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
--profile=strict \
--root=/tmp/img/ testfile.service
-set +e
# The trusted profile doesn't add any sanboxing options
-systemd-analyze security --threshold=25 --offline=true \
+(! systemd-analyze security --threshold=25 --offline=true \
--security-policy=/tmp/testfile.json \
--profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
- --root=/tmp/img/ testfile.service \
- && { echo 'unexpected success'; exit 1; }
+ --root=/tmp/img/ testfile.service)
-systemd-analyze security --threshold=50 --offline=true \
+(! systemd-analyze security --threshold=50 --offline=true \
--security-policy=/tmp/testfile.json \
- --root=/tmp/img/ testfile.service \
- && { echo 'unexpected success'; exit 1; }
-set -e
+ --root=/tmp/img/ testfile.service)
rm /tmp/img/usr/lib/systemd/system/testfile.service
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^root \+ignore \+'
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^usr-verity \+unprotected \+'
-(! systemd-analyze image-policy 'doedel' )
+(! systemd-analyze image-policy 'doedel')
systemd-analyze log-level info
# Check with wrong PCR
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
-/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+(! /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1)
# Enroll unlock with PCR+PIN policy
systemd-cryptenroll --wipe-slot=tpm2 $img
/usr/lib/systemd/systemd-cryptsetup detach test-volume
# Check failure with wrong PIN
-env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+(! env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1)
+
# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
if cryptsetup --help | grep -q 'LUKS2 external token plugin support is compiled-in' && \
/usr/lib/systemd/systemd-cryptsetup detach test-volume
# Check failure with wrong PIN
- env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - headless=1 && { echo 'unexpected success'; exit 1; }
+ (! env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - headless=1)
else
echo 'cryptsetup has no LUKS2 token plugin support, skipping'
fi
# Check failure with wrong PCR (and correct PIN)
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
-env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+(! env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1)
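Review bot: This `(! … systemd-cryptsetup attach …)` check, like the wrong-PCR and wrong-PIN checks before it, passes on any non-zero exit status. A crash or an unavailable TPM therefore counts the same as the policy rejection named in the comment. The old `&& { …; exit 1; }` form had the same gap, but since these lines assert that a TPM2 PCR/PIN policy refuses to unlock, it is worth pinning the outcome too. After the failed attach, add something like `[[ ! -e /dev/mapper/test-volume ]]` (assuming the mapping would appear under that name), so a regression that unlocks the volume yet exits non-zero is still caught.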
# Enroll unlock with PCR 0+7
systemd-cryptenroll --wipe-slot=tpm2 $img
# Invalidate PCR, decrypting should fail now
tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000
- systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" >/dev/null && { echo 'unexpected success'; exit 1; }
+ (! systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" >/dev/null)
# Sign new PCR state, decrypting should work now.
/usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig2"
# After extending the PCR things should fail
tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000
- SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }
- SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }
+ (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1)
+ (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1)
# But once we sign the current PCRs, we should be able to unlock again
/usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig3"
# Sign one more phase, this should
/usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig4" >"/tmp/pcrsign.sig5"
- ( ! cmp "/tmp/pcrsign.sig4" "/tmp/pcrsign.sig5" )
+ (! cmp "/tmp/pcrsign.sig4" "/tmp/pcrsign.sig5")
# Should still be good to unlock, given the old entry still exists
SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig5",headless=1
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom $img_2 /tmp/password
#boolean_arguments
-systemd-cryptenroll --fido2-with-client-pin=false && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-with-client-pin=false)
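Review bot: This negated check needs a comment, because it passes a valid boolean and no device, whereas the later `systemd-cryptenroll --fido2-with-client-pin=false $img_2` is expected to succeed. The failure it relies on is therefore presumably the missing device argument rather than boolean parsing. With the `echo 'unexpected success'` text gone, nothing on the line says what is being rejected. Suggest adding `# no device given, must fail` above it.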
-systemd-cryptenroll --fido2-with-user-presence=f $img_2 /tmp/foo && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-with-user-presence=f $img_2 /tmp/foo)
-systemd-cryptenroll --fido2-with-client-pin=1234 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-with-client-pin=1234 $img_2)
systemd-cryptenroll --fido2-with-client-pin=false $img_2
-systemd-cryptenroll --fido2-with-user-presence=1234 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-with-user-presence=1234 $img_2)
systemd-cryptenroll --fido2-with-user-presence=false $img_2
-systemd-cryptenroll --fido2-with-user-verification=1234 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-with-user-verification=1234 $img_2)
-systemd-cryptenroll --tpm2-with-pin=1234 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --tpm2-with-pin=1234 $img_2)
systemd-cryptenroll --fido2-with-user-verification=false $img_2
#arg_enroll_type
-systemd-cryptenroll --recovery-key --password $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --recovery-key --password $img_2)
-systemd-cryptenroll --password --recovery-key $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --password --recovery-key $img_2)
-systemd-cryptenroll --password --fido2-device=auto $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --password --fido2-device=auto $img_2)
-systemd-cryptenroll --password --pkcs11-token-uri=auto $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --password --pkcs11-token-uri=auto $img_2)
-systemd-cryptenroll --password --tpm2-device=auto $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --password --tpm2-device=auto $img_2)
#arg_unlock_type
-systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto $img_2)
-systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock $img_2)
#fido2_cred_algorithm
-systemd-cryptenroll --fido2-credential-algorithm=es512 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-credential-algorithm=es512 $img_2)
#tpm2_errors
-systemd-cryptenroll --tpm2-public-key-pcrs=key $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --tpm2-public-key-pcrs=key $img_2)
-systemd-cryptenroll --tpm2-pcrs=key $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --tpm2-pcrs=key $img_2)
-systemd-cryptenroll --tpm2-pcrs=44+8 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --tpm2-pcrs=44+8 $img_2)
systemd-cryptenroll --tpm2-pcrs=8 $img_2
-systemd-cryptenroll --tpm2-pcrs=hello $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --tpm2-pcrs=hello $img_2)
systemd-cryptenroll --tpm2-pcrs=boot-loader-code+boot-loader-config $img_2
#wipe_slots
-systemd-cryptenroll --wipe-slot $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --wipe-slot $img_2)
-systemd-cryptenroll --wipe-slot=10240000 $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --wipe-slot=10240000 $img_2)
#fido2_multiple_auto
-systemd-cryptenroll --fido2-device=auto --unlock-fido2-device=auto $img_2 && { echo 'unexpected success'; exit 1; }
+(! systemd-cryptenroll --fido2-device=auto --unlock-fido2-device=auto $img_2)
echo OK >/testok