]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
281e05b6 | 2 | |
cc7fa4fb RC |
3 | #include <grp.h> |
4 | #include <pwd.h> | |
ff4ca461 | 5 | #include <stdio.h> |
70d7aea5 | 6 | #include <sys/prctl.h> |
ff4ca461 | 7 | #include <sys/types.h> |
281e05b6 | 8 | |
b7856f92 | 9 | #include "capability-util.h" |
4e79aeaa | 10 | #include "cpu-set-util.h" |
b4891260 | 11 | #include "errno-list.h" |
03bd70dd | 12 | #include "fileio.h" |
f4f15635 | 13 | #include "fs-util.h" |
281e05b6 | 14 | #include "macro.h" |
f4f15635 | 15 | #include "manager.h" |
a22692d7 | 16 | #include "missing_prctl.h" |
281e05b6 | 17 | #include "mkdir.h" |
ff4ca461 | 18 | #include "path-util.h" |
c6878637 | 19 | #include "rm-rf.h" |
349cc4a5 | 20 | #if HAVE_SECCOMP |
83f12b27 FS |
21 | #include "seccomp-util.h" |
22 | #endif | |
57b7a260 | 23 | #include "service.h" |
34b86909 | 24 | #include "stat-util.h" |
8b3aa503 | 25 | #include "test-helper.h" |
cc100a5a | 26 | #include "tests.h" |
f4f15635 | 27 | #include "unit.h" |
57c2efa0 | 28 | #include "user-util.h" |
f4f15635 | 29 | #include "util.h" |
4dd4cb8f | 30 | #include "virt.h" |
281e05b6 | 31 | |
5f00dc4d | 32 | static bool can_unshare; |
b7172f34 | 33 | |
281e05b6 RC |
34 | typedef void (*test_function_t)(Manager *m); |
35 | ||
c3ab2c38 LP |
36 | static int cld_dumped_to_killed(int code) { |
37 | /* Depending on the system, seccomp version, … some signals might result in dumping, others in plain | |
38 | * killing. Let's ignore the difference here, and map both cases to CLD_KILLED */ | |
39 | return code == CLD_DUMPED ? CLD_KILLED : code; | |
40 | } | |
41 | ||
31cd5f63 | 42 | static void wait_for_service_finish(Manager *m, Unit *unit) { |
281e05b6 RC |
43 | Service *service = NULL; |
44 | usec_t ts; | |
8adb3d63 | 45 | usec_t timeout = 2 * USEC_PER_MINUTE; |
281e05b6 RC |
46 | |
47 | assert_se(m); | |
48 | assert_se(unit); | |
49 | ||
50 | service = SERVICE(unit); | |
51 | printf("%s\n", unit->id); | |
52 | exec_context_dump(&service->exec_context, stdout, "\t"); | |
53 | ts = now(CLOCK_MONOTONIC); | |
ec2ce0c5 | 54 | while (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED)) { |
281e05b6 RC |
55 | int r; |
56 | usec_t n; | |
57 | ||
58 | r = sd_event_run(m->event, 100 * USEC_PER_MSEC); | |
59 | assert_se(r >= 0); | |
60 | ||
61 | n = now(CLOCK_MONOTONIC); | |
62 | if (ts + timeout < n) { | |
63 | log_error("Test timeout when testing %s", unit->id); | |
1acacd73 | 64 | r = unit_kill(unit, KILL_ALL, SIGKILL, NULL); |
f7f8e8cb EV |
65 | if (r < 0) |
66 | log_error_errno(r, "Failed to kill %s: %m", unit->id); | |
281e05b6 RC |
67 | exit(EXIT_FAILURE); |
68 | } | |
69 | } | |
31cd5f63 AZ |
70 | } |
71 | ||
72 | static void check_main_result(const char *func, Manager *m, Unit *unit, int status_expected, int code_expected) { | |
73 | Service *service = NULL; | |
74 | ||
75 | assert_se(m); | |
76 | assert_se(unit); | |
77 | ||
78 | wait_for_service_finish(m, unit); | |
79 | ||
80 | service = SERVICE(unit); | |
281e05b6 | 81 | exec_status_dump(&service->main_exec_status, stdout, "\t"); |
18f8c5d4 | 82 | |
c3ab2c38 | 83 | if (cld_dumped_to_killed(service->main_exec_status.code) != cld_dumped_to_killed(code_expected)) { |
6aed6a11 ZJS |
84 | log_error("%s: %s: exit code %d, expected %d", |
85 | func, unit->id, | |
86 | service->main_exec_status.code, code_expected); | |
87 | abort(); | |
18f8c5d4 LP |
88 | } |
89 | ||
90 | if (service->main_exec_status.status != status_expected) { | |
91 | log_error("%s: %s: exit status %d, expected %d", | |
92 | func, unit->id, | |
93 | service->main_exec_status.status, status_expected); | |
94 | abort(); | |
6aed6a11 | 95 | } |
281e05b6 RC |
96 | } |
97 | ||
31cd5f63 AZ |
98 | static void check_service_result(const char *func, Manager *m, Unit *unit, ServiceResult result_expected) { |
99 | Service *service = NULL; | |
100 | ||
101 | assert_se(m); | |
102 | assert_se(unit); | |
103 | ||
104 | wait_for_service_finish(m, unit); | |
105 | ||
106 | service = SERVICE(unit); | |
107 | ||
108 | if (service->result != result_expected) { | |
109 | log_error("%s: %s: service end result %s, expected %s", | |
110 | func, unit->id, | |
111 | service_result_to_string(service->result), | |
112 | service_result_to_string(result_expected)); | |
113 | abort(); | |
114 | } | |
115 | } | |
116 | ||
57c2efa0 YW |
117 | static bool check_nobody_user_and_group(void) { |
118 | static int cache = -1; | |
119 | struct passwd *p; | |
120 | struct group *g; | |
121 | ||
122 | if (cache >= 0) | |
123 | return !!cache; | |
124 | ||
125 | if (!synthesize_nobody()) | |
126 | goto invalid; | |
127 | ||
128 | p = getpwnam(NOBODY_USER_NAME); | |
129 | if (!p || | |
130 | !streq(p->pw_name, NOBODY_USER_NAME) || | |
131 | p->pw_uid != UID_NOBODY || | |
132 | p->pw_gid != GID_NOBODY) | |
133 | goto invalid; | |
134 | ||
135 | p = getpwuid(UID_NOBODY); | |
136 | if (!p || | |
137 | !streq(p->pw_name, NOBODY_USER_NAME) || | |
138 | p->pw_uid != UID_NOBODY || | |
139 | p->pw_gid != GID_NOBODY) | |
140 | goto invalid; | |
141 | ||
142 | g = getgrnam(NOBODY_GROUP_NAME); | |
143 | if (!g || | |
144 | !streq(g->gr_name, NOBODY_GROUP_NAME) || | |
145 | g->gr_gid != GID_NOBODY) | |
146 | goto invalid; | |
147 | ||
148 | g = getgrgid(GID_NOBODY); | |
149 | if (!g || | |
150 | !streq(g->gr_name, NOBODY_GROUP_NAME) || | |
151 | g->gr_gid != GID_NOBODY) | |
152 | goto invalid; | |
153 | ||
154 | cache = 1; | |
155 | return true; | |
156 | ||
157 | invalid: | |
158 | cache = 0; | |
159 | return false; | |
160 | } | |
161 | ||
9f82d685 YW |
162 | static bool check_user_has_group_with_same_name(const char *name) { |
163 | struct passwd *p; | |
164 | struct group *g; | |
165 | ||
166 | assert(name); | |
167 | ||
168 | p = getpwnam(name); | |
169 | if (!p || | |
170 | !streq(p->pw_name, name)) | |
171 | return false; | |
172 | ||
173 | g = getgrgid(p->pw_gid); | |
174 | if (!g || | |
175 | !streq(g->gr_name, name)) | |
176 | return false; | |
177 | ||
178 | return true; | |
179 | } | |
180 | ||
6086d2da | 181 | static bool is_inaccessible_available(void) { |
b2238e38 | 182 | const char *p; |
6086d2da DP |
183 | |
184 | FOREACH_STRING(p, | |
185 | "/run/systemd/inaccessible/reg", | |
186 | "/run/systemd/inaccessible/dir", | |
187 | "/run/systemd/inaccessible/chr", | |
188 | "/run/systemd/inaccessible/blk", | |
189 | "/run/systemd/inaccessible/fifo", | |
190 | "/run/systemd/inaccessible/sock" | |
191 | ) { | |
192 | if (access(p, F_OK) < 0) | |
193 | return false; | |
194 | } | |
195 | ||
196 | return true; | |
197 | } | |
198 | ||
6aed6a11 | 199 | static void test(const char *func, Manager *m, const char *unit_name, int status_expected, int code_expected) { |
281e05b6 RC |
200 | Unit *unit; |
201 | ||
202 | assert_se(unit_name); | |
203 | ||
ba412430 | 204 | assert_se(manager_load_startable_unit_or_warn(m, unit_name, NULL, &unit) >= 0); |
bd7989a3 | 205 | assert_se(unit_start(unit) >= 0); |
31cd5f63 AZ |
206 | check_main_result(func, m, unit, status_expected, code_expected); |
207 | } | |
208 | ||
209 | static void test_service(const char *func, Manager *m, const char *unit_name, ServiceResult result_expected) { | |
210 | Unit *unit; | |
211 | ||
212 | assert_se(unit_name); | |
213 | ||
214 | assert_se(manager_load_startable_unit_or_warn(m, unit_name, NULL, &unit) >= 0); | |
215 | assert_se(unit_start(unit) >= 0); | |
216 | check_service_result(func, m, unit, result_expected); | |
281e05b6 RC |
217 | } |
218 | ||
f0e018e7 YW |
219 | static void test_exec_bindpaths(Manager *m) { |
220 | assert_se(mkdir_p("/tmp/test-exec-bindpaths", 0755) >= 0); | |
221 | assert_se(mkdir_p("/tmp/test-exec-bindreadonlypaths", 0755) >= 0); | |
d053b72b | 222 | |
6aed6a11 | 223 | test(__func__, m, "exec-bindpaths.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); |
d053b72b | 224 | |
f0e018e7 YW |
225 | (void) rm_rf("/tmp/test-exec-bindpaths", REMOVE_ROOT|REMOVE_PHYSICAL); |
226 | (void) rm_rf("/tmp/test-exec-bindreadonlypaths", REMOVE_ROOT|REMOVE_PHYSICAL); | |
d053b72b YW |
227 | } |
228 | ||
4e79aeaa | 229 | static void test_exec_cpuaffinity(Manager *m) { |
167a776d | 230 | _cleanup_(cpu_set_reset) CPUSet c = {}; |
4e79aeaa | 231 | |
167a776d ZJS |
232 | assert_se(cpu_set_realloc(&c, 8192) >= 0); /* just allocate the maximum possible size */ |
233 | assert_se(sched_getaffinity(0, c.allocated, c.set) >= 0); | |
4e79aeaa | 234 | |
167a776d | 235 | if (!CPU_ISSET_S(0, c.allocated, c.set)) { |
4e79aeaa YW |
236 | log_notice("Cannot use CPU 0, skipping %s", __func__); |
237 | return; | |
238 | } | |
239 | ||
6aed6a11 ZJS |
240 | test(__func__, m, "exec-cpuaffinity1.service", 0, CLD_EXITED); |
241 | test(__func__, m, "exec-cpuaffinity2.service", 0, CLD_EXITED); | |
4e79aeaa | 242 | |
167a776d ZJS |
243 | if (!CPU_ISSET_S(1, c.allocated, c.set) || |
244 | !CPU_ISSET_S(2, c.allocated, c.set)) { | |
4e79aeaa YW |
245 | log_notice("Cannot use CPU 1 or 2, skipping remaining tests in %s", __func__); |
246 | return; | |
247 | } | |
248 | ||
6aed6a11 | 249 | test(__func__, m, "exec-cpuaffinity3.service", 0, CLD_EXITED); |
4e79aeaa YW |
250 | } |
251 | ||
281e05b6 RC |
252 | static void test_exec_workingdirectory(Manager *m) { |
253 | assert_se(mkdir_p("/tmp/test-exec_workingdirectory", 0755) >= 0); | |
254 | ||
6aed6a11 ZJS |
255 | test(__func__, m, "exec-workingdirectory.service", 0, CLD_EXITED); |
256 | test(__func__, m, "exec-workingdirectory-trailing-dot.service", 0, CLD_EXITED); | |
281e05b6 | 257 | |
c6878637 | 258 | (void) rm_rf("/tmp/test-exec_workingdirectory", REMOVE_ROOT|REMOVE_PHYSICAL); |
281e05b6 RC |
259 | } |
260 | ||
261 | static void test_exec_personality(Manager *m) { | |
281e05b6 | 262 | #if defined(__x86_64__) |
6aed6a11 | 263 | test(__func__, m, "exec-personality-x86-64.service", 0, CLD_EXITED); |
7517f51e HB |
264 | |
265 | #elif defined(__s390__) | |
6aed6a11 | 266 | test(__func__, m, "exec-personality-s390.service", 0, CLD_EXITED); |
7517f51e | 267 | |
12591863 JS |
268 | #elif defined(__powerpc64__) |
269 | # if __BYTE_ORDER == __BIG_ENDIAN | |
6aed6a11 | 270 | test(__func__, m, "exec-personality-ppc64.service", 0, CLD_EXITED); |
12591863 | 271 | # else |
6aed6a11 | 272 | test(__func__, m, "exec-personality-ppc64le.service", 0, CLD_EXITED); |
12591863 JS |
273 | # endif |
274 | ||
275 | #elif defined(__aarch64__) | |
6aed6a11 | 276 | test(__func__, m, "exec-personality-aarch64.service", 0, CLD_EXITED); |
12591863 | 277 | |
5798eb4c | 278 | #elif defined(__i386__) |
6aed6a11 | 279 | test(__func__, m, "exec-personality-x86.service", 0, CLD_EXITED); |
f0e018e7 YW |
280 | #else |
281 | log_notice("Unknown personality, skipping %s", __func__); | |
281e05b6 RC |
282 | #endif |
283 | } | |
284 | ||
285 | static void test_exec_ignoresigpipe(Manager *m) { | |
6aed6a11 ZJS |
286 | test(__func__, m, "exec-ignoresigpipe-yes.service", 0, CLD_EXITED); |
287 | test(__func__, m, "exec-ignoresigpipe-no.service", SIGPIPE, CLD_KILLED); | |
281e05b6 RC |
288 | } |
289 | ||
290 | static void test_exec_privatetmp(Manager *m) { | |
291 | assert_se(touch("/tmp/test-exec_privatetmp") >= 0); | |
292 | ||
6aed6a11 ZJS |
293 | test(__func__, m, "exec-privatetmp-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
294 | test(__func__, m, "exec-privatetmp-no.service", 0, CLD_EXITED); | |
281e05b6 RC |
295 | |
296 | unlink("/tmp/test-exec_privatetmp"); | |
297 | } | |
298 | ||
299 | static void test_exec_privatedevices(Manager *m) { | |
f0e018e7 YW |
300 | int r; |
301 | ||
4dd4cb8f | 302 | if (detect_container() > 0) { |
f0e018e7 | 303 | log_notice("Testing in container, skipping %s", __func__); |
4dd4cb8f SM |
304 | return; |
305 | } | |
6086d2da | 306 | if (!is_inaccessible_available()) { |
f0e018e7 | 307 | log_notice("Testing without inaccessible, skipping %s", __func__); |
6086d2da DP |
308 | return; |
309 | } | |
310 | ||
6aed6a11 ZJS |
311 | test(__func__, m, "exec-privatedevices-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
312 | test(__func__, m, "exec-privatedevices-no.service", 0, CLD_EXITED); | |
313 | test(__func__, m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
6086d2da | 314 | |
0608ba98 ZJS |
315 | /* We use capsh to test if the capabilities are |
316 | * properly set, so be sure that it exists */ | |
317 | r = find_binary("capsh", NULL); | |
318 | if (r < 0) { | |
5cd33ccc | 319 | log_notice_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__); |
6086d2da DP |
320 | return; |
321 | } | |
322 | ||
6aed6a11 ZJS |
323 | test(__func__, m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED); |
324 | test(__func__, m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED); | |
325 | test(__func__, m, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED); | |
326 | test(__func__, m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED); | |
615a1f4b DH |
327 | } |
328 | ||
7e46b29b | 329 | static void test_exec_protecthome(Manager *m) { |
9ca58284 ZJS |
330 | if (!can_unshare) { |
331 | log_notice("Cannot reliably unshare, skipping %s", __func__); | |
332 | return; | |
333 | } | |
334 | ||
335 | test(__func__, m, "exec-protecthome-tmpfs-vs-protectsystem-strict.service", 0, CLD_EXITED); | |
7e46b29b YW |
336 | } |
337 | ||
4982dbcc | 338 | static void test_exec_protectkernelmodules(Manager *m) { |
0608ba98 ZJS |
339 | int r; |
340 | ||
3ae33295 | 341 | if (detect_container() > 0) { |
f0e018e7 | 342 | log_notice("Testing in container, skipping %s", __func__); |
3ae33295 DH |
343 | return; |
344 | } | |
6086d2da | 345 | if (!is_inaccessible_available()) { |
f0e018e7 | 346 | log_notice("Testing without inaccessible, skipping %s", __func__); |
6086d2da DP |
347 | return; |
348 | } | |
3ae33295 | 349 | |
0608ba98 ZJS |
350 | r = find_binary("capsh", NULL); |
351 | if (r < 0) { | |
5cd33ccc | 352 | log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__); |
0608ba98 ZJS |
353 | return; |
354 | } | |
355 | ||
6aed6a11 ZJS |
356 | test(__func__, m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED); |
357 | test(__func__, m, "exec-protectkernelmodules-yes-capabilities.service", 0, CLD_EXITED); | |
358 | test(__func__, m, "exec-protectkernelmodules-yes-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
3ae33295 DH |
359 | } |
360 | ||
f78b36f0 | 361 | static void test_exec_readonlypaths(Manager *m) { |
34b86909 | 362 | |
6aed6a11 | 363 | test(__func__, m, "exec-readonlypaths-simple.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
f0e018e7 YW |
364 | |
365 | if (path_is_read_only_fs("/var") > 0) { | |
366 | log_notice("Directory /var is readonly, skipping remaining tests in %s", __func__); | |
34b86909 | 367 | return; |
f0e018e7 | 368 | } |
34b86909 | 369 | |
6aed6a11 ZJS |
370 | test(__func__, m, "exec-readonlypaths.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
371 | test(__func__, m, "exec-readonlypaths-with-bindpaths.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
372 | test(__func__, m, "exec-readonlypaths-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
cdfbd1fb DH |
373 | } |
374 | ||
375 | static void test_exec_readwritepaths(Manager *m) { | |
34b86909 | 376 | |
f0e018e7 YW |
377 | if (path_is_read_only_fs("/") > 0) { |
378 | log_notice("Root directory is readonly, skipping %s", __func__); | |
34b86909 | 379 | return; |
f0e018e7 | 380 | } |
34b86909 | 381 | |
6aed6a11 | 382 | test(__func__, m, "exec-readwritepaths-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
cdfbd1fb DH |
383 | } |
384 | ||
385 | static void test_exec_inaccessiblepaths(Manager *m) { | |
34b86909 | 386 | |
f0e018e7 YW |
387 | if (!is_inaccessible_available()) { |
388 | log_notice("Testing without inaccessible, skipping %s", __func__); | |
34b86909 | 389 | return; |
f0e018e7 | 390 | } |
34b86909 | 391 | |
6aed6a11 | 392 | test(__func__, m, "exec-inaccessiblepaths-sys.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
f78b36f0 | 393 | |
f0e018e7 YW |
394 | if (path_is_read_only_fs("/") > 0) { |
395 | log_notice("Root directory is readonly, skipping remaining tests in %s", __func__); | |
af4af186 EV |
396 | return; |
397 | } | |
398 | ||
6aed6a11 | 399 | test(__func__, m, "exec-inaccessiblepaths-mount-propagation.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
c090d74d TR |
400 | } |
401 | ||
4cac89bd YW |
402 | static void test_exec_temporaryfilesystem(Manager *m) { |
403 | ||
6aed6a11 ZJS |
404 | test(__func__, m, "exec-temporaryfilesystem-options.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); |
405 | test(__func__, m, "exec-temporaryfilesystem-ro.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
406 | test(__func__, m, "exec-temporaryfilesystem-rw.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
407 | test(__func__, m, "exec-temporaryfilesystem-usr.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
4cac89bd YW |
408 | } |
409 | ||
281e05b6 | 410 | static void test_exec_systemcallfilter(Manager *m) { |
349cc4a5 | 411 | #if HAVE_SECCOMP |
738c74d7 YW |
412 | int r; |
413 | ||
f0e018e7 YW |
414 | if (!is_seccomp_available()) { |
415 | log_notice("Seccomp not available, skipping %s", __func__); | |
83f12b27 | 416 | return; |
f0e018e7 YW |
417 | } |
418 | ||
6aed6a11 ZJS |
419 | test(__func__, m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED); |
420 | test(__func__, m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED); | |
421 | test(__func__, m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED); | |
422 | test(__func__, m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED); | |
738c74d7 YW |
423 | |
424 | r = find_binary("python3", NULL); | |
425 | if (r < 0) { | |
426 | log_notice_errno(r, "Skipping remaining tests in %s, could not find python3 binary: %m", __func__); | |
427 | return; | |
428 | } | |
429 | ||
6aed6a11 ZJS |
430 | test(__func__, m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED); |
431 | test(__func__, m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED); | |
432 | test(__func__, m, "exec-systemcallfilter-with-errno-multi.service", errno_from_name("EILSEQ"), CLD_EXITED); | |
281e05b6 RC |
433 | #endif |
434 | } | |
435 | ||
436 | static void test_exec_systemcallerrornumber(Manager *m) { | |
349cc4a5 | 437 | #if HAVE_SECCOMP |
738c74d7 YW |
438 | int r; |
439 | ||
f0e018e7 YW |
440 | if (!is_seccomp_available()) { |
441 | log_notice("Seccomp not available, skipping %s", __func__); | |
7a18854f | 442 | return; |
f0e018e7 YW |
443 | } |
444 | ||
738c74d7 YW |
445 | r = find_binary("python3", NULL); |
446 | if (r < 0) { | |
447 | log_notice_errno(r, "Skipping %s, could not find python3 binary: %m", __func__); | |
448 | return; | |
449 | } | |
450 | ||
6aed6a11 ZJS |
451 | test(__func__, m, "exec-systemcallerrornumber-name.service", errno_from_name("EACCES"), CLD_EXITED); |
452 | test(__func__, m, "exec-systemcallerrornumber-number.service", 255, CLD_EXITED); | |
281e05b6 RC |
453 | #endif |
454 | } | |
455 | ||
f0e018e7 | 456 | static void test_exec_restrictnamespaces(Manager *m) { |
349cc4a5 | 457 | #if HAVE_SECCOMP |
f0e018e7 YW |
458 | if (!is_seccomp_available()) { |
459 | log_notice("Seccomp not available, skipping %s", __func__); | |
97e60383 | 460 | return; |
f0e018e7 | 461 | } |
97e60383 | 462 | |
6aed6a11 ZJS |
463 | test(__func__, m, "exec-restrictnamespaces-no.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); |
464 | test(__func__, m, "exec-restrictnamespaces-yes.service", 1, CLD_EXITED); | |
465 | test(__func__, m, "exec-restrictnamespaces-mnt.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
466 | test(__func__, m, "exec-restrictnamespaces-mnt-blacklist.service", 1, CLD_EXITED); | |
467 | test(__func__, m, "exec-restrictnamespaces-merge-and.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
468 | test(__func__, m, "exec-restrictnamespaces-merge-or.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
469 | test(__func__, m, "exec-restrictnamespaces-merge-all.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED); | |
97e60383 DH |
470 | #endif |
471 | } | |
472 | ||
f0e018e7 | 473 | static void test_exec_systemcallfilter_system(Manager *m) { |
349cc4a5 | 474 | #if HAVE_SECCOMP |
f0e018e7 YW |
475 | if (!is_seccomp_available()) { |
476 | log_notice("Seccomp not available, skipping %s", __func__); | |
83f12b27 | 477 | return; |
f0e018e7 | 478 | } |
57c2efa0 | 479 | |
6aed6a11 | 480 | test(__func__, m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED); |
69b07407 | 481 | |
57c2efa0 | 482 | if (!check_nobody_user_and_group()) { |
5cd33ccc | 483 | log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); |
57c2efa0 YW |
484 | return; |
485 | } | |
486 | ||
69b07407 | 487 | if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { |
5cd33ccc | 488 | log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__); |
69b07407 YW |
489 | return; |
490 | } | |
491 | ||
6aed6a11 | 492 | test(__func__, m, "exec-systemcallfilter-system-user-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); |
19c0b0b9 RC |
493 | #endif |
494 | } | |
495 | ||
281e05b6 | 496 | static void test_exec_user(Manager *m) { |
6aed6a11 | 497 | test(__func__, m, "exec-user.service", 0, CLD_EXITED); |
69b07407 | 498 | |
57c2efa0 | 499 | if (!check_nobody_user_and_group()) { |
5cd33ccc | 500 | log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); |
57c2efa0 YW |
501 | return; |
502 | } | |
503 | ||
69b07407 | 504 | if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { |
5cd33ccc | 505 | log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__); |
69b07407 YW |
506 | return; |
507 | } | |
508 | ||
6aed6a11 | 509 | test(__func__, m, "exec-user-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); |
281e05b6 RC |
510 | } |
511 | ||
512 | static void test_exec_group(Manager *m) { | |
6aed6a11 | 513 | test(__func__, m, "exec-group.service", 0, CLD_EXITED); |
69b07407 | 514 | |
57c2efa0 | 515 | if (!check_nobody_user_and_group()) { |
5cd33ccc | 516 | log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); |
57c2efa0 YW |
517 | return; |
518 | } | |
519 | ||
69b07407 | 520 | if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) { |
5cd33ccc | 521 | log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__); |
69b07407 YW |
522 | return; |
523 | } | |
524 | ||
6aed6a11 | 525 | test(__func__, m, "exec-group-" NOBODY_GROUP_NAME ".service", 0, CLD_EXITED); |
281e05b6 RC |
526 | } |
527 | ||
f0e018e7 | 528 | static void test_exec_supplementarygroups(Manager *m) { |
6aed6a11 ZJS |
529 | test(__func__, m, "exec-supplementarygroups.service", 0, CLD_EXITED); |
530 | test(__func__, m, "exec-supplementarygroups-single-group.service", 0, CLD_EXITED); | |
531 | test(__func__, m, "exec-supplementarygroups-single-group-user.service", 0, CLD_EXITED); | |
532 | test(__func__, m, "exec-supplementarygroups-multiple-groups-default-group-user.service", 0, CLD_EXITED); | |
533 | test(__func__, m, "exec-supplementarygroups-multiple-groups-withgid.service", 0, CLD_EXITED); | |
534 | test(__func__, m, "exec-supplementarygroups-multiple-groups-withuid.service", 0, CLD_EXITED); | |
86b838ea DH |
535 | } |
536 | ||
f0e018e7 | 537 | static void test_exec_dynamicuser(Manager *m) { |
b7172f34 | 538 | |
6aed6a11 | 539 | test(__func__, m, "exec-dynamicuser-fixeduser.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); |
9f82d685 | 540 | if (check_user_has_group_with_same_name("adm")) |
6aed6a11 | 541 | test(__func__, m, "exec-dynamicuser-fixeduser-adm.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); |
9f82d685 | 542 | if (check_user_has_group_with_same_name("games")) |
6aed6a11 ZJS |
543 | test(__func__, m, "exec-dynamicuser-fixeduser-games.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); |
544 | test(__func__, m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
545 | test(__func__, m, "exec-dynamicuser-supplementarygroups.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
546 | test(__func__, m, "exec-dynamicuser-statedir.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
028f3a7f | 547 | |
1c587309 YW |
548 | (void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL); |
549 | (void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL); | |
550 | (void) rm_rf("/var/lib/private/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL); | |
551 | (void) rm_rf("/var/lib/private/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL); | |
552 | ||
6aed6a11 ZJS |
553 | test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED); |
554 | test(__func__, m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); | |
1c587309 | 555 | |
028f3a7f YW |
556 | (void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL); |
557 | (void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL); | |
558 | (void) rm_rf("/var/lib/private/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL); | |
559 | (void) rm_rf("/var/lib/private/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL); | |
2b9ac11e DH |
560 | } |
561 | ||
281e05b6 | 562 | static void test_exec_environment(Manager *m) { |
6aed6a11 ZJS |
563 | test(__func__, m, "exec-environment-no-substitute.service", 0, CLD_EXITED); |
564 | test(__func__, m, "exec-environment.service", 0, CLD_EXITED); | |
565 | test(__func__, m, "exec-environment-multiple.service", 0, CLD_EXITED); | |
566 | test(__func__, m, "exec-environment-empty.service", 0, CLD_EXITED); | |
281e05b6 RC |
567 | } |
568 | ||
03bd70dd RC |
569 | static void test_exec_environmentfile(Manager *m) { |
570 | static const char e[] = | |
571 | "VAR1='word1 word2'\n" | |
572 | "VAR2=word3 \n" | |
573 | "# comment1\n" | |
574 | "\n" | |
575 | "; comment2\n" | |
576 | " ; # comment3\n" | |
577 | "line without an equal\n" | |
9b796f35 | 578 | "VAR3='$word 5 6'\n" |
b6887d7a JH |
579 | "VAR4='new\nline'\n" |
580 | "VAR5=password\\with\\backslashes"; | |
03bd70dd RC |
581 | int r; |
582 | ||
583 | r = write_string_file("/tmp/test-exec_environmentfile.conf", e, WRITE_STRING_FILE_CREATE); | |
584 | assert_se(r == 0); | |
585 | ||
6aed6a11 | 586 | test(__func__, m, "exec-environmentfile.service", 0, CLD_EXITED); |
03bd70dd | 587 | |
f0e018e7 | 588 | (void) unlink("/tmp/test-exec_environmentfile.conf"); |
03bd70dd RC |
589 | } |
590 | ||
4c80d201 | 591 | static void test_exec_passenvironment(Manager *m) { |
e1abca2e FB |
592 | /* test-execute runs under MANAGER_USER which, by default, forwards all |
593 | * variables present in the environment, but only those that are | |
594 | * present _at the time it is created_! | |
595 | * | |
596 | * So these PassEnvironment checks are still expected to work, since we | |
597 | * are ensuring the variables are not present at manager creation (they | |
598 | * are unset explicitly in main) and are only set here. | |
599 | * | |
600 | * This is still a good approximation of how a test for MANAGER_SYSTEM | |
601 | * would work. | |
602 | */ | |
4c80d201 FB |
603 | assert_se(setenv("VAR1", "word1 word2", 1) == 0); |
604 | assert_se(setenv("VAR2", "word3", 1) == 0); | |
605 | assert_se(setenv("VAR3", "$word 5 6", 1) == 0); | |
9b796f35 | 606 | assert_se(setenv("VAR4", "new\nline", 1) == 0); |
b6887d7a | 607 | assert_se(setenv("VAR5", "passwordwithbackslashes", 1) == 0); |
6aed6a11 ZJS |
608 | test(__func__, m, "exec-passenvironment.service", 0, CLD_EXITED); |
609 | test(__func__, m, "exec-passenvironment-repeated.service", 0, CLD_EXITED); | |
610 | test(__func__, m, "exec-passenvironment-empty.service", 0, CLD_EXITED); | |
4c80d201 FB |
611 | assert_se(unsetenv("VAR1") == 0); |
612 | assert_se(unsetenv("VAR2") == 0); | |
613 | assert_se(unsetenv("VAR3") == 0); | |
9b796f35 | 614 | assert_se(unsetenv("VAR4") == 0); |
b6887d7a | 615 | assert_se(unsetenv("VAR5") == 0); |
6aed6a11 | 616 | test(__func__, m, "exec-passenvironment-absent.service", 0, CLD_EXITED); |
4c80d201 FB |
617 | } |
618 | ||
27c5347c | 619 | static void test_exec_umask(Manager *m) { |
6aed6a11 ZJS |
620 | test(__func__, m, "exec-umask-default.service", 0, CLD_EXITED); |
621 | test(__func__, m, "exec-umask-0177.service", 0, CLD_EXITED); | |
27c5347c RC |
622 | } |
623 | ||
cc3ddc85 | 624 | static void test_exec_runtimedirectory(Manager *m) { |
6aed6a11 ZJS |
625 | test(__func__, m, "exec-runtimedirectory.service", 0, CLD_EXITED); |
626 | test(__func__, m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED); | |
627 | test(__func__, m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED); | |
57c2efa0 YW |
628 | |
629 | if (!check_nobody_user_and_group()) { | |
5cd33ccc | 630 | log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); |
69b07407 YW |
631 | return; |
632 | } | |
633 | ||
634 | if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) { | |
5cd33ccc | 635 | log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__); |
57c2efa0 YW |
636 | return; |
637 | } | |
638 | ||
6aed6a11 | 639 | test(__func__, m, "exec-runtimedirectory-owner-" NOBODY_GROUP_NAME ".service", 0, CLD_EXITED); |
ff4ca461 RC |
640 | } |
641 | ||
642 | static void test_exec_capabilityboundingset(Manager *m) { | |
643 | int r; | |
644 | ||
ff4ca461 RC |
645 | r = find_binary("capsh", NULL); |
646 | if (r < 0) { | |
5cd33ccc | 647 | log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__); |
ff4ca461 RC |
648 | return; |
649 | } | |
650 | ||
b7856f92 YW |
651 | if (have_effective_cap(CAP_CHOWN) <= 0 || |
652 | have_effective_cap(CAP_FOWNER) <= 0 || | |
653 | have_effective_cap(CAP_KILL) <= 0) { | |
654 | log_notice("Skipping %s, this process does not have enough capabilities", __func__); | |
655 | return; | |
656 | } | |
657 | ||
6aed6a11 ZJS |
658 | test(__func__, m, "exec-capabilityboundingset-simple.service", 0, CLD_EXITED); |
659 | test(__func__, m, "exec-capabilityboundingset-reset.service", 0, CLD_EXITED); | |
660 | test(__func__, m, "exec-capabilityboundingset-merge.service", 0, CLD_EXITED); | |
661 | test(__func__, m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED); | |
cc3ddc85 RC |
662 | } |
663 | ||
5008da1e | 664 | static void test_exec_basic(Manager *m) { |
6aed6a11 | 665 | test(__func__, m, "exec-basic.service", 0, CLD_EXITED); |
5008da1e ZJS |
666 | } |
667 | ||
b6dc25ee | 668 | static void test_exec_ambientcapabilities(Manager *m) { |
70d7aea5 IP |
669 | int r; |
670 | ||
671 | /* Check if the kernel has support for ambient capabilities. Run | |
672 | * the tests only if that's the case. Clearing all ambient | |
673 | * capabilities is fine, since we are expecting them to be unset | |
674 | * in the first place for the tests. */ | |
675 | r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); | |
f0e018e7 | 676 | if (r < 0 && IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) { |
5cd33ccc | 677 | log_notice("Skipping %s, the kernel does not support ambient capabilities", __func__); |
f0e018e7 YW |
678 | return; |
679 | } | |
680 | ||
e5ba1d32 | 681 | if (have_effective_cap(CAP_CHOWN) <= 0 || |
b7856f92 YW |
682 | have_effective_cap(CAP_NET_RAW) <= 0) { |
683 | log_notice("Skipping %s, this process does not have enough capabilities", __func__); | |
684 | return; | |
685 | } | |
686 | ||
6aed6a11 ZJS |
687 | test(__func__, m, "exec-ambientcapabilities.service", 0, CLD_EXITED); |
688 | test(__func__, m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED); | |
69b07407 | 689 | |
57c2efa0 | 690 | if (!check_nobody_user_and_group()) { |
5cd33ccc | 691 | log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); |
69b07407 YW |
692 | return; |
693 | } | |
694 | ||
695 | if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { | |
5cd33ccc | 696 | log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__); |
57c2efa0 YW |
697 | return; |
698 | } | |
699 | ||
6aed6a11 ZJS |
700 | test(__func__, m, "exec-ambientcapabilities-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); |
701 | test(__func__, m, "exec-ambientcapabilities-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); | |
70d7aea5 IP |
702 | } |
703 | ||
63447f11 RC |
704 | static void test_exec_privatenetwork(Manager *m) { |
705 | int r; | |
706 | ||
707 | r = find_binary("ip", NULL); | |
708 | if (r < 0) { | |
5cd33ccc | 709 | log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__); |
63447f11 RC |
710 | return; |
711 | } | |
712 | ||
6aed6a11 | 713 | test(__func__, m, "exec-privatenetwork-yes.service", can_unshare ? 0 : EXIT_NETWORK, CLD_EXITED); |
63447f11 RC |
714 | } |
715 | ||
c388dfea | 716 | static void test_exec_oomscoreadjust(Manager *m) { |
6aed6a11 | 717 | test(__func__, m, "exec-oomscoreadjust-positive.service", 0, CLD_EXITED); |
642d1a6d YW |
718 | |
719 | if (detect_container() > 0) { | |
720 | log_notice("Testing in container, skipping remaining tests in %s", __func__); | |
721 | return; | |
722 | } | |
6aed6a11 | 723 | test(__func__, m, "exec-oomscoreadjust-negative.service", 0, CLD_EXITED); |
c388dfea RC |
724 | } |
725 | ||
a6226758 | 726 | static void test_exec_ioschedulingclass(Manager *m) { |
6aed6a11 ZJS |
727 | test(__func__, m, "exec-ioschedulingclass-none.service", 0, CLD_EXITED); |
728 | test(__func__, m, "exec-ioschedulingclass-idle.service", 0, CLD_EXITED); | |
729 | test(__func__, m, "exec-ioschedulingclass-best-effort.service", 0, CLD_EXITED); | |
642d1a6d YW |
730 | |
731 | if (detect_container() > 0) { | |
732 | log_notice("Testing in container, skipping remaining tests in %s", __func__); | |
733 | return; | |
734 | } | |
6aed6a11 | 735 | test(__func__, m, "exec-ioschedulingclass-realtime.service", 0, CLD_EXITED); |
a6226758 RC |
736 | } |
737 | ||
f0e018e7 | 738 | static void test_exec_unsetenvironment(Manager *m) { |
6aed6a11 | 739 | test(__func__, m, "exec-unsetenvironment.service", 0, CLD_EXITED); |
42cc99d5 LP |
740 | } |
741 | ||
9672b583 | 742 | static void test_exec_specifier(Manager *m) { |
6aed6a11 ZJS |
743 | test(__func__, m, "exec-specifier.service", 0, CLD_EXITED); |
744 | test(__func__, m, "exec-specifier@foo-bar.service", 0, CLD_EXITED); | |
745 | test(__func__, m, "exec-specifier-interpolation.service", 0, CLD_EXITED); | |
9672b583 LP |
746 | } |
747 | ||
f0e018e7 | 748 | static void test_exec_standardinput(Manager *m) { |
6aed6a11 ZJS |
749 | test(__func__, m, "exec-standardinput-data.service", 0, CLD_EXITED); |
750 | test(__func__, m, "exec-standardinput-file.service", 0, CLD_EXITED); | |
666d7877 LP |
751 | } |
752 | ||
566b7d23 | 753 | static void test_exec_standardoutput(Manager *m) { |
6aed6a11 | 754 | test(__func__, m, "exec-standardoutput-file.service", 0, CLD_EXITED); |
566b7d23 ZD |
755 | } |
756 | ||
757 | static void test_exec_standardoutput_append(Manager *m) { | |
6aed6a11 | 758 | test(__func__, m, "exec-standardoutput-append.service", 0, CLD_EXITED); |
566b7d23 ZD |
759 | } |
760 | ||
31cd5f63 AZ |
761 | static void test_exec_condition(Manager *m) { |
762 | test_service(__func__, m, "exec-condition-failed.service", SERVICE_FAILURE_EXIT_CODE); | |
763 | test_service(__func__, m, "exec-condition-skip.service", SERVICE_SKIP_CONDITION); | |
764 | } | |
765 | ||
9efb9631 ZJS |
766 | typedef struct test_entry { |
767 | test_function_t f; | |
768 | const char *name; | |
769 | } test_entry; | |
770 | ||
771 | #define entry(x) {x, #x} | |
772 | ||
773 | static int run_tests(UnitFileScope scope, const test_entry tests[], char **patterns) { | |
774 | const test_entry *test = NULL; | |
c70cac54 | 775 | _cleanup_(manager_freep) Manager *m = NULL; |
19c0b0b9 RC |
776 | int r; |
777 | ||
778 | assert_se(tests); | |
779 | ||
e8112e67 | 780 | r = manager_new(scope, MANAGER_TEST_RUN_BASIC, &m); |
730d989a ZJS |
781 | if (MANAGER_SKIP_TEST(r)) |
782 | return log_tests_skipped_errno(r, "manager_new"); | |
19c0b0b9 RC |
783 | assert_se(r >= 0); |
784 | assert_se(manager_startup(m, NULL, NULL) >= 0); | |
785 | ||
9efb9631 ZJS |
786 | for (test = tests; test && test->f; test++) |
787 | if (strv_fnmatch_or_empty(patterns, test->name, FNM_NOESCAPE)) | |
788 | test->f(m); | |
789 | else | |
790 | log_info("Skipping %s because it does not match any pattern.", test->name); | |
19c0b0b9 | 791 | |
19c0b0b9 RC |
792 | return 0; |
793 | } | |
794 | ||
281e05b6 | 795 | int main(int argc, char *argv[]) { |
ac1f08b9 | 796 | _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL; |
55890a40 | 797 | _cleanup_free_ char *test_execute_path = NULL; |
9efb9631 ZJS |
798 | |
799 | static const test_entry user_tests[] = { | |
800 | entry(test_exec_basic), | |
801 | entry(test_exec_ambientcapabilities), | |
802 | entry(test_exec_bindpaths), | |
803 | entry(test_exec_capabilityboundingset), | |
31cd5f63 | 804 | entry(test_exec_condition), |
9efb9631 ZJS |
805 | entry(test_exec_cpuaffinity), |
806 | entry(test_exec_environment), | |
807 | entry(test_exec_environmentfile), | |
808 | entry(test_exec_group), | |
809 | entry(test_exec_ignoresigpipe), | |
810 | entry(test_exec_inaccessiblepaths), | |
811 | entry(test_exec_ioschedulingclass), | |
812 | entry(test_exec_oomscoreadjust), | |
813 | entry(test_exec_passenvironment), | |
814 | entry(test_exec_personality), | |
815 | entry(test_exec_privatedevices), | |
816 | entry(test_exec_privatenetwork), | |
817 | entry(test_exec_privatetmp), | |
818 | entry(test_exec_protecthome), | |
819 | entry(test_exec_protectkernelmodules), | |
820 | entry(test_exec_readonlypaths), | |
821 | entry(test_exec_readwritepaths), | |
822 | entry(test_exec_restrictnamespaces), | |
823 | entry(test_exec_runtimedirectory), | |
824 | entry(test_exec_standardinput), | |
825 | entry(test_exec_standardoutput), | |
826 | entry(test_exec_standardoutput_append), | |
827 | entry(test_exec_supplementarygroups), | |
828 | entry(test_exec_systemcallerrornumber), | |
829 | entry(test_exec_systemcallfilter), | |
830 | entry(test_exec_temporaryfilesystem), | |
831 | entry(test_exec_umask), | |
832 | entry(test_exec_unsetenvironment), | |
833 | entry(test_exec_user), | |
834 | entry(test_exec_workingdirectory), | |
835 | {}, | |
281e05b6 | 836 | }; |
9efb9631 ZJS |
837 | static const test_entry system_tests[] = { |
838 | entry(test_exec_dynamicuser), | |
839 | entry(test_exec_specifier), | |
840 | entry(test_exec_systemcallfilter_system), | |
841 | {}, | |
19c0b0b9 | 842 | }; |
281e05b6 RC |
843 | int r; |
844 | ||
6d7c4033 | 845 | test_setup_logging(LOG_DEBUG); |
281e05b6 | 846 | |
0df54921 | 847 | #if HAS_FEATURE_ADDRESS_SANITIZER |
176ceb2c EV |
848 | if (is_run_on_travis_ci()) { |
849 | log_notice("Running on TravisCI under ASan, skipping, see https://github.com/systemd/systemd/issues/10696"); | |
850 | return EXIT_TEST_SKIP; | |
851 | } | |
852 | #endif | |
853 | ||
2482f88d LP |
854 | (void) unsetenv("USER"); |
855 | (void) unsetenv("LOGNAME"); | |
63d6135f | 856 | (void) unsetenv("SHELL"); |
32853207 | 857 | (void) unsetenv("HOME"); |
2482f88d | 858 | |
5f00dc4d LP |
859 | can_unshare = have_namespaces(); |
860 | ||
607ff5f9 | 861 | /* It is needed otherwise cgroup creation fails */ |
317bb217 ZJS |
862 | if (getuid() != 0) |
863 | return log_tests_skipped("not root"); | |
607ff5f9 | 864 | |
651d47d1 | 865 | r = enter_cgroup_subroot(); |
317bb217 ZJS |
866 | if (r == -ENOMEDIUM) |
867 | return log_tests_skipped("cgroupfs not available"); | |
8c759b33 | 868 | |
ac1f08b9 | 869 | assert_se(runtime_dir = setup_fake_runtime_dir()); |
62a85ee0 | 870 | test_execute_path = path_join(get_testdata_dir(), "test-execute"); |
55890a40 | 871 | assert_se(set_unit_path(test_execute_path) >= 0); |
281e05b6 | 872 | |
e1abca2e FB |
873 | /* Unset VAR1, VAR2 and VAR3 which are used in the PassEnvironment test |
874 | * cases, otherwise (and if they are present in the environment), | |
875 | * `manager_default_environment` will copy them into the default | |
876 | * environment which is passed to each created job, which will make the | |
877 | * tests that expect those not to be present to fail. | |
878 | */ | |
879 | assert_se(unsetenv("VAR1") == 0); | |
880 | assert_se(unsetenv("VAR2") == 0); | |
881 | assert_se(unsetenv("VAR3") == 0); | |
882 | ||
9efb9631 | 883 | r = run_tests(UNIT_FILE_USER, user_tests, argv + 1); |
b7172f34 YW |
884 | if (r != 0) |
885 | return r; | |
886 | ||
9efb9631 | 887 | r = run_tests(UNIT_FILE_SYSTEM, system_tests, argv + 1); |
b7172f34 YW |
888 | if (r != 0) |
889 | return r; | |
890 | ||
891 | #if HAVE_SECCOMP | |
892 | /* The following tests are for 1beab8b0d0ff2d7d1436b52d4a0c3d56dc908962. */ | |
893 | if (!is_seccomp_available()) { | |
894 | log_notice("Seccomp not available, skipping unshare() filtered tests."); | |
895 | return 0; | |
896 | } | |
897 | ||
2bd061a4 | 898 | _cleanup_hashmap_free_ Hashmap *s = NULL; |
b7172f34 YW |
899 | assert_se(s = hashmap_new(NULL)); |
900 | r = seccomp_syscall_resolve_name("unshare"); | |
901 | assert_se(r != __NR_SCMP_ERROR); | |
902 | assert_se(hashmap_put(s, UINT32_TO_PTR(r + 1), INT_TO_PTR(-1)) >= 0); | |
903 | assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EOPNOTSUPP), true) >= 0); | |
904 | assert_se(unshare(CLONE_NEWNS) < 0); | |
905 | assert_se(errno == EOPNOTSUPP); | |
906 | ||
907 | can_unshare = false; | |
908 | ||
9efb9631 | 909 | r = run_tests(UNIT_FILE_USER, user_tests, argv + 1); |
19c0b0b9 RC |
910 | if (r != 0) |
911 | return r; | |
281e05b6 | 912 | |
9efb9631 | 913 | return run_tests(UNIT_FILE_SYSTEM, system_tests, argv + 1); |
b7172f34 YW |
914 | #else |
915 | return 0; | |
916 | #endif | |
281e05b6 | 917 | } |