1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2014 Ronny Chevalier
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/prctl.h>
25 #include <sys/types.h>
27 #include "cpu-set-util.h"
28 #include "errno-list.h"
34 #include "path-util.h"
37 #include "seccomp-util.h"
39 #include "stat-util.h"
40 #include "test-helper.h"
43 #include "user-util.h"
47 typedef void (*test_function_t
)(Manager
*m
);
49 static void check(Manager
*m
, Unit
*unit
, int status_expected
, int code_expected
) {
50 Service
*service
= NULL
;
52 usec_t timeout
= 2 * USEC_PER_MINUTE
;
57 service
= SERVICE(unit
);
58 printf("%s\n", unit
->id
);
59 exec_context_dump(&service
->exec_context
, stdout
, "\t");
60 ts
= now(CLOCK_MONOTONIC
);
61 while (!IN_SET(service
->state
, SERVICE_DEAD
, SERVICE_FAILED
)) {
65 r
= sd_event_run(m
->event
, 100 * USEC_PER_MSEC
);
68 n
= now(CLOCK_MONOTONIC
);
69 if (ts
+ timeout
< n
) {
70 log_error("Test timeout when testing %s", unit
->id
);
74 exec_status_dump(&service
->main_exec_status
, stdout
, "\t");
75 assert_se(service
->main_exec_status
.status
== status_expected
);
76 assert_se(service
->main_exec_status
.code
== code_expected
);
79 static bool check_nobody_user_and_group(void) {
80 static int cache
= -1;
87 if (!synthesize_nobody())
90 p
= getpwnam(NOBODY_USER_NAME
);
92 !streq(p
->pw_name
, NOBODY_USER_NAME
) ||
93 p
->pw_uid
!= UID_NOBODY
||
94 p
->pw_gid
!= GID_NOBODY
)
97 p
= getpwuid(UID_NOBODY
);
99 !streq(p
->pw_name
, NOBODY_USER_NAME
) ||
100 p
->pw_uid
!= UID_NOBODY
||
101 p
->pw_gid
!= GID_NOBODY
)
104 g
= getgrnam(NOBODY_GROUP_NAME
);
106 !streq(g
->gr_name
, NOBODY_GROUP_NAME
) ||
107 g
->gr_gid
!= GID_NOBODY
)
110 g
= getgrgid(GID_NOBODY
);
112 !streq(g
->gr_name
, NOBODY_GROUP_NAME
) ||
113 g
->gr_gid
!= GID_NOBODY
)
124 static bool is_inaccessible_available(void) {
128 "/run/systemd/inaccessible/reg",
129 "/run/systemd/inaccessible/dir",
130 "/run/systemd/inaccessible/chr",
131 "/run/systemd/inaccessible/blk",
132 "/run/systemd/inaccessible/fifo",
133 "/run/systemd/inaccessible/sock"
135 if (access(p
, F_OK
) < 0)
142 static void test(Manager
*m
, const char *unit_name
, int status_expected
, int code_expected
) {
145 assert_se(unit_name
);
147 assert_se(manager_load_unit(m
, unit_name
, NULL
, NULL
, &unit
) >= 0);
148 assert_se(UNIT_VTABLE(unit
)->start(unit
) >= 0);
149 check(m
, unit
, status_expected
, code_expected
);
152 static void test_exec_bindpaths(Manager
*m
) {
153 assert_se(mkdir_p("/tmp/test-exec-bindpaths", 0755) >= 0);
154 assert_se(mkdir_p("/tmp/test-exec-bindreadonlypaths", 0755) >= 0);
156 test(m
, "exec-bindpaths.service", 0, CLD_EXITED
);
158 (void) rm_rf("/tmp/test-exec-bindpaths", REMOVE_ROOT
|REMOVE_PHYSICAL
);
159 (void) rm_rf("/tmp/test-exec-bindreadonlypaths", REMOVE_ROOT
|REMOVE_PHYSICAL
);
162 static void test_exec_cpuaffinity(Manager
*m
) {
163 _cleanup_cpu_free_ cpu_set_t
*c
= NULL
;
166 assert_se(c
= cpu_set_malloc(&n
));
167 assert_se(sched_getaffinity(0, CPU_ALLOC_SIZE(n
), c
) >= 0);
169 if (CPU_ISSET_S(0, CPU_ALLOC_SIZE(n
), c
) == 0) {
170 log_notice("Cannot use CPU 0, skipping %s", __func__
);
174 test(m
, "exec-cpuaffinity1.service", 0, CLD_EXITED
);
175 test(m
, "exec-cpuaffinity2.service", 0, CLD_EXITED
);
177 if (CPU_ISSET_S(1, CPU_ALLOC_SIZE(n
), c
) == 0 ||
178 CPU_ISSET_S(2, CPU_ALLOC_SIZE(n
), c
) == 0) {
179 log_notice("Cannot use CPU 1 or 2, skipping remaining tests in %s", __func__
);
183 test(m
, "exec-cpuaffinity3.service", 0, CLD_EXITED
);
186 static void test_exec_workingdirectory(Manager
*m
) {
187 assert_se(mkdir_p("/tmp/test-exec_workingdirectory", 0755) >= 0);
189 test(m
, "exec-workingdirectory.service", 0, CLD_EXITED
);
191 (void) rm_rf("/tmp/test-exec_workingdirectory", REMOVE_ROOT
|REMOVE_PHYSICAL
);
194 static void test_exec_personality(Manager
*m
) {
195 #if defined(__x86_64__)
196 test(m
, "exec-personality-x86-64.service", 0, CLD_EXITED
);
198 #elif defined(__s390__)
199 test(m
, "exec-personality-s390.service", 0, CLD_EXITED
);
201 #elif defined(__powerpc64__)
202 # if __BYTE_ORDER == __BIG_ENDIAN
203 test(m
, "exec-personality-ppc64.service", 0, CLD_EXITED
);
205 test(m
, "exec-personality-ppc64le.service", 0, CLD_EXITED
);
208 #elif defined(__aarch64__)
209 test(m
, "exec-personality-aarch64.service", 0, CLD_EXITED
);
211 #elif defined(__i386__)
212 test(m
, "exec-personality-x86.service", 0, CLD_EXITED
);
214 log_notice("Unknown personality, skipping %s", __func__
);
218 static void test_exec_ignoresigpipe(Manager
*m
) {
219 test(m
, "exec-ignoresigpipe-yes.service", 0, CLD_EXITED
);
220 test(m
, "exec-ignoresigpipe-no.service", SIGPIPE
, CLD_KILLED
);
223 static void test_exec_privatetmp(Manager
*m
) {
224 assert_se(touch("/tmp/test-exec_privatetmp") >= 0);
226 test(m
, "exec-privatetmp-yes.service", 0, CLD_EXITED
);
227 test(m
, "exec-privatetmp-no.service", 0, CLD_EXITED
);
229 unlink("/tmp/test-exec_privatetmp");
232 static void test_exec_privatedevices(Manager
*m
) {
235 if (detect_container() > 0) {
236 log_notice("Testing in container, skipping %s", __func__
);
239 if (!is_inaccessible_available()) {
240 log_notice("Testing without inaccessible, skipping %s", __func__
);
244 test(m
, "exec-privatedevices-yes.service", 0, CLD_EXITED
);
245 test(m
, "exec-privatedevices-no.service", 0, CLD_EXITED
);
247 /* We use capsh to test if the capabilities are
248 * properly set, so be sure that it exists */
249 r
= find_binary("capsh", NULL
);
251 log_error_errno(r
, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__
);
255 test(m
, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED
);
256 test(m
, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED
);
257 test(m
, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED
);
258 test(m
, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED
);
261 static void test_exec_protectkernelmodules(Manager
*m
) {
264 if (detect_container() > 0) {
265 log_notice("Testing in container, skipping %s", __func__
);
268 if (!is_inaccessible_available()) {
269 log_notice("Testing without inaccessible, skipping %s", __func__
);
273 r
= find_binary("capsh", NULL
);
275 log_error_errno(r
, "Skipping %s, could not find capsh binary: %m", __func__
);
279 test(m
, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED
);
280 test(m
, "exec-protectkernelmodules-yes-capabilities.service", 0, CLD_EXITED
);
281 test(m
, "exec-protectkernelmodules-yes-mount-propagation.service", 0, CLD_EXITED
);
284 static void test_exec_readonlypaths(Manager
*m
) {
286 test(m
, "exec-readonlypaths-simple.service", 0, CLD_EXITED
);
288 if (path_is_read_only_fs("/var") > 0) {
289 log_notice("Directory /var is readonly, skipping remaining tests in %s", __func__
);
293 test(m
, "exec-readonlypaths.service", 0, CLD_EXITED
);
294 test(m
, "exec-readonlypaths-mount-propagation.service", 0, CLD_EXITED
);
295 test(m
, "exec-readonlypaths-with-bindpaths.service", 0, CLD_EXITED
);
298 static void test_exec_readwritepaths(Manager
*m
) {
300 if (path_is_read_only_fs("/") > 0) {
301 log_notice("Root directory is readonly, skipping %s", __func__
);
305 test(m
, "exec-readwritepaths-mount-propagation.service", 0, CLD_EXITED
);
308 static void test_exec_inaccessiblepaths(Manager
*m
) {
310 if (!is_inaccessible_available()) {
311 log_notice("Testing without inaccessible, skipping %s", __func__
);
315 test(m
, "exec-inaccessiblepaths-proc.service", 0, CLD_EXITED
);
317 if (path_is_read_only_fs("/") > 0) {
318 log_notice("Root directory is readonly, skipping remaining tests in %s", __func__
);
322 test(m
, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED
);
325 static void test_exec_temporaryfilesystem(Manager
*m
) {
327 test(m
, "exec-temporaryfilesystem-options.service", 0, CLD_EXITED
);
328 test(m
, "exec-temporaryfilesystem-ro.service", 0, CLD_EXITED
);
329 test(m
, "exec-temporaryfilesystem-rw.service", 0, CLD_EXITED
);
330 test(m
, "exec-temporaryfilesystem-usr.service", 0, CLD_EXITED
);
333 static void test_exec_systemcallfilter(Manager
*m
) {
335 if (!is_seccomp_available()) {
336 log_notice("Seccomp not available, skipping %s", __func__
);
340 test(m
, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED
);
341 test(m
, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED
);
342 test(m
, "exec-systemcallfilter-failing.service", SIGSYS
, CLD_KILLED
);
343 test(m
, "exec-systemcallfilter-failing2.service", SIGSYS
, CLD_KILLED
);
344 test(m
, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED
);
345 test(m
, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED
);
349 static void test_exec_systemcallerrornumber(Manager
*m
) {
351 if (!is_seccomp_available()) {
352 log_notice("Seccomp not available, skipping %s", __func__
);
356 test(m
, "exec-systemcallerrornumber-name.service", errno_from_name("EACCES"), CLD_EXITED
);
357 test(m
, "exec-systemcallerrornumber-number.service", 255, CLD_EXITED
);
361 static void test_exec_restrictnamespaces(Manager
*m
) {
363 if (!is_seccomp_available()) {
364 log_notice("Seccomp not available, skipping %s", __func__
);
368 test(m
, "exec-restrictnamespaces-no.service", 0, CLD_EXITED
);
369 test(m
, "exec-restrictnamespaces-yes.service", 1, CLD_EXITED
);
370 test(m
, "exec-restrictnamespaces-mnt.service", 0, CLD_EXITED
);
371 test(m
, "exec-restrictnamespaces-mnt-blacklist.service", 1, CLD_EXITED
);
375 static void test_exec_systemcallfilter_system(Manager
*m
) {
377 if (!is_seccomp_available()) {
378 log_notice("Seccomp not available, skipping %s", __func__
);
382 test(m
, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED
);
384 if (!check_nobody_user_and_group()) {
385 log_error_errno(errno
, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__
);
389 if (!STR_IN_SET(NOBODY_USER_NAME
, "nobody", "nfsnobody")) {
390 log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME
, __func__
);
394 test(m
, "exec-systemcallfilter-system-user-" NOBODY_USER_NAME
".service", 0, CLD_EXITED
);
398 static void test_exec_user(Manager
*m
) {
399 test(m
, "exec-user.service", 0, CLD_EXITED
);
401 if (!check_nobody_user_and_group()) {
402 log_error_errno(errno
, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__
);
406 if (!STR_IN_SET(NOBODY_USER_NAME
, "nobody", "nfsnobody")) {
407 log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME
, __func__
);
411 test(m
, "exec-user-" NOBODY_USER_NAME
".service", 0, CLD_EXITED
);
414 static void test_exec_group(Manager
*m
) {
415 test(m
, "exec-group.service", 0, CLD_EXITED
);
417 if (!check_nobody_user_and_group()) {
418 log_error_errno(errno
, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__
);
422 if (!STR_IN_SET(NOBODY_GROUP_NAME
, "nobody", "nfsnobody", "nogroup")) {
423 log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME
, __func__
);
427 test(m
, "exec-group-" NOBODY_GROUP_NAME
".service", 0, CLD_EXITED
);
430 static void test_exec_supplementarygroups(Manager
*m
) {
431 test(m
, "exec-supplementarygroups.service", 0, CLD_EXITED
);
432 test(m
, "exec-supplementarygroups-single-group.service", 0, CLD_EXITED
);
433 test(m
, "exec-supplementarygroups-single-group-user.service", 0, CLD_EXITED
);
434 test(m
, "exec-supplementarygroups-multiple-groups-default-group-user.service", 0, CLD_EXITED
);
435 test(m
, "exec-supplementarygroups-multiple-groups-withgid.service", 0, CLD_EXITED
);
436 test(m
, "exec-supplementarygroups-multiple-groups-withuid.service", 0, CLD_EXITED
);
439 static void test_exec_dynamicuser(Manager
*m
) {
440 test(m
, "exec-dynamicuser-fixeduser.service", 0, CLD_EXITED
);
441 test(m
, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", 0, CLD_EXITED
);
442 test(m
, "exec-dynamicuser-supplementarygroups.service", 0, CLD_EXITED
);
443 test(m
, "exec-dynamicuser-statedir.service", 0, CLD_EXITED
);
445 test(m
, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED
);
446 test(m
, "exec-dynamicuser-statedir-migrate-step2.service", 0, CLD_EXITED
);
447 (void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT
|REMOVE_PHYSICAL
);
448 (void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT
|REMOVE_PHYSICAL
);
449 (void) rm_rf("/var/lib/private/test-dynamicuser-migrate", REMOVE_ROOT
|REMOVE_PHYSICAL
);
450 (void) rm_rf("/var/lib/private/test-dynamicuser-migrate2", REMOVE_ROOT
|REMOVE_PHYSICAL
);
453 static void test_exec_environment(Manager
*m
) {
454 test(m
, "exec-environment.service", 0, CLD_EXITED
);
455 test(m
, "exec-environment-multiple.service", 0, CLD_EXITED
);
456 test(m
, "exec-environment-empty.service", 0, CLD_EXITED
);
459 static void test_exec_environmentfile(Manager
*m
) {
460 static const char e
[] =
461 "VAR1='word1 word2'\n"
467 "line without an equal\n"
468 "VAR3='$word 5 6'\n";
471 r
= write_string_file("/tmp/test-exec_environmentfile.conf", e
, WRITE_STRING_FILE_CREATE
);
474 test(m
, "exec-environmentfile.service", 0, CLD_EXITED
);
476 (void) unlink("/tmp/test-exec_environmentfile.conf");
479 static void test_exec_passenvironment(Manager
*m
) {
480 /* test-execute runs under MANAGER_USER which, by default, forwards all
481 * variables present in the environment, but only those that are
482 * present _at the time it is created_!
484 * So these PassEnvironment checks are still expected to work, since we
485 * are ensuring the variables are not present at manager creation (they
486 * are unset explicitly in main) and are only set here.
488 * This is still a good approximation of how a test for MANAGER_SYSTEM
491 assert_se(setenv("VAR1", "word1 word2", 1) == 0);
492 assert_se(setenv("VAR2", "word3", 1) == 0);
493 assert_se(setenv("VAR3", "$word 5 6", 1) == 0);
494 test(m
, "exec-passenvironment.service", 0, CLD_EXITED
);
495 test(m
, "exec-passenvironment-repeated.service", 0, CLD_EXITED
);
496 test(m
, "exec-passenvironment-empty.service", 0, CLD_EXITED
);
497 assert_se(unsetenv("VAR1") == 0);
498 assert_se(unsetenv("VAR2") == 0);
499 assert_se(unsetenv("VAR3") == 0);
500 test(m
, "exec-passenvironment-absent.service", 0, CLD_EXITED
);
503 static void test_exec_umask(Manager
*m
) {
504 test(m
, "exec-umask-default.service", 0, CLD_EXITED
);
505 test(m
, "exec-umask-0177.service", 0, CLD_EXITED
);
508 static void test_exec_runtimedirectory(Manager
*m
) {
509 test(m
, "exec-runtimedirectory.service", 0, CLD_EXITED
);
510 test(m
, "exec-runtimedirectory-mode.service", 0, CLD_EXITED
);
511 test(m
, "exec-runtimedirectory-owner.service", 0, CLD_EXITED
);
513 if (!check_nobody_user_and_group()) {
514 log_error_errno(errno
, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__
);
518 if (!STR_IN_SET(NOBODY_GROUP_NAME
, "nobody", "nfsnobody", "nogroup")) {
519 log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME
, __func__
);
523 test(m
, "exec-runtimedirectory-owner-" NOBODY_GROUP_NAME
".service", 0, CLD_EXITED
);
526 static void test_exec_capabilityboundingset(Manager
*m
) {
529 r
= find_binary("capsh", NULL
);
531 log_error_errno(r
, "Skipping %s, could not find capsh binary: %m", __func__
);
535 test(m
, "exec-capabilityboundingset-simple.service", 0, CLD_EXITED
);
536 test(m
, "exec-capabilityboundingset-reset.service", 0, CLD_EXITED
);
537 test(m
, "exec-capabilityboundingset-merge.service", 0, CLD_EXITED
);
538 test(m
, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED
);
541 static void test_exec_capabilityambientset(Manager
*m
) {
544 /* Check if the kernel has support for ambient capabilities. Run
545 * the tests only if that's the case. Clearing all ambient
546 * capabilities is fine, since we are expecting them to be unset
547 * in the first place for the tests. */
548 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_CLEAR_ALL
, 0, 0, 0);
549 if (r
< 0 && IN_SET(errno
, EINVAL
, EOPNOTSUPP
, ENOSYS
)) {
550 log_error("Skipping %s, the kernel does not support ambient capabilities", __func__
);
554 test(m
, "exec-capabilityambientset.service", 0, CLD_EXITED
);
555 test(m
, "exec-capabilityambientset-merge.service", 0, CLD_EXITED
);
557 if (!check_nobody_user_and_group()) {
558 log_error_errno(errno
, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__
);
562 if (!STR_IN_SET(NOBODY_USER_NAME
, "nobody", "nfsnobody")) {
563 log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME
, __func__
);
567 test(m
, "exec-capabilityambientset-" NOBODY_USER_NAME
".service", 0, CLD_EXITED
);
568 test(m
, "exec-capabilityambientset-merge-" NOBODY_USER_NAME
".service", 0, CLD_EXITED
);
571 static void test_exec_privatenetwork(Manager
*m
) {
574 r
= find_binary("ip", NULL
);
576 log_error_errno(r
, "Skipping %s, could not find ip binary: %m", __func__
);
580 test(m
, "exec-privatenetwork-yes.service", 0, CLD_EXITED
);
583 static void test_exec_oomscoreadjust(Manager
*m
) {
584 test(m
, "exec-oomscoreadjust-positive.service", 0, CLD_EXITED
);
585 test(m
, "exec-oomscoreadjust-negative.service", 0, CLD_EXITED
);
588 static void test_exec_ioschedulingclass(Manager
*m
) {
589 test(m
, "exec-ioschedulingclass-none.service", 0, CLD_EXITED
);
590 test(m
, "exec-ioschedulingclass-idle.service", 0, CLD_EXITED
);
591 test(m
, "exec-ioschedulingclass-realtime.service", 0, CLD_EXITED
);
592 test(m
, "exec-ioschedulingclass-best-effort.service", 0, CLD_EXITED
);
595 static void test_exec_unsetenvironment(Manager
*m
) {
596 test(m
, "exec-unsetenvironment.service", 0, CLD_EXITED
);
599 static void test_exec_specifier(Manager
*m
) {
600 test(m
, "exec-specifier.service", 0, CLD_EXITED
);
601 test(m
, "exec-specifier@foo-bar.service", 0, CLD_EXITED
);
602 test(m
, "exec-specifier-interpolation.service", 0, CLD_EXITED
);
605 static void test_exec_standardinput(Manager
*m
) {
606 test(m
, "exec-standardinput-data.service", 0, CLD_EXITED
);
607 test(m
, "exec-standardinput-file.service", 0, CLD_EXITED
);
610 static int run_tests(UnitFileScope scope
, const test_function_t
*tests
) {
611 const test_function_t
*test
= NULL
;
617 r
= manager_new(scope
, MANAGER_TEST_RUN_MINIMAL
, &m
);
618 if (MANAGER_SKIP_TEST(r
)) {
619 log_notice_errno(r
, "Skipping test: manager_new: %m");
620 return EXIT_TEST_SKIP
;
623 assert_se(manager_startup(m
, NULL
, NULL
) >= 0);
625 for (test
= tests
; test
&& *test
; test
++)
633 int main(int argc
, char *argv
[]) {
634 _cleanup_(rm_rf_physical_and_freep
) char *runtime_dir
= NULL
;
635 static const test_function_t user_tests
[] = {
637 test_exec_capabilityambientset
,
638 test_exec_capabilityboundingset
,
639 test_exec_cpuaffinity
,
640 test_exec_environment
,
641 test_exec_environmentfile
,
643 test_exec_ignoresigpipe
,
644 test_exec_inaccessiblepaths
,
645 test_exec_ioschedulingclass
,
646 test_exec_oomscoreadjust
,
647 test_exec_passenvironment
,
648 test_exec_personality
,
649 test_exec_privatedevices
,
650 test_exec_privatenetwork
,
651 test_exec_privatetmp
,
652 test_exec_protectkernelmodules
,
653 test_exec_readonlypaths
,
654 test_exec_readwritepaths
,
655 test_exec_restrictnamespaces
,
656 test_exec_runtimedirectory
,
657 test_exec_standardinput
,
658 test_exec_supplementarygroups
,
659 test_exec_systemcallerrornumber
,
660 test_exec_systemcallfilter
,
661 test_exec_temporaryfilesystem
,
663 test_exec_unsetenvironment
,
665 test_exec_workingdirectory
,
668 static const test_function_t system_tests
[] = {
669 test_exec_dynamicuser
,
671 test_exec_systemcallfilter_system
,
676 log_set_max_level(LOG_DEBUG
);
677 log_parse_environment();
680 (void) unsetenv("USER");
681 (void) unsetenv("LOGNAME");
683 /* It is needed otherwise cgroup creation fails */
685 puts("Skipping test: not root");
686 return EXIT_TEST_SKIP
;
689 r
= enter_cgroup_subroot();
690 if (r
== -ENOMEDIUM
) {
691 puts("Skipping test: cgroupfs not available");
692 return EXIT_TEST_SKIP
;
695 assert_se(runtime_dir
= setup_fake_runtime_dir());
696 assert_se(set_unit_path(get_testdata_dir("/test-execute")) >= 0);
698 /* Unset VAR1, VAR2 and VAR3 which are used in the PassEnvironment test
699 * cases, otherwise (and if they are present in the environment),
700 * `manager_default_environment` will copy them into the default
701 * environment which is passed to each created job, which will make the
702 * tests that expect those not to be present to fail.
704 assert_se(unsetenv("VAR1") == 0);
705 assert_se(unsetenv("VAR2") == 0);
706 assert_se(unsetenv("VAR3") == 0);
708 r
= run_tests(UNIT_FILE_USER
, user_tests
);
712 return run_tests(UNIT_FILE_SYSTEM
, system_tests
);