1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
4 #include <sys/socket.h>
7 #include "alloc-util.h"
10 #include "process-util.h"
11 #include "string-util.h"
13 #include "user-util.h"
16 TEST(namespace_cleanup_tmpdir
) {
18 _cleanup_(namespace_cleanup_tmpdirp
) char *dir
;
19 assert_se(dir
= strdup(RUN_SYSTEMD_EMPTY
));
23 _cleanup_(namespace_cleanup_tmpdirp
) char *dir
;
24 assert_se(dir
= strdup("/tmp/systemd-test-namespace.XXXXXX"));
25 assert_se(mkdtemp(dir
));
29 static void test_tmpdir_one(const char *id
, const char *A
, const char *B
) {
30 _cleanup_free_
char *a
, *b
;
34 assert_se(setup_tmp_dirs(id
, &a
, &b
) == 0);
36 assert_se(stat(a
, &x
) >= 0);
37 assert_se(stat(b
, &y
) >= 0);
39 assert_se(S_ISDIR(x
.st_mode
));
40 assert_se(S_ISDIR(y
.st_mode
));
42 if (!streq(a
, RUN_SYSTEMD_EMPTY
)) {
43 assert_se(startswith(a
, A
));
44 assert_se((x
.st_mode
& 01777) == 0700);
45 c
= strjoina(a
, "/tmp");
46 assert_se(stat(c
, &x
) >= 0);
47 assert_se(S_ISDIR(x
.st_mode
));
48 assert_se(FLAGS_SET(x
.st_mode
, 01777));
49 assert_se(rmdir(c
) >= 0);
50 assert_se(rmdir(a
) >= 0);
53 if (!streq(b
, RUN_SYSTEMD_EMPTY
)) {
54 assert_se(startswith(b
, B
));
55 assert_se((y
.st_mode
& 01777) == 0700);
56 d
= strjoina(b
, "/tmp");
57 assert_se(stat(d
, &y
) >= 0);
58 assert_se(S_ISDIR(y
.st_mode
));
59 assert_se(FLAGS_SET(y
.st_mode
, 01777));
60 assert_se(rmdir(d
) >= 0);
61 assert_se(rmdir(b
) >= 0);
66 _cleanup_free_
char *x
= NULL
, *y
= NULL
, *z
= NULL
, *zz
= NULL
;
69 assert_se(sd_id128_get_boot(&bid
) >= 0);
71 x
= strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(bid
), "-abcd.service-");
72 y
= strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(bid
), "-abcd.service-");
75 test_tmpdir_one("abcd.service", x
, y
);
77 z
= strjoin("/tmp/systemd-private-", SD_ID128_TO_STRING(bid
), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
78 zz
= strjoin("/var/tmp/systemd-private-", SD_ID128_TO_STRING(bid
), "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
82 test_tmpdir_one("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z
, zz
);
85 static void test_shareable_ns(unsigned long nsflag
) {
86 _cleanup_close_pair_
int s
[2] = { -1, -1 };
87 pid_t pid1
, pid2
, pid3
;
92 (void) log_tests_skipped("not root");
96 assert_se(socketpair(AF_UNIX
, SOCK_DGRAM
, 0, s
) >= 0);
102 r
= setup_shareable_ns(s
, nsflag
);
108 assert_se(pid2
>= 0);
111 r
= setup_shareable_ns(s
, nsflag
);
117 assert_se(pid3
>= 0);
120 r
= setup_shareable_ns(s
, nsflag
);
125 r
= wait_for_terminate(pid1
, &si
);
127 assert_se(si
.si_code
== CLD_EXITED
);
130 r
= wait_for_terminate(pid2
, &si
);
132 assert_se(si
.si_code
== CLD_EXITED
);
135 r
= wait_for_terminate(pid3
, &si
);
137 assert_se(si
.si_code
== CLD_EXITED
);
144 test_shareable_ns(CLONE_NEWNET
);
148 test_shareable_ns(CLONE_NEWIPC
);
151 TEST(protect_kernel_logs
) {
154 static const NamespaceInfo ns_info
= {
155 .protect_kernel_logs
= true,
159 (void) log_tests_skipped("not root");
163 /* In a container we likely don't have access to /dev/kmsg */
164 if (detect_container() > 0) {
165 (void) log_tests_skipped("in container");
173 _cleanup_close_
int fd
= -EBADF
;
175 fd
= open("/dev/kmsg", O_RDONLY
| O_CLOEXEC
);
178 r
= setup_namespace(NULL
,
214 assert_se(setresuid(UID_NOBODY
, UID_NOBODY
, UID_NOBODY
) >= 0);
215 assert_se(open("/dev/kmsg", O_RDONLY
| O_CLOEXEC
) < 0);
216 assert_se(errno
== EACCES
);
221 assert_se(wait_for_terminate_and_check("ns-kernellogs", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
224 static int intro(void) {
225 if (!have_namespaces())
226 return log_tests_skipped("Don't have namespace support");
231 DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO
, intro
);