2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
7 # shellcheck source=test/units/util.sh
8 .
"$(dirname "$0")"/util.sh
10 # Make sure the unit's exec context matches its configuration
11 # See: https://github.com/systemd/systemd/pull/29552
13 # Even though hidepid= was introduced in kernel 3.3, we support only
14 # the post 5.8 implementation that allows us to apply the option per-instance,
15 # instead of the whole namespace. To distinguish between these two implementations
16 # lets check if we can mount procfs with a named value (e.g. hidepid=off), since
17 # support for this was introduced in the same commit as the per-instance stuff
18 proc_supports_option
() {
22 proc_tmp
="$(mktemp -d)"
23 mount
-t proc
-o "$option" proc
"$proc_tmp" && ec
=0 || ec
=$?
24 mountpoint
-q "$proc_tmp" && umount
-q "$proc_tmp"
30 # In coverage builds we disable ProtectSystem= and ProtectHome= via a service.d
31 # dropin in /etc. This dropin has, unfortunately, higher priority than
32 # the transient stuff from systemd-run. Let's just skip the following tests
33 # in that case instead of complicating the test setup even more */
34 if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]; then
35 if ! systemd-detect-virt
-cq && command -v bootctl
>/dev
/null
; then
36 boot_path
="$(bootctl --print-boot-path)"
37 esp_path
="$(bootctl --print-esp-path)"
39 # If the mount points are handled by automount units, make sure we trigger
40 # them before proceeding further
41 ls -l "$boot_path" "$esp_path"
44 systemd-run
--wait --pipe -p ProtectSystem
=yes \
45 bash
-xec "test ! -w /usr; ${boot_path:+"test ! -w $boot_path; test ! -w $esp_path;"} test -w /etc; test -w /var"
46 systemd-run
--wait --pipe -p ProtectSystem
=full \
47 bash
-xec "test ! -w /usr; ${boot_path:+"test ! -w $boot_path; test ! -w $esp_path;"} test ! -w /etc; test -w /var"
48 systemd-run
--wait --pipe -p ProtectSystem
=strict \
49 bash
-xec "test ! -w /; test ! -w /etc; test ! -w /var; test -w /dev; test -w /proc"
50 systemd-run
--wait --pipe -p ProtectSystem
=no \
51 bash
-xec "test -w /; test -w /etc; test -w /var; test -w /dev; test -w /proc"
53 MARK
="$(mktemp /root/.exec-context.XXX)"
54 systemd-run
--wait --pipe -p ProtectHome
=yes \
55 bash
-xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK"
56 systemd-run
--wait --pipe -p ProtectHome
=read-only \
57 bash
-xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test -e $MARK"
58 systemd-run
--wait --pipe -p ProtectHome
=tmpfs \
59 bash
-xec "test -w /home; test -w /root; test -w /run/user; test ! -e $MARK"
60 systemd-run
--wait --pipe -p ProtectHome
=no \
61 bash
-xec "test -w /home; test -w /root; test -w /run/user; test -e $MARK"
65 if proc_supports_option
"hidepid=off"; then
66 systemd-run
--wait --pipe -p ProtectProc
=noaccess
-p User
=testuser \
67 bash
-xec 'test -e /proc/1; test ! -r /proc/1; test -r /proc/$$$$/comm'
68 systemd-run
--wait --pipe -p ProtectProc
=invisible
-p User
=testuser \
69 bash
-xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
70 systemd-run
--wait --pipe -p ProtectProc
=ptraceable
-p User
=testuser \
71 bash
-xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
72 systemd-run
--wait --pipe -p ProtectProc
=ptraceable
-p User
=testuser
-p AmbientCapabilities
=CAP_SYS_PTRACE \
73 bash
-xec 'test -r /proc/1; test -r /proc/$$$$/comm'
74 systemd-run
--wait --pipe -p ProtectProc
=default
-p User
=testuser \
75 bash
-xec 'test -r /proc/1; test -r /proc/$$$$/comm'
78 if proc_supports_option
"subset=pid"; then
79 systemd-run
--wait --pipe -p ProcSubset
=pid
-p User
=testuser \
80 bash
-xec "test -r /proc/1/comm; test ! -e /proc/cpuinfo"
81 systemd-run
--wait --pipe -p ProcSubset
=all
-p User
=testuser \
82 bash
-xec "test -r /proc/1/comm; test -r /proc/cpuinfo"
85 if ! systemd-detect-virt
-cq; then
86 systemd-run
--wait --pipe -p ProtectKernelLogs
=yes -p User
=testuser \
87 bash
-xec "test ! -r /dev/kmsg"
88 systemd-run
--wait --pipe -p ProtectKernelLogs
=no
-p User
=testuser \
89 bash
-xec "test -r /dev/kmsg"
92 systemd-run
--wait --pipe -p BindPaths
="/etc /home:/mnt:norbind -/foo/bar/baz:/usr:rbind" \
93 bash
-xec "mountpoint /etc; test -d /etc/systemd; mountpoint /mnt; ! mountpoint /usr"
94 systemd-run
--wait --pipe -p BindReadOnlyPaths
="/etc /home:/mnt:norbind -/foo/bar/baz:/usr:rbind" \
95 bash
-xec "test ! -w /etc; test ! -w /mnt; ! mountpoint /usr"
97 # Check if we correctly serialize, deserialize, and set directives that
98 # have more complex internal handling
99 if ! systemd-detect-virt
-cq; then
100 # Funny detail: this originally used the underlying rootfs device, but that,
101 # for some reason, caused "divide error" in kernel, followed by a kernel panic
103 LODEV
="$(losetup --show -f "$TEMPFILE")"
104 ROOT_DEV_MAJ_MIN
="$(lsblk -nro MAJ:MIN "$LODEV")"
105 EXPECTED_IO_MAX
="$ROOT_DEV_MAJ_MIN rbps=1000 wbps=1000000000000 riops=2000000000 wiops=4000"
106 EXPECTED_IO_LATENCY
="$ROOT_DEV_MAJ_MIN target=69000"
107 SERVICE_NAME
="test-io-directives-$RANDOM.service"
108 CGROUP_PATH
="/sys/fs/cgroup/system.slice/$SERVICE_NAME"
112 # Throw in a couple of invalid entries just to test things out
113 -p IOReadBandwidthMax
="/foo/bar 1M"
114 -p IOReadBandwidthMax
="/foo/baz 1M"
115 -p IOReadBandwidthMax
="$LODEV 1M"
116 -p IOReadBandwidthMax
="$LODEV 1K"
117 -p IOWriteBandwidthMax
="$LODEV 1G"
118 -p IOWriteBandwidthMax
="$LODEV 1T"
119 -p IOReadIOPSMax
="$LODEV 2G"
120 -p IOWriteIOPSMax
="$LODEV 4K"
121 -p IODeviceLatencyTargetSec
="$LODEV 666ms"
122 -p IODeviceLatencyTargetSec
="/foo/bar 69ms"
123 -p IODeviceLatencyTargetSec
="$LODEV 69ms"
124 -p IOReadBandwidthMax
="/foo/bar 1M"
125 -p IOReadBandwidthMax
="/foo/baz 1M"
126 # TODO: IODeviceWeight= doesn't work on loop devices and virtual disks
127 -p IODeviceWeight
="$LODEV 999"
128 -p IODeviceWeight
="/foo/bar 999"
131 systemctl set-property system.slice IOAccounting
=yes
132 # io.latency not available by default on Debian stable
133 if [[ -e /sys
/fs
/cgroup
/system.slice
/io.latency
]]; then
134 systemd-run
--wait --pipe --unit "$SERVICE_NAME" "${ARGUMENTS[@]}" \
135 bash
-xec "diff <(echo $EXPECTED_IO_MAX) $CGROUP_PATH/io.max; diff <(echo $EXPECTED_IO_LATENCY) $CGROUP_PATH/io.latency"
140 -p CPUSchedulingPolicy
=rr
# ID: 2
141 -p CPUSchedulingPolicy
=fifo
# ID: 1
142 -p CPUSchedulingPriority
=5 # Actual prio: 94 (99 - prio)
143 -p CPUSchedulingPriority
=10 # Actual prio: 89 (99 - prio)
146 systemd-run
--wait --pipe --unit "$SERVICE_NAME" "${ARGUMENTS[@]}" \
147 bash
-xec 'grep -E "^policy\s*:\s*1$" /proc/self/sched; grep -E "^prio\s*:\s*89$" /proc/self/sched'
151 -p DevicePolicy
=closed
152 -p DevicePolicy
=strict
153 -p DeviceAllow
="char-mem rm" # Allow read & mknod for /dev/{null,zero,...}
154 -p DeviceAllow
="/dev/loop0 rw"
155 -p DeviceAllow
="/dev/loop0 w" # Allow write for /dev/loop0
156 # Everything else should be disallowed per the strict policy
159 systemd-run
--wait --pipe --unit "$SERVICE_NAME" "${ARGUMENTS[@]}" \
160 bash
-xec 'test -r /dev/null; test ! -w /dev/null; test ! -r /dev/loop0; test -w /dev/loop0; test ! -r /dev/tty; test ! -w /dev/tty'
162 if ! systemctl
--version |
grep -qF -- "-BPF_FRAMEWORK"; then
166 -p SocketBindAllow
=1234
167 -p SocketBindAllow
=ipv4
:udp
:any
168 -p SocketBindAllow
=ipv6
:6666
169 # Everything but the last assignment is superfluous, but it still exercises
170 # the parsing machinery
172 -p SocketBindDeny
=1111
173 -p SocketBindDeny
=ipv4
:1111
174 -p SocketBindDeny
=ipv4
:any
175 -p SocketBindDeny
=ipv4
:tcp
:any
176 -p SocketBindDeny
=ipv4
:udp
:10000-11000
177 -p SocketBindDeny
=ipv6
:1111
178 -p SocketBindDeny
=any
181 # We should fail with EPERM when trying to bind to a socket not on the allow list
182 # (nc exits with 2 in that case)
183 systemd-run
--wait -p SuccessExitStatus
="1 2" --pipe "${ARGUMENTS[@]}" \
184 bash
-xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42'
185 systemd-run
--wait -p SuccessExitStatus
="1 2" --pipe "${ARGUMENTS[@]}" \
186 bash
-xec 'timeout 1s nc -l ::1 9999; exit 42'
187 systemd-run
--wait -p SuccessExitStatus
="1 2" --pipe "${ARGUMENTS[@]}" \
188 bash
-xec 'timeout 1s nc -6 -u -l ::1 9999; exit 42'
189 systemd-run
--wait -p SuccessExitStatus
="1 2" --pipe "${ARGUMENTS[@]}" \
190 bash
-xec 'timeout 1s nc -4 -l 127.0.0.1 6666; exit 42'
191 # Consequently, we should succeed when binding to a socket on the allow list
192 # and keep listening on it until we're killed by `timeout` (EC 124)
193 systemd-run
--wait --pipe -p SuccessExitStatus
=124 "${ARGUMENTS[@]}" \
194 bash
-xec 'timeout 1s nc -4 -l 127.0.0.1 1234; exit 1'
195 systemd-run
--wait --pipe -p SuccessExitStatus
=124 "${ARGUMENTS[@]}" \
196 bash
-xec 'timeout 1s nc -4 -u -l 127.0.0.1 5678; exit 1'
197 systemd-run
--wait --pipe -p SuccessExitStatus
=124 "${ARGUMENTS[@]}" \
198 bash
-xec 'timeout 1s nc -6 -l ::1 1234; exit 1'
199 systemd-run
--wait --pipe -p SuccessExitStatus
=124 "${ARGUMENTS[@]}" \
200 bash
-xec 'timeout 1s nc -6 -l ::1 6666; exit 1'
207 # {Cache,Configuration,Logs,Runtime,State}Directory=
209 -p CacheDirectory
="foo/bar/baz"
210 -p CacheDirectory
="foo"
211 -p CacheDirectory
="context"
212 -p CacheDirectoryMode
="0123"
213 -p CacheDirectoryMode
="0666"
214 -p ConfigurationDirectory
="context/foo also_context/bar context/nested/baz"
215 -p ConfigurationDirectoryMode
="0400"
216 -p LogsDirectory
="context/foo"
218 -p LogsDirectory
="context/a/very/nested/logs/dir"
219 -p RuntimeDirectory
="context"
220 -p RuntimeDirectory
="also_context"
221 -p RuntimeDirectoryPreserve
=yes
222 -p StateDirectory
="context"
223 -p StateDirectory
="./././././././context context context"
224 -p StateDirectoryMode
="0000"
228 systemd-run
--wait --pipe "${ARGUMENTS[@]}" \
229 bash
-xec '[[ $CACHE_DIRECTORY == /var/cache/context:/var/cache/foo:/var/cache/foo/bar/baz ]];
230 [[ $(stat -c "%a" ${CACHE_DIRECTORY##*:}) == 666 ]]'
231 systemd-run
--wait --pipe "${ARGUMENTS[@]}" \
232 bash
-xec '[[ $CONFIGURATION_DIRECTORY == /etc/also_context/bar:/etc/context/foo:/etc/context/nested/baz ]];
233 [[ $(stat -c "%a" ${CONFIGURATION_DIRECTORY##*:}) == 400 ]]'
234 systemd-run
--wait --pipe "${ARGUMENTS[@]}" \
235 bash
-xec '[[ $LOGS_DIRECTORY == /var/log/context/a/very/nested/logs/dir:/var/log/context/foo ]];
236 [[ $(stat -c "%a" ${LOGS_DIRECTORY##*:}) == 755 ]]'
237 systemd-run
--wait --pipe "${ARGUMENTS[@]}" \
238 bash
-xec '[[ $RUNTIME_DIRECTORY == /run/also_context:/run/context ]];
239 [[ $(stat -c "%a" ${RUNTIME_DIRECTORY##*:}) == 755 ]];
240 [[ $(stat -c "%a" ${RUNTIME_DIRECTORY%%:*}) == 755 ]]'
241 systemd-run
--wait --pipe "${ARGUMENTS[@]}" \
242 bash
-xec '[[ $STATE_DIRECTORY == /var/lib/context ]]; [[ $(stat -c "%a" $STATE_DIRECTORY) == 0 ]]'
244 rm -rf /var
/{cache
,lib
,log
}/context
/etc
/{also_
,}context
248 # Note: keep limits of LimitDATA= and LimitAS= unlimited, otherwise ASan (LSan)
249 # won't be able to mmap the shadow maps
252 -p LimitCPU
=10:15 # ulimit -t
253 -p LimitFSIZE
=96G
# ulimit -f
254 -p LimitDATA
=8T
:infinity
255 -p LimitDATA
=infinity
# ulimit -d
256 -p LimitSTACK
=8M
# ulimit -s
257 -p LimitCORE
=infinity
258 -p LimitCORE
=17M
# ulimit -c
259 -p LimitRSS
=27G
# ulimit -m
260 -p LimitNOFILE
=7:127 # ulimit -n
261 -p LimitAS
=infinity
# ulimit -v
263 -p LimitNPROC
=64:infinity
# ulimit -u
264 -p LimitMEMLOCK
=37M
# ulimit -l
265 -p LimitLOCKS
=19:1021 # ulimit -x
266 -p LimitSIGPENDING
=21 # ulimit -i
267 -p LimitMSGQUEUE
=666 # ulimit -q
268 -p LimitNICE
=4 # ulimit -e
269 -p LimitRTPRIO
=8 # ulimit -r
270 -p LimitRTTIME
=666666 # ulimit -R
272 # Do all the checks in one giant inline shell blob to avoid the overhead of spawning
273 # a new service for each check
275 # Note: ulimit shows storage-related values in 1024-byte increments*
276 # Note2: ulimit -R requires bash >= 5.1
278 # * in POSIX mode -c a -f options show values in 512-byte increments; let's hope
279 # we never run in the POSIX mode
280 systemd-run
--wait --pipe "${ARGUMENTS[@]}" \
281 bash
-xec 'KB=1; MB=$((KB * 1024)); GB=$((MB * 1024)); TB=$((GB * 1024));
282 : CPU; [[ $(ulimit -St) -eq 10 ]]; [[ $(ulimit -Ht) -eq 15 ]];
283 : FSIZE; [[ $(ulimit -Sf) -eq $((96 * GB)) ]]; [[ $(ulimit -Hf) -eq $((96 * GB)) ]];
284 : DATA; [[ $(ulimit -Sd) == unlimited ]]; [[ $(ulimit -Hd) == unlimited ]];
285 : STACK; [[ $(ulimit -Ss) -eq $((8 * MB)) ]]; [[ $(ulimit -Hs) -eq $((8 * MB)) ]];
286 : CORE; [[ $(ulimit -Sc) -eq $((17 * MB)) ]]; [[ $(ulimit -Hc) -eq $((17 * MB)) ]];
287 : RSS; [[ $(ulimit -Sm) -eq $((27 * GB)) ]]; [[ $(ulimit -Hm) -eq $((27 * GB)) ]];
288 : NOFILE; [[ $(ulimit -Sn) -eq 7 ]]; [[ $(ulimit -Hn) -eq 127 ]];
289 : AS; [[ $(ulimit -Sv) == unlimited ]]; [[ $(ulimit -Hv) == unlimited ]];
290 : NPROC; [[ $(ulimit -Su) -eq 64 ]]; [[ $(ulimit -Hu) == unlimited ]];
291 : MEMLOCK; [[ $(ulimit -Sl) -eq $((37 * MB)) ]]; [[ $(ulimit -Hl) -eq $((37 * MB)) ]];
292 : LOCKS; [[ $(ulimit -Sx) -eq 19 ]]; [[ $(ulimit -Hx) -eq 1021 ]];
293 : SIGPENDING; [[ $(ulimit -Si) -eq 21 ]]; [[ $(ulimit -Hi) -eq 21 ]];
294 : MSGQUEUE; [[ $(ulimit -Sq) -eq 666 ]]; [[ $(ulimit -Hq) -eq 666 ]];
295 : NICE; [[ $(ulimit -Se) -eq 4 ]]; [[ $(ulimit -He) -eq 4 ]];
296 : RTPRIO; [[ $(ulimit -Sr) -eq 8 ]]; [[ $(ulimit -Hr) -eq 8 ]];
298 : RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];'
300 # RestrictFileSystems=
302 # Note: running instrumented binaries requires at least /proc to be accessible, so let's
303 # skip the test when we're running under sanitizers
305 # Note: $GCOV_ERROR_LOG is used during coverage runs to suppress errors when creating *.gcda files,
306 # since gcov can't access the restricted filesystem (as expected)
307 if [[ ! -v ASAN_OPTIONS
]] && systemctl
--version |
grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf
; then
308 ROOTFS
="$(df --output=fstype /usr/bin | sed --quiet 2p)"
309 systemd-run
--wait --pipe -p RestrictFileSystems
="" ls /
310 systemd-run
--wait --pipe -p RestrictFileSystems
="$ROOTFS foo bar" ls /
311 (! systemd-run
--wait --pipe -p RestrictFileSystems
="$ROOTFS" ls /proc
)
312 (! systemd-run
--wait --pipe -p GCOV_ERROR_LOG
=/dev
/null
-p RestrictFileSystems
="foo" ls /)
313 systemd-run
--wait --pipe -p RestrictFileSystems
="$ROOTFS foo bar baz proc" ls /proc
314 systemd-run
--wait --pipe -p RestrictFileSystems
="$ROOTFS @foo @basic-api" ls /proc
315 systemd-run
--wait --pipe -p RestrictFileSystems
="$ROOTFS @foo @basic-api" ls /sys
/fs
/cgroup
317 systemd-run
--wait --pipe -p RestrictFileSystems
="~" ls /
318 systemd-run
--wait --pipe -p RestrictFileSystems
="~proc" ls /
319 systemd-run
--wait --pipe -p RestrictFileSystems
="~@basic-api" ls /
320 (! systemd-run
--wait --pipe -p GCOV_ERROR_LOG
=/dev
/null
-p RestrictFileSystems
="~$ROOTFS" ls /)
321 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~proc" ls /proc
)
322 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~@basic-api" ls /proc
)
323 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~proc foo @bar @basic-api" ls /proc
)
324 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~proc foo @bar @basic-api" ls /sys
)
325 systemd-run
--wait --pipe -p RestrictFileSystems
="~proc devtmpfs sysfs" ls /
326 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~proc devtmpfs sysfs" ls /proc
)
327 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~proc devtmpfs sysfs" ls /dev
)
328 (! systemd-run
--wait --pipe -p RestrictFileSystems
="~proc devtmpfs sysfs" ls /sys
)
331 # Ensure that clean-up codepaths work correctly if activation ultimately fails
332 touch /run
/not-a-directory
335 chmod +x
/tmp
/root
/foo
336 (! systemd-run
--wait --pipe false
)
337 (! systemd-run
--wait --pipe --unit "test-dynamicuser-fail" -p DynamicUser
=yes -p WorkingDirectory
=/nonexistent true
)
338 (! systemd-run
--wait --pipe -p RuntimeDirectory
=not-a-directory true
)
339 (! systemd-run
--wait --pipe -p RootDirectory
=/tmp
/root this-shouldnt-exist
)
340 (! systemd-run
--wait --pipe -p RootDirectory
=/tmp
/root
/foo
)
341 (! systemd-run
--wait --pipe --service-type=oneshot
-p ExecStartPre
=-/foo
/bar
/baz
-p ExecStart
=-/foo
/bar
/baz
-p RootDirectory
=/tmp
/root
-- "- foo")