git.ipfire.org Git - thirdparty/systemd.git/blob - test/units/testsuite-07.exec-context.sh
# SPDX-License-Identifier: LGPL-2.1-or-later
# Make sure the unit's exec context matches its configuration
# See: https://github.com/systemd/systemd/pull/29552
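# Even though hidepid= was introduced in kernel 3.3, we support only
# the post 5.8 implementation that allows us to apply the option per-instance,
# instead of the whole namespace. To distinguish between these two
# implementations, let's check if we can mount procfs with a named value
# (e.g. hidepid=off), since support for this was introduced in the same commit
# as the per-instance stuff.
#
# Arguments: $1 - procfs mount option to probe (e.g. "hidepid=off")
# Returns:   0 if procfs could be mounted with that option, otherwise the
#            exit status of mount
proc_supports_option() {
    # Fail loudly on a missing argument instead of probing with an empty option
    local option="${1:?}"
    local proc_tmp ec

    proc_tmp="$(mktemp -d)"
    # Record the status rather than letting a failed probe abort the caller
    mount -t proc -o "$option" proc "$proc_tmp" && ec=0 || ec=$?
    if mountpoint -q "$proc_tmp"; then
        umount -q "$proc_tmp"
    fi
    # rmdir, not rm -rf: never recurse into a procfs that failed to unmount
    rmdir -- "$proc_tmp"

    return "$ec"
}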
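# In coverage builds we disable ProtectSystem= and ProtectHome= via a service.d
# dropin in /etc. This dropin has, unfortunately, higher priority than
# the transient stuff from systemd-run. Let's just skip the following tests
# in that case instead of complicating the test setup even more.
if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]; then
    # ProtectSystem=: each level must make strictly more of the file system
    # hierarchy read-only, and =no must leave everything writable.
    systemd-run --wait --pipe -p ProtectSystem=yes \
        bash -xec "test ! -w /usr; test ! -w /boot; test -w /etc; test -w /var"
    systemd-run --wait --pipe -p ProtectSystem=full \
        bash -xec "test ! -w /usr; test ! -w /boot; test ! -w /etc; test -w /var"
    systemd-run --wait --pipe -p ProtectSystem=strict \
        bash -xec "test ! -w /; test ! -w /etc; test ! -w /var; test -w /dev; test -w /proc"
    systemd-run --wait --pipe -p ProtectSystem=no \
        bash -xec "test -w /; test -w /etc; test -w /var; test -w /dev; test -w /proc"

    # ProtectHome=: the marker file created on the host side tells "directory
    # is hidden or replaced" ($MARK missing) apart from "directory is the real
    # one but read-only" ($MARK present, not writable).
    # $MARK is expanded by this shell (double quotes), so the unit receives
    # the literal path.
    MARK="$(mktemp /root/.exec-context.XXX)"
    systemd-run --wait --pipe -p ProtectHome=yes \
        bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK"
    systemd-run --wait --pipe -p ProtectHome=read-only \
        bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test -e $MARK"
    systemd-run --wait --pipe -p ProtectHome=tmpfs \
        bash -xec "test -w /home; test -w /root; test -w /run/user; test ! -e $MARK"
    systemd-run --wait --pipe -p ProtectHome=no \
        bash -xec "test -w /home; test -w /root; test -w /run/user; test -e $MARK"
    # Do not leave the marker behind in /root once the checks are done
    rm -f -- "$MARK"
fi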
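# ProtectProc= relies on the per-instance hidepid= mount option, so only run
# these checks when the kernel accepts the named-value form.
# The checks run as an unprivileged user (User=testuser); the CAP_SYS_PTRACE
# case below shows that holding that capability lifts the restriction.
# The commands are single-quoted so this shell leaves "$$$$" alone; systemd
# collapses each "$$" to a literal "$", so the inner bash sees "$$" (its own
# PID) and checks that its own /proc entry stays readable.
if proc_supports_option "hidepid=off"; then
    # noaccess: other users' processes are listed but not readable
    systemd-run --wait --pipe -p ProtectProc=noaccess -p User=testuser \
        bash -xec 'test -e /proc/1; test ! -r /proc/1; test -r /proc/$$$$/comm'
    # invisible: other users' processes are not listed at all
    systemd-run --wait --pipe -p ProtectProc=invisible -p User=testuser \
        bash -xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
    # ptraceable: PID 1 is hidden unless the caller may ptrace it ...
    systemd-run --wait --pipe -p ProtectProc=ptraceable -p User=testuser \
        bash -xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
    # ... which CAP_SYS_PTRACE grants, so /proc/1 becomes readable again
    systemd-run --wait --pipe -p ProtectProc=ptraceable -p User=testuser -p AmbientCapabilities=CAP_SYS_PTRACE \
        bash -xec 'test -r /proc/1; test -r /proc/$$$$/comm'
    # default: no restriction, /proc/1 is readable for the unprivileged user
    systemd-run --wait --pipe -p ProtectProc=default -p User=testuser \
        bash -xec 'test -r /proc/1; test -r /proc/$$$$/comm'
fi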
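# ProcSubset= depends on the procfs subset= mount option; skip when the kernel
# does not accept it.
if proc_supports_option "subset=pid"; then
    # pid: per-process directories stay, non-process files such as
    # /proc/cpuinfo must be gone
    systemd-run --wait --pipe -p ProcSubset=pid -p User=testuser \
        bash -xec "test -r /proc/1/comm; test ! -e /proc/cpuinfo"
    # all: the full procfs is exposed
    systemd-run --wait --pipe -p ProcSubset=all -p User=testuser \
        bash -xec "test -r /proc/1/comm; test -r /proc/cpuinfo"
fi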
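# Only run outside of containers: systemd-detect-virt -c exits 0 when a
# container is detected (-q suppresses its output).
# NOTE(review): presumably /dev/kmsg access is not meaningful to test inside a
# container; the reason is not stated here.
if ! systemd-detect-virt -cq; then
    # yes: the kernel log device must not be readable from the unit
    systemd-run --wait --pipe -p ProtectKernelLogs=yes -p User=testuser \
        bash -xec "test ! -r /dev/kmsg"
    # no: the device stays readable
    systemd-run --wait --pipe -p ProtectKernelLogs=no -p User=testuser \
        bash -xec "test -r /dev/kmsg"
fi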