Merge pull request #21454 from bluca/inspect_elf
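#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
#
# Integration test for systemd-analyze. It exercises:
#   - `verify`, including --recursive-errors= and --root=, hidden unit files and
#     the `path:alias.service` naming form;
#   - `security`, including --threshold=, --offline=, --root=, a custom
#     --security-policy= JSON file and --profile=;
#   - `inspect-elf`, only when the build advertises +ELFUTILS.
# Fixtures live under /tmp and each unit/policy file is removed once the step
# that needs it is done. On success the harness marker /testok is written.
set -eux

# Run a command that must fail; abort the test if it exits successfully.
# Under `set -e` a command used as an `if` condition does not trip errexit, so
# the negative checks below need no `set +e`/`set -e` toggling (the alias
# check already relied on that with a plain `cmd && { ...; exit 1; }` list).
# `set -x` traces the command itself, so the message does not repeat it.
expect_failure() {
    if "$@"; then
        echo 'unexpected success'
        exit 1
    fi
}

systemd-analyze log-level debug
export SYSTEMD_LOG_LEVEL=debug

# Minimal image root holding one unit whose ExecStart= points at a script
# placed inside that root.
mkdir -p /tmp/img/usr/lib/systemd/system/
mkdir -p /tmp/img/opt/

touch /tmp/img/opt/script0.sh
chmod +x /tmp/img/opt/script0.sh

cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
[Service]
ExecStart = /opt/script0.sh
EOF

# Default behaviour is to recurse through all dependencies when unit is loaded
expect_failure systemd-analyze verify --root=/tmp/img/ testfile.service

# As above, recurses through all dependencies when unit is loaded
expect_failure systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service

# Recurses through unit file and its direct dependencies when unit is loaded
expect_failure systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service

# Zero exit status since dependencies are ignored when unit is loaded
systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service

rm /tmp/img/usr/lib/systemd/system/testfile.service

# testfile.service carries an unknown [Unit] key; testfile2.service Requires= it.
cat <<EOF >/tmp/testfile.service
[Unit]
foo = bar

[Service]
ExecStart = echo hello
EOF

cat <<EOF >/tmp/testfile2.service
[Unit]
Requires = testfile.service

[Service]
ExecStart = echo hello
EOF

# Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded
systemd-analyze verify --recursive-errors=no /tmp/testfile2.service

# Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded
expect_failure systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service

rm /tmp/testfile.service
rm /tmp/testfile2.service

cat <<EOF >/tmp/testfile.service
[Service]
ExecStart = echo hello
EOF

# Prevent regression from #13380 and #20859 where we can't verify hidden files
cp /tmp/testfile.service /tmp/.testfile.service

systemd-analyze verify /tmp/.testfile.service

rm /tmp/.testfile.service

# Alias a unit file's name on disk (see #20061)
cp /tmp/testfile.service /tmp/testsrvc

# The bare file name carries no unit-type suffix, so it must be rejected ...
expect_failure systemd-analyze verify /tmp/testsrvc

# ... while the path:alias.service form gives it a valid unit name.
systemd-analyze verify /tmp/testsrvc:alias.service

rm /tmp/testsrvc

# Zero exit status since the threshold the exposure level is compared against is 100 by default
systemd-analyze security --offline=true /tmp/testfile.service

# The overall exposure level assigned to the unit is greater than the set threshold
expect_failure systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service

rm /tmp/testfile.service

cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
[Service]
ExecStart = echo hello
PrivateNetwork = yes
PrivateDevices = yes
PrivateUsers = yes
EOF

# The new overall exposure level assigned to the unit is less than the set threshold
# Verifies that the --offline= option works with --root=
systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service

# An additional "INVALID_ID" id is included in the .json to verify that nothing breaks when input is malformed.
# The PrivateNetwork id description and weight were changed to verify that 'security' is actually reading in
# values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight
# assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is
# set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
# level for the unit file should decrease to account for that increased weight.
cat <<EOF >/tmp/testfile.json
{"UserOrDynamicUser":
{"description_bad": "Service runs as root user",
"weight": 0,
"range": 10
},
"SupplementaryGroups":
{"description_good": "Service has no supplementary groups",
"description_bad": "Service runs with supplementary groups",
"description_na": "Service runs as root, option does not matter",
"weight": 200,
"range": 1
},
"PrivateDevices":
{"description_good": "Service has no access to hardware devices",
"description_bad": "Service potentially has access to hardware devices",
"weight": 1000,
"range": 1
},
"PrivateMounts":
{"description_good": "Service cannot install system mounts",
"description_bad": "Service may install system mounts",
"weight": 1000,
"range": 1
},
"PrivateNetwork":
{"description_good": "Service doesn't have access to the host's network",
"description_bad": "Service has access to the host's network",
"weight": 6000,
"range": 1
},
"PrivateTmp":
{"description_good": "Service has no access to other software's temporary files",
"description_bad": "Service has access to other software's temporary files",
"weight": 1000,
"range": 1
},
"PrivateUsers":
{"description_good": "Service does not have access to other users",
"description_bad": "Service has access to other users",
"weight": 1000,
"range": 1
},
"ProtectControlGroups":
{"description_good": "Service cannot modify the control group file system",
"description_bad": "Service may modify the control group file system",
"weight": 1000,
"range": 1
},
"ProtectKernelModules":
{"description_good": "Service cannot load or read kernel modules",
"description_bad": "Service may load or read kernel modules",
"weight": 1000,
"range": 1
},
"ProtectKernelTunables":
{"description_good": "Service cannot alter kernel tunables (/proc/sys, …)",
"description_bad": "Service may alter kernel tunables",
"weight": 1000,
"range": 1
},
"ProtectKernelLogs":
{"description_good": "Service cannot read from or write to the kernel log ring buffer",
"description_bad": "Service may read from or write to the kernel log ring buffer",
"weight": 1000,
"range": 1
},
"ProtectClock":
{"description_good": "Service cannot write to the hardware clock or system clock",
"description_bad": "Service may write to the hardware clock or system clock",
"weight": 1000,
"range": 1
},
"ProtectHome":
{"weight": 1000,
"range": 10
},
"ProtectHostname":
{"description_good": "Service cannot change system host/domainname",
"description_bad": "Service may change system host/domainname",
"weight": 50,
"range": 1
},
"ProtectSystem":
{"weight": 1000,
"range": 10
},
"RootDirectoryOrRootImage":
{"description_good": "Service has its own root directory/image",
"description_bad": "Service runs within the host's root directory",
"weight": 200,
"range": 1
},
"LockPersonality":
{"description_good": "Service cannot change ABI personality",
"description_bad": "Service may change ABI personality",
"weight": 100,
"range": 1
},
"MemoryDenyWriteExecute":
{"description_good": "Service cannot create writable executable memory mappings",
"description_bad": "Service may create writable executable memory mappings",
"weight": 100,
"range": 1
},
"NoNewPrivileges":
{"description_good": "Service processes cannot acquire new privileges",
"description_bad": "Service processes may acquire new privileges",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_ADMIN":
{"description_good": "Service has no administrator privileges",
"description_bad": "Service has administrator privileges",
"weight": 1500,
"range": 1
},
"CapabilityBoundingSet_CAP_SET_UID_GID_PCAP":
{"description_good": "Service cannot change UID/GID identities/capabilities",
"description_bad": "Service may change UID/GID identities/capabilities",
"weight": 1500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_PTRACE":
{"description_good": "Service has no ptrace() debugging abilities",
"description_bad": "Service has ptrace() debugging abilities",
"weight": 1500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_TIME":
{"description_good": "Service processes cannot change the system clock",
"description_bad": "Service processes may change the system clock",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_NET_ADMIN":
{"description_good": "Service has no network configuration privileges",
"description_bad": "Service has network configuration privileges",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_RAWIO":
{"description_good": "Service has no raw I/O access",
"description_bad": "Service has raw I/O access",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_MODULE":
{"description_good": "Service cannot load kernel modules",
"description_bad": "Service may load kernel modules",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_AUDIT":
{"description_good": "Service has no audit subsystem access",
"description_bad": "Service has audit subsystem access",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYSLOG":
{"description_good": "Service has no access to kernel logging",
"description_bad": "Service has access to kernel logging",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE":
{"description_good": "Service has no privileges to change resource use parameters",
"description_bad": "Service has privileges to change resource use parameters",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_MKNOD":
{"description_good": "Service cannot create device nodes",
"description_bad": "Service may create device nodes",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP":
{"description_good": "Service cannot change file ownership/access mode/capabilities",
"description_bad": "Service may change file ownership/access mode/capabilities unrestricted",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER":
{"description_good": "Service cannot override UNIX file/IPC permission checks",
"description_bad": "Service may override UNIX file/IPC permission checks",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_KILL":
{"description_good": "Service cannot send UNIX signals to arbitrary processes",
"description_bad": "Service may send UNIX signals to arbitrary processes",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW":
{"description_good": "Service has no elevated networking privileges",
"description_bad": "Service has elevated networking privileges",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_BOOT":
{"description_good": "Service cannot issue reboot()",
"description_bad": "Service may issue reboot()",
"weight": 100,
"range": 1
},
"CapabilityBoundingSet_CAP_MAC":
{"description_good": "Service cannot adjust SMACK MAC",
"description_bad": "Service may adjust SMACK MAC",
"weight": 100,
"range": 1
},
"CapabilityBoundingSet_CAP_LINUX_IMMUTABLE":
{"description_good": "Service cannot mark files immutable",
"description_bad": "Service may mark files immutable",
"weight": 75,
"range": 1
},
"CapabilityBoundingSet_CAP_IPC_LOCK":
{"description_good": "Service cannot lock memory into RAM",
"description_bad": "Service may lock memory into RAM",
"weight": 50,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_CHROOT":
{"description_good": "Service cannot issue chroot()",
"description_bad": "Service may issue chroot()",
"weight": 50,
"range": 1
},
"CapabilityBoundingSet_CAP_BLOCK_SUSPEND":
{"description_good": "Service cannot establish wake locks",
"description_bad": "Service may establish wake locks",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_WAKE_ALARM":
{"description_good": "Service cannot program timers that wake up the system",
"description_bad": "Service may program timers that wake up the system",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_LEASE":
{"description_good": "Service cannot create file leases",
"description_bad": "Service may create file leases",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_TTY_CONFIG":
{"description_good": "Service cannot issue vhangup()",
"description_bad": "Service may issue vhangup()",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_PACCT":
{"description_good": "Service cannot use acct()",
"description_bad": "Service may use acct()",
"weight": 25,
"range": 1
},
"UMask":
{"weight": 100,
"range": 10
},
"KeyringMode":
{"description_good": "Service doesn't share key material with other services",
"description_bad": "Service shares key material with other service",
"weight": 1000,
"range": 1
},
"ProtectProc":
{"description_good": "Service has restricted access to process tree(/proc hidepid=)",
"description_bad": "Service has full access to process tree(/proc hidepid=)",
"weight": 1000,
"range": 3
},
"ProcSubset":
{"description_good": "Service has no access to non-process/proc files(/proc subset=)",
"description_bad": "Service has full access to non-process/proc files(/proc subset=)",
"weight": 10,
"range": 1
},
"NotifyAccess":
{"description_good": "Service child processes cannot alter service state",
"description_bad": "Service child processes may alter service state",
"weight": 1000,
"range": 1
},
"RemoveIPC":
{"description_good": "Service user cannot leave SysV IPC objects around",
"description_bad": "Service user may leave SysV IPC objects around",
"description_na": "Service runs as root, option does not apply",
"weight": 100,
"range": 1
},
"Delegate":
{"description_good": "Service does not maintain its own delegated control group subtree",
"description_bad": "Service maintains its own delegated control group subtree",
"weight": 100,
"range": 1
},
"RestrictRealtime":
{"description_good": "Service realtime scheduling access is restricted",
"description_bad": "Service may acquire realtime scheduling",
"weight": 500,
"range": 1
},
"RestrictSUIDSGID":
{"description_good": "SUID/SGIDfilecreationbyserviceisrestricted",
"description_bad": "ServicemaycreateSUID/SGIDfiles",
"weight": 1000,
"range": 1
},
"RestrictNamespaces_user":
{"description_good": "Servicecannotcreateusernamespaces",
"description_bad": "Servicemaycreateusernamespaces",
"weight": 1500,
"range": 1
},
"RestrictNamespaces_mnt":
{"description_good": "Service cannot create file system namespaces",
"description_bad": "Service may create file system namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_ipc":
{"description_good": "Service cannot create IPC namespaces",
"description_bad": "Service may create IPC namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_pid":
{"description_good": "Service cannot create process namespaces",
"description_bad": "Service may create process namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_cgroup":
{"description_good": "Service cannot create cgroup namespaces",
"description_bad": "Service may create cgroup namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_net":
{"description_good": "Service cannot create network namespaces",
"description_bad": "Service may create network namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_uts":
{"description_good": "Service cannot create hostname namespaces",
"description_bad": "Service may create hostname namespaces",
"weight": 100,
"range": 1
},
"RestrictAddressFamilies_AF_INET_INET6":
{"description_good": "Service cannot allocate Internet sockets",
"description_bad": "Service may allocate Internet sockets",
"weight": 1500,
"range": 1
},
"RestrictAddressFamilies_AF_UNIX":
{"description_good": "Service cannot allocate local sockets",
"description_bad": "Service may allocate local sockets",
"weight": 25,
"range": 1
},
"RestrictAddressFamilies_AF_NETLINK":
{"description_good": "Service cannot allocate netlink sockets",
"description_bad": "Service may allocate netlink sockets",
"weight": 200,
"range": 1
},
"RestrictAddressFamilies_AF_PACKET":
{"description_good": "Service cannot allocate packet sockets",
"description_bad": "Service may allocate packet sockets",
"weight": 1000,
"range": 1
},
"RestrictAddressFamilies_OTHER":
{"description_good": "Service cannot allocate exotic sockets",
"description_bad": "Service may allocate exotic sockets",
"weight": 1250,
"range": 1
},
"SystemCallArchitectures":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_swap":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_obsolete":
{"weight": 250,
"range": 10
},
"SystemCallFilter_clock":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_cpu_emulation":
{"weight": 250,
"range": 10
},
"SystemCallFilter_debug":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_mount":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_module":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_raw_io":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_reboot":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_privileged":
{"weight": 700,
"range": 10
},
"SystemCallFilter_resources":
{"weight": 700,
"range": 10
},
"IPAddressDeny":
{"weight": 1000,
"range": 10
},
"DeviceAllow":
{"weight": 1000,
"range": 10
},
"AmbientCapabilities":
{"description_good": "Service process does not receive ambient capabilities",
"description_bad": "Service process receives ambient capabilities",
"weight": 500,
"range": 1
},
"INVALID_ID":
{"weight": 1000,
"range": 10
}
}
EOF

# Reads in custom security requirements from the parsed .json file and uses these for comparison
systemd-analyze security --threshold=90 --offline=true \
    --security-policy=/tmp/testfile.json \
    --root=/tmp/img/ testfile.service

# The strict profile adds a lot of sandboxing options
systemd-analyze security --threshold=20 --offline=true \
    --security-policy=/tmp/testfile.json \
    --profile=strict \
    --root=/tmp/img/ testfile.service

# The trusted profile doesn't add any sandboxing options
expect_failure systemd-analyze security --threshold=20 --offline=true \
    --security-policy=/tmp/testfile.json \
    --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
    --root=/tmp/img/ testfile.service

# With the custom policy and no profile the exposure level passed a threshold of
# 90 above but is expected to exceed 50
expect_failure systemd-analyze security --threshold=50 --offline=true \
    --security-policy=/tmp/testfile.json \
    --root=/tmp/img/ testfile.service

rm /tmp/testfile.json
rm /tmp/img/usr/lib/systemd/system/testfile.service

# inspect-elf is only available when systemd was built against elfutils
if systemd-analyze --version | grep -q -F "+ELFUTILS"; then
    systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"'
fi

systemd-analyze log-level info

echo OK >/testok

exit 0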