2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
6 # shellcheck source=test/units/util.sh
7 .
"$(dirname "$0")"/util.sh
# Raise the manager's log level for the duration of the test and make the
# systemd-analyze invocations below verbose as well. The export is dropped again
# further down (export -n) before the output-parsing check() calls run.
9 systemctl log-level debug
10 export SYSTEMD_LOG_LEVEL
=debug
# We can't really test the time, critical-chain and plot verbs properly here, as
# the testsuite service is itself part of the boot transaction; their exit status
# is therefore ignored (|| :) and only the invocation is exercised.
systemd-analyze time || :
systemd-analyze critical-chain || :

# blame must also work for an unprivileged caller: run it inside testuser's
# user manager instead of as root.
systemd-run --wait --user --pipe -M testuser@.host systemd-analyze blame

# Exercise every output mode of plot. The output is discarded and failures are
# tolerated for the same reason as above.
for plot_args in \
    "" \
    "--json=pretty" \
    "--json=short" \
    "--json=off" \
    "--json=pretty --no-legend" \
    "--json=short --no-legend" \
    "--json=off --no-legend" \
    "--table" \
    "--table --no-legend"; do
    # shellcheck disable=SC2086 -- intentional word splitting of the option string
    systemd-analyze plot $plot_args >/dev/null || :
done
33 # legacy/deprecated options (moved to systemctl, but still usable from analyze)
34 systemd-analyze log-level
35 systemd-analyze log-level
"$(systemctl log-level)"
36 systemd-analyze get-log-level
37 systemd-analyze set-log-level
"$(systemctl log-level)"
38 systemd-analyze log-target
39 systemd-analyze log-target
"$(systemctl log-target)"
40 systemd-analyze get-log-target
41 systemd-analyze set-log-target
"$(systemctl log-target)"
42 systemd-analyze service-watchdogs
43 systemd-analyze service-watchdogs
"$(systemctl service-watchdogs)"
45 systemd-analyze dot
>/dev
/null
46 systemd-analyze dot systemd-journald.service
>/dev
/null
47 systemd-analyze dot systemd-journald.service systemd-logind.service
>/dev
/null
48 systemd-analyze dot
--from-pattern="*" --from-pattern="*.service" systemd-journald.service
>/dev
/null
49 systemd-analyze dot
--to-pattern="*" --to-pattern="*.service" systemd-journald.service
>/dev
/null
50 systemd-analyze dot
--from-pattern="*.service" --to-pattern="*.service" systemd-journald.service
>/dev
/null
51 systemd-analyze dot
--order systemd-journald.service systemd-logind.service
>/dev
/null
52 systemd-analyze dot
--require systemd-journald.service systemd-logind.service
>/dev
/null
53 systemd-analyze dot
"systemd-*.service" >/dev
/null
54 (! systemd-analyze dot systemd-journald.service systemd-logind.service
"*" bbb ccc
)
56 # Unprivileged callers are rate limited to 10 dump calls in 10 minutes; the limiter state must also survive daemon-reload and daemon-reexec (checked below)
58 runas testuser systemd-analyze dump systemd-journald.service
>/dev
/null
60 (! runas testuser systemd-analyze dump
>/dev
/null
)
61 # still limited after a reload
62 systemctl daemon-reload
63 (! runas testuser systemd-analyze dump
>/dev
/null
)
65 systemctl daemon-reexec
66 (! runas testuser systemd-analyze dump
>/dev
/null
)
67 # privileged call, so should not be rate limited
69 systemd-analyze dump systemd-journald.service
>/dev
/null
71 systemd-analyze dump
>/dev
/null
72 systemd-analyze dump
"*" >/dev
/null
73 systemd-analyze dump
"*.socket" >/dev
/null
74 systemd-analyze dump
"*.socket" "*.service" aaaaaaa ...
>/dev
/null
75 systemd-analyze dump systemd-journald.service
>/dev
/null
76 systemd-analyze malloc
>/dev
/null
77 (! systemd-analyze dump
"")
79 systemd-analyze unit-files
>/dev
/null
80 systemd-analyze unit-files systemd-journald.service
>/dev
/null
81 systemd-analyze unit-files
"*" >/dev
/null
82 systemd-analyze unit-files
"*" aaaaaa
"*.service" "*.target" >/dev
/null
83 systemd-analyze unit-files
--user >/dev
/null
84 systemd-analyze unit-files
--user "*" aaaaaa
"*.service" "*.target" >/dev
/null
86 systemd-analyze unit-paths
87 systemd-analyze unit-paths
--user
88 systemd-analyze unit-paths
--global
90 systemd-analyze exit-status
91 systemd-analyze exit-status STDOUT BPF
92 systemd-analyze exit-status
0 1 {63.
.65}
93 (! systemd-analyze exit-status STDOUT BPF
"hello*")
95 systemd-analyze capability
96 systemd-analyze capability cap_chown CAP_KILL
97 systemd-analyze capability
0 1 {30.
.32}
98 (! systemd-analyze capability cap_chown CAP_KILL
"hello*")
100 mkdir
-p /run
/systemd
/system
101 UNIT_NAME
="analyze-condition-$RANDOM.service"
102 cat >"/run/systemd/system/$UNIT_NAME" <<EOF
104 AssertPathExists=/etc/os-release
105 AssertEnvironment=!FOOBAR
106 ConditionKernelVersion=>1.0
107 ConditionPathExists=/etc/os-release
112 systemctl daemon-reload
113 systemd-analyze condition
--unit="$UNIT_NAME"
114 systemd-analyze condition
'ConditionKernelVersion = ! <4.0' \
115 'ConditionKernelVersion = >=3.1' \
116 'ConditionACPower=|false' \
117 'ConditionArchitecture=|!arm' \
118 'AssertPathExists=/etc/os-release'
119 (! systemd-analyze condition
'ConditionArchitecture=|!arm' 'AssertXYZ=foo')
120 (! systemd-analyze condition
'ConditionKernelVersion=<1.0')
121 (! systemd-analyze condition
'AssertKernelVersion=<1.0')
123 systemd-analyze syscall-filter
>/dev
/null
124 systemd-analyze syscall-filter @chown @sync
125 systemd-analyze syscall-filter @sync @sync @sync
126 (! systemd-analyze syscall-filter @chown @sync @foobar
)
127 # filesystems (requires libbpf support)
128 if systemctl
--version |
grep "+BPF_FRAMEWORK"; then
129 systemd-analyze filesystems
>/dev
/null
130 systemd-analyze filesystems @basic-api
131 systemd-analyze filesystems @basic-api @basic-api @basic-api
132 (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api
)
135 systemd-analyze calendar
'*-2-29 0:0:0'
136 systemd-analyze calendar
--iterations=5 '*-2-29 0:0:0'
137 systemd-analyze calendar
'*-* *:*:*'
138 systemd-analyze calendar
--iterations=5 '*-* *:*:*'
139 systemd-analyze calendar
--iterations=50 '*-* *:*:*'
140 systemd-analyze calendar
--iterations=0 '*-* *:*:*'
141 systemd-analyze calendar
--iterations=5 '01-01-22 01:00:00'
142 systemd-analyze calendar
--base-time=yesterday
--iterations=5 '*-* *:*:*'
143 (! systemd-analyze calendar
--iterations=0 '*-* 99:*:*')
144 (! systemd-analyze calendar
--base-time=never
'*-* *:*:*')
145 (! systemd-analyze calendar
1)
146 (! systemd-analyze calendar
"")
148 systemd-analyze timestamp now
149 systemd-analyze timestamp
-- -1
150 systemd-analyze timestamp yesterday now tomorrow
151 (! systemd-analyze timestamp yesterday never tomorrow
)
152 (! systemd-analyze timestamp
1)
153 (! systemd-analyze timestamp
'*-2-29 0:0:0')
154 (! systemd-analyze timestamp
"")
156 systemd-analyze timespan
1
157 systemd-analyze timespan
1s
300s
'1year 0.000001s'
158 (! systemd-analyze timespan
1s
300s aaaaaa
'1year 0.000001s')
159 (! systemd-analyze timespan
-- -1)
160 (! systemd-analyze timespan
'*-2-29 0:0:0')
161 (! systemd-analyze timespan
"")
163 systemd-analyze cat-config systemd
/system.conf
>/dev
/null
164 systemd-analyze cat-config
/etc
/systemd
/system.conf
>/dev
/null
165 systemd-analyze cat-config systemd
/system.conf systemd
/journald.conf
>/dev
/null
166 systemd-analyze cat-config systemd
/system.conf foo
/bar systemd
/journald.conf
>/dev
/null
167 systemd-analyze cat-config foo
/bar
168 systemd-analyze cat-config
--tldr systemd
/system.conf
>/dev
/null
169 systemd-analyze cat-config
--tldr /etc
/systemd
/system.conf
>/dev
/null
170 systemd-analyze cat-config
--tldr systemd
/system.conf systemd
/journald.conf
>/dev
/null
171 systemd-analyze cat-config
--tldr systemd
/system.conf foo
/bar systemd
/journald.conf
>/dev
/null
172 systemd-analyze cat-config
--tldr foo
/bar
# The security verb must work in every output mode. The JSON variants are piped
# through jq so that malformed JSON fails the test instead of going unnoticed.
systemd-analyze security
systemd-analyze security --json=off
for json_mode in pretty short; do
    systemd-analyze security --json="$json_mode" | jq
done
179 if [[ ! -v ASAN_OPTIONS
]]; then
180 # check that systemd-analyze cat-config paths work in a chroot
182 mount
--bind / /tmp
/root
183 if mountpoint
-q /usr
; then
184 mount
--bind /usr
/tmp
/root
/usr
186 systemd-analyze cat-config systemd
/system-preset
>/tmp
/out1
187 chroot
/tmp
/root systemd-analyze cat-config systemd
/system-preset
>/tmp
/out2
192 mkdir
-p /tmp
/img
/usr
/lib
/systemd
/system
/
193 mkdir
-p /tmp
/img
/opt
/
195 touch /tmp
/img
/opt
/script0.sh
196 chmod +x
/tmp
/img
/opt
/script0.sh
198 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
200 ExecStart = /opt/script0.sh
204 # Default behaviour is to recurse through all dependencies when unit is loaded
205 (! systemd-analyze verify
--root=/tmp
/img
/ testfile.service
)
207 # As above, recurses through all dependencies when unit is loaded
208 (! systemd-analyze verify
--recursive-errors=yes --root=/tmp
/img
/ testfile.service
)
210 # Recurses through unit file and its direct dependencies when unit is loaded
211 (! systemd-analyze verify
--recursive-errors=one
--root=/tmp
/img
/ testfile.service
)
215 # zero exit status since dependencies are ignored when unit is loaded
216 systemd-analyze verify
--recursive-errors=no
--root=/tmp
/img
/ testfile.service
218 rm /tmp
/img
/usr
/lib
/systemd
/system
/testfile.service
220 cat <<EOF >/tmp/testfile.service
225 ExecStart = echo hello
228 cat <<EOF >/tmp/testfile2.service
230 Requires = testfile.service
233 ExecStart = echo hello
236 # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded
237 systemd-analyze verify
--recursive-errors=no
/tmp
/testfile2.service
240 # Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded
241 (! systemd-analyze verify
--recursive-errors=yes /tmp
/testfile2.service
)
244 rm /tmp
/testfile.service
245 rm /tmp
/testfile2.service
247 cat <<EOF >/tmp/sample.service
249 Description = A Sample Service
252 ExecStart = echo hello
256 # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded
257 systemd-analyze verify
--recursive-errors=no
/tmp
/sample.service
259 cat <<EOF >/tmp/testfile.service
261 ExecStart = echo hello
265 # Prevent regression from #13380 and #20859 where we can't verify hidden files
266 cp /tmp
/testfile.service
/tmp
/.testfile.service
268 systemd-analyze verify
/tmp
/.testfile.service
270 rm /tmp
/.testfile.service
272 # Alias a unit file's name on disk (see #20061)
273 cp /tmp
/testfile.service
/tmp
/testsrvc
275 (! systemd-analyze verify
/tmp
/testsrvc
)
277 systemd-analyze verify
/tmp
/testsrvc
:alias.service
# Offline analysis of the unit file written above (nothing is loaded into the manager).
# Zero exit status: without --threshold= the comparison value defaults to 100,
# which the unit's exposure level does not exceed.
systemd-analyze security --offline=true /tmp/testfile.service

# Non-zero exit status: the unit's overall exposure level exceeds a threshold of 90.
(! systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service)

# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
# NOTE(review): this relies on the unit written above carrying a device ACL that
# names /dev/sda (its content is not visible in this excerpt) -- confirm the
# heredoc still does so if the grep starts failing.
systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"

rm /tmp/testfile.service
290 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
292 ExecStart = echo hello
298 # The new overall exposure level assigned to the unit is less than the set thresholds
299 # Verifies that the --offline= option works with --root=
300 systemd-analyze security
--threshold=90 --offline=true
--root=/tmp
/img
/ testfile.service
302 cat <<EOF >/tmp/foo@.service
307 cat <<EOF >/tmp/hoge@test.service
314 systemd-analyze verify foo@bar.service
315 systemd-analyze verify foo@.service
316 systemd-analyze verify hoge@
test.service
317 (! systemd-analyze verify hoge@nonexist.service
)
318 (! systemd-analyze verify hoge@.service
)
321 systemd-analyze verify tmp
/foo@bar.service
322 systemd-analyze verify tmp
/foo@.service
323 systemd-analyze verify tmp
/hoge@
test.service
324 (! systemd-analyze verify tmp
/hoge@nonexist.service
)
325 (! systemd-analyze verify tmp
/hoge@.service
)
328 systemd-analyze verify ..
/tmp
/foo@bar.service
329 systemd-analyze verify ..
/tmp
/foo@.service
330 systemd-analyze verify ..
/tmp
/hoge@
test.service
331 (! systemd-analyze verify ..
/tmp
/hoge@nonexist.service
)
332 (! systemd-analyze verify ..
/tmp
/hoge@.service
)
334 systemd-analyze verify
/tmp
/foo@bar.service
335 systemd-analyze verify
/tmp
/foo@.service
336 systemd-analyze verify
/tmp
/hoge@
test.service
337 (! systemd-analyze verify
/tmp
/hoge@nonexist.service
)
338 (! systemd-analyze verify
/tmp
/hoge@.service
)
340 # test that all commands are verified.
341 cat <<EOF >/tmp/multi-exec-start.service
347 systemd-analyze verify
/tmp
/multi-exec-start.service
348 echo 'ExecStart=command-should-not-exist' >>/tmp
/multi-exec-start.service
349 (! systemd-analyze verify
/tmp
/multi-exec-start.service
)
351 # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed
352 # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in
353 # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight
354 # assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is
355 # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
356 # level for the unit file should decrease to account for that increased weight.
357 cat <<EOF >/tmp/testfile.json
358 {"UserOrDynamicUser":
359 {"description_bad": "Service runs as root user",
363 "SupplementaryGroups":
364 {"description_good": "Service has no supplementary groups",
365 "description_bad": "Service runs with supplementary groups",
366 "description_na": "Service runs as root, option does not matter",
371 {"description_good": "Service has no access to hardware devices",
372 "description_bad": "Service potentially has access to hardware devices",
377 {"description_good": "Service cannot install system mounts",
378 "description_bad": "Service may install system mounts",
383 {"description_good": "Service doesn't have access to the host's network",
384 "description_bad": "Service has access to the host's network",
389 {"description_good": "Service has no access to other software's temporary files",
390 "description_bad": "Service has access to other software's temporary files",
395 {"description_good": "Service does not have access to other users",
396 "description_bad": "Service has access to other users",
400 "ProtectControlGroups":
401 {"description_good": "Service cannot modify the control group file system",
402 "description_bad": "Service may modify the control group file system",
406 "ProtectKernelModules":
407 {"description_good": "Service cannot load or read kernel modules",
408 "description_bad": "Service may load or read kernel modules",
412 "ProtectKernelTunables":
413 {"description_good": "Service cannot alter kernel tunables (/proc/sys, …)",
414 "description_bad": "Service may alter kernel tunables",
419 {"description_good": "Service cannot read from or write to the kernel log ring buffer",
420 "description_bad": "Service may read from or write to the kernel log ring buffer",
425 {"description_good": "Service cannot write to the hardware clock or system clock",
426 "description_bad": "Service may write to the hardware clock or system clock",
435 {"description_good": "Service cannot change system host/domainname",
436 "description_bad": "Service may change system host/domainname",
444 "RootDirectoryOrRootImage":
445 {"description_good": "Service has its own root directory/image",
446 "description_bad": "Service runs within the host's root directory",
451 {"description_good": "Service cannot change ABI personality",
452 "description_bad": "Service may change ABI personality",
456 "MemoryDenyWriteExecute":
457 {"description_good": "Service cannot create writable executable memory mappings",
458 "description_bad": "Service may create writable executable memory mappings",
463 {"description_good": "Service processes cannot acquire new privileges",
464 "description_bad": "Service processes may acquire new privileges",
468 "CapabilityBoundingSet_CAP_SYS_ADMIN":
469 {"description_good": "Service has no administrator privileges",
470 "description_bad": "Service has administrator privileges",
474 "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP":
475 {"description_good": "Service cannot change UID/GID identities/capabilities",
476 "description_bad": "Service may change UID/GID identities/capabilities",
480 "CapabilityBoundingSet_CAP_SYS_PTRACE":
481 {"description_good": "Service has no ptrace() debugging abilities",
482 "description_bad": "Service has ptrace() debugging abilities",
486 "CapabilityBoundingSet_CAP_SYS_TIME":
487 {"description_good": "Service processes cannot change the system clock",
488 "description_bad": "Service processes may change the system clock",
492 "CapabilityBoundingSet_CAP_NET_ADMIN":
493 {"description_good": "Service has no network configuration privileges",
494 "description_bad": "Service has network configuration privileges",
498 "CapabilityBoundingSet_CAP_SYS_RAWIO":
499 {"description_good": "Service has no raw I/O access",
500 "description_bad": "Service has raw I/O access",
504 "CapabilityBoundingSet_CAP_SYS_MODULE":
505 {"description_good": "Service cannot load kernel modules",
506 "description_bad": "Service may load kernel modules",
510 "CapabilityBoundingSet_CAP_AUDIT":
511 {"description_good": "Service has no audit subsystem access",
512 "description_bad": "Service has audit subsystem access",
516 "CapabilityBoundingSet_CAP_SYSLOG":
517 {"description_good": "Service has no access to kernel logging",
518 "description_bad": "Service has access to kernel logging",
522 "CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE":
523 {"description_good": "Service has no privileges to change resource use parameters",
524 "description_bad": "Service has privileges to change resource use parameters",
528 "CapabilityBoundingSet_CAP_MKNOD":
529 {"description_good": "Service cannot create device nodes",
530 "description_bad": "Service may create device nodes",
534 "CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP":
535 {"description_good": "Service cannot change file ownership/access mode/capabilities",
536 "description_bad": "Service may change file ownership/access mode/capabilities unrestricted",
540 "CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER":
541 {"description_good": "Service cannot override UNIX file/IPC permission checks",
542 "description_bad": "Service may override UNIX file/IPC permission checks",
546 "CapabilityBoundingSet_CAP_KILL":
547 {"description_good": "Service cannot send UNIX signals to arbitrary processes",
548 "description_bad": "Service may send UNIX signals to arbitrary processes",
552 "CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW":
553 {"description_good": "Service has no elevated networking privileges",
554 "description_bad": "Service has elevated networking privileges",
558 "CapabilityBoundingSet_CAP_SYS_BOOT":
559 {"description_good": "Service cannot issue reboot()",
560 "description_bad": "Service may issue reboot()",
564 "CapabilityBoundingSet_CAP_MAC":
565 {"description_good": "Service cannot adjust SMACK MAC",
566 "description_bad": "Service may adjust SMACK MAC",
570 "CapabilityBoundingSet_CAP_LINUX_IMMUTABLE":
571 {"description_good": "Service cannot mark files immutable",
572 "description_bad": "Service may mark files immutable",
576 "CapabilityBoundingSet_CAP_IPC_LOCK":
577 {"description_good": "Service cannot lock memory into RAM",
578 "description_bad": "Service may lock memory into RAM",
582 "CapabilityBoundingSet_CAP_SYS_CHROOT":
583 {"description_good": "Service cannot issue chroot()",
584 "description_bad": "Service may issue chroot()",
588 "CapabilityBoundingSet_CAP_BLOCK_SUSPEND":
589 {"description_good": "Service cannot establish wake locks",
590 "description_bad": "Service may establish wake locks",
594 "CapabilityBoundingSet_CAP_WAKE_ALARM":
595 {"description_good": "Service cannot program timers that wake up the system",
596 "description_bad": "Service may program timers that wake up the system",
600 "CapabilityBoundingSet_CAP_LEASE":
601 {"description_good": "Service cannot create file leases",
602 "description_bad": "Service may create file leases",
606 "CapabilityBoundingSet_CAP_SYS_TTY_CONFIG":
607 {"description_good": "Service cannot issue vhangup()",
608 "description_bad": "Service may issue vhangup()",
612 "CapabilityBoundingSet_CAP_SYS_PACCT":
613 {"description_good": "Service cannot use acct()",
614 "description_bad": "Service may use acct()",
618 "CapabilityBoundingSet_CAP_BPF":
619 {"description_good": "Service may load BPF programs",
620 "description_bad": "Service may not load BPF programs",
629 {"description_good": "Service doesn't share key material with other services",
630 "description_bad": "Service shares key material with other service",
635 {"description_good": "Service has restricted access to process tree(/proc hidepid=)",
636 "description_bad": "Service has full access to process tree(/proc hidepid=)",
641 {"description_good": "Service has no access to non-process/proc files(/proc subset=)",
642 "description_bad": "Service has full access to non-process/proc files(/proc subset=)",
647 {"description_good": "Service child processes cannot alter service state",
648 "description_bad": "Service child processes may alter service state",
653 {"description_good": "Service user cannot leave SysV IPC objects around",
654 "description_bad": "Service user may leave SysV IPC objects around",
655 "description_na": "Service runs as root, option does not apply",
660 {"description_good": "Service does not maintain its own delegated control group subtree",
661 "description_bad": "Service maintains its own delegated control group subtree",
666 {"description_good": "Service realtime scheduling access is restricted",
667 "description_bad": "Service may acquire realtime scheduling",
672 {"description_good": "SUID/SGIDfilecreationbyserviceisrestricted",
673 "description_bad": "ServicemaycreateSUID/SGIDfiles",
677 "RestrictNamespaces_user":
678 {"description_good": "Servicecannotcreateusernamespaces",
679 "description_bad": "Servicemaycreateusernamespaces",
683 "RestrictNamespaces_mnt":
684 {"description_good": "Service cannot create file system namespaces",
685 "description_bad": "Service may create file system namespaces",
689 "RestrictNamespaces_ipc":
690 {"description_good": "Service cannot create IPC namespaces",
691 "description_bad": "Service may create IPC namespaces",
695 "RestrictNamespaces_pid":
696 {"description_good": "Service cannot create process namespaces",
697 "description_bad": "Service may create process namespaces",
701 "RestrictNamespaces_cgroup":
702 {"description_good": "Service cannot create cgroup namespaces",
703 "description_bad": "Service may create cgroup namespaces",
707 "RestrictNamespaces_net":
708 {"description_good": "Service cannot create network namespaces",
709 "description_bad": "Service may create network namespaces",
713 "RestrictNamespaces_uts":
714 {"description_good": "Service cannot create hostname namespaces",
715 "description_bad": "Service may create hostname namespaces",
719 "RestrictAddressFamilies_AF_INET_INET6":
720 {"description_good": "Service cannot allocate Internet sockets",
721 "description_bad": "Service may allocate Internet sockets",
725 "RestrictAddressFamilies_AF_UNIX":
726 {"description_good": "Service cannot allocate local sockets",
727 "description_bad": "Service may allocate local sockets",
731 "RestrictAddressFamilies_AF_NETLINK":
732 {"description_good": "Service cannot allocate netlink sockets",
733 "description_bad": "Service may allocate netlink sockets",
737 "RestrictAddressFamilies_AF_PACKET":
738 {"description_good": "Service cannot allocate packet sockets",
739 "description_bad": "Service may allocate packet sockets",
743 "RestrictAddressFamilies_OTHER":
744 {"description_good": "Service cannot allocate exotic sockets",
745 "description_bad": "Service may allocate exotic sockets",
749 "SystemCallArchitectures":
753 "SystemCallFilter_swap":
757 "SystemCallFilter_obsolete":
761 "SystemCallFilter_clock":
765 "SystemCallFilter_cpu_emulation":
769 "SystemCallFilter_debug":
773 "SystemCallFilter_mount":
777 "SystemCallFilter_module":
781 "SystemCallFilter_raw_io":
785 "SystemCallFilter_reboot":
789 "SystemCallFilter_privileged":
793 "SystemCallFilter_resources":
805 "AmbientCapabilities":
806 {"description_good": "Service process does not receive ambient capabilities",
807 "description_bad": "Service process receives ambient capabilities",
818 # Reads in custom security requirements from the parsed .json file and uses these for comparison
819 systemd-analyze security
--threshold=90 --offline=true \
820 --security-policy=/tmp
/testfile.json \
821 --root=/tmp
/img
/ testfile.service
823 # The strict profile adds a lot of sandboxing options, pushing the exposure level below the threshold of 25
824 systemd-analyze security
--threshold=25 --offline=true \
825 --security-policy=/tmp
/testfile.json \
827 --root=/tmp
/img
/ testfile.service
829 # The trusted profile doesn't add any sandboxing options, so the exposure level stays above the threshold of 25 and the check is expected to fail
830 (! systemd-analyze security
--threshold=25 --offline=true \
831 --security-policy=/tmp
/testfile.json \
832 --profile=/usr
/lib
/systemd
/portable
/profile
/trusted
/service.conf \
833 --root=/tmp
/img
/ testfile.service
)
835 (! systemd-analyze security
--threshold=50 --offline=true \
836 --security-policy=/tmp
/testfile.json \
837 --root=/tmp
/img
/ testfile.service
)
839 rm /tmp
/img
/usr
/lib
/systemd
/system
/testfile.service
841 if systemd-analyze
--version |
grep -q -F "+ELFUTILS"; then
842 systemd-analyze inspect-elf
--json=short
/lib
/systemd
/systemd |
grep -q -F '"elfType":"executable"'
845 systemd-analyze
--threshold=90 security systemd-journald.service
850 output
=$
(systemd-analyze security
--offline="${2?}" "${3?}" |
grep -F 'SystemCallFilter=')
851 assert_in
"System call ${1?} list" "$output"
852 assert_in
"[+✓] SystemCallFilter=~@swap" "$output"
853 assert_in
"[+✓] SystemCallFilter=~@resources" "$output"
854 assert_in
"[+✓] SystemCallFilter=~@reboot" "$output"
855 assert_in
"[+✓] SystemCallFilter=~@raw-io" "$output"
856 assert_in
"[-✗] SystemCallFilter=~@privileged" "$output"
857 assert_in
"[+✓] SystemCallFilter=~@obsolete" "$output"
858 assert_in
"[+✓] SystemCallFilter=~@mount" "$output"
859 assert_in
"[+✓] SystemCallFilter=~@module" "$output"
860 assert_in
"[+✓] SystemCallFilter=~@debug" "$output"
861 assert_in
"[+✓] SystemCallFilter=~@cpu-emulation" "$output"
862 assert_in
"[-✗] SystemCallFilter=~@clock" "$output"
# Drop the export of SYSTEMD_LOG_LEVEL=debug set at the top of the script (the
# variable itself stays set in the shell). Presumably so that debug logging from
# systemd-analyze does not pollute the output the check() calls below grep
# through -- confirm.
865 export -n SYSTEMD_LOG_LEVEL
867 mkdir
-p /run
/systemd
/system
868 cat >/run
/systemd
/system
/allow-list.service
<<EOF
871 SystemCallFilter=@system-service
872 SystemCallFilter=~@resources:ENOANO @privileged
873 SystemCallFilter=@clock
876 cat >/run
/systemd
/system
/deny-list.service
<<EOF
879 SystemCallFilter=~@known
880 SystemCallFilter=@system-service
881 SystemCallFilter=~@resources:ENOANO @privileged
882 SystemCallFilter=@clock
885 systemctl daemon-reload
887 check allow
yes /run
/systemd
/system
/allow-list.service
888 check allow no allow-list.service
889 check deny
yes /run
/systemd
/system
/deny-list.service
890 check deny no deny-list.service
# Create a transient service carrying the same SystemCallFilter= stack as
# allow-list.service above: an allow list (@system-service) with a deny list
# layered on top and @clock allowed again. stdout and stderr are captured together.
892 output
=$
(systemd-run
-p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
# Recover the generated unit name: the 4th whitespace-separated field of
# systemd-run's message, with the trailing ';' and everything after it cut off.
# NOTE(review): this presumably parses the human-readable "Running as unit: ...;"
# line and breaks if that wording changes -- confirm, or pass an explicit
# --unit= name instead so no output parsing is needed.
893 name
=$
(echo "$output" |
awk '{ print $4 }' | cut
-d';' -f1)
# Analyze the transient unit both offline (by file path) and via the manager (by name).
895 check allow
yes /run
/systemd
/transient
/"$name"
896 check allow no
"$name"
# Same again on top of an explicit deny-everything base (~@known), matching
# deny-list.service above.
# NOTE(review): neither transient unit is stopped in this excerpt; the sleep 60
# keeps them alive until it expires.
898 output
=$
(systemd-run
-p "SystemCallFilter=~@known" -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
899 name
=$
(echo "$output" |
awk '{ print $4 }' | cut
-d';' -f1)
901 check deny
yes /run
/systemd
/transient
/"$name"
902 check deny no
"$name"
# Let's also test the "image-policy" verb: each policy string is parsed and its
# normalized long form (and per-partition table) is checked in the diagnostic output.

# Parse an image policy and assert that its diagnostic output contains a literal string.
image_policy_long_form_is() {
    systemd-analyze image-policy "$1" 2>&1 | grep -q -F "$2"
}

# Parse an image policy and assert that its per-partition table has a row matching a regex.
image_policy_row_matches() {
    systemd-analyze image-policy "$1" 2>&1 | grep -q -e "$2"
}

# '*' is the most permissive policy: any protection level (verity, signed,
# encrypted or unprotected) is accepted, and partitions may be unused or absent.
image_policy_long_form_is '*' "Long form: =verity+signed+encrypted+unprotected+unused+absent"
# '-' is the most restrictive: every partition must be unused or absent.
image_policy_long_form_is '-' "Long form: =unused+absent"
# Explicit per-partition rules are normalized (usr is printed before home) and the
# catch-all default (the empty key) falls back to unused+absent.
image_policy_long_form_is 'home=encrypted:usr=verity' "Long form: usr=verity:home=encrypted:=unused+absent"
image_policy_row_matches 'home=encrypted:usr=verity' '^home \+encrypted \+'
image_policy_row_matches 'home=encrypted:usr=verity' '^usr \+verity \+'
image_policy_row_matches 'home=encrypted:usr=verity' '^root \+ignore \+'
image_policy_row_matches 'home=encrypted:usr=verity' '^usr-verity \+unprotected \+'

# An unparsable policy string must be rejected.
(! systemd-analyze image-policy 'doedel')
916 # Output is very hard to predict, but let's run it for coverage anyway
# pcrs: presumably dumps PCR values, which depend on the host's measured boot
# state and are therefore unpredictable; the arguments select individual PCR
# indices or a named alias.
918 systemd-analyze pcrs
--json=pretty
919 systemd-analyze pcrs
14 7 0 ima
# architectures: presumably lists the known architectures, with and without JSON
# output, and resolves specific names as well as the "native" and "uname" aliases.
921 systemd-analyze architectures
922 systemd-analyze architectures
--json=pretty
923 systemd-analyze architectures x86
924 systemd-analyze architectures x86-64
925 systemd-analyze architectures native
926 systemd-analyze architectures uname
# Lower the manager's log level again after raising it to debug at the top of the script.
928 systemd-analyze log-level info