#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
#
# Integration test for the systemd-analyze verbs. Every command below is an
# assertion: with -e in effect an unexpected non-zero status aborts the test,
# and "(! cmd)" asserts that cmd fails.
set -eux

# helpers used below (runas, assert_in) are expected to come from util.sh
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh

# verbose logging for both the running manager and the tools invoked here
systemctl log-level debug
SYSTEMD_LOG_LEVEL=debug
export SYSTEMD_LOG_LEVEL

# Sanity checks
#
# time, critical-chain and plot need a completed boot transaction, but the
# testsuite service is itself part of that transaction, so these verbs are
# expected to fail here: only make sure they return cleanly.
systemd-analyze || true
systemd-analyze time || true
systemd-analyze critical-chain || true

# blame: as root, and as an unprivileged user through the user manager
systemd-analyze blame
systemd-run --wait --user --pipe -M testuser@.host systemd-analyze blame

# plot: every --json= mode, each with and without the legend, then --table
systemd-analyze plot >/dev/null || true
for legend in "" --no-legend; do
    for json_mode in pretty short off; do
        systemd-analyze plot "--json=$json_mode" ${legend:+"$legend"} >/dev/null || true
    done
done
systemd-analyze plot --table >/dev/null || true
systemd-analyze plot --table --no-legend >/dev/null || true

# legacy/deprecated verbs: these moved to systemctl but analyze still accepts
# them; round-trip the current value so the manager's settings do not change
for setting in log-level log-target; do
    systemd-analyze "$setting"
    systemd-analyze "$setting" "$(systemctl "$setting")"
    systemd-analyze "get-$setting"
    systemd-analyze "set-$setting" "$(systemctl "$setting")"
done
systemd-analyze service-watchdogs
systemd-analyze service-watchdogs "$(systemctl service-watchdogs)"

# dot: dependency graph, narrowed by unit names and --from-/--to-pattern= globs
systemd-analyze dot >/dev/null
systemd-analyze dot systemd-journald.service >/dev/null
systemd-analyze dot systemd-journald.service systemd-logind.service >/dev/null
systemd-analyze dot --from-pattern="*" --from-pattern="*.service" systemd-journald.service >/dev/null
systemd-analyze dot --to-pattern="*" --to-pattern="*.service" systemd-journald.service >/dev/null
systemd-analyze dot --from-pattern="*.service" --to-pattern="*.service" systemd-journald.service >/dev/null
systemd-analyze dot --order systemd-journald.service systemd-logind.service >/dev/null
systemd-analyze dot --require systemd-journald.service systemd-logind.service >/dev/null
systemd-analyze dot "systemd-*.service" >/dev/null
# this argument mix is expected to be rejected (presumably because of the
# non-existent bbb/ccc units - confirm)
(! systemd-analyze dot systemd-journald.service systemd-logind.service "*" bbb ccc)
# dump
# Unprivileged callers are rate limited to 10 calls per 10 minutes: use up
# the budget as testuser, after which the next call must be refused.
for ((i = 0; i < 10; i++)); do
    runas testuser systemd-analyze dump systemd-journald.service >/dev/null
done
(! runas testuser systemd-analyze dump >/dev/null)
# the limit survives a reload of the manager ...
systemctl daemon-reload
(! runas testuser systemd-analyze dump >/dev/null)
# ... and a re-exec
systemctl daemon-reexec
(! runas testuser systemd-analyze dump >/dev/null)
# privileged callers are not rate limited: the same number of calls and a few
# more all succeed
for ((i = 0; i < 10; i++)); do
    systemd-analyze dump systemd-journald.service >/dev/null
done
systemd-analyze dump >/dev/null
systemd-analyze dump "*" >/dev/null
systemd-analyze dump "*.socket" >/dev/null
# names and patterns that match nothing ("aaaaaaa", "...") are tolerated
systemd-analyze dump "*.socket" "*.service" aaaaaaa ... >/dev/null
systemd-analyze dump systemd-journald.service >/dev/null
systemd-analyze malloc >/dev/null
# an empty pattern is an error
(! systemd-analyze dump "")
# unit-files
systemd-analyze unit-files >/dev/null
systemd-analyze unit-files systemd-journald.service >/dev/null
systemd-analyze unit-files "*" >/dev/null
# a name that matches nothing mixed in with globs is accepted
systemd-analyze unit-files "*" aaaaaa "*.service" "*.target" >/dev/null
systemd-analyze unit-files --user >/dev/null
systemd-analyze unit-files --user "*" aaaaaa "*.service" "*.target" >/dev/null
# unit-paths: system, user and global search paths
for scope in "" --user --global; do
    systemd-analyze unit-paths ${scope:+"$scope"}
done
# exit-status: lookup by name and by number; "hello*" is not a valid status
systemd-analyze exit-status
systemd-analyze exit-status STDOUT BPF
systemd-analyze exit-status 0 1 {63..65}
(! systemd-analyze exit-status STDOUT BPF "hello*")
# capability: lower- and upper-case names and numbers are accepted, "hello*"
# is rejected
systemd-analyze capability
systemd-analyze capability cap_chown CAP_KILL
systemd-analyze capability 0 1 {30..32}
(! systemd-analyze capability cap_chown CAP_KILL "hello*")
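# condition
mkdir -p /run/systemd/system
UNIT_NAME="analyze-condition-$RANDOM.service"
# quoted delimiter: the unit file is literal data, the shell must not expand
# anything in it
cat >"/run/systemd/system/$UNIT_NAME" <<'EOF'
[Unit]
AssertPathExists=/etc/os-release
AssertEnvironment=!FOOBAR
ConditionKernelVersion=>1.0
ConditionPathExists=/etc/os-release

[Service]
ExecStart=/bin/true
EOF
systemctl daemon-reload
# evaluate the conditions/assertions of a loaded unit ...
systemd-analyze condition --unit="$UNIT_NAME"
# ... and ad-hoc ones given on the command line, all expected to hold
systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \
                          'ConditionKernelVersion = >=3.1' \
                          'ConditionACPower=|false' \
                          'ConditionArchitecture=|!arm' \
                          'AssertPathExists=/etc/os-release'
# expected to fail: an unknown key, a condition that cannot hold, an
# assertion that cannot hold
(! systemd-analyze condition 'ConditionArchitecture=|!arm' 'AssertXYZ=foo')
(! systemd-analyze condition 'ConditionKernelVersion=<1.0')
(! systemd-analyze condition 'AssertKernelVersion=<1.0')
# clean up the throwaway unit; nothing later in this script refers to it
rm -f "/run/systemd/system/$UNIT_NAME"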
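# syscall-filter: known groups are accepted (repeated too), unknown ones rejected
systemd-analyze syscall-filter >/dev/null
systemd-analyze syscall-filter @chown @sync
systemd-analyze syscall-filter @sync @sync @sync
(! systemd-analyze syscall-filter @chown @sync @foobar)
# filesystems (requires libbpf support), same shape as syscall-filter.
# -q -F: the feature flag is a literal string and only the match result matters
if systemctl --version | grep -q -F "+BPF_FRAMEWORK"; then
    systemd-analyze filesystems >/dev/null
    systemd-analyze filesystems @basic-api
    systemd-analyze filesystems @basic-api @basic-api @basic-api
    (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api)
fi
# calendar
systemd-analyze calendar '*-2-29 0:0:0'
systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
systemd-analyze calendar '*-* *:*:*'
systemd-analyze calendar --iterations=5 '*-* *:*:*'
systemd-analyze calendar --iterations=50 '*-* *:*:*'
systemd-analyze calendar --iterations=0 '*-* *:*:*'
systemd-analyze calendar --iterations=5 '01-01-22 01:00:00'
systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*'
# invalid specs: hour 99, a base time that never occurs, a bare number, empty
(! systemd-analyze calendar --iterations=0 '*-* 99:*:*')
(! systemd-analyze calendar --base-time=never '*-* *:*:*')
(! systemd-analyze calendar 1)
(! systemd-analyze calendar "")
# timestamp
systemd-analyze timestamp now
systemd-analyze timestamp -- -1
systemd-analyze timestamp yesterday now tomorrow
(! systemd-analyze timestamp yesterday never tomorrow)
(! systemd-analyze timestamp 1)
(! systemd-analyze timestamp '*-2-29 0:0:0')
(! systemd-analyze timestamp "")
# timespan
systemd-analyze timespan 1
systemd-analyze timespan 1s 300s '1year 0.000001s'
(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s')
(! systemd-analyze timespan -- -1)
(! systemd-analyze timespan '*-2-29 0:0:0')
(! systemd-analyze timespan "")
# cat-config: relative and absolute config names; a name that does not exist
# (foo/bar) is not fatal, neither on its own nor in the middle of a list
systemd-analyze cat-config systemd/system.conf >/dev/null
systemd-analyze cat-config /etc/systemd/system.conf >/dev/null
systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null
systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null
systemd-analyze cat-config foo/bar
# security
systemd-analyze security
systemd-analyze security --json=off
# This script runs without pipefail, so "systemd-analyze ... | jq" would hide
# a failing systemd-analyze (jq exits 0 on empty input). Capture the output
# first so analyze's exit status is checked, then validate the JSON.
json=$(systemd-analyze security --json=pretty)
jq . <<<"$json"
json=$(systemd-analyze security --json=short)
jq . <<<"$json"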
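
if [[ ! -v ASAN_OPTIONS ]]; then
    # check that systemd-analyze cat-config paths work in a chroot
    # (skipped when ASAN_OPTIONS is set; presumably the sanitizer runtime
    # cannot be set up inside the chroot - confirm before relying on this)
    mkdir -p /tmp/root
    mount --bind / /tmp/root
    systemd-analyze cat-config systemd/system-preset >/tmp/out1
    chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2
    diff /tmp/out{1,2}
    # do not leave a bind mount of the whole root fs behind for the rest of
    # the test (and for whoever inspects the VM afterwards)
    umount /tmp/root
    rm -f /tmp/out1 /tmp/out2
fi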
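
# verify
# a minimal image tree with a single unit whose ExecStart= resolves inside
# the image
mkdir -p /tmp/img/usr/lib/systemd/system/
mkdir -p /tmp/img/opt/

touch /tmp/img/opt/script0.sh
chmod +x /tmp/img/opt/script0.sh

cat <<'EOF' >/tmp/img/usr/lib/systemd/system/testfile.service
[Service]
ExecStart = /opt/script0.sh
EOF

# The three negative checks below rely on -e being in effect: "(! cmd)" only
# returns non-zero when verify unexpectedly succeeds, and it is -e that turns
# that into a test failure. Do not bracket them with set +e / set -e, that
# would silently ignore a wrong result.

# Default behaviour is to recurse through all dependencies when unit is loaded
(! systemd-analyze verify --root=/tmp/img/ testfile.service)

# As above, recurses through all dependencies when unit is loaded
(! systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service)

# Recurses through unit file and its direct dependencies when unit is loaded
(! systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service)

# zero exit status since dependencies are ignored when unit is loaded
systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service

rm /tmp/img/usr/lib/systemd/system/testfile.service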
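
cat <<'EOF' >/tmp/testfile.service
[Unit]
foo = bar

[Service]
ExecStart = echo hello
EOF

cat <<'EOF' >/tmp/testfile2.service
[Unit]
Requires = testfile.service

[Service]
ExecStart = echo hello
EOF

# Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded
systemd-analyze verify --recursive-errors=no /tmp/testfile2.service

# Non-zero exit status since all associated dependencies are recursively loaded
# when the unit file is loaded (presumably the unknown "foo =" key in
# testfile.service is what trips it). Kept under -e on purpose: wrapped in
# set +e / set -e, an unexpectedly successful verify would go unnoticed.
(! systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service)

rm /tmp/testfile.service /tmp/testfile2.service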
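
cat <<'EOF' >/tmp/testfile.service
[Service]
ExecStart = echo hello
DeviceAllow=/dev/sda
EOF

# Prevent regression from #13380 and #20859 where we can't verify hidden files
cp /tmp/testfile.service /tmp/.testfile.service
systemd-analyze verify /tmp/.testfile.service
rm /tmp/.testfile.service

# Alias a unit file's name on disk (see #20061): a file without a unit suffix
# is rejected on its own, but is fine once an explicit unit name is attached
cp /tmp/testfile.service /tmp/testsrvc
(! systemd-analyze verify /tmp/testsrvc)
systemd-analyze verify /tmp/testsrvc:alias.service
rm /tmp/testsrvc

# Zero exit status: the threshold the exposure level is compared against
# defaults to 100
systemd-analyze security --offline=true /tmp/testfile.service

# The overall exposure level assigned to the unit is greater than the
# explicit threshold of 90
(! systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service)

# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"

rm /tmp/testfile.service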
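
cat <<'EOF' >/tmp/img/usr/lib/systemd/system/testfile.service
[Service]
ExecStart = echo hello
PrivateNetwork = yes
PrivateDevices = yes
PrivateUsers = yes
EOF

# With these sandboxing settings the unit's exposure level is below the
# threshold of 90; this also verifies that --offline= works with --root=
systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service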
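
# Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed
# The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in
# values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight
# assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is
# set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
# level for the unit file should decrease to account for that increased weight.
#
# The delimiter is quoted so the policy is written verbatim: a "$" or a
# backtick in a description would otherwise be expanded by the shell before
# it ever reaches systemd-analyze.
cat <<'EOF' >/tmp/testfile.json
{"UserOrDynamicUser":
{"description_bad": "Service runs as root user",
"weight": 0,
"range": 10
},
"SupplementaryGroups":
{"description_good": "Service has no supplementary groups",
"description_bad": "Service runs with supplementary groups",
"description_na": "Service runs as root, option does not matter",
"weight": 200,
"range": 1
},
"PrivateDevices":
{"description_good": "Service has no access to hardware devices",
"description_bad": "Service potentially has access to hardware devices",
"weight": 1000,
"range": 1
},
"PrivateMounts":
{"description_good": "Service cannot install system mounts",
"description_bad": "Service may install system mounts",
"weight": 1000,
"range": 1
},
"PrivateNetwork":
{"description_good": "Service doesn't have access to the host's network",
"description_bad": "Service has access to the host's network",
"weight": 6000,
"range": 1
},
"PrivateTmp":
{"description_good": "Service has no access to other software's temporary files",
"description_bad": "Service has access to other software's temporary files",
"weight": 1000,
"range": 1
},
"PrivateUsers":
{"description_good": "Service does not have access to other users",
"description_bad": "Service has access to other users",
"weight": 1000,
"range": 1
},
"ProtectControlGroups":
{"description_good": "Service cannot modify the control group file system",
"description_bad": "Service may modify the control group file system",
"weight": 1000,
"range": 1
},
"ProtectKernelModules":
{"description_good": "Service cannot load or read kernel modules",
"description_bad": "Service may load or read kernel modules",
"weight": 1000,
"range": 1
},
"ProtectKernelTunables":
{"description_good": "Service cannot alter kernel tunables (/proc/sys, …)",
"description_bad": "Service may alter kernel tunables",
"weight": 1000,
"range": 1
},
"ProtectKernelLogs":
{"description_good": "Service cannot read from or write to the kernel log ring buffer",
"description_bad": "Service may read from or write to the kernel log ring buffer",
"weight": 1000,
"range": 1
},
"ProtectClock":
{"description_good": "Service cannot write to the hardware clock or system clock",
"description_bad": "Service may write to the hardware clock or system clock",
"weight": 1000,
"range": 1
},
"ProtectHome":
{"weight": 1000,
"range": 10
},
"ProtectHostname":
{"description_good": "Service cannot change system host/domainname",
"description_bad": "Service may change system host/domainname",
"weight": 50,
"range": 1
},
"ProtectSystem":
{"weight": 1000,
"range": 10
},
"RootDirectoryOrRootImage":
{"description_good": "Service has its own root directory/image",
"description_bad": "Service runs within the host's root directory",
"weight": 200,
"range": 1
},
"LockPersonality":
{"description_good": "Service cannot change ABI personality",
"description_bad": "Service may change ABI personality",
"weight": 100,
"range": 1
},
"MemoryDenyWriteExecute":
{"description_good": "Service cannot create writable executable memory mappings",
"description_bad": "Service may create writable executable memory mappings",
"weight": 100,
"range": 1
},
"NoNewPrivileges":
{"description_good": "Service processes cannot acquire new privileges",
"description_bad": "Service processes may acquire new privileges",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_ADMIN":
{"description_good": "Service has no administrator privileges",
"description_bad": "Service has administrator privileges",
"weight": 1500,
"range": 1
},
"CapabilityBoundingSet_CAP_SET_UID_GID_PCAP":
{"description_good": "Service cannot change UID/GID identities/capabilities",
"description_bad": "Service may change UID/GID identities/capabilities",
"weight": 1500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_PTRACE":
{"description_good": "Service has no ptrace() debugging abilities",
"description_bad": "Service has ptrace() debugging abilities",
"weight": 1500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_TIME":
{"description_good": "Service processes cannot change the system clock",
"description_bad": "Service processes may change the system clock",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_NET_ADMIN":
{"description_good": "Service has no network configuration privileges",
"description_bad": "Service has network configuration privileges",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_RAWIO":
{"description_good": "Service has no raw I/O access",
"description_bad": "Service has raw I/O access",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_MODULE":
{"description_good": "Service cannot load kernel modules",
"description_bad": "Service may load kernel modules",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_AUDIT":
{"description_good": "Service has no audit subsystem access",
"description_bad": "Service has audit subsystem access",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYSLOG":
{"description_good": "Service has no access to kernel logging",
"description_bad": "Service has access to kernel logging",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE":
{"description_good": "Service has no privileges to change resource use parameters",
"description_bad": "Service has privileges to change resource use parameters",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_MKNOD":
{"description_good": "Service cannot create device nodes",
"description_bad": "Service may create device nodes",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP":
{"description_good": "Service cannot change file ownership/access mode/capabilities",
"description_bad": "Service may change file ownership/access mode/capabilities unrestricted",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER":
{"description_good": "Service cannot override UNIX file/IPC permission checks",
"description_bad": "Service may override UNIX file/IPC permission checks",
"weight": 1000,
"range": 1
},
"CapabilityBoundingSet_CAP_KILL":
{"description_good": "Service cannot send UNIX signals to arbitrary processes",
"description_bad": "Service may send UNIX signals to arbitrary processes",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW":
{"description_good": "Service has no elevated networking privileges",
"description_bad": "Service has elevated networking privileges",
"weight": 500,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_BOOT":
{"description_good": "Service cannot issue reboot()",
"description_bad": "Service may issue reboot()",
"weight": 100,
"range": 1
},
"CapabilityBoundingSet_CAP_MAC":
{"description_good": "Service cannot adjust SMACK MAC",
"description_bad": "Service may adjust SMACK MAC",
"weight": 100,
"range": 1
},
"CapabilityBoundingSet_CAP_LINUX_IMMUTABLE":
{"description_good": "Service cannot mark files immutable",
"description_bad": "Service may mark files immutable",
"weight": 75,
"range": 1
},
"CapabilityBoundingSet_CAP_IPC_LOCK":
{"description_good": "Service cannot lock memory into RAM",
"description_bad": "Service may lock memory into RAM",
"weight": 50,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_CHROOT":
{"description_good": "Service cannot issue chroot()",
"description_bad": "Service may issue chroot()",
"weight": 50,
"range": 1
},
"CapabilityBoundingSet_CAP_BLOCK_SUSPEND":
{"description_good": "Service cannot establish wake locks",
"description_bad": "Service may establish wake locks",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_WAKE_ALARM":
{"description_good": "Service cannot program timers that wake up the system",
"description_bad": "Service may program timers that wake up the system",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_LEASE":
{"description_good": "Service cannot create file leases",
"description_bad": "Service may create file leases",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_TTY_CONFIG":
{"description_good": "Service cannot issue vhangup()",
"description_bad": "Service may issue vhangup()",
"weight": 25,
"range": 1
},
"CapabilityBoundingSet_CAP_SYS_PACCT":
{"description_good": "Service cannot use acct()",
"description_bad": "Service may use acct()",
"weight": 25,
"range": 1
},
"UMask":
{"weight": 100,
"range": 10
},
"KeyringMode":
{"description_good": "Service doesn't share key material with other services",
"description_bad": "Service shares key material with other service",
"weight": 1000,
"range": 1
},
"ProtectProc":
{"description_good": "Service has restricted access to process tree(/proc hidepid=)",
"description_bad": "Service has full access to process tree(/proc hidepid=)",
"weight": 1000,
"range": 3
},
"ProcSubset":
{"description_good": "Service has no access to non-process/proc files(/proc subset=)",
"description_bad": "Service has full access to non-process/proc files(/proc subset=)",
"weight": 10,
"range": 1
},
"NotifyAccess":
{"description_good": "Service child processes cannot alter service state",
"description_bad": "Service child processes may alter service state",
"weight": 1000,
"range": 1
},
"RemoveIPC":
{"description_good": "Service user cannot leave SysV IPC objects around",
"description_bad": "Service user may leave SysV IPC objects around",
"description_na": "Service runs as root, option does not apply",
"weight": 100,
"range": 1
},
"Delegate":
{"description_good": "Service does not maintain its own delegated control group subtree",
"description_bad": "Service maintains its own delegated control group subtree",
"weight": 100,
"range": 1
},
"RestrictRealtime":
{"description_good": "Service realtime scheduling access is restricted",
"description_bad": "Service may acquire realtime scheduling",
"weight": 500,
"range": 1
},
"RestrictSUIDSGID":
{"description_good": "SUID/SGIDfilecreationbyserviceisrestricted",
"description_bad": "ServicemaycreateSUID/SGIDfiles",
"weight": 1000,
"range": 1
},
"RestrictNamespaces_user":
{"description_good": "Servicecannotcreateusernamespaces",
"description_bad": "Servicemaycreateusernamespaces",
"weight": 1500,
"range": 1
},
"RestrictNamespaces_mnt":
{"description_good": "Service cannot create file system namespaces",
"description_bad": "Service may create file system namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_ipc":
{"description_good": "Service cannot create IPC namespaces",
"description_bad": "Service may create IPC namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_pid":
{"description_good": "Service cannot create process namespaces",
"description_bad": "Service may create process namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_cgroup":
{"description_good": "Service cannot create cgroup namespaces",
"description_bad": "Service may create cgroup namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_net":
{"description_good": "Service cannot create network namespaces",
"description_bad": "Service may create network namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_uts":
{"description_good": "Service cannot create hostname namespaces",
"description_bad": "Service may create hostname namespaces",
"weight": 100,
"range": 1
},
"RestrictAddressFamilies_AF_INET_INET6":
{"description_good": "Service cannot allocate Internet sockets",
"description_bad": "Service may allocate Internet sockets",
"weight": 1500,
"range": 1
},
"RestrictAddressFamilies_AF_UNIX":
{"description_good": "Service cannot allocate local sockets",
"description_bad": "Service may allocate local sockets",
"weight": 25,
"range": 1
},
"RestrictAddressFamilies_AF_NETLINK":
{"description_good": "Service cannot allocate netlink sockets",
"description_bad": "Service may allocate netlink sockets",
"weight": 200,
"range": 1
},
"RestrictAddressFamilies_AF_PACKET":
{"description_good": "Service cannot allocate packet sockets",
"description_bad": "Service may allocate packet sockets",
"weight": 1000,
"range": 1
},
"RestrictAddressFamilies_OTHER":
{"description_good": "Service cannot allocate exotic sockets",
"description_bad": "Service may allocate exotic sockets",
"weight": 1250,
"range": 1
},
"SystemCallArchitectures":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_swap":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_obsolete":
{"weight": 250,
"range": 10
},
"SystemCallFilter_clock":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_cpu_emulation":
{"weight": 250,
"range": 10
},
"SystemCallFilter_debug":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_mount":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_module":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_raw_io":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_reboot":
{"weight": 1000,
"range": 10
},
"SystemCallFilter_privileged":
{"weight": 700,
"range": 10
},
"SystemCallFilter_resources":
{"weight": 700,
"range": 10
},
"IPAddressDeny":
{"weight": 1000,
"range": 10
},
"DeviceAllow":
{"weight": 1000,
"range": 10
},
"AmbientCapabilities":
{"description_good": "Service process does not receive ambient capabilities",
"description_bad": "Service process receives ambient capabilities",
"weight": 500,
"range": 1
},
"INVALID_ID":
{"weight": 1000,
"range": 10
}
}
EOF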

# Options shared by the policy-driven checks below: score offline, with the
# custom weights from /tmp/testfile.json, against the image tree
policy_args=(--offline=true --security-policy=/tmp/testfile.json --root=/tmp/img/)

# Reads in custom security requirements from the parsed .json file and uses these for comparison
systemd-analyze security --threshold=90 "${policy_args[@]}" testfile.service

# The strict profile adds a lot of sandboxing options, so even 25 is not exceeded
systemd-analyze security --threshold=25 "${policy_args[@]}" --profile=strict testfile.service

# The trusted profile doesn't add any sandboxing options, so 25 is exceeded ...
(! systemd-analyze security --threshold=25 "${policy_args[@]}" \
                            --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
                            testfile.service)

# ... and without any profile so is 50
(! systemd-analyze security --threshold=50 "${policy_args[@]}" testfile.service)

rm /tmp/img/usr/lib/systemd/system/testfile.service

# inspect-elf needs elfutils; when built with it, the JSON output for the
# systemd binary must classify it as an executable
if grep -q -F "+ELFUTILS" <<<"$(systemd-analyze --version)"; then
    systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"'
fi

# a live (non-offline) check of a real unit: journald is expected to stay
# under an exposure level of 90
systemd-analyze --threshold=90 security systemd-journald.service

# issue 23663
# check MODE OFFLINE UNIT: run "security" on UNIT with --offline=OFFLINE and
# make sure the SystemCallFilter= rows describe a MODE ("allow"/"deny") list
# with the expected per-group verdicts. assert_in (from util.sh) is expected
# to abort when the needle is missing. Runs in a subshell so that "set +x"
# and the locals do not leak into the caller; with -e inherited, a grep that
# matches nothing fails the check as well.
check() {(
    set +x
    local mode=${1?} offline=${2?} unit=${3?}
    local output expected
    output=$(systemd-analyze security --offline="$offline" "$unit" | grep -F 'SystemCallFilter=')
    assert_in "System call $mode list" "$output"
    for expected in \
            "[+✓] SystemCallFilter=~@swap" \
            "[+✓] SystemCallFilter=~@resources" \
            "[+✓] SystemCallFilter=~@reboot" \
            "[+✓] SystemCallFilter=~@raw-io" \
            "[-✗] SystemCallFilter=~@privileged" \
            "[+✓] SystemCallFilter=~@obsolete" \
            "[+✓] SystemCallFilter=~@mount" \
            "[+✓] SystemCallFilter=~@module" \
            "[+✓] SystemCallFilter=~@debug" \
            "[+✓] SystemCallFilter=~@cpu-emulation" \
            "[-✗] SystemCallFilter=~@clock"; do
        assert_in "$expected" "$output"
    done
)}
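
# Stop exporting the debug log level to child processes from here on
# (presumably so that the systemd-run output captured with 2>&1 below holds
# only the "Running as unit: ..." line that is parsed for the unit name -
# confirm).
export -n SYSTEMD_LOG_LEVEL

mkdir -p /run/systemd/system
# two units with the same filter chain but different starting points: an
# allow list (@system-service) and a deny list (~@known first)
cat >/run/systemd/system/allow-list.service <<'EOF'
[Service]
ExecStart=false
SystemCallFilter=@system-service
SystemCallFilter=~@resources:ENOANO @privileged
SystemCallFilter=@clock
EOF

cat >/run/systemd/system/deny-list.service <<'EOF'
[Service]
ExecStart=false
SystemCallFilter=~@known
SystemCallFilter=@system-service
SystemCallFilter=~@resources:ENOANO @privileged
SystemCallFilter=@clock
EOF

systemctl daemon-reload

# offline (file path) and live (loaded unit) analysis must agree
check allow yes /run/systemd/system/allow-list.service
check allow no allow-list.service
check deny yes /run/systemd/system/deny-list.service
check deny no deny-list.service

# The same two filter chains as transient units. The generated unit name is
# taken from the 4th word of systemd-run's output; fail here if that parsing
# yields nothing rather than handing an empty name to check().
output=$(systemd-run -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
name=$(awk '{ print $4 }' <<<"$output")
[[ -n "$name" ]]

check allow yes /run/systemd/transient/"$name"
check allow no "$name"

output=$(systemd-run -p "SystemCallFilter=~@known" -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
name=$(awk '{ print $4 }' <<<"$output")
[[ -n "$name" ]]

check deny yes /run/systemd/transient/"$name"
check deny no "$name"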

# Let's also test the "image-policy" verb: the parsed policy is echoed back
# in its canonical long form, followed by a table of per-partition verdicts
systemd-analyze image-policy '*' 2>&1 | grep -q -F "Long form: =verity+signed+encrypted+unprotected+unused+absent"
systemd-analyze image-policy '-' 2>&1 | grep -q -F "Long form: =unused+absent"

policy='home=encrypted:usr=verity'
systemd-analyze image-policy "$policy" 2>&1 | grep -q -F "Long form: usr=verity:home=encrypted:=unused+absent"
for row in '^home \+encrypted \+' '^usr \+verity \+' '^root \+ignore \+' '^usr-verity \+unprotected \+'; do
    systemd-analyze image-policy "$policy" 2>&1 | grep -q -e "$row"
done

# garbage is rejected
(! systemd-analyze image-policy 'doedel')

# Output is very hard to predict, but let's run it for coverage anyway:
# all PCRs, as JSON, and a selection by number and by name
systemd-analyze pcrs
systemd-analyze pcrs --json=pretty
systemd-analyze pcrs 14 7 0 ima

# undo the debug log level set at the top
systemd-analyze log-level info

# success marker; the test harness is expected to look for this file
touch /testok