1 #!/usr/bin/env bash
2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
4 set -eux
5
6 # shellcheck source=test/units/util.sh
7 . "$(dirname "$0")"/util.sh
8
# Turn on verbose logging for both the system manager and every systemd tool
# spawned from this script (the tools honour SYSTEMD_LOG_LEVEL from the environment).
systemctl log-level debug
export SYSTEMD_LOG_LEVEL=debug

# Sanity checks
#
# We can't really test time, critical-chain and plot verbs here, as
# the testsuite service is a part of the boot transaction, so let's assume
# they fail
#
# "|| :" swallows the exit status, so these invocations only check that the
# verb runs at all (no crash), not that it reports a finished boot.
systemd-analyze || :
systemd-analyze time || :
systemd-analyze critical-chain || :
# blame
systemd-analyze blame
# Same verb against the per-user manager of "testuser" (user@.host targets the
# local user instance; --wait --pipe forwards its exit status and output here).
systemd-run --wait --user --pipe -M testuser@.host systemd-analyze blame
# plot
# Every output mode is exercised, again tolerating failure because the boot
# transaction this test is part of has not completed yet.
systemd-analyze plot >/dev/null || :
systemd-analyze plot --json=pretty >/dev/null || :
systemd-analyze plot --json=short >/dev/null || :
systemd-analyze plot --json=off >/dev/null || :
systemd-analyze plot --json=pretty --no-legend >/dev/null || :
systemd-analyze plot --json=short --no-legend >/dev/null || :
systemd-analyze plot --json=off --no-legend >/dev/null || :
systemd-analyze plot --table >/dev/null || :
systemd-analyze plot --table --no-legend >/dev/null || :
# legacy/deprecated options (moved to systemctl, but still usable from analyze)
# Each setter is fed the value just read back through systemctl, so the
# manager's log level, log target and watchdog setting are left unchanged.
systemd-analyze log-level
systemd-analyze log-level "$(systemctl log-level)"
systemd-analyze get-log-level
systemd-analyze set-log-level "$(systemctl log-level)"
systemd-analyze log-target
systemd-analyze log-target "$(systemctl log-target)"
systemd-analyze get-log-target
systemd-analyze set-log-target "$(systemctl log-target)"
systemd-analyze service-watchdogs
systemd-analyze service-watchdogs "$(systemctl service-watchdogs)"
# dot
# Dependency graph output; stdout is discarded, only the exit status matters.
systemd-analyze dot >/dev/null
systemd-analyze dot systemd-journald.service >/dev/null
systemd-analyze dot systemd-journald.service systemd-logind.service >/dev/null
systemd-analyze dot --from-pattern="*" --from-pattern="*.service" systemd-journald.service >/dev/null
systemd-analyze dot --to-pattern="*" --to-pattern="*.service" systemd-journald.service >/dev/null
systemd-analyze dot --from-pattern="*.service" --to-pattern="*.service" systemd-journald.service >/dev/null
systemd-analyze dot --order systemd-journald.service systemd-logind.service >/dev/null
systemd-analyze dot --require systemd-journald.service systemd-logind.service >/dev/null
systemd-analyze dot "systemd-*.service" >/dev/null
# "(! cmd)" asserts that cmd fails: the subshell exits non-zero if cmd
# unexpectedly succeeds, and the script's "set -e" then aborts the test.
(! systemd-analyze dot systemd-journald.service systemd-logind.service "*" bbb ccc)
# dump
systemd-analyze dump >/dev/null
systemd-analyze dump "*" >/dev/null
systemd-analyze dump "*.socket" >/dev/null
# Patterns that match nothing ("aaaaaaa", "...") are tolerated alongside real ones
systemd-analyze dump "*.socket" "*.service" aaaaaaa ... >/dev/null
systemd-analyze dump systemd-journald.service >/dev/null
systemd-analyze malloc >/dev/null
# ...but an empty pattern is rejected
(! systemd-analyze dump "")
# unit-files
systemd-analyze unit-files >/dev/null
systemd-analyze unit-files systemd-journald.service >/dev/null
systemd-analyze unit-files "*" >/dev/null
systemd-analyze unit-files "*" aaaaaa "*.service" "*.target" >/dev/null
systemd-analyze unit-files --user >/dev/null
systemd-analyze unit-files --user "*" aaaaaa "*.service" "*.target" >/dev/null
# unit-paths
systemd-analyze unit-paths
systemd-analyze unit-paths --user
systemd-analyze unit-paths --global
# exit-status
# Both symbolic names and numeric codes are accepted; a glob is not.
systemd-analyze exit-status
systemd-analyze exit-status STDOUT BPF
systemd-analyze exit-status 0 1 {63..65}
(! systemd-analyze exit-status STDOUT BPF "hello*")
# capability
# Lower- and upper-case capability names as well as numbers are accepted; a glob is not.
systemd-analyze capability
systemd-analyze capability cap_chown CAP_KILL
systemd-analyze capability 0 1 {30..32}
(! systemd-analyze capability cap_chown CAP_KILL "hello*")
# condition
# Drop a throwaway unit into the runtime unit directory so "condition --unit="
# has something loaded to evaluate. The name is randomised to avoid clashing
# with leftovers from earlier runs; the file is not removed by this script.
mkdir -p /run/systemd/system
UNIT_NAME="analyze-condition-$RANDOM.service"
cat >"/run/systemd/system/$UNIT_NAME" <<EOF
[Unit]
AssertPathExists=/etc/os-release
AssertEnvironment=!FOOBAR
ConditionKernelVersion=>1.0
ConditionPathExists=/etc/os-release

[Service]
ExecStart=/bin/true
EOF
systemctl daemon-reload
systemd-analyze condition --unit="$UNIT_NAME"
# Conditions may also be passed directly; all of these are expected to hold
# on the test machine (whitespace around "=" and the "|" / "!" prefixes are allowed).
systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \
    'ConditionKernelVersion = >=3.1' \
    'ConditionACPower=|false' \
    'ConditionArchitecture=|!arm' \
    'AssertPathExists=/etc/os-release'
# An unknown Assert*/Condition* key is a parse error, and a condition/assertion
# that cannot hold (kernel older than 1.0) makes the verb exit non-zero.
(! systemd-analyze condition 'ConditionArchitecture=|!arm' 'AssertXYZ=foo')
(! systemd-analyze condition 'ConditionKernelVersion=<1.0')
(! systemd-analyze condition 'AssertKernelVersion=<1.0')
# syscall-filter
systemd-analyze syscall-filter >/dev/null
systemd-analyze syscall-filter @chown @sync
# Repeating a set is fine, an unknown set name is an error.
systemd-analyze syscall-filter @sync @sync @sync
(! systemd-analyze syscall-filter @chown @sync @foobar)
# filesystems (requires libbpf support)
# Gated on the build feature flag reported by "systemctl --version".
if systemctl --version | grep "+BPF_FRAMEWORK"; then
    systemd-analyze filesystems >/dev/null
    systemd-analyze filesystems @basic-api
    systemd-analyze filesystems @basic-api @basic-api @basic-api
    (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api)
fi
# calendar
# Feb 29 only matches in leap years, so several iterations span multiple years;
# --iterations=0 still has to parse and validate the expression.
systemd-analyze calendar '*-2-29 0:0:0'
systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
systemd-analyze calendar '*-* *:*:*'
systemd-analyze calendar --iterations=5 '*-* *:*:*'
systemd-analyze calendar --iterations=50 '*-* *:*:*'
systemd-analyze calendar --iterations=0 '*-* *:*:*'
systemd-analyze calendar --iterations=5 '01-01-22 01:00:00'
systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*'
# Hour 99 is out of range, "never" is not a usable base time, and a bare
# number or an empty string is not a calendar expression.
(! systemd-analyze calendar --iterations=0 '*-* 99:*:*')
(! systemd-analyze calendar --base-time=never '*-* *:*:*')
(! systemd-analyze calendar 1)
(! systemd-analyze calendar "")
# timestamp
systemd-analyze timestamp now
# "--" ends option parsing so that "-1" is taken as a timestamp argument, not a flag.
systemd-analyze timestamp -- -1
systemd-analyze timestamp yesterday now tomorrow
# "never", a plain number, a calendar expression and an empty string are all rejected.
(! systemd-analyze timestamp yesterday never tomorrow)
(! systemd-analyze timestamp 1)
(! systemd-analyze timestamp '*-2-29 0:0:0')
(! systemd-analyze timestamp "")
# timespan
systemd-analyze timespan 1
systemd-analyze timespan 1s 300s '1year 0.000001s'
# One bad argument fails the whole invocation; negative spans, calendar
# expressions and empty strings are not time spans.
(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s')
(! systemd-analyze timespan -- -1)
(! systemd-analyze timespan '*-2-29 0:0:0')
(! systemd-analyze timespan "")
# cat-config
# Both search-path-relative names and absolute paths are accepted. Note that an
# unknown name (foo/bar) is not fatal: the last two lines must exit zero under "set -e".
systemd-analyze cat-config systemd/system.conf >/dev/null
systemd-analyze cat-config /etc/systemd/system.conf >/dev/null
systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null
systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null
systemd-analyze cat-config foo/bar
# security
# Without a unit argument every loaded service is analysed. The JSON variants
# are piped through jq so that malformed JSON fails the test (no pipefail is set,
# so only jq's exit status is observed here).
systemd-analyze security
systemd-analyze security --json=off
systemd-analyze security --json=pretty | jq
systemd-analyze security --json=short | jq
158
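# Skipped when running under ASan (ASAN_OPTIONS is set by the sanitizer test setup).
if [[ ! -v ASAN_OPTIONS ]]; then
    # check that systemd-analyze cat-config paths work in a chroot
    # The host root is bind-mounted under /tmp/root and the same verb is run
    # inside and outside of the chroot; the outputs must be identical.
    mkdir -p /tmp/root
    mount --bind / /tmp/root
    systemd-analyze cat-config systemd/system-preset >/tmp/out1
    chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2
    diff /tmp/out{1,2}
    # Tear the bind mount down again. Leaving "/" mounted under /tmp/root would let
    # any later recursive operation on /tmp (e.g. a clean-up "rm -rf") reach the
    # real root file system through the mount point.
    umount /tmp/root
fi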
167
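# verify
# Build a minimal --root= tree holding one unit whose ExecStart= points at an
# executable that exists inside that tree.
mkdir -p /tmp/img/usr/lib/systemd/system/
mkdir -p /tmp/img/opt/

touch /tmp/img/opt/script0.sh
chmod +x /tmp/img/opt/script0.sh

cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
[Service]
ExecStart = /opt/script0.sh
EOF

# The following negative checks rely on the "(! cmd)" idiom, which only fails the
# test while errexit is in effect in this shell: the subshell exits non-zero when
# cmd unexpectedly succeeds and "set -e" then aborts. They must therefore NOT be
# wrapped in "set +e", otherwise they silently pass regardless of the outcome.
#
# Default behaviour is to recurse through all dependencies when unit is loaded
# (presumably the image lacks the implicitly pulled-in default units, hence the error)
(! systemd-analyze verify --root=/tmp/img/ testfile.service)

# As above, recurses through all dependencies when unit is loaded
(! systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service)

# Recurses through unit file and its direct dependencies when unit is loaded
(! systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service)

# zero exit status since dependencies are ignored when unit is loaded
systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service

rm /tmp/img/usr/lib/systemd/system/testfile.service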
196
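# A unit with an unknown [Unit] setting ("foo = bar") and a second unit that
# Requires= it; both live in /tmp so they are found when the file path is given.
cat <<EOF >/tmp/testfile.service
[Unit]
foo = bar

[Service]
ExecStart = echo hello
EOF

cat <<EOF >/tmp/testfile2.service
[Unit]
Requires = testfile.service

[Service]
ExecStart = echo hello
EOF

# Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded
systemd-analyze verify --recursive-errors=no /tmp/testfile2.service

# Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded
# (the problem is in testfile.service, which is only reached through the Requires= dependency).
# Keep errexit enabled here: "(! cmd)" only fails the test while "set -e" is in effect,
# so wrapping this in "set +e" would turn the assertion into a no-op.
(! systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service)

rm /tmp/testfile.service
rm /tmp/testfile2.service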
223
# A unit with no sandboxing at all and one DeviceAllow= entry; used for the
# hidden-file, alias and offline-security checks below.
cat <<EOF >/tmp/testfile.service
[Service]
ExecStart = echo hello
DeviceAllow=/dev/sda
EOF

# Prevent regression from #13380 and #20859 where we can't verify hidden files
cp /tmp/testfile.service /tmp/.testfile.service

systemd-analyze verify /tmp/.testfile.service

rm /tmp/.testfile.service

# Alias a unit file's name on disk (see #20061)
cp /tmp/testfile.service /tmp/testsrvc

# A file name without a unit type suffix cannot be verified as-is...
(! systemd-analyze verify /tmp/testsrvc)

# ...but the "path:unit-name" syntax tells verify which name to load it under.
systemd-analyze verify /tmp/testsrvc:alias.service

# Zero exit status since the value the exposure level is compared against (--threshold=) is 100 by default
systemd-analyze security --offline=true /tmp/testfile.service

# The overall exposure level assigned to the unit is greater than the set threshold
(! systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service)

# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"

rm /tmp/testfile.service
254
# Re-create the unit inside the --root= image, this time with some sandboxing
# (private network, devices and user namespace) turned on.
cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
[Service]
ExecStart = echo hello
PrivateNetwork = yes
PrivateDevices = yes
PrivateUsers = yes
EOF

# The new overall exposure level assigned to the unit is less than the set thresholds
# Verifies that the --offline= option works with --root=
systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service
266
# An extra "INVALID_ID" entry is included in the .json to verify that nothing breaks when the input is malformed.
# The PrivateNetwork description and weight were changed to verify that 'security' actually reads the
# values from the .json file when one is given. The default weight for "PrivateNetwork" is 2500, and the new weight
# assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is
# set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
# level for the unit file should decrease to account for that increased weight.
273 cat <<EOF >/tmp/testfile.json
274 {"UserOrDynamicUser":
275 {"description_bad": "Service runs as root user",
276 "weight": 0,
277 "range": 10
278 },
279 "SupplementaryGroups":
280 {"description_good": "Service has no supplementary groups",
281 "description_bad": "Service runs with supplementary groups",
282 "description_na": "Service runs as root, option does not matter",
283 "weight": 200,
284 "range": 1
285 },
286 "PrivateDevices":
287 {"description_good": "Service has no access to hardware devices",
288 "description_bad": "Service potentially has access to hardware devices",
289 "weight": 1000,
290 "range": 1
291 },
292 "PrivateMounts":
293 {"description_good": "Service cannot install system mounts",
294 "description_bad": "Service may install system mounts",
295 "weight": 1000,
296 "range": 1
297 },
298 "PrivateNetwork":
299 {"description_good": "Service doesn't have access to the host's network",
300 "description_bad": "Service has access to the host's network",
301 "weight": 6000,
302 "range": 1
303 },
304 "PrivateTmp":
305 {"description_good": "Service has no access to other software's temporary files",
306 "description_bad": "Service has access to other software's temporary files",
307 "weight": 1000,
308 "range": 1
309 },
310 "PrivateUsers":
311 {"description_good": "Service does not have access to other users",
312 "description_bad": "Service has access to other users",
313 "weight": 1000,
314 "range": 1
315 },
316 "ProtectControlGroups":
317 {"description_good": "Service cannot modify the control group file system",
318 "description_bad": "Service may modify the control group file system",
319 "weight": 1000,
320 "range": 1
321 },
322 "ProtectKernelModules":
323 {"description_good": "Service cannot load or read kernel modules",
324 "description_bad": "Service may load or read kernel modules",
325 "weight": 1000,
326 "range": 1
327 },
328 "ProtectKernelTunables":
329 {"description_good": "Service cannot alter kernel tunables (/proc/sys, …)",
330 "description_bad": "Service may alter kernel tunables",
331 "weight": 1000,
332 "range": 1
333 },
334 "ProtectKernelLogs":
335 {"description_good": "Service cannot read from or write to the kernel log ring buffer",
336 "description_bad": "Service may read from or write to the kernel log ring buffer",
337 "weight": 1000,
338 "range": 1
339 },
340 "ProtectClock":
341 {"description_good": "Service cannot write to the hardware clock or system clock",
342 "description_bad": "Service may write to the hardware clock or system clock",
343 "weight": 1000,
344 "range": 1
345 },
346 "ProtectHome":
347 {"weight": 1000,
348 "range": 10
349 },
350 "ProtectHostname":
351 {"description_good": "Service cannot change system host/domainname",
352 "description_bad": "Service may change system host/domainname",
353 "weight": 50,
354 "range": 1
355 },
356 "ProtectSystem":
357 {"weight": 1000,
358 "range": 10
359 },
360 "RootDirectoryOrRootImage":
361 {"description_good": "Service has its own root directory/image",
362 "description_bad": "Service runs within the host's root directory",
363 "weight": 200,
364 "range": 1
365 },
366 "LockPersonality":
367 {"description_good": "Service cannot change ABI personality",
368 "description_bad": "Service may change ABI personality",
369 "weight": 100,
370 "range": 1
371 },
372 "MemoryDenyWriteExecute":
373 {"description_good": "Service cannot create writable executable memory mappings",
374 "description_bad": "Service may create writable executable memory mappings",
375 "weight": 100,
376 "range": 1
377 },
378 "NoNewPrivileges":
379 {"description_good": "Service processes cannot acquire new privileges",
380 "description_bad": "Service processes may acquire new privileges",
381 "weight": 1000,
382 "range": 1
383 },
384 "CapabilityBoundingSet_CAP_SYS_ADMIN":
385 {"description_good": "Service has no administrator privileges",
386 "description_bad": "Service has administrator privileges",
387 "weight": 1500,
388 "range": 1
389 },
390 "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP":
391 {"description_good": "Service cannot change UID/GID identities/capabilities",
392 "description_bad": "Service may change UID/GID identities/capabilities",
393 "weight": 1500,
394 "range": 1
395 },
396 "CapabilityBoundingSet_CAP_SYS_PTRACE":
397 {"description_good": "Service has no ptrace() debugging abilities",
398 "description_bad": "Service has ptrace() debugging abilities",
399 "weight": 1500,
400 "range": 1
401 },
402 "CapabilityBoundingSet_CAP_SYS_TIME":
403 {"description_good": "Service processes cannot change the system clock",
404 "description_bad": "Service processes may change the system clock",
405 "weight": 1000,
406 "range": 1
407 },
408 "CapabilityBoundingSet_CAP_NET_ADMIN":
409 {"description_good": "Service has no network configuration privileges",
410 "description_bad": "Service has network configuration privileges",
411 "weight": 1000,
412 "range": 1
413 },
414 "CapabilityBoundingSet_CAP_SYS_RAWIO":
415 {"description_good": "Service has no raw I/O access",
416 "description_bad": "Service has raw I/O access",
417 "weight": 1000,
418 "range": 1
419 },
420 "CapabilityBoundingSet_CAP_SYS_MODULE":
421 {"description_good": "Service cannot load kernel modules",
422 "description_bad": "Service may load kernel modules",
423 "weight": 1000,
424 "range": 1
425 },
426 "CapabilityBoundingSet_CAP_AUDIT":
427 {"description_good": "Service has no audit subsystem access",
428 "description_bad": "Service has audit subsystem access",
429 "weight": 500,
430 "range": 1
431 },
432 "CapabilityBoundingSet_CAP_SYSLOG":
433 {"description_good": "Service has no access to kernel logging",
434 "description_bad": "Service has access to kernel logging",
435 "weight": 500,
436 "range": 1
437 },
438 "CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE":
439 {"description_good": "Service has no privileges to change resource use parameters",
440 "description_bad": "Service has privileges to change resource use parameters",
441 "weight": 500,
442 "range": 1
443 },
444 "CapabilityBoundingSet_CAP_MKNOD":
445 {"description_good": "Service cannot create device nodes",
446 "description_bad": "Service may create device nodes",
447 "weight": 500,
448 "range": 1
449 },
450 "CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP":
451 {"description_good": "Service cannot change file ownership/access mode/capabilities",
452 "description_bad": "Service may change file ownership/access mode/capabilities unrestricted",
453 "weight": 1000,
454 "range": 1
455 },
456 "CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER":
457 {"description_good": "Service cannot override UNIX file/IPC permission checks",
458 "description_bad": "Service may override UNIX file/IPC permission checks",
459 "weight": 1000,
460 "range": 1
461 },
462 "CapabilityBoundingSet_CAP_KILL":
463 {"description_good": "Service cannot send UNIX signals to arbitrary processes",
464 "description_bad": "Service may send UNIX signals to arbitrary processes",
465 "weight": 500,
466 "range": 1
467 },
468 "CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW":
469 {"description_good": "Service has no elevated networking privileges",
470 "description_bad": "Service has elevated networking privileges",
471 "weight": 500,
472 "range": 1
473 },
474 "CapabilityBoundingSet_CAP_SYS_BOOT":
475 {"description_good": "Service cannot issue reboot()",
476 "description_bad": "Service may issue reboot()",
477 "weight": 100,
478 "range": 1
479 },
480 "CapabilityBoundingSet_CAP_MAC":
481 {"description_good": "Service cannot adjust SMACK MAC",
482 "description_bad": "Service may adjust SMACK MAC",
483 "weight": 100,
484 "range": 1
485 },
486 "CapabilityBoundingSet_CAP_LINUX_IMMUTABLE":
487 {"description_good": "Service cannot mark files immutable",
488 "description_bad": "Service may mark files immutable",
489 "weight": 75,
490 "range": 1
491 },
492 "CapabilityBoundingSet_CAP_IPC_LOCK":
493 {"description_good": "Service cannot lock memory into RAM",
494 "description_bad": "Service may lock memory into RAM",
495 "weight": 50,
496 "range": 1
497 },
498 "CapabilityBoundingSet_CAP_SYS_CHROOT":
499 {"description_good": "Service cannot issue chroot()",
500 "description_bad": "Service may issue chroot()",
501 "weight": 50,
502 "range": 1
503 },
504 "CapabilityBoundingSet_CAP_BLOCK_SUSPEND":
505 {"description_good": "Service cannot establish wake locks",
506 "description_bad": "Service may establish wake locks",
507 "weight": 25,
508 "range": 1
509 },
510 "CapabilityBoundingSet_CAP_WAKE_ALARM":
511 {"description_good": "Service cannot program timers that wake up the system",
512 "description_bad": "Service may program timers that wake up the system",
513 "weight": 25,
514 "range": 1
515 },
516 "CapabilityBoundingSet_CAP_LEASE":
517 {"description_good": "Service cannot create file leases",
518 "description_bad": "Service may create file leases",
519 "weight": 25,
520 "range": 1
521 },
522 "CapabilityBoundingSet_CAP_SYS_TTY_CONFIG":
523 {"description_good": "Service cannot issue vhangup()",
524 "description_bad": "Service may issue vhangup()",
525 "weight": 25,
526 "range": 1
527 },
528 "CapabilityBoundingSet_CAP_SYS_PACCT":
529 {"description_good": "Service cannot use acct()",
530 "description_bad": "Service may use acct()",
531 "weight": 25,
532 "range": 1
533 },
534 "UMask":
535 {"weight": 100,
536 "range": 10
537 },
538 "KeyringMode":
539 {"description_good": "Service doesn't share key material with other services",
540 "description_bad": "Service shares key material with other service",
541 "weight": 1000,
542 "range": 1
543 },
544 "ProtectProc":
545 {"description_good": "Service has restricted access to process tree(/proc hidepid=)",
546 "description_bad": "Service has full access to process tree(/proc hidepid=)",
547 "weight": 1000,
548 "range": 3
549 },
550 "ProcSubset":
551 {"description_good": "Service has no access to non-process/proc files(/proc subset=)",
552 "description_bad": "Service has full access to non-process/proc files(/proc subset=)",
553 "weight": 10,
554 "range": 1
555 },
556 "NotifyAccess":
557 {"description_good": "Service child processes cannot alter service state",
558 "description_bad": "Service child processes may alter service state",
559 "weight": 1000,
560 "range": 1
561 },
562 "RemoveIPC":
563 {"description_good": "Service user cannot leave SysV IPC objects around",
564 "description_bad": "Service user may leave SysV IPC objects around",
565 "description_na": "Service runs as root, option does not apply",
566 "weight": 100,
567 "range": 1
568 },
569 "Delegate":
570 {"description_good": "Service does not maintain its own delegated control group subtree",
571 "description_bad": "Service maintains its own delegated control group subtree",
572 "weight": 100,
573 "range": 1
574 },
575 "RestrictRealtime":
576 {"description_good": "Service realtime scheduling access is restricted",
577 "description_bad": "Service may acquire realtime scheduling",
578 "weight": 500,
579 "range": 1
580 },
581 "RestrictSUIDSGID":
582 {"description_good": "SUID/SGIDfilecreationbyserviceisrestricted",
583 "description_bad": "ServicemaycreateSUID/SGIDfiles",
584 "weight": 1000,
585 "range": 1
586 },
587 "RestrictNamespaces_user":
588 {"description_good": "Servicecannotcreateusernamespaces",
589 "description_bad": "Servicemaycreateusernamespaces",
590 "weight": 1500,
591 "range": 1
592 },
593 "RestrictNamespaces_mnt":
594 {"description_good": "Service cannot create file system namespaces",
595 "description_bad": "Service may create file system namespaces",
596 "weight": 500,
597 "range": 1
598 },
599 "RestrictNamespaces_ipc":
600 {"description_good": "Service cannot create IPC namespaces",
601 "description_bad": "Service may create IPC namespaces",
602 "weight": 500,
603 "range": 1
604 },
605 "RestrictNamespaces_pid":
606 {"description_good": "Service cannot create process namespaces",
607 "description_bad": "Service may create process namespaces",
608 "weight": 500,
609 "range": 1
610 },
611 "RestrictNamespaces_cgroup":
612 {"description_good": "Service cannot create cgroup namespaces",
613 "description_bad": "Service may create cgroup namespaces",
614 "weight": 500,
615 "range": 1
616 },
617 "RestrictNamespaces_net":
618 {"description_good": "Service cannot create network namespaces",
619 "description_bad": "Service may create network namespaces",
620 "weight": 500,
621 "range": 1
622 },
623 "RestrictNamespaces_uts":
624 {"description_good": "Service cannot create hostname namespaces",
625 "description_bad": "Service may create hostname namespaces",
626 "weight": 100,
627 "range": 1
628 },
629 "RestrictAddressFamilies_AF_INET_INET6":
630 {"description_good": "Service cannot allocate Internet sockets",
631 "description_bad": "Service may allocate Internet sockets",
632 "weight": 1500,
633 "range": 1
634 },
635 "RestrictAddressFamilies_AF_UNIX":
636 {"description_good": "Service cannot allocate local sockets",
637 "description_bad": "Service may allocate local sockets",
638 "weight": 25,
639 "range": 1
640 },
641 "RestrictAddressFamilies_AF_NETLINK":
642 {"description_good": "Service cannot allocate netlink sockets",
643 "description_bad": "Service may allocate netlink sockets",
644 "weight": 200,
645 "range": 1
646 },
647 "RestrictAddressFamilies_AF_PACKET":
648 {"description_good": "Service cannot allocate packet sockets",
649 "description_bad": "Service may allocate packet sockets",
650 "weight": 1000,
651 "range": 1
652 },
653 "RestrictAddressFamilies_OTHER":
654 {"description_good": "Service cannot allocate exotic sockets",
655 "description_bad": "Service may allocate exotic sockets",
656 "weight": 1250,
657 "range": 1
658 },
659 "SystemCallArchitectures":
660 {"weight": 1000,
661 "range": 10
662 },
663 "SystemCallFilter_swap":
664 {"weight": 1000,
665 "range": 10
666 },
667 "SystemCallFilter_obsolete":
668 {"weight": 250,
669 "range": 10
670 },
671 "SystemCallFilter_clock":
672 {"weight": 1000,
673 "range": 10
674 },
675 "SystemCallFilter_cpu_emulation":
676 {"weight": 250,
677 "range": 10
678 },
679 "SystemCallFilter_debug":
680 {"weight": 1000,
681 "range": 10
682 },
683 "SystemCallFilter_mount":
684 {"weight": 1000,
685 "range": 10
686 },
687 "SystemCallFilter_module":
688 {"weight": 1000,
689 "range": 10
690 },
691 "SystemCallFilter_raw_io":
692 {"weight": 1000,
693 "range": 10
694 },
695 "SystemCallFilter_reboot":
696 {"weight": 1000,
697 "range": 10
698 },
699 "SystemCallFilter_privileged":
700 {"weight": 700,
701 "range": 10
702 },
703 "SystemCallFilter_resources":
704 {"weight": 700,
705 "range": 10
706 },
707 "IPAddressDeny":
708 {"weight": 1000,
709 "range": 10
710 },
711 "DeviceAllow":
712 {"weight": 1000,
713 "range": 10
714 },
715 "AmbientCapabilities":
716 {"description_good": "Service process does not receive ambient capabilities",
717 "description_bad": "Service process receives ambient capabilities",
718 "weight": 500,
719 "range": 1
720 },
721 "INVALID_ID":
722 {"weight": 1000,
723 "range": 10
724 }
725 }
726 EOF
727
# Reads in custom security requirements from the parsed .json file and uses these for comparison
systemd-analyze security --threshold=90 --offline=true \
    --security-policy=/tmp/testfile.json \
    --root=/tmp/img/ testfile.service

# The strict profile adds a lot of sandboxing options
# (--profile= may be given by name ...)
systemd-analyze security --threshold=25 --offline=true \
    --security-policy=/tmp/testfile.json \
    --profile=strict \
    --root=/tmp/img/ testfile.service

# The trusted profile doesn't add any sandboxing options
# (... or as a path to a portable service profile), so the unit stays above 2.5
(! systemd-analyze security --threshold=25 --offline=true \
    --security-policy=/tmp/testfile.json \
    --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
    --root=/tmp/img/ testfile.service)

# Without a profile the exposure level lies between the two thresholds used above:
# below 9.0 (first check in this section) but above 5.0.
(! systemd-analyze security --threshold=50 --offline=true \
    --security-policy=/tmp/testfile.json \
    --root=/tmp/img/ testfile.service)

rm /tmp/img/usr/lib/systemd/system/testfile.service
750
# inspect-elf is only available when systemd was built with elfutils support.
# NOTE(review): the path /lib/systemd/systemd assumes /lib resolves to the installed
# binary (merged-usr symlink or a real /lib) — confirm on non-merged layouts.
if systemd-analyze --version | grep -q -F "+ELFUTILS"; then
    systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"'
fi

# Global options may also precede the verb; journald is expected to score below 9.0.
systemd-analyze --threshold=90 security systemd-journald.service
# issue 23663
# check <allow|deny> <yes|no> <unit path or unit name>
#   $1: whether the analyzer must classify the unit's SystemCallFilter= as an
#       "allow" or a "deny" list
#   $2: value for --offline= ("yes" analyses the file given in $3, "no" asks the
#       running manager about the unit named in $3)
#   $3: unit file path or unit name
# Greps the SystemCallFilter= lines out of the security report and checks every
# expected per-group verdict with assert_in (from util.sh), which aborts on the
# first mismatch. Any variables set here stay inside the subshell.
check() {(
    # The function body is a subshell so that turning xtrace off does not leak
    # into the caller (the captured report would otherwise be echoed by "set -x").
    set +x
    filter_lines=$(systemd-analyze security --offline="${2?}" "${3?}" | grep -F 'SystemCallFilter=')
    assert_in "System call ${1?} list" "$filter_lines"
    # Expected verdicts, checked in this order; only @privileged and @clock are
    # expected to be flagged as not filtered.
    for expectation in \
        "[+✓] SystemCallFilter=~@swap" \
        "[+✓] SystemCallFilter=~@resources" \
        "[+✓] SystemCallFilter=~@reboot" \
        "[+✓] SystemCallFilter=~@raw-io" \
        "[-✗] SystemCallFilter=~@privileged" \
        "[+✓] SystemCallFilter=~@obsolete" \
        "[+✓] SystemCallFilter=~@mount" \
        "[+✓] SystemCallFilter=~@module" \
        "[+✓] SystemCallFilter=~@debug" \
        "[+✓] SystemCallFilter=~@cpu-emulation" \
        "[-✗] SystemCallFilter=~@clock"
    do
        assert_in "$expectation" "$filter_lines"
    done
)}
774
# Stop exporting the debug log level: the tools run below have their stderr
# captured and parsed, so debug output must not end up in what is parsed.
export -n SYSTEMD_LOG_LEVEL

mkdir -p /run/systemd/system
# Starts from the @system-service allow list and then removes/adds groups;
# "check allow" expects the analyzer to report this as a system call allow list.
cat >/run/systemd/system/allow-list.service <<EOF
[Service]
ExecStart=false
SystemCallFilter=@system-service
SystemCallFilter=~@resources:ENOANO @privileged
SystemCallFilter=@clock
EOF

# Same filter lines, but preceded by "~@known" so the result is a deny list.
cat >/run/systemd/system/deny-list.service <<EOF
[Service]
ExecStart=false
SystemCallFilter=~@known
SystemCallFilter=@system-service
SystemCallFilter=~@resources:ENOANO @privileged
SystemCallFilter=@clock
EOF

systemctl daemon-reload

# Each unit is analysed both from the file on disk (offline) and via the
# running manager (by unit name).
check allow yes /run/systemd/system/allow-list.service
check allow no allow-list.service
check deny yes /run/systemd/system/deny-list.service
check deny no deny-list.service

# Same two filter setups as transient units. systemd-run's "Running as unit"
# message is captured (2>&1) and the unit name taken from its fourth field.
# NOTE(review): this assumes systemd-run prints exactly one line there — confirm;
# an extra warning line would leave "$name" with several lines.
output=$(systemd-run -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
name=$(echo "$output" | awk '{ print $4 }')

# Transient unit files live under /run/systemd/transient/.
check allow yes /run/systemd/transient/"$name"
check allow no "$name"

output=$(systemd-run -p "SystemCallFilter=~@known" -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
name=$(echo "$output" | awk '{ print $4 }')

check deny yes /run/systemd/transient/"$name"
check deny no "$name"
813
# Let's also test the "image-policy" verb
# Both output streams are merged before grepping. Note that "set -o pipefail" is
# not in effect in this script, so these pipelines only fail when the expected
# text is missing; a non-zero exit of systemd-analyze itself is not observed.

systemd-analyze image-policy '*' 2>&1 | grep -q -F "Long form: =verity+signed+encrypted+unprotected+unused+absent"
systemd-analyze image-policy '-' 2>&1 | grep -q -F "Long form: =unused+absent"
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -F "Long form: usr=verity:home=encrypted:=unused+absent"
# Per-partition table: explicitly listed partitions keep their policy, unlisted
# ones fall back to the default ("root" is ignored, "usr-verity" unprotected).
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^home \+encrypted \+'
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^usr \+verity \+'
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^root \+ignore \+'
systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^usr-verity \+unprotected \+'

# An unparsable policy string is rejected.
(! systemd-analyze image-policy 'doedel')

# Restore the manager's default log level before finishing.
systemd-analyze log-level info

# Marker file read by the test harness to decide pass/fail.
echo OK >/testok

exit 0