2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
6 # shellcheck source=test/units/assert.sh
# Pull in the shared assert_* helpers that live next to this script.
source "$(dirname "$0")/assert.sh"
# Run the manager at debug verbosity, and export the same level so every
# systemd tool spawned by this test inherits it.
systemctl log-level debug
SYSTEMD_LOG_LEVEL=debug
export SYSTEMD_LOG_LEVEL
14 # We can't really test time, blame, critical-chain and plot verbs here, as
15 # the testsuite service is a part of the boot transaction, so let's assume
# These verbs inspect the boot transaction, which the testsuite service is
# itself part of, so they are only exercised and a failure is tolerated.
for verb in time blame critical-chain; do
  systemd-analyze "$verb" || true
done
systemd-analyze plot >/dev/null || true
for json in pretty short off; do
  systemd-analyze plot --json="$json" >/dev/null || true
done
for json in pretty short off; do
  systemd-analyze plot --json="$json" --no-legend >/dev/null || true
done
systemd-analyze plot --table >/dev/null || true
systemd-analyze plot --table --no-legend >/dev/null || true
# log-level, log-target and service-watchdogs moved to systemctl but are still
# accepted by systemd-analyze; query each and set it back to its current value.
for verb in log-level log-target; do
  systemd-analyze "$verb"
  systemd-analyze "$verb" "$(systemctl "$verb")"
  systemd-analyze "get-$verb"
  systemd-analyze "set-$verb" "$(systemctl "$verb")"
done
systemd-analyze service-watchdogs
systemd-analyze service-watchdogs "$(systemctl service-watchdogs)"
# dot: whole graph, selected units, from/to patterns, edge-type filters and a
# glob; the graph output is only noise here, so stdout is dropped for the group.
{
  systemd-analyze dot
  systemd-analyze dot systemd-journald.service
  systemd-analyze dot systemd-journald.service systemd-logind.service
  systemd-analyze dot --from-pattern="*" --from-pattern="*.service" systemd-journald.service
  systemd-analyze dot --to-pattern="*" --to-pattern="*.service" systemd-journald.service
  systemd-analyze dot --from-pattern="*.service" --to-pattern="*.service" systemd-journald.service
  systemd-analyze dot --order systemd-journald.service systemd-logind.service
  systemd-analyze dot --require systemd-journald.service systemd-logind.service
  systemd-analyze dot "systemd-*.service"
} >/dev/null
# Arguments that are neither unit names nor patterns must be rejected.
(! systemd-analyze dot systemd-journald.service systemd-logind.service "*" bbb ccc)
# dump: everything, glob patterns (with a nonsense name mixed in) and a single
# unit; output is dropped for the group.
{
  systemd-analyze dump
  systemd-analyze dump "*"
  systemd-analyze dump "*.socket"
  systemd-analyze dump "*.socket" "*.service" aaaaaaa ...
  systemd-analyze dump systemd-journald.service
} >/dev/null
# An empty pattern is rejected.
(! systemd-analyze dump "")
# unit-files for the system and --user scope, with and without patterns; the
# listing itself is not checked, only that every invocation succeeds.
{
  systemd-analyze unit-files
  systemd-analyze unit-files systemd-journald.service
  systemd-analyze unit-files "*"
  systemd-analyze unit-files "*" aaaaaa "*.service" "*.target"
  systemd-analyze unit-files --user
  systemd-analyze unit-files --user "*" aaaaaa "*.service" "*.target"
} >/dev/null
# Unit search paths for the system scope and for the two user scopes.
systemd-analyze unit-paths
for scope in --user --global; do
  systemd-analyze unit-paths "$scope"
done
# exit-status: the whole table, lookups by name and by number, and a glob
# that is not a valid status name and must be rejected.
systemd-analyze exit-status
systemd-analyze exit-status STDOUT BPF
systemd-analyze exit-status 0 1 63 64 65
(! systemd-analyze exit-status STDOUT BPF "hello*")
# capability: the whole table, lookups by (case-insensitive) name and by
# number, and a glob that is not a valid capability name and must be rejected.
systemd-analyze capability
systemd-analyze capability cap_chown CAP_KILL
systemd-analyze capability 0 1 30 31 32
(! systemd-analyze capability cap_chown CAP_KILL "hello*")
# A throw-away unit for the condition tests goes into the runtime unit
# directory; $RANDOM keeps repeated runs from reusing the same name.
UNIT_NAME="analyze-condition-$RANDOM.service"
mkdir -p /run/systemd/system
84 cat >"/run/systemd/system/$UNIT_NAME" <<EOF
86 AssertPathExists=/etc/os-release
87 AssertEnvironment=!FOOBAR
88 ConditionKernelVersion=>1.0
89 ConditionPathExists=/etc/os-release
# Load the unit written above and evaluate its conditions, then evaluate a set
# of free-standing condition/assert expressions that must all hold.
systemctl daemon-reload
systemd-analyze condition --unit="$UNIT_NAME"
systemd-analyze condition \
  'ConditionKernelVersion = ! <4.0' \
  'ConditionKernelVersion = >=3.1' \
  'ConditionACPower=|false' \
  'ConditionArchitecture=|!arm' \
  'AssertPathExists=/etc/os-release'
# An unknown assertion key, and conditions that cannot hold, are rejected.
(! systemd-analyze condition 'ConditionArchitecture=|!arm' 'AssertXYZ=foo')
for failing in 'ConditionKernelVersion=<1.0' 'AssertKernelVersion=<1.0'; do
  (! systemd-analyze condition "$failing")
done
# syscall-filter: the full table (silenced), named groups, a group repeated
# several times, and an unknown group that must be rejected.
systemd-analyze syscall-filter >/dev/null
systemd-analyze syscall-filter @chown @sync
systemd-analyze syscall-filter @sync @sync @sync
(! systemd-analyze syscall-filter @chown @sync @foobar)
109 # filesystems (requires libbpf support)
110 if systemctl
--version |
grep "+BPF_FRAMEWORK"; then
111 systemd-analyze filesystems
>/dev
/null
112 systemd-analyze filesystems @basic-api
113 systemd-analyze filesystems @basic-api @basic-api @basic-api
114 (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api
)
# calendar: a leap-day spec, the every-second wildcard with assorted iteration
# counts, a concrete date and an explicit base time.
systemd-analyze calendar '*-2-29 0:0:0'
systemd-analyze calendar --iterations=5 '*-2-29 0:0:0'
systemd-analyze calendar '*-* *:*:*'
for n in 5 50 0; do
  systemd-analyze calendar --iterations="$n" '*-* *:*:*'
done
systemd-analyze calendar --iterations=5 '01-01-22 01:00:00'
systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*'
# An out-of-range hour, an unparsable base time and non-spec arguments are
# rejected.
(! systemd-analyze calendar --iterations=0 '*-* 99:*:*')
(! systemd-analyze calendar --base-time=never '*-* *:*:*')
for bad in 1 ""; do
  (! systemd-analyze calendar "$bad")
done
# timestamp: relative words, a negative value (after --) and several at once.
systemd-analyze timestamp now
systemd-analyze timestamp -- -1
systemd-analyze timestamp yesterday now tomorrow
# "never", a bare number, a calendar spec and an empty string are not
# timestamps and must be rejected.
(! systemd-analyze timestamp yesterday never tomorrow)
for bad in 1 '*-2-29 0:0:0' ""; do
  (! systemd-analyze timestamp "$bad")
done
# timespan: a bare number and a mix of unit-suffixed values.
systemd-analyze timespan 1
systemd-analyze timespan 1s 300s '1year 0.000001s'
# A nonsense word among valid spans, a negative value, a calendar spec and an
# empty string must be rejected.
(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s')
(! systemd-analyze timespan -- -1)
for bad in '*-2-29 0:0:0' ""; do
  (! systemd-analyze timespan "$bad")
done
# cat-config accepts names relative to the config directories as well as
# absolute paths, and several of them at once; the file contents are dropped.
{
  systemd-analyze cat-config systemd/system.conf
  systemd-analyze cat-config /etc/systemd/system.conf
  systemd-analyze cat-config systemd/system.conf systemd/journald.conf
  systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf
} >/dev/null
# A name that matches no config file is expected to succeed on its own too.
systemd-analyze cat-config foo/bar
151 if [[ ! -v ASAN_OPTIONS
]]; then
152 # check that systemd-analyze cat-config paths work in a chroot
154 mount
--bind / /tmp
/root
155 systemd-analyze cat-config systemd
/system-preset
>/tmp
/out1
156 chroot
/tmp
/root systemd-analyze cat-config systemd
/system-preset
>/tmp
/out2
# Build a minimal image tree under /tmp/img for the --root= tests; the unit
# written into it starts /opt/script0.sh, so provide an (empty) executable.
mkdir -p /tmp/img/usr/lib/systemd/system/ /tmp/img/opt/
touch /tmp/img/opt/script0.sh
chmod +x /tmp/img/opt/script0.sh
167 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
169 ExecStart = /opt/script0.sh
# By default verify recurses through every dependency of the loaded unit, so
# the image unit written above is rejected.
if systemd-analyze verify --root=/tmp/img/ testfile.service; then echo 'unexpected success'; exit 1; fi
# --recursive-errors=yes is the explicit spelling of that default.
if systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service; then echo 'unexpected success'; exit 1; fi
# --recursive-errors=one follows only the unit's direct dependencies, which is
# still enough to hit the error.
if systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service; then echo 'unexpected success'; exit 1; fi
# --recursive-errors=no ignores dependencies altogether, so this one succeeds.
systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service
rm /tmp/img/usr/lib/systemd/system/testfile.service
192 cat <<EOF >/tmp/testfile.service
197 ExecStart = echo hello
200 cat <<EOF >/tmp/testfile2.service
202 Requires = testfile.service
205 ExecStart = echo hello
# With --recursive-errors=no only testfile2.service itself is loaded, so its
# Requires= dependency is never looked at and verify succeeds.
systemd-analyze verify --recursive-errors=no /tmp/testfile2.service
# With --recursive-errors=yes the dependency is loaded as well, and verify is
# expected to fail.
if systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service; then echo 'unexpected success'; exit 1; fi
rm /tmp/testfile.service /tmp/testfile2.service
220 cat <<EOF >/tmp/testfile.service
222 ExecStart = echo hello
# Regression guards for #13380 and #20859: hidden (dot-prefixed) unit files
# must verify like any other file.
cp /tmp/testfile.service /tmp/.testfile.service
systemd-analyze verify /tmp/.testfile.service
rm /tmp/.testfile.service
# #20061: a file whose on-disk name is not a valid unit name is rejected on
# its own, but accepted when an alias is supplied with the path:alias syntax.
cp /tmp/testfile.service /tmp/testsrvc
if systemd-analyze verify /tmp/testsrvc; then echo 'unexpected success'; exit 1; fi
systemd-analyze verify /tmp/testsrvc:alias.service
# The exposure threshold defaults to 100, so an offline analysis of the unit
# passes as is ...
systemd-analyze security --offline=true /tmp/testfile.service
# ... but the unit's exposure level is above 90, so a lower threshold fails.
if systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service; then echo 'unexpected success'; exit 1; fi
# The list of ACLs must be printed (the /dev/sda entry here), see
# https://github.com/systemd/systemd/issues/23185.
systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
rm /tmp/testfile.service
255 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
257 ExecStart = echo hello
# The unit re-written into the image above stays below the 90 threshold; this
# also checks that --offline= works together with --root=.
systemd-analyze security --root=/tmp/img/ --offline=true --threshold=90 testfile.service
267 # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed
268 # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in
269 # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight
270 # assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is
271 # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
272 # level for the unit file should decrease to account for that increased weight.
273 cat <<EOF >/tmp/testfile.json
274 {"UserOrDynamicUser":
275 {"description_bad": "Service runs as root user",
279 "SupplementaryGroups":
280 {"description_good": "Service has no supplementary groups",
281 "description_bad": "Service runs with supplementary groups",
282 "description_na": "Service runs as root, option does not matter",
287 {"description_good": "Service has no access to hardware devices",
288 "description_bad": "Service potentially has access to hardware devices",
293 {"description_good": "Service cannot install system mounts",
294 "description_bad": "Service may install system mounts",
299 {"description_good": "Service doesn't have access to the host's network",
300 "description_bad": "Service has access to the host's network",
305 {"description_good": "Service has no access to other software's temporary files",
306 "description_bad": "Service has access to other software's temporary files",
311 {"description_good": "Service does not have access to other users",
312 "description_bad": "Service has access to other users",
316 "ProtectControlGroups":
317 {"description_good": "Service cannot modify the control group file system",
318 "description_bad": "Service may modify the control group file system",
322 "ProtectKernelModules":
323 {"description_good": "Service cannot load or read kernel modules",
324 "description_bad": "Service may load or read kernel modules",
328 "ProtectKernelTunables":
329 {"description_good": "Service cannot alter kernel tunables (/proc/sys, …)",
330 "description_bad": "Service may alter kernel tunables",
335 {"description_good": "Service cannot read from or write to the kernel log ring buffer",
336 "description_bad": "Service may read from or write to the kernel log ring buffer",
341 {"description_good": "Service cannot write to the hardware clock or system clock",
342 "description_bad": "Service may write to the hardware clock or system clock",
351 {"description_good": "Service cannot change system host/domainname",
352 "description_bad": "Service may change system host/domainname",
360 "RootDirectoryOrRootImage":
361 {"description_good": "Service has its own root directory/image",
362 "description_bad": "Service runs within the host's root directory",
367 {"description_good": "Service cannot change ABI personality",
368 "description_bad": "Service may change ABI personality",
372 "MemoryDenyWriteExecute":
373 {"description_good": "Service cannot create writable executable memory mappings",
374 "description_bad": "Service may create writable executable memory mappings",
379 {"description_good": "Service processes cannot acquire new privileges",
380 "description_bad": "Service processes may acquire new privileges",
384 "CapabilityBoundingSet_CAP_SYS_ADMIN":
385 {"description_good": "Service has no administrator privileges",
386 "description_bad": "Service has administrator privileges",
390 "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP":
391 {"description_good": "Service cannot change UID/GID identities/capabilities",
392 "description_bad": "Service may change UID/GID identities/capabilities",
396 "CapabilityBoundingSet_CAP_SYS_PTRACE":
397 {"description_good": "Service has no ptrace() debugging abilities",
398 "description_bad": "Service has ptrace() debugging abilities",
402 "CapabilityBoundingSet_CAP_SYS_TIME":
403 {"description_good": "Service processes cannot change the system clock",
404 "description_bad": "Service processes may change the system clock",
408 "CapabilityBoundingSet_CAP_NET_ADMIN":
409 {"description_good": "Service has no network configuration privileges",
410 "description_bad": "Service has network configuration privileges",
414 "CapabilityBoundingSet_CAP_SYS_RAWIO":
415 {"description_good": "Service has no raw I/O access",
416 "description_bad": "Service has raw I/O access",
420 "CapabilityBoundingSet_CAP_SYS_MODULE":
421 {"description_good": "Service cannot load kernel modules",
422 "description_bad": "Service may load kernel modules",
426 "CapabilityBoundingSet_CAP_AUDIT":
427 {"description_good": "Service has no audit subsystem access",
428 "description_bad": "Service has audit subsystem access",
432 "CapabilityBoundingSet_CAP_SYSLOG":
433 {"description_good": "Service has no access to kernel logging",
434 "description_bad": "Service has access to kernel logging",
438 "CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE":
439 {"description_good": "Service has no privileges to change resource use parameters",
440 "description_bad": "Service has privileges to change resource use parameters",
444 "CapabilityBoundingSet_CAP_MKNOD":
445 {"description_good": "Service cannot create device nodes",
446 "description_bad": "Service may create device nodes",
450 "CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP":
451 {"description_good": "Service cannot change file ownership/access mode/capabilities",
452 "description_bad": "Service may change file ownership/access mode/capabilities unrestricted",
456 "CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER":
457 {"description_good": "Service cannot override UNIX file/IPC permission checks",
458 "description_bad": "Service may override UNIX file/IPC permission checks",
462 "CapabilityBoundingSet_CAP_KILL":
463 {"description_good": "Service cannot send UNIX signals to arbitrary processes",
464 "description_bad": "Service may send UNIX signals to arbitrary processes",
468 "CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW":
469 {"description_good": "Service has no elevated networking privileges",
470 "description_bad": "Service has elevated networking privileges",
474 "CapabilityBoundingSet_CAP_SYS_BOOT":
475 {"description_good": "Service cannot issue reboot()",
476 "description_bad": "Service may issue reboot()",
480 "CapabilityBoundingSet_CAP_MAC":
481 {"description_good": "Service cannot adjust SMACK MAC",
482 "description_bad": "Service may adjust SMACK MAC",
486 "CapabilityBoundingSet_CAP_LINUX_IMMUTABLE":
487 {"description_good": "Service cannot mark files immutable",
488 "description_bad": "Service may mark files immutable",
492 "CapabilityBoundingSet_CAP_IPC_LOCK":
493 {"description_good": "Service cannot lock memory into RAM",
494 "description_bad": "Service may lock memory into RAM",
498 "CapabilityBoundingSet_CAP_SYS_CHROOT":
499 {"description_good": "Service cannot issue chroot()",
500 "description_bad": "Service may issue chroot()",
504 "CapabilityBoundingSet_CAP_BLOCK_SUSPEND":
505 {"description_good": "Service cannot establish wake locks",
506 "description_bad": "Service may establish wake locks",
510 "CapabilityBoundingSet_CAP_WAKE_ALARM":
511 {"description_good": "Service cannot program timers that wake up the system",
512 "description_bad": "Service may program timers that wake up the system",
516 "CapabilityBoundingSet_CAP_LEASE":
517 {"description_good": "Service cannot create file leases",
518 "description_bad": "Service may create file leases",
522 "CapabilityBoundingSet_CAP_SYS_TTY_CONFIG":
523 {"description_good": "Service cannot issue vhangup()",
524 "description_bad": "Service may issue vhangup()",
528 "CapabilityBoundingSet_CAP_SYS_PACCT":
529 {"description_good": "Service cannot use acct()",
530 "description_bad": "Service may use acct()",
539 {"description_good": "Service doesn't share key material with other services",
540 "description_bad": "Service shares key material with other service",
545 {"description_good": "Service has restricted access to process tree(/proc hidepid=)",
546 "description_bad": "Service has full access to process tree(/proc hidepid=)",
551 {"description_good": "Service has no access to non-process/proc files(/proc subset=)",
552 "description_bad": "Service has full access to non-process/proc files(/proc subset=)",
557 {"description_good": "Service child processes cannot alter service state",
558 "description_bad": "Service child processes may alter service state",
563 {"description_good": "Service user cannot leave SysV IPC objects around",
564 "description_bad": "Service user may leave SysV IPC objects around",
565 "description_na": "Service runs as root, option does not apply",
570 {"description_good": "Service does not maintain its own delegated control group subtree",
571 "description_bad": "Service maintains its own delegated control group subtree",
576 {"description_good": "Service realtime scheduling access is restricted",
577 "description_bad": "Service may acquire realtime scheduling",
582 {"description_good": "SUID/SGIDfilecreationbyserviceisrestricted",
583 "description_bad": "ServicemaycreateSUID/SGIDfiles",
587 "RestrictNamespaces_user":
588 {"description_good": "Servicecannotcreateusernamespaces",
589 "description_bad": "Servicemaycreateusernamespaces",
593 "RestrictNamespaces_mnt":
594 {"description_good": "Service cannot create file system namespaces",
595 "description_bad": "Service may create file system namespaces",
599 "RestrictNamespaces_ipc":
600 {"description_good": "Service cannot create IPC namespaces",
601 "description_bad": "Service may create IPC namespaces",
605 "RestrictNamespaces_pid":
606 {"description_good": "Service cannot create process namespaces",
607 "description_bad": "Service may create process namespaces",
611 "RestrictNamespaces_cgroup":
612 {"description_good": "Service cannot create cgroup namespaces",
613 "description_bad": "Service may create cgroup namespaces",
617 "RestrictNamespaces_net":
618 {"description_good": "Service cannot create network namespaces",
619 "description_bad": "Service may create network namespaces",
623 "RestrictNamespaces_uts":
624 {"description_good": "Service cannot create hostname namespaces",
625 "description_bad": "Service may create hostname namespaces",
629 "RestrictAddressFamilies_AF_INET_INET6":
630 {"description_good": "Service cannot allocate Internet sockets",
631 "description_bad": "Service may allocate Internet sockets",
635 "RestrictAddressFamilies_AF_UNIX":
636 {"description_good": "Service cannot allocate local sockets",
637 "description_bad": "Service may allocate local sockets",
641 "RestrictAddressFamilies_AF_NETLINK":
642 {"description_good": "Service cannot allocate netlink sockets",
643 "description_bad": "Service may allocate netlink sockets",
647 "RestrictAddressFamilies_AF_PACKET":
648 {"description_good": "Service cannot allocate packet sockets",
649 "description_bad": "Service may allocate packet sockets",
653 "RestrictAddressFamilies_OTHER":
654 {"description_good": "Service cannot allocate exotic sockets",
655 "description_bad": "Service may allocate exotic sockets",
659 "SystemCallArchitectures":
663 "SystemCallFilter_swap":
667 "SystemCallFilter_obsolete":
671 "SystemCallFilter_clock":
675 "SystemCallFilter_cpu_emulation":
679 "SystemCallFilter_debug":
683 "SystemCallFilter_mount":
687 "SystemCallFilter_module":
691 "SystemCallFilter_raw_io":
695 "SystemCallFilter_reboot":
699 "SystemCallFilter_privileged":
703 "SystemCallFilter_resources":
715 "AmbientCapabilities":
716 {"description_good": "Service process does not receive ambient capabilities",
717 "description_bad": "Service process receives ambient capabilities",
# Score the image unit against the custom policy from /tmp/testfile.json,
# using the same 90 threshold as the policy-less run above.
systemd-analyze security \
  --offline=true --threshold=90 \
  --security-policy=/tmp/testfile.json \
  --root=/tmp/img/ testfile.service
733 # The strict profile adds a lot of sandboxing options
734 systemd-analyze security
--threshold=25 --offline=true \
735 --security-policy=/tmp
/testfile.json \
737 --root=/tmp
/img
/ testfile.service
# The trusted profile adds no sandboxing options at all, so with the custom
# policy a threshold of 25 cannot be met ...
if systemd-analyze security --offline=true --threshold=25 \
     --security-policy=/tmp/testfile.json \
     --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
     --root=/tmp/img/ testfile.service; then
  echo 'unexpected success'
  exit 1
fi
# ... and without any profile the unit does not get below 50 either.
if systemd-analyze security --offline=true --threshold=50 \
     --security-policy=/tmp/testfile.json \
     --root=/tmp/img/ testfile.service; then
  echo 'unexpected success'
  exit 1
fi
rm /tmp/img/usr/lib/systemd/system/testfile.service
755 if systemd-analyze
--version |
grep -q -F "+ELFUTILS"; then
756 systemd-analyze inspect-elf
--json=short
/lib
/systemd
/systemd |
grep -q -F '"elfType":"executable"'
# Also exercise the scorer against a live unit: journald's exposure level
# must not exceed 90.
systemd-analyze security --threshold=90 systemd-journald.service
764 output
=$
(systemd-analyze security
--offline="${2?}" "${3?}" |
grep -F 'SystemCallFilter=')
765 assert_in
"System call ${1?} list" "$output"
766 assert_in
"[+✓] SystemCallFilter=~@swap" "$output"
767 assert_in
"[+✓] SystemCallFilter=~@resources" "$output"
768 assert_in
"[+✓] SystemCallFilter=~@reboot" "$output"
769 assert_in
"[+✓] SystemCallFilter=~@raw-io" "$output"
770 assert_in
"[-✗] SystemCallFilter=~@privileged" "$output"
771 assert_in
"[+✓] SystemCallFilter=~@obsolete" "$output"
772 assert_in
"[+✓] SystemCallFilter=~@mount" "$output"
773 assert_in
"[+✓] SystemCallFilter=~@module" "$output"
774 assert_in
"[+✓] SystemCallFilter=~@debug" "$output"
775 assert_in
"[+✓] SystemCallFilter=~@cpu-emulation" "$output"
776 assert_in
"[-✗] SystemCallFilter=~@clock" "$output"
# Stop passing the debug level down to the tools spawned from here on (the
# shell variable keeps its value; `declare +x` is the same as `export -n`),
# then make sure the runtime unit directory exists for the SystemCallFilter=
# test units.
declare +x SYSTEMD_LOG_LEVEL
mkdir -p /run/systemd/system
782 cat >/run
/systemd
/system
/allow-list.service
<<EOF
785 SystemCallFilter=@system-service
786 SystemCallFilter=~@resources:ENOANO @privileged
787 SystemCallFilter=@clock
790 cat >/run
/systemd
/system
/deny-list.service
<<EOF
793 SystemCallFilter=~@known
794 SystemCallFilter=@system-service
795 SystemCallFilter=~@resources:ENOANO @privileged
796 SystemCallFilter=@clock
# Check the allow-list and deny-list units both from the file on disk
# (offline) and from the loaded unit (online).
systemctl daemon-reload
for kind in allow deny; do
  check "$kind" yes "/run/systemd/system/${kind}-list.service"
  check "$kind" no "${kind}-list.service"
done
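# The same SystemCallFilter= combinations as transient units. Each unit is
# named explicitly (constructed names; $RANDOM avoids clashing with a unit
# left over from an earlier run) instead of parsing the name out of
# systemd-run's "Running as unit: ..." message, which would otherwise pick
# whatever the fourth word of an error message is if systemd-run failed.
name="analyze-allow-$RANDOM.service"
systemd-run --unit="$name" \
  -p "SystemCallFilter=@system-service" \
  -p "SystemCallFilter=~@resources:ENOANO @privileged" \
  -p "SystemCallFilter=@clock" \
  sleep 60
check allow yes "/run/systemd/transient/$name"
check allow no "$name"
# Best-effort cleanup so the 60 s sleep does not outlive the test; the unit
# may already be gone, which is fine.
systemctl stop "$name" || :

name="analyze-deny-$RANDOM.service"
systemd-run --unit="$name" \
  -p "SystemCallFilter=~@known" \
  -p "SystemCallFilter=@system-service" \
  -p "SystemCallFilter=~@resources:ENOANO @privileged" \
  -p "SystemCallFilter=@clock" \
  sleep 60
check deny yes "/run/systemd/transient/$name"
check deny no "$name"
systemctl stop "$name" || :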
# Restore the manager's default verbosity (counterpart of the debug setting
# at the top of the test).
systemctl log-level info