-/***
- This file is part of systemd.
-
- Copyright 2013 Zbigniew Jędrzejewski-Szmek
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#include <fcntl.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include "alloc-util.h"
#include "fd-util.h"
#include "namespace.h"
#include "process-util.h"
#include "string-util.h"
+#include "tests.h"
+#include "user-util.h"
#include "util.h"
+#include "virt.h"
+
+static void test_namespace_cleanup_tmpdir(void) {
+ {
+ _cleanup_(namespace_cleanup_tmpdirp) char *dir;
+ assert_se(dir = strdup(RUN_SYSTEMD_EMPTY));
+ }
+
+ {
+ _cleanup_(namespace_cleanup_tmpdirp) char *dir;
+ assert_se(dir = strdup("/tmp/systemd-test-namespace.XXXXXX"));
+ assert_se(mkdtemp(dir));
+ }
+}
static void test_tmpdir(const char *id, const char *A, const char *B) {
_cleanup_free_ char *a, *b;
char *c, *d;
assert_se(setup_tmp_dirs(id, &a, &b) == 0);
- assert_se(startswith(a, A));
- assert_se(startswith(b, B));
assert_se(stat(a, &x) >= 0);
assert_se(stat(b, &y) >= 0);
assert_se(S_ISDIR(x.st_mode));
assert_se(S_ISDIR(y.st_mode));
- assert_se((x.st_mode & 01777) == 0700);
- assert_se((y.st_mode & 01777) == 0700);
-
- c = strjoina(a, "/tmp");
- d = strjoina(b, "/tmp");
-
- assert_se(stat(c, &x) >= 0);
- assert_se(stat(d, &y) >= 0);
-
- assert_se(S_ISDIR(x.st_mode));
- assert_se(S_ISDIR(y.st_mode));
-
- assert_se((x.st_mode & 01777) == 01777);
- assert_se((y.st_mode & 01777) == 01777);
-
- assert_se(rmdir(c) >= 0);
- assert_se(rmdir(d) >= 0);
+ if (!streq(a, RUN_SYSTEMD_EMPTY)) {
+ assert_se(startswith(a, A));
+ assert_se((x.st_mode & 01777) == 0700);
+ c = strjoina(a, "/tmp");
+ assert_se(stat(c, &x) >= 0);
+ assert_se(S_ISDIR(x.st_mode));
+ assert_se((x.st_mode & 01777) == 01777);
+ assert_se(rmdir(c) >= 0);
+ assert_se(rmdir(a) >= 0);
+ }
- assert_se(rmdir(a) >= 0);
- assert_se(rmdir(b) >= 0);
+ if (!streq(b, RUN_SYSTEMD_EMPTY)) {
+ assert_se(startswith(b, B));
+ assert_se((y.st_mode & 01777) == 0700);
+ d = strjoina(b, "/tmp");
+ assert_se(stat(d, &y) >= 0);
+ assert_se(S_ISDIR(y.st_mode));
+ assert_se((y.st_mode & 01777) == 01777);
+ assert_se(rmdir(d) >= 0);
+ assert_se(rmdir(b) >= 0);
+ }
}
static void test_netns(void) {
siginfo_t si;
if (geteuid() > 0) {
- log_info("Skipping test: not root");
- exit(EXIT_TEST_SKIP);
+ (void) log_tests_skipped("not root");
+ return;
}
assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);
assert_se(n == 1);
}
+static void test_protect_kernel_logs(void) {
+ int r;
+ pid_t pid;
+ static const NamespaceInfo ns_info = {
+ .protect_kernel_logs = true,
+ };
+
+ if (geteuid() > 0) {
+ (void) log_tests_skipped("not root");
+ return;
+ }
+
+ /* In a container we likely don't have access to /dev/kmsg */
+ if (detect_container() > 0) {
+ (void) log_tests_skipped("in container");
+ return;
+ }
+
+
+ pid = fork();
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+ _cleanup_close_ int fd = -1;
+
+ fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
+ assert_se(fd > 0);
+
+ r = setup_namespace(NULL,
+ NULL,
+ NULL,
+ &ns_info,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL, 0,
+ NULL, 0,
+ NULL,
+ NULL,
+ NULL,
+ PROTECT_HOME_NO,
+ PROTECT_SYSTEM_NO,
+ 0,
+ NULL,
+ 0,
+ NULL,
+ NULL,
+ 0,
+ NULL,
+ NULL,
+ 0,
+ NULL);
+ assert_se(r == 0);
+
+ assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
+ assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
+ assert_se(errno == EACCES);
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
+}
+
int main(int argc, char *argv[]) {
sd_id128_t bid;
char boot_id[SD_ID128_STRING_MAX];
_cleanup_free_ char *x = NULL, *y = NULL, *z = NULL, *zz = NULL;
- log_parse_environment();
- log_open();
+ test_setup_logging(LOG_INFO);
+
+ test_namespace_cleanup_tmpdir();
+
+ if (!have_namespaces()) {
+ log_tests_skipped("Don't have namespace support");
+ return EXIT_TEST_SKIP;
+ }
assert_se(sd_id128_get_boot(&bid) >= 0);
sd_id128_to_string(bid, boot_id);
- x = strjoin("/tmp/systemd-private-", boot_id, "-abcd.service-", NULL);
- y = strjoin("/var/tmp/systemd-private-", boot_id, "-abcd.service-", NULL);
+ x = strjoin("/tmp/systemd-private-", boot_id, "-abcd.service-");
+ y = strjoin("/var/tmp/systemd-private-", boot_id, "-abcd.service-");
assert_se(x && y);
test_tmpdir("abcd.service", x, y);
- z = strjoin("/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-", NULL);
- zz = strjoin("/var/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-", NULL);
+ z = strjoin("/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
+ zz = strjoin("/var/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
assert_se(z && zz);
test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);
test_netns();
+ test_protect_kernel_logs();
- return 0;
+ return EXIT_SUCCESS;
}