]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
281e05b6 RC |
2 | /*** |
3 | This file is part of systemd. | |
4 | ||
5 | Copyright 2014 Ronny Chevalier | |
6 | ||
7 | systemd is free software; you can redistribute it and/or modify it | |
8 | under the terms of the GNU Lesser General Public License as published by | |
9 | the Free Software Foundation; either version 2.1 of the License, or | |
10 | (at your option) any later version. | |
11 | ||
12 | systemd is distributed in the hope that it will be useful, but | |
13 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
15 | Lesser General Public License for more details. | |
16 | ||
17 | You should have received a copy of the GNU Lesser General Public License | |
18 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
19 | ***/ | |
20 | ||
cc7fa4fb RC |
21 | #include <grp.h> |
22 | #include <pwd.h> | |
ff4ca461 | 23 | #include <stdio.h> |
70d7aea5 | 24 | #include <sys/prctl.h> |
ff4ca461 | 25 | #include <sys/types.h> |
281e05b6 | 26 | |
b4891260 | 27 | #include "errno-list.h" |
03bd70dd | 28 | #include "fileio.h" |
f4f15635 | 29 | #include "fs-util.h" |
281e05b6 | 30 | #include "macro.h" |
f4f15635 | 31 | #include "manager.h" |
281e05b6 | 32 | #include "mkdir.h" |
ff4ca461 | 33 | #include "path-util.h" |
c6878637 | 34 | #include "rm-rf.h" |
349cc4a5 | 35 | #if HAVE_SECCOMP |
83f12b27 FS |
36 | #include "seccomp-util.h" |
37 | #endif | |
34b86909 | 38 | #include "stat-util.h" |
8b3aa503 | 39 | #include "test-helper.h" |
cc100a5a | 40 | #include "tests.h" |
f4f15635 LP |
41 | #include "unit.h" |
42 | #include "util.h" | |
4dd4cb8f | 43 | #include "virt.h" |
281e05b6 RC |
44 | |
45 | typedef void (*test_function_t)(Manager *m); | |
46 | ||
47 | static void check(Manager *m, Unit *unit, int status_expected, int code_expected) { | |
48 | Service *service = NULL; | |
49 | usec_t ts; | |
8adb3d63 | 50 | usec_t timeout = 2 * USEC_PER_MINUTE; |
281e05b6 RC |
51 | |
52 | assert_se(m); | |
53 | assert_se(unit); | |
54 | ||
55 | service = SERVICE(unit); | |
56 | printf("%s\n", unit->id); | |
57 | exec_context_dump(&service->exec_context, stdout, "\t"); | |
58 | ts = now(CLOCK_MONOTONIC); | |
ec2ce0c5 | 59 | while (!IN_SET(service->state, SERVICE_DEAD, SERVICE_FAILED)) { |
281e05b6 RC |
60 | int r; |
61 | usec_t n; | |
62 | ||
63 | r = sd_event_run(m->event, 100 * USEC_PER_MSEC); | |
64 | assert_se(r >= 0); | |
65 | ||
66 | n = now(CLOCK_MONOTONIC); | |
67 | if (ts + timeout < n) { | |
68 | log_error("Test timeout when testing %s", unit->id); | |
69 | exit(EXIT_FAILURE); | |
70 | } | |
71 | } | |
72 | exec_status_dump(&service->main_exec_status, stdout, "\t"); | |
73 | assert_se(service->main_exec_status.status == status_expected); | |
74 | assert_se(service->main_exec_status.code == code_expected); | |
75 | } | |
76 | ||
6086d2da DP |
77 | static bool is_inaccessible_available(void) { |
78 | char *p; | |
79 | ||
80 | FOREACH_STRING(p, | |
81 | "/run/systemd/inaccessible/reg", | |
82 | "/run/systemd/inaccessible/dir", | |
83 | "/run/systemd/inaccessible/chr", | |
84 | "/run/systemd/inaccessible/blk", | |
85 | "/run/systemd/inaccessible/fifo", | |
86 | "/run/systemd/inaccessible/sock" | |
87 | ) { | |
88 | if (access(p, F_OK) < 0) | |
89 | return false; | |
90 | } | |
91 | ||
92 | return true; | |
93 | } | |
94 | ||
281e05b6 RC |
95 | static void test(Manager *m, const char *unit_name, int status_expected, int code_expected) { |
96 | Unit *unit; | |
97 | ||
98 | assert_se(unit_name); | |
99 | ||
100 | assert_se(manager_load_unit(m, unit_name, NULL, NULL, &unit) >= 0); | |
101 | assert_se(UNIT_VTABLE(unit)->start(unit) >= 0); | |
102 | check(m, unit, status_expected, code_expected); | |
103 | } | |
104 | ||
d053b72b YW |
105 | static void test_exec_bind_paths(Manager *m) { |
106 | assert_se(mkdir_p("/tmp/test-exec_bind_paths", 0755) >= 0); | |
107 | assert_se(mkdir_p("/tmp/test-exec_bind_readonly_paths", 0755) >= 0); | |
108 | ||
109 | test(m, "exec-bind-paths.service", 0, CLD_EXITED); | |
110 | ||
111 | (void) rm_rf("/tmp/test-exec_bind_paths", REMOVE_ROOT|REMOVE_PHYSICAL); | |
112 | (void) rm_rf("/tmp/test-exec_bind_readonly_paths", REMOVE_ROOT|REMOVE_PHYSICAL); | |
113 | } | |
114 | ||
281e05b6 RC |
115 | static void test_exec_workingdirectory(Manager *m) { |
116 | assert_se(mkdir_p("/tmp/test-exec_workingdirectory", 0755) >= 0); | |
117 | ||
118 | test(m, "exec-workingdirectory.service", 0, CLD_EXITED); | |
119 | ||
c6878637 | 120 | (void) rm_rf("/tmp/test-exec_workingdirectory", REMOVE_ROOT|REMOVE_PHYSICAL); |
281e05b6 RC |
121 | } |
122 | ||
123 | static void test_exec_personality(Manager *m) { | |
281e05b6 RC |
124 | #if defined(__x86_64__) |
125 | test(m, "exec-personality-x86-64.service", 0, CLD_EXITED); | |
7517f51e HB |
126 | |
127 | #elif defined(__s390__) | |
128 | test(m, "exec-personality-s390.service", 0, CLD_EXITED); | |
129 | ||
12591863 JS |
130 | #elif defined(__powerpc64__) |
131 | # if __BYTE_ORDER == __BIG_ENDIAN | |
132 | test(m, "exec-personality-ppc64.service", 0, CLD_EXITED); | |
133 | # else | |
134 | test(m, "exec-personality-ppc64le.service", 0, CLD_EXITED); | |
135 | # endif | |
136 | ||
137 | #elif defined(__aarch64__) | |
138 | test(m, "exec-personality-aarch64.service", 0, CLD_EXITED); | |
139 | ||
5798eb4c | 140 | #elif defined(__i386__) |
7517f51e | 141 | test(m, "exec-personality-x86.service", 0, CLD_EXITED); |
281e05b6 RC |
142 | #endif |
143 | } | |
144 | ||
145 | static void test_exec_ignoresigpipe(Manager *m) { | |
146 | test(m, "exec-ignoresigpipe-yes.service", 0, CLD_EXITED); | |
147 | test(m, "exec-ignoresigpipe-no.service", SIGPIPE, CLD_KILLED); | |
148 | } | |
149 | ||
150 | static void test_exec_privatetmp(Manager *m) { | |
151 | assert_se(touch("/tmp/test-exec_privatetmp") >= 0); | |
152 | ||
153 | test(m, "exec-privatetmp-yes.service", 0, CLD_EXITED); | |
154 | test(m, "exec-privatetmp-no.service", 0, CLD_EXITED); | |
155 | ||
156 | unlink("/tmp/test-exec_privatetmp"); | |
157 | } | |
158 | ||
159 | static void test_exec_privatedevices(Manager *m) { | |
4dd4cb8f | 160 | if (detect_container() > 0) { |
303c0bf8 | 161 | log_notice("testing in container, skipping %s", __func__); |
4dd4cb8f SM |
162 | return; |
163 | } | |
6086d2da | 164 | if (!is_inaccessible_available()) { |
303c0bf8 | 165 | log_notice("testing without inaccessible, skipping %s", __func__); |
6086d2da DP |
166 | return; |
167 | } | |
168 | ||
281e05b6 RC |
169 | test(m, "exec-privatedevices-yes.service", 0, CLD_EXITED); |
170 | test(m, "exec-privatedevices-no.service", 0, CLD_EXITED); | |
171 | } | |
172 | ||
615a1f4b | 173 | static void test_exec_privatedevices_capabilities(Manager *m) { |
0608ba98 ZJS |
174 | int r; |
175 | ||
615a1f4b | 176 | if (detect_container() > 0) { |
303c0bf8 | 177 | log_notice("testing in container, skipping %s", __func__); |
615a1f4b DH |
178 | return; |
179 | } | |
6086d2da | 180 | if (!is_inaccessible_available()) { |
303c0bf8 | 181 | log_notice("testing without inaccessible, skipping %s", __func__); |
6086d2da DP |
182 | return; |
183 | } | |
184 | ||
0608ba98 ZJS |
185 | /* We use capsh to test if the capabilities are |
186 | * properly set, so be sure that it exists */ | |
187 | r = find_binary("capsh", NULL); | |
188 | if (r < 0) { | |
189 | log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__); | |
6086d2da DP |
190 | return; |
191 | } | |
192 | ||
615a1f4b DH |
193 | test(m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED); |
194 | test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED); | |
625d8769 DH |
195 | test(m, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED); |
196 | test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED); | |
615a1f4b DH |
197 | } |
198 | ||
4982dbcc | 199 | static void test_exec_protectkernelmodules(Manager *m) { |
0608ba98 ZJS |
200 | int r; |
201 | ||
3ae33295 | 202 | if (detect_container() > 0) { |
303c0bf8 | 203 | log_notice("testing in container, skipping %s", __func__); |
3ae33295 DH |
204 | return; |
205 | } | |
6086d2da | 206 | if (!is_inaccessible_available()) { |
303c0bf8 | 207 | log_notice("testing without inaccessible, skipping %s", __func__); |
6086d2da DP |
208 | return; |
209 | } | |
3ae33295 | 210 | |
0608ba98 ZJS |
211 | r = find_binary("capsh", NULL); |
212 | if (r < 0) { | |
213 | log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__); | |
214 | return; | |
215 | } | |
216 | ||
217 | ||
3ae33295 DH |
218 | test(m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED); |
219 | test(m, "exec-protectkernelmodules-yes-capabilities.service", 0, CLD_EXITED); | |
4982dbcc | 220 | test(m, "exec-protectkernelmodules-yes-mount-propagation.service", 0, CLD_EXITED); |
3ae33295 DH |
221 | } |
222 | ||
f78b36f0 | 223 | static void test_exec_readonlypaths(Manager *m) { |
34b86909 LP |
224 | |
225 | if (path_is_read_only_fs("/var") > 0) | |
226 | return; | |
227 | ||
f78b36f0 | 228 | test(m, "exec-readonlypaths.service", 0, CLD_EXITED); |
cdfbd1fb | 229 | test(m, "exec-readonlypaths-mount-propagation.service", 0, CLD_EXITED); |
23fd04e9 | 230 | test(m, "exec-readonlypaths-with-bindpaths.service", 0, CLD_EXITED); |
cdfbd1fb DH |
231 | } |
232 | ||
233 | static void test_exec_readwritepaths(Manager *m) { | |
34b86909 LP |
234 | |
235 | if (path_is_read_only_fs("/") > 0) | |
236 | return; | |
237 | ||
cdfbd1fb DH |
238 | test(m, "exec-readwritepaths-mount-propagation.service", 0, CLD_EXITED); |
239 | } | |
240 | ||
241 | static void test_exec_inaccessiblepaths(Manager *m) { | |
34b86909 LP |
242 | |
243 | if (path_is_read_only_fs("/") > 0) | |
244 | return; | |
245 | ||
cdfbd1fb | 246 | test(m, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED); |
f78b36f0 DH |
247 | } |
248 | ||
c090d74d | 249 | static void test_exec_inaccessiblepaths_proc(Manager *m) { |
af4af186 EV |
250 | if (!is_inaccessible_available()) { |
251 | log_notice("testing without inaccessible, skipping %s", __func__); | |
252 | return; | |
253 | } | |
254 | ||
c090d74d TR |
255 | test(m, "exec-inaccessiblepaths-proc.service", 0, CLD_EXITED); |
256 | } | |
257 | ||
281e05b6 | 258 | static void test_exec_systemcallfilter(Manager *m) { |
349cc4a5 | 259 | #if HAVE_SECCOMP |
83f12b27 FS |
260 | if (!is_seccomp_available()) |
261 | return; | |
281e05b6 RC |
262 | test(m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED); |
263 | test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED); | |
264 | test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED); | |
265 | test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED); | |
b4891260 YW |
266 | test(m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED); |
267 | test(m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED); | |
83f12b27 | 268 | |
281e05b6 RC |
269 | #endif |
270 | } | |
271 | ||
272 | static void test_exec_systemcallerrornumber(Manager *m) { | |
349cc4a5 | 273 | #if HAVE_SECCOMP |
7a18854f YW |
274 | if (!is_seccomp_available()) |
275 | return; | |
276 | test(m, "exec-systemcallerrornumber-name.service", errno_from_name("EACCES"), CLD_EXITED); | |
277 | test(m, "exec-systemcallerrornumber-number.service", 255, CLD_EXITED); | |
281e05b6 RC |
278 | #endif |
279 | } | |
280 | ||
97e60383 | 281 | static void test_exec_restrict_namespaces(Manager *m) { |
349cc4a5 | 282 | #if HAVE_SECCOMP |
97e60383 DH |
283 | if (!is_seccomp_available()) |
284 | return; | |
285 | ||
286 | test(m, "exec-restrict-namespaces-no.service", 0, CLD_EXITED); | |
287 | test(m, "exec-restrict-namespaces-yes.service", 1, CLD_EXITED); | |
288 | test(m, "exec-restrict-namespaces-mnt.service", 0, CLD_EXITED); | |
289 | test(m, "exec-restrict-namespaces-mnt-blacklist.service", 1, CLD_EXITED); | |
290 | #endif | |
291 | } | |
292 | ||
19c0b0b9 | 293 | static void test_exec_systemcall_system_mode_with_user(Manager *m) { |
349cc4a5 | 294 | #if HAVE_SECCOMP |
83f12b27 FS |
295 | if (!is_seccomp_available()) |
296 | return; | |
19c0b0b9 RC |
297 | if (getpwnam("nobody")) |
298 | test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED); | |
50f130c2 RC |
299 | else if (getpwnam("nfsnobody")) |
300 | test(m, "exec-systemcallfilter-system-user-nfsnobody.service", 0, CLD_EXITED); | |
19c0b0b9 | 301 | else |
303c0bf8 | 302 | log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__); |
19c0b0b9 RC |
303 | #endif |
304 | } | |
305 | ||
281e05b6 | 306 | static void test_exec_user(Manager *m) { |
cc7fa4fb RC |
307 | if (getpwnam("nobody")) |
308 | test(m, "exec-user.service", 0, CLD_EXITED); | |
50f130c2 RC |
309 | else if (getpwnam("nfsnobody")) |
310 | test(m, "exec-user-nfsnobody.service", 0, CLD_EXITED); | |
ff4ca461 | 311 | else |
303c0bf8 | 312 | log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__); |
281e05b6 RC |
313 | } |
314 | ||
315 | static void test_exec_group(Manager *m) { | |
cc7fa4fb RC |
316 | if (getgrnam("nobody")) |
317 | test(m, "exec-group.service", 0, CLD_EXITED); | |
50f130c2 RC |
318 | else if (getgrnam("nfsnobody")) |
319 | test(m, "exec-group-nfsnobody.service", 0, CLD_EXITED); | |
ff4ca461 | 320 | else |
303c0bf8 | 321 | log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody group: %m", __func__); |
281e05b6 RC |
322 | } |
323 | ||
86b838ea DH |
324 | static void test_exec_supplementary_groups(Manager *m) { |
325 | test(m, "exec-supplementarygroups.service", 0, CLD_EXITED); | |
bf9ace96 DH |
326 | test(m, "exec-supplementarygroups-single-group.service", 0, CLD_EXITED); |
327 | test(m, "exec-supplementarygroups-single-group-user.service", 0, CLD_EXITED); | |
50ca7a35 DH |
328 | test(m, "exec-supplementarygroups-multiple-groups-default-group-user.service", 0, CLD_EXITED); |
329 | test(m, "exec-supplementarygroups-multiple-groups-withgid.service", 0, CLD_EXITED); | |
330 | test(m, "exec-supplementarygroups-multiple-groups-withuid.service", 0, CLD_EXITED); | |
86b838ea DH |
331 | } |
332 | ||
2b9ac11e DH |
333 | static void test_exec_dynamic_user(Manager *m) { |
334 | test(m, "exec-dynamicuser-fixeduser.service", 0, CLD_EXITED); | |
335 | test(m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", 0, CLD_EXITED); | |
5c67067f | 336 | test(m, "exec-dynamicuser-supplementarygroups.service", 0, CLD_EXITED); |
8adb3d63 | 337 | test(m, "exec-dynamicuser-state-dir.service", 0, CLD_EXITED); |
2b9ac11e DH |
338 | } |
339 | ||
281e05b6 RC |
340 | static void test_exec_environment(Manager *m) { |
341 | test(m, "exec-environment.service", 0, CLD_EXITED); | |
342 | test(m, "exec-environment-multiple.service", 0, CLD_EXITED); | |
343 | test(m, "exec-environment-empty.service", 0, CLD_EXITED); | |
344 | } | |
345 | ||
03bd70dd RC |
346 | static void test_exec_environmentfile(Manager *m) { |
347 | static const char e[] = | |
348 | "VAR1='word1 word2'\n" | |
349 | "VAR2=word3 \n" | |
350 | "# comment1\n" | |
351 | "\n" | |
352 | "; comment2\n" | |
353 | " ; # comment3\n" | |
354 | "line without an equal\n" | |
355 | "VAR3='$word 5 6'\n"; | |
356 | int r; | |
357 | ||
358 | r = write_string_file("/tmp/test-exec_environmentfile.conf", e, WRITE_STRING_FILE_CREATE); | |
359 | assert_se(r == 0); | |
360 | ||
361 | test(m, "exec-environmentfile.service", 0, CLD_EXITED); | |
362 | ||
363 | unlink("/tmp/test-exec_environmentfile.conf"); | |
364 | } | |
365 | ||
4c80d201 | 366 | static void test_exec_passenvironment(Manager *m) { |
e1abca2e FB |
367 | /* test-execute runs under MANAGER_USER which, by default, forwards all |
368 | * variables present in the environment, but only those that are | |
369 | * present _at the time it is created_! | |
370 | * | |
371 | * So these PassEnvironment checks are still expected to work, since we | |
372 | * are ensuring the variables are not present at manager creation (they | |
373 | * are unset explicitly in main) and are only set here. | |
374 | * | |
375 | * This is still a good approximation of how a test for MANAGER_SYSTEM | |
376 | * would work. | |
377 | */ | |
4c80d201 FB |
378 | assert_se(setenv("VAR1", "word1 word2", 1) == 0); |
379 | assert_se(setenv("VAR2", "word3", 1) == 0); | |
380 | assert_se(setenv("VAR3", "$word 5 6", 1) == 0); | |
381 | test(m, "exec-passenvironment.service", 0, CLD_EXITED); | |
382 | test(m, "exec-passenvironment-repeated.service", 0, CLD_EXITED); | |
383 | test(m, "exec-passenvironment-empty.service", 0, CLD_EXITED); | |
384 | assert_se(unsetenv("VAR1") == 0); | |
385 | assert_se(unsetenv("VAR2") == 0); | |
386 | assert_se(unsetenv("VAR3") == 0); | |
387 | test(m, "exec-passenvironment-absent.service", 0, CLD_EXITED); | |
388 | } | |
389 | ||
27c5347c RC |
390 | static void test_exec_umask(Manager *m) { |
391 | test(m, "exec-umask-default.service", 0, CLD_EXITED); | |
392 | test(m, "exec-umask-0177.service", 0, CLD_EXITED); | |
393 | } | |
394 | ||
cc3ddc85 RC |
395 | static void test_exec_runtimedirectory(Manager *m) { |
396 | test(m, "exec-runtimedirectory.service", 0, CLD_EXITED); | |
397 | test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED); | |
cc7fa4fb RC |
398 | if (getgrnam("nobody")) |
399 | test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED); | |
50f130c2 RC |
400 | else if (getgrnam("nfsnobody")) |
401 | test(m, "exec-runtimedirectory-owner-nfsnobody.service", 0, CLD_EXITED); | |
ff4ca461 | 402 | else |
303c0bf8 | 403 | log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody group: %m", __func__); |
ff4ca461 RC |
404 | } |
405 | ||
406 | static void test_exec_capabilityboundingset(Manager *m) { | |
407 | int r; | |
408 | ||
ff4ca461 RC |
409 | r = find_binary("capsh", NULL); |
410 | if (r < 0) { | |
0608ba98 | 411 | log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__); |
ff4ca461 RC |
412 | return; |
413 | } | |
414 | ||
415 | test(m, "exec-capabilityboundingset-simple.service", 0, CLD_EXITED); | |
416 | test(m, "exec-capabilityboundingset-reset.service", 0, CLD_EXITED); | |
417 | test(m, "exec-capabilityboundingset-merge.service", 0, CLD_EXITED); | |
418 | test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED); | |
cc3ddc85 RC |
419 | } |
420 | ||
70d7aea5 IP |
421 | static void test_exec_capabilityambientset(Manager *m) { |
422 | int r; | |
423 | ||
424 | /* Check if the kernel has support for ambient capabilities. Run | |
425 | * the tests only if that's the case. Clearing all ambient | |
426 | * capabilities is fine, since we are expecting them to be unset | |
427 | * in the first place for the tests. */ | |
428 | r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); | |
429 | if (r >= 0 || errno != EINVAL) { | |
50f130c2 | 430 | if (getpwnam("nobody")) { |
50f130c2 RC |
431 | test(m, "exec-capabilityambientset.service", 0, CLD_EXITED); |
432 | test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED); | |
34f5ff46 RC |
433 | } else if (getpwnam("nfsnobody")) { |
434 | test(m, "exec-capabilityambientset-nfsnobody.service", 0, CLD_EXITED); | |
435 | test(m, "exec-capabilityambientset-merge-nfsnobody.service", 0, CLD_EXITED); | |
50f130c2 | 436 | } else |
303c0bf8 | 437 | log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__); |
50f130c2 | 438 | } else |
303c0bf8 | 439 | log_error_errno(errno, "Skipping %s, the kernel does not support ambient capabilities: %m", __func__); |
70d7aea5 IP |
440 | } |
441 | ||
63447f11 RC |
442 | static void test_exec_privatenetwork(Manager *m) { |
443 | int r; | |
444 | ||
445 | r = find_binary("ip", NULL); | |
446 | if (r < 0) { | |
303c0bf8 | 447 | log_error_errno(r, "Skipping %s, could not find ip binary: %m", __func__); |
63447f11 RC |
448 | return; |
449 | } | |
450 | ||
451 | test(m, "exec-privatenetwork-yes.service", 0, CLD_EXITED); | |
452 | } | |
453 | ||
c388dfea RC |
454 | static void test_exec_oomscoreadjust(Manager *m) { |
455 | test(m, "exec-oomscoreadjust-positive.service", 0, CLD_EXITED); | |
456 | test(m, "exec-oomscoreadjust-negative.service", 0, CLD_EXITED); | |
457 | } | |
458 | ||
a6226758 RC |
459 | static void test_exec_ioschedulingclass(Manager *m) { |
460 | test(m, "exec-ioschedulingclass-none.service", 0, CLD_EXITED); | |
461 | test(m, "exec-ioschedulingclass-idle.service", 0, CLD_EXITED); | |
462 | test(m, "exec-ioschedulingclass-realtime.service", 0, CLD_EXITED); | |
463 | test(m, "exec-ioschedulingclass-best-effort.service", 0, CLD_EXITED); | |
464 | } | |
465 | ||
25254999 EV |
466 | static void test_exec_spec_interpolation(Manager *m) { |
467 | test(m, "exec-spec-interpolation.service", 0, CLD_EXITED); | |
468 | } | |
469 | ||
6818c54c LP |
470 | static void test_exec_read_only_path_suceed(Manager *m) { |
471 | test(m, "exec-read-only-path-succeed.service", 0, CLD_EXITED); | |
472 | } | |
473 | ||
42cc99d5 LP |
474 | static void test_exec_unset_environment(Manager *m) { |
475 | test(m, "exec-unset-environment.service", 0, CLD_EXITED); | |
476 | } | |
477 | ||
9672b583 LP |
478 | static void test_exec_specifier(Manager *m) { |
479 | test(m, "exec-specifier.service", 0, CLD_EXITED); | |
480 | } | |
481 | ||
ea9cfad1 LP |
482 | static int run_tests(UnitFileScope scope, const test_function_t *tests) { |
483 | const test_function_t *test = NULL; | |
19c0b0b9 RC |
484 | Manager *m = NULL; |
485 | int r; | |
486 | ||
487 | assert_se(tests); | |
488 | ||
e0a3da1f | 489 | r = manager_new(scope, MANAGER_TEST_RUN_MINIMAL, &m); |
19c0b0b9 | 490 | if (MANAGER_SKIP_TEST(r)) { |
2179fd10 | 491 | log_notice_errno(r, "Skipping test: manager_new: %m"); |
19c0b0b9 RC |
492 | return EXIT_TEST_SKIP; |
493 | } | |
494 | assert_se(r >= 0); | |
495 | assert_se(manager_startup(m, NULL, NULL) >= 0); | |
496 | ||
497 | for (test = tests; test && *test; test++) | |
498 | (*test)(m); | |
499 | ||
500 | manager_free(m); | |
501 | ||
502 | return 0; | |
503 | } | |
504 | ||
281e05b6 | 505 | int main(int argc, char *argv[]) { |
ea9cfad1 | 506 | static const test_function_t user_tests[] = { |
d053b72b | 507 | test_exec_bind_paths, |
281e05b6 RC |
508 | test_exec_workingdirectory, |
509 | test_exec_personality, | |
510 | test_exec_ignoresigpipe, | |
511 | test_exec_privatetmp, | |
512 | test_exec_privatedevices, | |
615a1f4b | 513 | test_exec_privatedevices_capabilities, |
4982dbcc | 514 | test_exec_protectkernelmodules, |
f78b36f0 | 515 | test_exec_readonlypaths, |
cdfbd1fb DH |
516 | test_exec_readwritepaths, |
517 | test_exec_inaccessiblepaths, | |
c090d74d | 518 | test_exec_inaccessiblepaths_proc, |
63447f11 | 519 | test_exec_privatenetwork, |
281e05b6 RC |
520 | test_exec_systemcallfilter, |
521 | test_exec_systemcallerrornumber, | |
97e60383 | 522 | test_exec_restrict_namespaces, |
281e05b6 RC |
523 | test_exec_user, |
524 | test_exec_group, | |
86b838ea | 525 | test_exec_supplementary_groups, |
281e05b6 | 526 | test_exec_environment, |
03bd70dd | 527 | test_exec_environmentfile, |
4c80d201 | 528 | test_exec_passenvironment, |
27c5347c | 529 | test_exec_umask, |
cc3ddc85 | 530 | test_exec_runtimedirectory, |
ff4ca461 | 531 | test_exec_capabilityboundingset, |
70d7aea5 | 532 | test_exec_capabilityambientset, |
c388dfea | 533 | test_exec_oomscoreadjust, |
a6226758 | 534 | test_exec_ioschedulingclass, |
25254999 | 535 | test_exec_spec_interpolation, |
6818c54c | 536 | test_exec_read_only_path_suceed, |
42cc99d5 | 537 | test_exec_unset_environment, |
281e05b6 RC |
538 | NULL, |
539 | }; | |
ea9cfad1 | 540 | static const test_function_t system_tests[] = { |
19c0b0b9 | 541 | test_exec_systemcall_system_mode_with_user, |
8adb3d63 | 542 | test_exec_dynamic_user, |
9672b583 | 543 | test_exec_specifier, |
19c0b0b9 RC |
544 | NULL, |
545 | }; | |
281e05b6 RC |
546 | int r; |
547 | ||
469830d1 | 548 | log_set_max_level(LOG_DEBUG); |
281e05b6 RC |
549 | log_parse_environment(); |
550 | log_open(); | |
551 | ||
607ff5f9 DH |
552 | /* It is needed otherwise cgroup creation fails */ |
553 | if (getuid() != 0) { | |
651d47d1 | 554 | puts("Skipping test: not root"); |
607ff5f9 DH |
555 | return EXIT_TEST_SKIP; |
556 | } | |
557 | ||
651d47d1 ZJS |
558 | r = enter_cgroup_subroot(); |
559 | if (r == -ENOMEDIUM) { | |
560 | puts("Skipping test: cgroupfs not available"); | |
561 | return EXIT_TEST_SKIP; | |
562 | } | |
8c759b33 | 563 | |
cc3ddc85 | 564 | assert_se(setenv("XDG_RUNTIME_DIR", "/tmp/", 1) == 0); |
cc100a5a | 565 | assert_se(set_unit_path(get_testdata_dir("/test-execute")) >= 0); |
281e05b6 | 566 | |
e1abca2e FB |
567 | /* Unset VAR1, VAR2 and VAR3 which are used in the PassEnvironment test |
568 | * cases, otherwise (and if they are present in the environment), | |
569 | * `manager_default_environment` will copy them into the default | |
570 | * environment which is passed to each created job, which will make the | |
571 | * tests that expect those not to be present to fail. | |
572 | */ | |
573 | assert_se(unsetenv("VAR1") == 0); | |
574 | assert_se(unsetenv("VAR2") == 0); | |
575 | assert_se(unsetenv("VAR3") == 0); | |
576 | ||
463d0d15 | 577 | r = run_tests(UNIT_FILE_USER, user_tests); |
19c0b0b9 RC |
578 | if (r != 0) |
579 | return r; | |
281e05b6 | 580 | |
463d0d15 | 581 | return run_tests(UNIT_FILE_SYSTEM, system_tests); |
281e05b6 | 582 | } |