# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
+# On Ubuntu the BPF LSM is not enabled by default, so we need to do it via the
+# kernel command line on boot
+if [ "$LOOKS_LIKE_UBUNTU" = "yes" ]; then
+ KERNEL_OPTIONS=(
+ "lsm=lockdown,capability,landlock,yama,apparmor,bpf"
+ )
+ KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
+fi
+
test_require_bin mksquashfs veritysetup sfdisk
test_append_files() {
set -eux
set -o pipefail
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
export SYSTEMD_LOG_LEVEL=debug
cleanup_image_dir() {
(! test -f /usr/waldo)
fi
+if test -f /usr/lib/systemd/system/systemd-mountfsd.socket -a -f /usr/lib/systemd/system/systemd-nsresourced.socket && \
+ command -v command -v mksquashfs >/dev/null 2>&1 && \
+ grep -q bpf /sys/kernel/security/lsm && \
+ test "$(find /usr/lib* -name libbpf.so.1 2>/dev/null)" != "" ; then
+
+ cleanunprivfiles() {
+ umount -R /tmp/unpriv/mount
+ rmdir /tmp/unpriv
+ rm -f /tmp/test-50-unpriv-privkey.key /tmp/test-50-unpriv-cert.crt /run/verity.d/test-50-unpriv-cert.crt
+ rm -f /var/tmp/unpriv.raw /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree
+ rm -f /tmp/unpriv.out /tmp/unpriv.out2 /tmp/unpriv.out3
+ }
+
+ trap cleanunprivfiles EXIT
+
+ systemctl start systemd-mountfsd.socket systemd-nsresourced.socket
+
+ openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout /tmp/test-50-unpriv-privkey.key -out /tmp/test-50-unpriv-cert.crt
+
+ systemd-dissect --mkdir --mount "${image}.raw" /tmp/unpriv/mount
+ SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs systemd-repart -P -s /tmp/unpriv/mount --certificate=/tmp/test-50-unpriv-cert.crt --private-key=/tmp/test-50-unpriv-privkey.key /var/tmp/unpriv.raw
+ systemd-dissect --rmdir --umount /tmp/unpriv/mount
+
+ systemd-dissect --image-policy='root=unprotected:=absent+unused' /var/tmp/unpriv.raw
+ systemd-dissect --image-policy='root=unprotected:=absent+unused' --mtree /var/tmp/unpriv.raw | tee /tmp/unpriv.raw.mtree
+
+ # Run unpriv, should fail due to lack of privs
+ (! runas testuser systemd-dissect /var/tmp/unpriv.raw )
+ (! runas testuser systemd-dissect --mtree /var/tmp/unpriv.raw )
+
+ # Install key in keychain
+ cp /tmp/test-50-unpriv-cert.crt /run/verity.d
+
+ # Now run unpriv again, should be OK now.
+ runas testuser systemd-dissect /var/tmp/unpriv.raw
+ runas testuser systemd-dissect --mtree /var/tmp/unpriv.raw | tee /tmp/unpriv2.raw.mtree
+
+ # Check that unpriv and priv run yielded same results
+ cmp /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree
+
+ # Make sure nspawn works unpriv, too (for now do not nest)
+ if ! systemd-detect-virt -c ; then
+ systemd-nspawn --pipe -i /var/tmp/unpriv.raw --read-only echo thisisatest > /tmp/unpriv.out
+ echo thisisatest | cmp /tmp/unpriv.out -
+
+ # The unpriv user has no rights to lock the image or write to it. Let's
+ # turn off both for this test, so that we don't have to copy the image
+ # around.
+ systemd-run -M testuser@ --user --pipe -p Environment=SYSTEMD_NSPAWN_LOCK=0 -p Delegate=1 -p DelegateSubgroup=supervisor -p Environment=SYSTEMD_LOG_LEVEL=debug --wait systemd-nspawn --keep-unit -i /var/tmp/unpriv.raw --read-only --pipe echo thisisatest > /tmp/unpriv.out2
+ echo thisisatest | cmp /tmp/unpriv.out2 -
+ fi
+
+ systemd-run -M testuser@ --user --pipe -p RootImage=/var/tmp/unpriv.raw -p PrivateUsers=1 --wait echo thisisatest > /tmp/unpriv.out3
+ echo thisisatest | cmp /tmp/unpriv.out3 -
+fi
+
# Sneak in a couple of expected-to-fail invocations to cover
# https://github.com/systemd/systemd/issues/29610
(! systemd-run -P -p MountImages="/this/should/definitely/not/exist.img:/run/img2\:3:nosuid" false)
projects / thirdparty / systemd.git / commitdiff
