#include "env-util.h"
#include "errno-list.h"
#include "format-ifname.h"
+#include "hashmap.h"
#include "hexdecoct.h"
#include "hostname-setup.h"
#include "in-addr-util.h"
#include "nss-util.h"
#include "parse-util.h"
#include "path-util.h"
+#include "process-util.h"
+#include "seccomp-util.h"
#include "socket-util.h"
#include "string-util.h"
#include "strv.h"
int n_addresses = 0;
int r;
- test_setup_logging(LOG_INFO);
+ test_setup_logging(LOG_DEBUG);
r = parse_argv(argc, argv, &modules, &names, &addresses, &n_addresses);
if (r < 0)
assert_se(path_extract_directory(argv[0], &dir) >= 0);
+ if (geteuid() != 0 || !is_seccomp_available())
+ log_tests_skipped("Not privileged or seccomp is not available");
+ else {
+ /* Testing with several syscalls filtered, and check if the nss modules gracefully handle failures in
+ * masked syscalls. See issue #38582. */
+
+ ASSERT_OK(r = safe_fork("(with-seccomp)", FORK_LOG | FORK_WAIT, /* ret_pid = */ NULL));
+ if (r == 0) {
+ _cleanup_hashmap_free_ Hashmap *filter = NULL;
+ ASSERT_NOT_NULL(filter = hashmap_new(NULL));
+ FOREACH_STRING(s, "uname", "olduname", "oldolduname", "sigprocmask", "rt_sigprocmask", "osf_sigprocmask")
+ ASSERT_OK(seccomp_filter_set_add_by_name(filter, /* add = */ true, s));
+ ASSERT_OK(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, filter, SCMP_ACT_ERRNO(ENOSYS), /* log_missing = */ true));
+
+ /* To make assert_return() and friends not call abort(), even built as developer mode. */
+ ASSERT_OK_ERRNO(setenv("SYSTEMD_ASSERT_RETURN_IS_CRITICAL", "0", /* overwrite = */ true));
+ /* Let's also make nss modules output debugging logs. */
+ ASSERT_OK_ERRNO(setenv("SYSTEMD_LOG_LEVEL", "debug", /* overwrite = */ true));
+
+ STRV_FOREACH(module, modules)
+ ASSERT_OK(test_one_module(dir, *module, names, addresses, n_addresses));
+
+ _exit(EXIT_SUCCESS);
+ }
+ }
+
STRV_FOREACH(module, modules) {
r = test_one_module(dir, *module, names, addresses, n_addresses);
if (r < 0)
projects / thirdparty / systemd.git / commitdiff
