From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 14 Oct 2023 17:25:28 +0000 (+0200)
Subject: core: don't downgrade multi-state settings to boolean
X-Git-Tag: v255-rc1~243
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=abcf59970d7564fe123c33da7d0fe6b7ffb76551;p=thirdparty%2Fsystemd.git

core: don't downgrade multi-state settings to boolean

Protect{Home,System,Proc,Subset}= are not booleans, so make sure we use
the intended value instead of just true/false.

See: https://github.com/systemd/systemd/pull/29552
Follow-up to: 79d956d
---

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 72aa05780e5..b6ab421a8d8 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -3163,10 +3163,10 @@ static int apply_mount_namespace(
                 /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
                 .mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
 
-                .protect_home = needs_sandboxing && context->protect_home,
-                .protect_system = needs_sandboxing && context->protect_system,
-                .protect_proc = needs_sandboxing && context->protect_proc,
-                .proc_subset = needs_sandboxing && context->proc_subset,
+                .protect_home = needs_sandboxing ? context->protect_home : false,
+                .protect_system = needs_sandboxing ? context->protect_system : false,
+                .protect_proc = needs_sandboxing ? context->protect_proc : false,
+                .proc_subset = needs_sandboxing ? context->proc_subset : false,
         };
 
         r = setup_namespace(&parameters, error_path);
diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh
new file mode 100755
index 00000000000..ccda8639e69
--- /dev/null
+++ b/test/units/testsuite-07.exec-context.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# Make sure the unit's exec context matches its configuration
+# See: https://github.com/systemd/systemd/pull/29552
+
+# Even though hidepid= was introduced in kernel 3.3, we support only
+# the post 5.8 implementation that allows us to apply the option per-instance,
+# instead of the whole namespace. To distinguish between these two implementations
+# lets check if we can mount procfs with a named value (e.g. hidepid=off), since
+# support for this was introduced in the same commit as the per-instance stuff
+proc_supports_option() {
+    local option="${1:?}"
+    local proc_tmp ec
+
+    proc_tmp="$(mktemp -d)"
+    mount -t proc -o "$option" proc "$proc_tmp" && ec=0 || ec=$?
+    mountpoint -q "$proc_tmp" && umount -q "$proc_tmp"
+    rm -rf "$proc_tmp"
+
+    return $ec
+}
+
+systemd-run --wait --pipe -p ProtectSystem=yes \
+    bash -xec "test ! -w /usr; test ! -w /boot; test -w /etc; test -w /var"
+systemd-run --wait --pipe -p ProtectSystem=full \
+    bash -xec "test ! -w /usr; test ! -w /boot; test ! -w /etc; test -w /var"
+systemd-run --wait --pipe -p ProtectSystem=strict \
+    bash -xec "test ! -w /; test ! -w /etc; test ! -w /var; test -w /dev; test -w /proc"
+systemd-run --wait --pipe -p ProtectSystem=no \
+    bash -xec "test -w /; test -w /etc; test -w /var; test -w /dev; test -w /proc"
+
+MARK="$(mktemp /root/.exec-context.XXX)"
+systemd-run --wait --pipe -p ProtectHome=yes \
+    bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK"
+systemd-run --wait --pipe -p ProtectHome=read-only \
+    bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test -e $MARK"
+systemd-run --wait --pipe -p ProtectHome=tmpfs \
+    bash -xec "test -w /home; test -w /root; test -w /run/user; test ! -e $MARK"
+systemd-run --wait --pipe -p ProtectHome=no \
+    bash -xec "test -w /home; test -w /root; test -w /run/user; test -e $MARK"
+rm -f "$MARK"
+
+if proc_supports_option "hidepid=off"; then
+    systemd-run --wait --pipe -p ProtectProc=noaccess -p User=testuser \
+        bash -xec 'test -e /proc/1; test ! -r /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=invisible -p User=testuser \
+        bash -xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=ptraceable -p User=testuser \
+        bash -xec 'test ! -e /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=ptraceable -p User=testuser -p AmbientCapabilities=CAP_SYS_PTRACE \
+        bash -xec 'test -r /proc/1; test -r /proc/$$$$/comm'
+    systemd-run --wait --pipe -p ProtectProc=default -p User=testuser \
+        bash -xec 'test -r /proc/1; test -r /proc/$$$$/comm'
+fi
+
+if proc_supports_option "subset=pid"; then
+    systemd-run --wait --pipe -p ProcSubset=pid -p User=testuser \
+        bash -xec "test -r /proc/1/comm; test ! -e /proc/cpuinfo"
+    systemd-run --wait --pipe -p ProcSubset=all -p User=testuser \
+        bash -xec "test -r /proc/1/comm; test -r /proc/cpuinfo"
+fi
+
+if ! systemd-detect-virt -cq; then
+    systemd-run --wait --pipe -p ProtectKernelLogs=yes -p User=testuser \
+        bash -xec "test ! -r /dev/kmsg"
+    systemd-run --wait --pipe -p ProtectKernelLogs=no -p User=testuser \
+        bash -xec "test -r /dev/kmsg"
+fi