From cf906beaef38def8d965f0ec593666a71fb5cc90 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 16 Jun 2022 03:21:28 +0900
Subject: [PATCH] test: add syscall filter tests for analyze security

---
 test/units/testsuite-65.sh | 60 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index 393297b17f4..64ce629f3b4 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -3,6 +3,9 @@
 # shellcheck disable=SC2016
 set -eux
 
+# shellcheck source=test/units/assert.sh
+. "$(dirname "$0")"/assert.sh
+
 systemd-analyze log-level debug
 export SYSTEMD_LOG_LEVEL=debug
 
@@ -606,6 +609,63 @@ fi
 
 systemd-analyze --threshold=90 security systemd-journald.service
 
+# issue 23663
+check() {(
+    set +x
+    output=$(systemd-analyze security --offline="${2?}" "${3?}" | grep -F 'SystemCallFilter=')
+    assert_in "System call ${1?} list" "$output"
+    assert_in "[+â] SystemCallFilter=~@swap" "$output"
+    assert_in "[+â] SystemCallFilter=~@resources" "$output"
+    assert_in "[+â] SystemCallFilter=~@reboot" "$output"
+    assert_in "[+â] SystemCallFilter=~@raw-io" "$output"
+    assert_in "[-â] SystemCallFilter=~@privileged" "$output"
+    assert_in "[+â] SystemCallFilter=~@obsolete" "$output"
+    assert_in "[+â] SystemCallFilter=~@mount" "$output"
+    assert_in "[+â] SystemCallFilter=~@module" "$output"
+    assert_in "[+â] SystemCallFilter=~@debug" "$output"
+    assert_in "[+â] SystemCallFilter=~@cpu-emulation" "$output"
+    assert_in "[-â] SystemCallFilter=~@clock" "$output"
+)}
+
+export -n SYSTEMD_LOG_LEVEL
+
+mkdir -p /run/systemd/system
+cat >/run/systemd/system/allow-list.service <<EOF
+[Service]
+ExecStart=false
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources:ENOANO @privileged
+SystemCallFilter=@clock
+EOF
+
+cat >/run/systemd/system/deny-list.service <<EOF
+[Service]
+ExecStart=false
+SystemCallFilter=~@known
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources:ENOANO @privileged
+SystemCallFilter=@clock
+EOF
+
+systemctl daemon-reload
+
+check allow yes /run/systemd/system/allow-list.service
+check allow no allow-list.service
+check deny yes /run/systemd/system/deny-list.service
+check deny no deny-list.service
+
+output=$(systemd-run -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
+name=$(echo "$output" | awk '{ print $4 }')
+
+check allow yes /run/systemd/transient/"$name"
+check allow no "$name"
+
+output=$(systemd-run -p "SystemCallFilter=~@known" -p "SystemCallFilter=@system-service" -p "SystemCallFilter=~@resources:ENOANO @privileged" -p "SystemCallFilter=@clock" sleep 60 2>&1)
+name=$(echo "$output" | awk '{ print $4 }')
+
+check deny yes /run/systemd/transient/"$name"
+check deny no "$name"
+
 systemd-analyze log-level info
 
 echo OK >/testok
-- 
2.47.3

