diff options
| author | Kevin Kuehler <keur@xcf.berkeley.edu> | 2019-11-13 16:38:33 -0800 |
|---|---|---|
| committer | Kevin Kuehler <keur@xcf.berkeley.edu> | 2019-11-15 00:59:51 -0800 |
| commit | 806aea3879ca86355af24a7c36cdbf7432b0c7c7 (patch) | |
| tree | 61ef5e7a4118435ffecb690bc48d18aa3567df71 /src/test/test-namespace.c | |
| parent | d916e35b9f1cd03c02ca8acc34f56a156dcc5868 (diff) | |
| download | systemd-806aea3879ca86355af24a7c36cdbf7432b0c7c7.tar.gz | |
test-namespace: Add test for ProtectKernelLogs=
Diffstat (limited to 'src/test/test-namespace.c')
| -rw-r--r-- | src/test/test-namespace.c | 73 |
1 files changed, 68 insertions, 5 deletions
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c index 73ad2b25dd..41ea733b7e 100644 --- a/src/test/test-namespace.c +++ b/src/test/test-namespace.c @@ -1,5 +1,6 @@ /* SPDX-License-Identifier: LGPL-2.1+ */ +#include <fcntl.h> #include <sys/socket.h> #include <sys/stat.h> @@ -9,7 +10,9 @@ #include "process-util.h" #include "string-util.h" #include "tests.h" +#include "user-util.h" #include "util.h" +#include "virt.h" static void test_tmpdir(const char *id, const char *A, const char *B) { _cleanup_free_ char *a, *b; @@ -48,14 +51,16 @@ static void test_tmpdir(const char *id, const char *A, const char *B) { assert_se(rmdir(b) >= 0); } -static int test_netns(void) { +static void test_netns(void) { _cleanup_close_pair_ int s[2] = { -1, -1 }; pid_t pid1, pid2, pid3; int r, n = 0; siginfo_t si; - if (geteuid() > 0) - return log_tests_skipped("not root"); + if (geteuid() > 0) { + (void) log_tests_skipped("not root"); + return; + } assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0); @@ -102,7 +107,62 @@ static int test_netns(void) { n += si.si_status; assert_se(n == 1); - return EXIT_SUCCESS; +} + +static void test_protect_kernel_logs(void) { + int r; + pid_t pid; + static const NamespaceInfo ns_info = { + .protect_kernel_logs = true, + }; + + if (geteuid() > 0) { + (void) log_tests_skipped("not root"); + return; + } + + /* In a container we likely don't have access to /dev/kmsg */ + if (detect_container() > 0) { + (void) log_tests_skipped("in container"); + return; + } + + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + _cleanup_close_ int fd = -1; + + fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC); + assert_se(fd > 0); + + r = setup_namespace(NULL, + NULL, + &ns_info, + NULL, + NULL, + NULL, + NULL, + NULL, 0, + NULL, 0, + NULL, + NULL, + PROTECT_HOME_NO, + PROTECT_SYSTEM_NO, + 0, + 0, + NULL); + assert_se(r == 0); + + assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0); + assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0); + assert_se(errno == EACCES); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS); } int main(int argc, char *argv[]) { @@ -133,5 +193,8 @@ int main(int argc, char *argv[]) { test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz); - return test_netns(); + test_netns(); + test_protect_kernel_logs(); + + return EXIT_SUCCESS; } |