| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
I think this is easier to grok too.
|
| |
|
|
| |
Prompted by https://github.com/systemd/systemd/issues/26422#issuecomment-1435772839.
|
| |
|
|
|
| |
If an exotic network driver is loaded, there may exist an unexpected
network interface.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Before this, tests are split into two categories, system and user, but
both are running in fully privileged environment. Hence, unprivileged
user scope was mostly not covered by the test.
Let's run all tests in both system and user scopes, and drop capabilities
when Manager is running in user scope.
This also makes the host environment protected more from the test run.
|
| |
|
|
|
|
|
|
|
|
| |
(The one case that is left unchanged is '< <(subcommand)'.)
This way, the style with no gap was already dominant. This way, the reader
immediately knows that ' < ' is a comparison operator and ' << ' is a shift.
In a few cases, replace custom EOF replacement by just EOF. There is no point
in using someting like "_EOL" unless "EOF" appears in the text.
|
| |
|
|
| |
No functional change.
|
| |
|
|
|
|
|
|
|
|
| |
In my understanding user group "3" (aka "sys") is kept for historical reasons
but not really useful these days. That's probably explained why this group
isn't defined on openSUSE.
Hence let's drop reference to this user group, this shouldn't lessen the
revelance of the test since SupplementaryGroups= is still tested with 2 other
groups.
|
| |
|
|
| |
When building in a chroot there might not be any machine-id
|
| |
|
|
|
|
| |
This also moves the check for writable paths from test-execute to TEST-34.
Closes #10337.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
/bin/sh as a shell is punishing. There is no good reason to make
the occasional root login unpleasant.
Since /bin/sh is usually /bin/bash in compat mode, i.e. if one is
available, the other will be too, /bin/bash is almost as good as a default.
But to avoid a regression in the situation where /bin/bash (or
DEFAULT_USER_SHELL) is not installed, we check with access() and fall back
to /bin/sh. This should make this change in behaviour less risky.
(FWIW, e.g. Fedora/RHEL use /bin/bash as default for root.)
This is a follow-up of sorts for 53350c7bbade8c5f357aa3d1029ef9b2208ea675,
which added the default-user-shell option, but most likely with the idea
of using /bin/bash less ;)
Fixes #24369.
|
| |
|
|
|
|
|
|
| |
test-execute checks that only /var/lib/private/waldo is writable, but there are
some filesystems that are always writable and excluded. Add /sys/devices/system/cpu
which is created by lxcfs.
Fixes https://github.com/systemd/systemd/issues/23263
|
| |
|
|
| |
Resolves: #22549
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux 5.15 broke kernel API:
https://github.com/torvalds/linux/commit/e70344c05995a190a56bbd1a23dc2218bcc8c924
Previously setting IOPRIO_CLASS_NONE for a process would then report
IOPRIO_CLASS_NONE back. But since 5.15 it reports IOPRIO_CLASS_BE
instead. Since IOPRIO_CLASS_NONE is an alias for a special setting of
IOPRIO_CLASS_BE this makes some sense, but it's also a kernel API
breakage that our testsuite trips up on.
(I made some minimal effort to inform the kernel people about this API
breakage during the 5.15 rc phase, but noone was interested.)
Either way let's hadle this gracefully in our test suite and accept
"best-effort" too when "none" was set.
(This is only triggable if the tests are run on 5.15 with full privs)
|
| |
|
|
| |
Inspired by the test case described in #19899
|
| |
|
|
|
|
|
|
| |
Those are all consumed by our parser, so they all support comments.
I was considering whether they should have a license header at all,
but in the end I decided to add it because those files are often created
by copying parts of real unit files. And if the real ones have a license,
then those might as well. It's easier to add it than to make an exception.
|
| |
|
|
|
|
| |
This adds a high level test verifying that syscall filtering in
combination with a simple architecture filter for the "native"
architecture works fine.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
which binaries executed by Exec*= should be found
Currently there does not exist a way to specify a path relative to which
all binaries executed by Exec should be found. The only way is to
specify the absolute path.
This change implements the functionality to specify a path relative to which
binaries executed by Exec*= can be found.
Closes #6308
|
| | |
|
| |
|
|
|
| |
<< EOF → <<EOF
> foo < bar → >foo <bar
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.
Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib
Closes: #17942.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The cmp in ExecStartPost= was actually failing – ExecStartPost= has the
same StandardOutput as the rest of the service, so the output file is
truncated before cmp can compare it with the expected output – but the
test still passed because test_exec_standardoutput_truncate() calls
test(), which only checks the main result, rather than test_service(),
which checks the result of the whole service. Fix the test by merging
the ExecStartPost= into the ExecStart= – the cmp has to be part of the
same command line as the cat so that the file is not truncated between
the two processes.
|
| |
|
|
|
|
| |
This adds the ability to specify truncate:PATH for StandardOutput= and
StandardError=, similar to the existing append:PATH. The code is mostly
copied from the related append: code. Fixes #8983.
|
| |
|
|
|
| |
echo is a built-in, so we were testing execve in our own code, and not in
the running child.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define explicit action "kill" for SystemCallErrorNumber=.
In addition to errno code, allow specifying "kill" as action for
SystemCallFilter=.
---
v7: seccomp_parse_errno_or_action() returns -EINVAL if !HAVE_SECCOMP
v6: use streq_ptr(), let errno_to_name() handle bad values, kill processes,
init syscall_errno
v5: actually use seccomp_errno_or_action_to_string(), don't fail bus unit
parsing without seccomp
v4: fix build without seccomp
v3: drop log action
v2: action -> number
|
| |
|
|
|
|
|
|
|
| |
All backslashes that should be single in shell syntax need to be written as "\\" because
our parser will remove one level of quoting. Also, single quotes were doubly nested, which
cannot work.
Should fix the following message:
test-execute/exec-dynamicuser-statedir.service:16: Ignoring unknown escape sequences: "test $$(find / \( -path /var/tmp -o -path /tmp -o -path /proc -o -path /dev/mqueue -o -path /dev/shm -o -path /sys/fs/bpf -o -path /dev/.lxc \) -prune -o -type d -writable -print 2>/dev/null | sort -u | tr -d \\n) = /var/lib/private/quux/pief/var/lib/private/waldo"
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://tools.ietf.org/html/draft-knodel-terminology-02
https://lwn.net/Articles/823224/
This gets rid of most but not occasions of these loaded terms:
1. scsi_id and friends are something that is supposed to be removed from
our tree (see #7594)
2. The test suite defines an API used by the ubuntu CI. We can remove
this too later, but this needs to be done in sync with the ubuntu CI.
3. In some cases the terms are part of APIs we call or where we expose
concepts the kernel names the way it names them. (In particular all
remaining uses of the word "slave" in our codebase are like this,
it's used by the POSIX PTY layer, by the network subsystem, the mount
API and the block device subsystem). Getting rid of the term in these
contexts would mean doing some major fixes of the kernel ABI first.
Regarding the replacements: when whitelist/blacklist is used as noun we
replace with with allow list/deny list, and when used as verb with
allow-list/deny-list.
|
| |
|
|
|
| |
Both hostname and uname utilities boil down to uname(2) syscall. Reduce
tests dependency footprint by using uname for checking hostname too.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libcap v2.33 introduces a new capability set called IAB[0] which is shown
in the output of `capsh --print` and interferes with the test checks. Let's
drop the IAB set from the output, for now, to mitigate this.
This could be (and probably should be) replaced in the future by the
newly introduced testing options[1][2] in libcap v2.32, namely:
--has-p=xxx
--has-i=xxx
--has-a=xxx
but this needs to wait until the respective libcap version gets a wider
adoption. Until then, let's stick with the relatively ugly sed.
Fixes: #15046
[0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
|
| |
|
|
|
|
|
|
| |
The man pages state that the '+' prefix in Exec* directives should
ignore filesystem namespacing options such as PrivateTmp. Now it does.
This is very similar to #8842, just with PrivateTmp instead of
PrivateDevices.
|
| |
|
|
|
|
|
| |
Since libcap v2.29 the format of cap_to_text() has been changed which
makes certain `test-execute` subtest fail. Let's remove the offending
part of the output (dropped capabilities) to make it compatible with
both the old and the new libcap.
|
| | |
|
| |
|
|
|
|
| |
For root, group enforcement needs to come after PrivateDevices=y set up
according to 096424d1230e0a0339735c51b43949809e972430. Add a test to
verify this is the case.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some containers unshare() is made unavailable entirely. Let's deal
with this that more gracefully and disable our sandboxing of services
then, so that we work in a container, under the assumption the container
manager is then responsible for sandboxing if we can't do it ourselves.
Previously, we'd insist on sandboxing as soon as any form of BindPath=
is used. With this change we only insist on it if we have a setting like
that where source and destination differ, i.e. there's a mapping
established that actually rearranges things, and thus would result in
systematically different behaviour if skipped (as opposed to mappings
that just make stuff read-only/writable that otherwise arent').
(Let's also update a test that intended to test for this behaviour with
a more specific configuration that still triggers the behaviour with
this change in place)
Fixes: #13955
(For testing purposes unshare() can easily be blocked with
systemd-nspawn --system-call-filter=~unshare.)
|
| | |
|
| | |
|
| |
|
|
|
|
| |
It appears in nested LXC containers and broke the test in Ubuntu CI.
BugLink: https://bugs.launchpad.net/bugs/1845337
|
| |
|
|
| |
Closes #10596
|
| |
|
|
|
|
|
|
|
|
| |
Before only one comparison was allowed. Let's make this more flexible:
ConditionKernelVersion = ">=4.0" "<=4.5"
Fixes #12881.
This also fixes expressions like "ConditionKernelVersion=>" which would
evaluate as true.
|
| | |
|
| |
|
|
|
|
| |
These services are likely to coredump, and we expect that but aren't
interested in the coredump. Hence let's turn off processing by setting
RLIMIT_CORE to 0/0.
|
| |
|
|
|
| |
As explained in the previous commit, blocking /proc can cause us
to go into a long loop or fail the test.
|
| | |
|
| | |
|
| |
|
|
| |
Fixes #10934.
|
| | |
|
