Tree - rpms/systemd - CentOS Git server

rpms / systemd

Blame 0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch

Blob History Raw

Adam Williamson	f41ff6	`From 4a43c2b3a1066247f26d8a6e52ebfc40852a5f7e Mon Sep 17 00:00:00 2001`
Adam Williamson	f41ff6	`From: Frantisek Sumsal <frantisek@sumsal.cz>`
Adam Williamson	f41ff6	`Date: Fri, 24 Nov 2023 16:00:15 +0100`
Adam Williamson	f41ff6	`Subject: [PATCH 3/3] test: add a couple of tests for RestrictFileSystems=`
Adam Williamson	f41ff6
Adam Williamson	f41ff6	`---`
Adam Williamson	f41ff6	`test/units/testsuite-07.exec-context.sh \| 31 +++++++++++++++++++++++++`
Adam Williamson	f41ff6	`test/units/util.sh \| 19 +++++++++++++++`
Adam Williamson	f41ff6	`2 files changed, 50 insertions(+)`
Adam Williamson	f41ff6
Adam Williamson	f41ff6	`diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh`
Adam Williamson	f41ff6	`index b4118d2fe8..10b425359d 100755`
Adam Williamson	f41ff6	`--- a/test/units/testsuite-07.exec-context.sh`
Adam Williamson	f41ff6	`+++ b/test/units/testsuite-07.exec-context.sh`
Adam Williamson	f41ff6	`@@ -4,6 +4,9 @@`
Adam Williamson	f41ff6	`set -eux`
Adam Williamson	f41ff6	`set -o pipefail`
Adam Williamson	f41ff6
Adam Williamson	f41ff6	`+# shellcheck source=test/units/util.sh`
Adam Williamson	f41ff6	`+. "$(dirname "$0")"/util.sh`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`# Make sure the unit's exec context matches its configuration`
Adam Williamson	f41ff6	`# See: https://github.com/systemd/systemd/pull/29552`
Adam Williamson	f41ff6
Adam Williamson	f41ff6	`@@ -284,6 +287,34 @@ systemd-run --wait --pipe "${ARGUMENTS[@]}" \`
Adam Williamson	f41ff6	`ulimit -R \|\| exit 0;`
Adam Williamson	f41ff6	`: RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];'`
Adam Williamson	f41ff6
Adam Williamson	f41ff6	`+# RestrictFileSystems=`
Adam Williamson	f41ff6	`+#`
Adam Williamson	f41ff6	`+# Note: running instrumented binaries requires at least /proc to be accessible, so let's`
Adam Williamson	f41ff6	`+# skip the test when we're running under sanitizers`
Adam Williamson	f41ff6	`+if [[ ! -v ASAN_OPTIONS ]] && systemctl --version \| grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then`
Adam Williamson	f41ff6	`+ ROOTFS="$(df --output=fstype /usr/bin \| sed --quiet 2p)"`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="" ls /`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls /`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /)`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="~" ls /`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys)`
Adam Williamson	f41ff6	`+ systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev)`
Adam Williamson	f41ff6	`+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys)`
Adam Williamson	f41ff6	`+fi`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`# Ensure that clean-up codepaths work correctly if activation ultimately fails`
Adam Williamson	f41ff6	`touch /run/not-a-directory`
Adam Williamson	f41ff6	`mkdir /tmp/root`
Adam Williamson	f41ff6	`diff --git a/test/units/util.sh b/test/units/util.sh`
Adam Williamson	f41ff6	`index fdfb91f8c6..b5ed73237c 100755`
Adam Williamson	f41ff6	`--- a/test/units/util.sh`
Adam Williamson	f41ff6	`+++ b/test/units/util.sh`
Adam Williamson	f41ff6	`@@ -197,3 +197,22 @@ openssl_supports_kdf() {`
Adam Williamson	f41ff6	`# but let's do that when/if the need arises`
Adam Williamson	f41ff6	`openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"`
Adam Williamson	f41ff6	`}`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`+kernel_supports_lsm() {`
Adam Williamson	f41ff6	`+ local lsm="${1:?}"`
Adam Williamson	f41ff6	`+ local items item`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`+ if [[ ! -e /sys/kernel/security/lsm ]]; then`
Adam Williamson	f41ff6	`+ echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported"`
Adam Williamson	f41ff6	`+ return 1`
Adam Williamson	f41ff6	`+ fi`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`+ mapfile -t -d, items`
Adam Williamson	f41ff6	`+ for item in "${items[@]}"; do`
Adam Williamson	f41ff6	`+ if [[ "$item" == "$lsm" ]]; then`
Adam Williamson	f41ff6	`+ return 0`
Adam Williamson	f41ff6	`+ fi`
Adam Williamson	f41ff6	`+ done`
Adam Williamson	f41ff6	`+`
Adam Williamson	f41ff6	`+ return 1`
Adam Williamson	f41ff6	`+}`
Adam Williamson	f41ff6	`--`
Adam Williamson	f41ff6	`2.43.0`
Adam Williamson	f41ff6

rpms / systemd

Source Code

Blame 0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch