Merge pull request #8341 from yuwata/test-execute-ambient

test-execute: check capabilities before runnig tests
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-03-05 17:45:28 +0100
committer: GitHub <noreply@github.com> 2018-03-05 17:45:28 +0100
commit: de5fbba9e2dabd18027adb38157b2eab44e9d0a8 (patch)
tree: 8f4edea8ea69d434235e31da4d677e6768f236ac
parent: 8c6414be15bac95c34262b73766c64524c25772e (diff)
parent: e5ba1d324d3bda239907cd704a2f9646e777b820 (diff)
download: systemd-de5fbba9e2dabd18027adb38157b2eab44e9d0a8.tar.gz
8 files changed, 53 insertions, 39 deletions
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index d910471d1f..645e0b3d47 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -24,6 +24,7 @@
 #include <sys/prctl.h>
 #include <sys/types.h>
 
+#include "capability-util.h"
 #include "cpu-set-util.h"
 #include "errno-list.h"
 #include "fileio.h"
@@ -248,7 +249,7 @@ static void test_exec_privatedevices(Manager *m) {
          * properly set, so be sure that it exists */
         r = find_binary("capsh", NULL);
         if (r < 0) {
-                log_error_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
+                log_notice_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
                 return;
         }
 
@@ -272,7 +273,7 @@ static void test_exec_protectkernelmodules(Manager *m) {
 
         r = find_binary("capsh", NULL);
         if (r < 0) {
-                log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+                log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
                 return;
         }
 
@@ -382,12 +383,12 @@ static void test_exec_systemcallfilter_system(Manager *m) {
         test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
 
         if (!check_nobody_user_and_group()) {
-                log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+                log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
         }
 
         if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
-                log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
+                log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
                 return;
         }
 
@@ -399,12 +400,12 @@ static void test_exec_user(Manager *m) {
         test(m, "exec-user.service", 0, CLD_EXITED);
 
         if (!check_nobody_user_and_group()) {
-                log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+                log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
         }
 
         if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
-                log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
+                log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
                 return;
         }
 
@@ -415,12 +416,12 @@ static void test_exec_group(Manager *m) {
         test(m, "exec-group.service", 0, CLD_EXITED);
 
         if (!check_nobody_user_and_group()) {
-                log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+                log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
         }
 
         if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
-                log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
+                log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
                 return;
         }
 
@@ -511,12 +512,12 @@ static void test_exec_runtimedirectory(Manager *m) {
         test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
 
         if (!check_nobody_user_and_group()) {
-                log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+                log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
         }
 
         if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
-                log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
+                log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
                 return;
         }
 
@@ -528,7 +529,14 @@ static void test_exec_capabilityboundingset(Manager *m) {
 
         r = find_binary("capsh", NULL);
         if (r < 0) {
-                log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+                log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+                return;
+        }
+
+        if (have_effective_cap(CAP_CHOWN) <= 0 ||
+            have_effective_cap(CAP_FOWNER) <= 0 ||
+            have_effective_cap(CAP_KILL) <= 0) {
+                log_notice("Skipping %s, this process does not have enough capabilities", __func__);
                 return;
         }
 
@@ -538,7 +546,7 @@ static void test_exec_capabilityboundingset(Manager *m) {
         test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);
 }
 
-static void test_exec_capabilityambientset(Manager *m) {
+static void test_exec_ambientcapabilities(Manager *m) {
         int r;
 
         /* Check if the kernel has support for ambient capabilities. Run
@@ -547,25 +555,31 @@ static void test_exec_capabilityambientset(Manager *m) {
          * in the first place for the tests. */
         r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
         if (r < 0 && IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) {
-                log_error("Skipping %s, the kernel does not support ambient capabilities", __func__);
+                log_notice("Skipping %s, the kernel does not support ambient capabilities", __func__);
+                return;
+        }
+
+        if (have_effective_cap(CAP_CHOWN) <= 0 ||
+            have_effective_cap(CAP_NET_RAW) <= 0) {
+                log_notice("Skipping %s, this process does not have enough capabilities", __func__);
                 return;
         }
 
-        test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
-        test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
+        test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
+        test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
 
         if (!check_nobody_user_and_group()) {
-                log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+                log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
         }
 
         if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
-                log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
+                log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
                 return;
         }
 
-        test(m, "exec-capabilityambientset-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
-        test(m, "exec-capabilityambientset-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
+        test(m, "exec-ambientcapabilities-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
+        test(m, "exec-ambientcapabilities-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
 }
 
 static void test_exec_privatenetwork(Manager *m) {
@@ -573,7 +587,7 @@ static void test_exec_privatenetwork(Manager *m) {
 
         r = find_binary("ip", NULL);
         if (r < 0) {
-                log_error_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
+                log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
                 return;
         }
 
@@ -633,8 +647,8 @@ static int run_tests(UnitFileScope scope, const test_function_t *tests) {
 int main(int argc, char *argv[]) {
         _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
         static const test_function_t user_tests[] = {
+                test_exec_ambientcapabilities,
                 test_exec_bindpaths,
-                test_exec_capabilityambientset,
                 test_exec_capabilityboundingset,
                 test_exec_cpuaffinity,
                 test_exec_environment,
diff --git a/test/meson.build b/test/meson.build
index ac6a70d38d..f86cf388e0 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -45,13 +45,13 @@ test_data_files = '''
         sockets.target
         son.service
         sysinit.target
+        test-execute/exec-ambientcapabilities-merge-nfsnobody.service
+        test-execute/exec-ambientcapabilities-merge-nobody.service
+        test-execute/exec-ambientcapabilities-merge.service
+        test-execute/exec-ambientcapabilities-nfsnobody.service
+        test-execute/exec-ambientcapabilities-nobody.service
+        test-execute/exec-ambientcapabilities.service
         test-execute/exec-bindpaths.service
-        test-execute/exec-capabilityambientset-merge-nfsnobody.service
-        test-execute/exec-capabilityambientset-merge-nobody.service
-        test-execute/exec-capabilityambientset-merge.service
-        test-execute/exec-capabilityambientset-nfsnobody.service
-        test-execute/exec-capabilityambientset-nobody.service
-        test-execute/exec-capabilityambientset.service
         test-execute/exec-capabilityboundingset-invert.service
         test-execute/exec-capabilityboundingset-merge.service
         test-execute/exec-capabilityboundingset-reset.service
diff --git a/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
index 00bec581b5..d2cadebde4 100644
--- a/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service
+++ b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities
 
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002001"'
 Type=oneshot
 User=nfsnobody
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-merge-nobody.service b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
index 64964380e2..545081d629 100644
--- a/test/test-execute/exec-capabilityambientset-merge-nobody.service
+++ b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities
 
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002001"'
 Type=oneshot
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-merge.service b/test/test-execute/exec-ambientcapabilities-merge.service
index 22b4c6d49e..2e3fe59124 100644
--- a/test/test-execute/exec-capabilityambientset-merge.service
+++ b/test/test-execute/exec-ambientcapabilities-merge.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities (daemon)
 
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002001"'
 Type=oneshot
 User=daemon
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
index 614cfdd584..9377ee16b2 100644
--- a/test/test-execute/exec-capabilityambientset-nfsnobody.service
+++ b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities
 
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002001"'
 Type=oneshot
 User=nfsnobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-nobody.service b/test/test-execute/exec-ambientcapabilities-nobody.service
index d63f884ef8..07a6c7511d 100644
--- a/test/test-execute/exec-capabilityambientset-nobody.service
+++ b/test/test-execute/exec-ambientcapabilities-nobody.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities
 
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002001"'
 Type=oneshot
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset.service b/test/test-execute/exec-ambientcapabilities.service
index 0a3cfa4bf6..d91cc09a48 100644
--- a/test/test-execute/exec-capabilityambientset.service
+++ b/test/test-execute/exec-ambientcapabilities.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities (daemon)
 
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002001"'
 Type=oneshot
 User=daemon
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2018-03-05 17:45:28 +0100
committer	GitHub <noreply@github.com>	2018-03-05 17:45:28 +0100
commit	de5fbba9e2dabd18027adb38157b2eab44e9d0a8 (patch)
tree	8f4edea8ea69d434235e31da4d677e6768f236ac
parent	8c6414be15bac95c34262b73766c64524c25772e (diff)
parent	e5ba1d324d3bda239907cd704a2f9646e777b820 (diff)
download	systemd-de5fbba9e2dabd18027adb38157b2eab44e9d0a8.tar.gz