author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-03-05 17:45:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-05 17:45:28 +0100 |
commit | de5fbba9e2dabd18027adb38157b2eab44e9d0a8 (patch) | |
tree | 8f4edea8ea69d434235e31da4d677e6768f236ac | |
parent | 8c6414be15bac95c34262b73766c64524c25772e (diff) | |
parent | e5ba1d324d3bda239907cd704a2f9646e777b820 (diff) | |
download | systemd-de5fbba9e2dabd18027adb38157b2eab44e9d0a8.tar.gz |
Merge pull request #8341 from yuwata/test-execute-ambient
test-execute: check capabilities before running tests
-rw-r--r-- | src/test/test-execute.c | 56 | ||||
-rw-r--r-- | test/meson.build | 12 | ||||
-rw-r--r-- | test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service (renamed from test/test-execute/exec-capabilityambientset-merge-nfsnobody.service) | 4 | ||||
-rw-r--r-- | test/test-execute/exec-ambientcapabilities-merge-nobody.service (renamed from test/test-execute/exec-capabilityambientset-merge-nobody.service) | 4 | ||||
-rw-r--r-- | test/test-execute/exec-ambientcapabilities-merge.service (renamed from test/test-execute/exec-capabilityambientset-merge.service) | 4 | ||||
-rw-r--r-- | test/test-execute/exec-ambientcapabilities-nfsnobody.service (renamed from test/test-execute/exec-capabilityambientset-nfsnobody.service) | 4 | ||||
-rw-r--r-- | test/test-execute/exec-ambientcapabilities-nobody.service (renamed from test/test-execute/exec-capabilityambientset-nobody.service) | 4 | ||||
-rw-r--r-- | test/test-execute/exec-ambientcapabilities.service (renamed from test/test-execute/exec-capabilityambientset.service) | 4 |
8 files changed, 53 insertions, 39 deletions
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index d910471d1f..645e0b3d47 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -24,6 +24,7 @@
 #include <sys/prctl.h>
 #include <sys/types.h>
+#include "capability-util.h"
 #include "cpu-set-util.h"
 #include "errno-list.h"
 #include "fileio.h"
@@ -248,7 +249,7 @@ static void test_exec_privatedevices(Manager *m) {
 * properly set, so be sure that it exists */
 r = find_binary("capsh", NULL);
 if (r < 0) {
- log_error_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
+ log_notice_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
 return;
 }
@@ -272,7 +273,7 @@ static void test_exec_protectkernelmodules(Manager *m) {
 r = find_binary("capsh", NULL);
 if (r < 0) {
- log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+ log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
 return;
 }
@@ -382,12 +383,12 @@ static void test_exec_systemcallfilter_system(Manager *m) {
 test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
 if (!check_nobody_user_and_group()) {
- log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+ log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
 return;
 }
 if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
- log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
+ log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
 return;
 }
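Review bot: The skip path changed in test_exec_privatedevices now logs at notice level and returns, so a run in which this sandboxing test was skipped looks the same as one in which it passed; the same holds for the other skip paths touched in test_exec_protectkernelmodules, test_exec_capabilityboundingset, test_exec_ambientcapabilities, test_exec_privatenetwork and the nobody user/group checks. The test functions are declared `static void`, so as far as the hunks show a skip cannot reach main() through a return value. Since these tests cover privilege-dropping settings, it would help to record that a skip happened and report it once at the end of the run. At minimum each skip should carry a comment such as `/* skipped, not passed: capsh is needed to verify the resulting capability sets */`. The function bodies start and end outside the hunks.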
@@ -399,12 +400,12 @@ static void test_exec_user(Manager *m) {
 test(m, "exec-user.service", 0, CLD_EXITED);
 if (!check_nobody_user_and_group()) {
- log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+ log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
 return;
 }
 if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
- log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
+ log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
 return;
 }
@@ -415,12 +416,12 @@ static void test_exec_group(Manager *m) {
 test(m, "exec-group.service", 0, CLD_EXITED);
 if (!check_nobody_user_and_group()) {
- log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+ log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
 return;
 }
 if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
- log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
+ log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
 return;
 }
@@ -511,12 +512,12 @@ static void test_exec_runtimedirectory(Manager *m) {
 test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
 if (!check_nobody_user_and_group()) {
- log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+ log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
 return;
 }
 if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) {
- log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
+ log_notice("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__);
 return;
 }
@@ -528,7 +529,14 @@ static void test_exec_capabilityboundingset(Manager *m) {
 r = find_binary("capsh", NULL);
 if (r < 0) {
- log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+ log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+ return;
+ }
+
+ if (have_effective_cap(CAP_CHOWN) <= 0 ||
+ have_effective_cap(CAP_FOWNER) <= 0 ||
+ have_effective_cap(CAP_KILL) <= 0) {
+ log_notice("Skipping %s, this process does not have enough capabilities", __func__);
 return;
 }
@@ -538,7 +546,7 @@ static void test_exec_capabilityboundingset(Manager *m) {
 test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);
 }
-static void test_exec_capabilityambientset(Manager *m) {
+static void test_exec_ambientcapabilities(Manager *m) {
 int r;
 /* Check if the kernel has support for ambient capabilities. Run
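Review bot: In test_exec_capabilityboundingset the new guard `have_effective_cap(...) <= 0` folds a failed capability query into the "does not have enough capabilities" skip, so an error from the helper is reported as a missing capability and its cause is lost. If the helper returns a negative errno on failure, as the `<= 0` comparison suggests, that case deserves its own message, for example `log_notice_errno(r, "Skipping %s, failed to query capabilities: %m", __func__);` with `r` holding the helper's result. The same pattern appears in the guard added to test_exec_ambientcapabilities. The unit files that need CAP_CHOWN, CAP_FOWNER and CAP_KILL are not part of this change, so a one-line comment above the check naming them would explain why these three were chosen. The function body starts and ends outside the hunk.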
@@ -547,25 +555,31 @@ static void test_exec_capabilityambientset(Manager *m) {
 * in the first place for the tests. */
 r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
 if (r < 0 && IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) {
- log_error("Skipping %s, the kernel does not support ambient capabilities", __func__);
+ log_notice("Skipping %s, the kernel does not support ambient capabilities", __func__);
+ return;
+ }
+
+ if (have_effective_cap(CAP_CHOWN) <= 0 ||
+ have_effective_cap(CAP_NET_RAW) <= 0) {
+ log_notice("Skipping %s, this process does not have enough capabilities", __func__);
 return;
 }
- test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
- test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
+ test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
+ test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
 if (!check_nobody_user_and_group()) {
- log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
+ log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
 return;
 }
 if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) {
- log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
+ log_notice("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__);
 return;
 }
- test(m, "exec-capabilityambientset-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
- test(m, "exec-capabilityambientset-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
+ test(m, "exec-ambientcapabilities-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
+ test(m, "exec-ambientcapabilities-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED);
 }
 static void test_exec_privatenetwork(Manager *m) {
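Review bot: The two capabilities checked in test_exec_ambientcapabilities are tied to the literal `CapAmb: 0000000000002001` that the renamed unit files compare against, but nothing in the function says so. 0x2001 is bit 0 plus bit 13, which are CAP_CHOWN and CAP_NET_RAW, so the check and the unit files have to change together. A comment above the guard would keep them in step, for example `/* Must match AmbientCapabilities= and the expected CapAmb mask in exec-ambientcapabilities*.service */`. The function body starts outside the hunk.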
@@ -573,7 +587,7 @@ static void test_exec_privatenetwork(Manager *m) {
 r = find_binary("ip", NULL);
 if (r < 0) {
- log_error_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
+ log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__);
 return;
 }
@@ -633,8 +647,8 @@ static int run_tests(UnitFileScope scope, const test_function_t *tests) {
 int main(int argc, char *argv[]) {
 _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
 static const test_function_t user_tests[] = {
+ test_exec_ambientcapabilities,
 test_exec_bindpaths,
- test_exec_capabilityambientset,
 test_exec_capabilityboundingset,
 test_exec_cpuaffinity,
 test_exec_environment,
diff --git a/test/meson.build b/test/meson.build
index ac6a70d38d..f86cf388e0 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -45,13 +45,13 @@ test_data_files = '''
 sockets.target
 son.service
 sysinit.target
+ test-execute/exec-ambientcapabilities-merge-nfsnobody.service
+ test-execute/exec-ambientcapabilities-merge-nobody.service
+ test-execute/exec-ambientcapabilities-merge.service
+ test-execute/exec-ambientcapabilities-nfsnobody.service
+ test-execute/exec-ambientcapabilities-nobody.service
+ test-execute/exec-ambientcapabilities.service
 test-execute/exec-bindpaths.service
- test-execute/exec-capabilityambientset-merge-nfsnobody.service
- test-execute/exec-capabilityambientset-merge-nobody.service
- test-execute/exec-capabilityambientset-merge.service
- test-execute/exec-capabilityambientset-nfsnobody.service
- test-execute/exec-capabilityambientset-nobody.service
- test-execute/exec-capabilityambientset.service
 test-execute/exec-capabilityboundingset-invert.service
 test-execute/exec-capabilityboundingset-merge.service
 test-execute/exec-capabilityboundingset-reset.service
diff --git a/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
index 00bec581b5..d2cadebde4 100644
--- a/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service
+++ b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nfsnobody
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-merge-nobody.service b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
index 64964380e2..545081d629 100644
--- a/test/test-execute/exec-capabilityambientset-merge-nobody.service
+++ b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-merge.service b/test/test-execute/exec-ambientcapabilities-merge.service
index 22b4c6d49e..2e3fe59124 100644
--- a/test/test-execute/exec-capabilityambientset-merge.service
+++ b/test/test-execute/exec-ambientcapabilities-merge.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities (daemon)
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=daemon
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
index 614cfdd584..9377ee16b2 100644
--- a/test/test-execute/exec-capabilityambientset-nfsnobody.service
+++ b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nfsnobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-nobody.service b/test/test-execute/exec-ambientcapabilities-nobody.service
index d63f884ef8..07a6c7511d 100644
--- a/test/test-execute/exec-capabilityambientset-nobody.service
+++ b/test/test-execute/exec-ambientcapabilities-nobody.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset.service b/test/test-execute/exec-ambientcapabilities.service
index 0a3cfa4bf6..d91cc09a48 100644
--- a/test/test-execute/exec-capabilityambientset.service
+++ b/test/test-execute/exec-ambientcapabilities.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities (daemon)
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=daemon
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW |