mirror of
https://github.com/systemd/systemd
synced 2024-10-14 20:17:52 +00:00
test: add integration test for unpriv mountfsd/nsresourced
parent
0af7e29434
commit
625646815b
|
@ -12,6 +12,15 @@ TEST_INSTALL_VERITY_MINIMAL=1
|
||||||
# shellcheck source=test/test-functions
|
# shellcheck source=test/test-functions
|
||||||
. "${TEST_BASE_DIR:?}/test-functions"
|
. "${TEST_BASE_DIR:?}/test-functions"
|
||||||
|
|
||||||
|
# On Ubuntu the BPF LSM is not enabled by default, so we need to do it via the
|
||||||
|
# kernel command line on boot
|
||||||
|
if [ "$LOOKS_LIKE_UBUNTU" = "yes" ]; then
|
||||||
|
KERNEL_OPTIONS=(
|
||||||
|
"lsm=lockdown,capability,landlock,yama,apparmor,bpf"
|
||||||
|
)
|
||||||
|
KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
|
||||||
|
fi
|
||||||
|
|
||||||
test_require_bin mksquashfs veritysetup sfdisk
|
test_require_bin mksquashfs veritysetup sfdisk
|
||||||
|
|
||||||
test_append_files() {
|
test_append_files() {
|
||||||
|
|
|
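Review bot: The `lsm=` string in `KERNEL_OPTIONS` replaces the kernel's whole built-in LSM list rather than appending `bpf` to it, and the comment above the `if` does not say so. Any module in the distribution's default list that is not named here is switched off in the test VM, and the hard-coded list can drift from the distro default without anyone noticing. I would extend the comment, for example `# NB: lsm= overrides the built-in LSM list, so every LSM the tests rely on must be named here, not only bpf`. The matching guard in the test unit only greps for `bpf` in `/sys/kernel/security/lsm`, so a dropped module would not be caught there.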
@ -39,6 +39,8 @@ os_release=$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os
|
||||||
# shellcheck source=/dev/null
|
# shellcheck source=/dev/null
|
||||||
source "$os_release"
|
source "$os_release"
|
||||||
[[ "$ID" == "debian" || " $ID_LIKE " == *" debian "* ]] && LOOKS_LIKE_DEBIAN=yes || LOOKS_LIKE_DEBIAN=no
|
[[ "$ID" == "debian" || " $ID_LIKE " == *" debian "* ]] && LOOKS_LIKE_DEBIAN=yes || LOOKS_LIKE_DEBIAN=no
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
[[ "$ID" == "ubuntu" ]] && LOOKS_LIKE_UBUNTU=yes || LOOKS_LIKE_UBUNTU=no
|
||||||
[[ "$ID" == "arch" || " $ID_LIKE " == *" arch "* ]] && LOOKS_LIKE_ARCH=yes || LOOKS_LIKE_ARCH=no
|
[[ "$ID" == "arch" || " $ID_LIKE " == *" arch "* ]] && LOOKS_LIKE_ARCH=yes || LOOKS_LIKE_ARCH=no
|
||||||
[[ "$ID" == "fedora" ]] && LOOKS_LIKE_FEDORA=yes || LOOKS_LIKE_FEDORA=no
|
[[ "$ID" == "fedora" ]] && LOOKS_LIKE_FEDORA=yes || LOOKS_LIKE_FEDORA=no
|
||||||
[[ " $ID_LIKE " == *" suse "* ]] && LOOKS_LIKE_SUSE=yes || LOOKS_LIKE_SUSE=no
|
[[ " $ID_LIKE " == *" suse "* ]] && LOOKS_LIKE_SUSE=yes || LOOKS_LIKE_SUSE=no
|
||||||
|
@ -733,6 +735,7 @@ install_verity_minimal() {
|
||||||
BASICTOOLS=(
|
BASICTOOLS=(
|
||||||
bash
|
bash
|
||||||
cat
|
cat
|
||||||
|
echo
|
||||||
grep
|
grep
|
||||||
mount
|
mount
|
||||||
sleep
|
sleep
|
||||||
|
|
|
@ -6,6 +6,9 @@
|
||||||
set -eux
|
set -eux
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
|
# shellcheck source=test/units/util.sh
|
||||||
|
. "$(dirname "$0")"/util.sh
|
||||||
|
|
||||||
export SYSTEMD_LOG_LEVEL=debug
|
export SYSTEMD_LOG_LEVEL=debug
|
||||||
|
|
||||||
cleanup_image_dir() {
|
cleanup_image_dir() {
|
||||||
|
@ -798,6 +801,62 @@ if command -v mksquashfs >/dev/null 2>&1; then
|
||||||
(! test -f /usr/waldo)
|
(! test -f /usr/waldo)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test -f /usr/lib/systemd/system/systemd-mountfsd.socket -a -f /usr/lib/systemd/system/systemd-nsresourced.socket && \
|
||||||
|
command -v command -v mksquashfs >/dev/null 2>&1 && \
|
||||||
|
grep -q bpf /sys/kernel/security/lsm && \
|
||||||
|
test "$(find /usr/lib* -name libbpf.so.1 2>/dev/null)" != "" ; then
|
||||||
|
|
||||||
|
cleanunprivfiles() {
|
||||||
|
umount -R /tmp/unpriv/mount
|
||||||
|
rmdir /tmp/unpriv
|
||||||
|
rm -f /tmp/test-50-unpriv-privkey.key /tmp/test-50-unpriv-cert.crt /run/verity.d/test-50-unpriv-cert.crt
|
||||||
|
rm -f /var/tmp/unpriv.raw /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree
|
||||||
|
rm -f /tmp/unpriv.out /tmp/unpriv.out2 /tmp/unpriv.out3
|
||||||
|
}
|
||||||
|
|
||||||
|
trap cleanunprivfiles EXIT
|
||||||
|
|
||||||
|
systemctl start systemd-mountfsd.socket systemd-nsresourced.socket
|
||||||
|
|
||||||
|
openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout /tmp/test-50-unpriv-privkey.key -out /tmp/test-50-unpriv-cert.crt
|
||||||
|
|
||||||
|
systemd-dissect --mkdir --mount "${image}.raw" /tmp/unpriv/mount
|
||||||
|
SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs systemd-repart -P -s /tmp/unpriv/mount --certificate=/tmp/test-50-unpriv-cert.crt --private-key=/tmp/test-50-unpriv-privkey.key /var/tmp/unpriv.raw
|
||||||
|
systemd-dissect --rmdir --umount /tmp/unpriv/mount
|
||||||
|
|
||||||
|
systemd-dissect --image-policy='root=unprotected:=absent+unused' /var/tmp/unpriv.raw
|
||||||
|
systemd-dissect --image-policy='root=unprotected:=absent+unused' --mtree /var/tmp/unpriv.raw | tee /tmp/unpriv.raw.mtree
|
||||||
|
|
||||||
|
# Run unpriv, should fail due to lack of privs
|
||||||
|
(! runas testuser systemd-dissect /var/tmp/unpriv.raw )
|
||||||
|
(! runas testuser systemd-dissect --mtree /var/tmp/unpriv.raw )
|
||||||
|
|
||||||
|
# Install key in keychain
|
||||||
|
cp /tmp/test-50-unpriv-cert.crt /run/verity.d
|
||||||
|
|
||||||
|
# Now run unpriv again, should be OK now.
|
||||||
|
runas testuser systemd-dissect /var/tmp/unpriv.raw
|
||||||
|
runas testuser systemd-dissect --mtree /var/tmp/unpriv.raw | tee /tmp/unpriv2.raw.mtree
|
||||||
|
|
||||||
|
# Check that unpriv and priv run yielded same results
|
||||||
|
cmp /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree
|
||||||
|
|
||||||
|
# Make sure nspawn works unpriv, too (for now do not nest)
|
||||||
|
if ! systemd-detect-virt -c ; then
|
||||||
|
systemd-nspawn --pipe -i /var/tmp/unpriv.raw --read-only echo thisisatest > /tmp/unpriv.out
|
||||||
|
echo thisisatest | cmp /tmp/unpriv.out -
|
||||||
|
|
||||||
|
# The unpriv user has no rights to lock the image or write to it. Let's
|
||||||
|
# turn off both for this test, so that we don't have to copy the image
|
||||||
|
# around.
|
||||||
|
systemd-run -M testuser@ --user --pipe -p Environment=SYSTEMD_NSPAWN_LOCK=0 -p Delegate=1 -p DelegateSubgroup=supervisor -p Environment=SYSTEMD_LOG_LEVEL=debug --wait systemd-nspawn --keep-unit -i /var/tmp/unpriv.raw --read-only --pipe echo thisisatest > /tmp/unpriv.out2
|
||||||
|
echo thisisatest | cmp /tmp/unpriv.out2 -
|
||||||
|
fi
|
||||||
|
|
||||||
|
systemd-run -M testuser@ --user --pipe -p RootImage=/var/tmp/unpriv.raw -p PrivateUsers=1 --wait echo thisisatest > /tmp/unpriv.out3
|
||||||
|
echo thisisatest | cmp /tmp/unpriv.out3 -
|
||||||
|
fi
|
||||||
|
|
||||||
# Sneak in a couple of expected-to-fail invocations to cover
|
# Sneak in a couple of expected-to-fail invocations to cover
|
||||||
# https://github.com/systemd/systemd/issues/29610
|
# https://github.com/systemd/systemd/issues/29610
|
||||||
(! systemd-run -P -p MountImages="/this/should/definitely/not/exist.img:/run/img2\:3:nosuid" false)
|
(! systemd-run -P -p MountImages="/this/should/definitely/not/exist.img:/run/img2\:3:nosuid" false)
|
||||||
|
|
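Review bot: The guard line `command -v command -v mksquashfs >/dev/null 2>&1 && \` repeats `command -v`, so it looks up the names `command`, `-v` and `mksquashfs`; in bash this most likely succeeds as soon as any one of them is found, which `command` always is, so a missing mksquashfs would no longer skip the block, and the line should read `command -v mksquashfs >/dev/null 2>&1 && \`. Separately, `cleanunprivfiles` runs under `set -eux` and starts with `umount -R /tmp/unpriv/mount`, which `systemd-dissect --rmdir --umount` has already unmounted on the success path; if that failure ends the handler early (worth confirming), the unencrypted private key in /tmp and the certificate copied into `/run/verity.d` are left behind, so a test signing certificate stays trusted after the test. Making the first two steps tolerant, `umount -R /tmp/unpriv/mount || :` and `rmdir /tmp/unpriv || :`, or moving the `rm -f` lines ahead of them would make removal of the key material unconditional.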