diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index b2d668dc89..d910471d1f 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -379,48 +379,52 @@ static void test_exec_systemcallfilter_system(Manager *m) { return; } + test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED); + if (!check_nobody_user_and_group()) { - log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__); + log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); return; } - if (streq(NOBODY_USER_NAME, "nobody")) - test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED); - else if (streq(NOBODY_USER_NAME, "nfsnobody")) - test(m, "exec-systemcallfilter-system-user-nfsnobody.service", 0, CLD_EXITED); - else - log_error("Unsupported nobody user name '%s', skipping %s", NOBODY_USER_NAME, __func__); + if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { + log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__); + return; + } + + test(m, "exec-systemcallfilter-system-user-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); #endif } static void test_exec_user(Manager *m) { + test(m, "exec-user.service", 0, CLD_EXITED); + if (!check_nobody_user_and_group()) { - log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__); + log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); return; } - if (streq(NOBODY_USER_NAME, "nobody")) - test(m, "exec-user.service", 0, CLD_EXITED); - else if (streq(NOBODY_USER_NAME, "nfsnobody")) - test(m, "exec-user-nfsnobody.service", 0, CLD_EXITED); - else - log_error("Unsupported nobody user name '%s', skipping %s", NOBODY_USER_NAME, __func__); + if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { + log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__); + return; + } + + test(m, 
"exec-user-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); } static void test_exec_group(Manager *m) { + test(m, "exec-group.service", 0, CLD_EXITED); + if (!check_nobody_user_and_group()) { - log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__); + log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); return; } - if (streq(NOBODY_GROUP_NAME, "nobody")) - test(m, "exec-group.service", 0, CLD_EXITED); - else if (streq(NOBODY_GROUP_NAME, "nfsnobody")) - test(m, "exec-group-nfsnobody.service", 0, CLD_EXITED); - else if (streq(NOBODY_GROUP_NAME, "nogroup")) - test(m, "exec-group-nogroup.service", 0, CLD_EXITED); - else - log_error("Unsupported nobody group name '%s', skipping %s", NOBODY_GROUP_NAME, __func__); + if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) { + log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__); + return; + } + + test(m, "exec-group-" NOBODY_GROUP_NAME ".service", 0, CLD_EXITED); } static void test_exec_supplementarygroups(Manager *m) { 
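Review bot: The now-unconditional `test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);`, `exec-user.service` and `exec-group.service` calls run units that, per the fixture changes later in this diff, set `User=daemon` / `Group=daemon`, yet nothing verifies that a `daemon` account exists the way `check_nobody_user_and_group()` does for nobody; on a build host without it the unit cannot spawn and the whole test binary fails instead of skipping. A guard placed before those calls, e.g. `if (!getpwnam("daemon") || !getgrnam("daemon")) { log_notice("daemon user/group missing, skipping %s", __func__); return; }` (assuming the file already has the pwd/grp or user-util helpers in scope), or a shared `check_daemon_user_and_group()` helper for the five affected functions, would keep the skip semantics consistent. The pasting `"exec-user-" NOBODY_USER_NAME ".service"` additionally requires NOBODY_USER_NAME to be a string-literal macro from the build configuration; a one-line comment such as `/* NOBODY_USER_NAME is a string literal from meson, so it can be pasted into the unit name */` would make that dependency visible. test_exec_systemcallfilter_system begins outside the hunk (the `#ifdef` paired with the visible `#endif` is not shown) and test_exec_supplementarygroups continues past it.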
@@ -504,20 +508,19 @@ static void test_exec_umask(Manager *m) { static void test_exec_runtimedirectory(Manager *m) { test(m, "exec-runtimedirectory.service", 0, CLD_EXITED); test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED); + test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED); if (!check_nobody_user_and_group()) { - log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__); + log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); return; } - if (streq(NOBODY_GROUP_NAME, "nobody")) - test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED); - else if (streq(NOBODY_GROUP_NAME, "nfsnobody")) - test(m, "exec-runtimedirectory-owner-nfsnobody.service", 0, CLD_EXITED); - else if (streq(NOBODY_GROUP_NAME, "nogroup")) - test(m, "exec-runtimedirectory-owner-nogroup.service", 0, CLD_EXITED); - else - log_error("Unsupported nobody group name '%s', skipping %s", NOBODY_GROUP_NAME, __func__); + if (!STR_IN_SET(NOBODY_GROUP_NAME, "nobody", "nfsnobody", "nogroup")) { + log_error("Unsupported nobody group name '%s', skipping remaining tests in %s", NOBODY_GROUP_NAME, __func__); + return; + } + + test(m, "exec-runtimedirectory-owner-" NOBODY_GROUP_NAME ".service", 0, CLD_EXITED); } static void test_exec_capabilityboundingset(Manager *m) { 
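Review bot: `test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);` is now executed unconditionally and, per this diff's fixture change, that unit requests `Group=daemon`, so the function gains a hard dependency on the `daemon` group with no skip path, while the nobody variant a few lines below remains guarded by `check_nobody_user_and_group()`. Either guard it with an equivalent group lookup, or at least document the assumption on the line: `/* exec-runtimedirectory-owner.service uses Group=daemon; assumed present on every build host */`. The renamed `RuntimeDirectory=test-exec_runtimedirectory-owner-daemon` in the fixture does avoid sharing a directory with the `-nobody` variant, which is worth keeping. test_exec_umask (only its closing brace is visible) starts above the hunk and test_exec_capabilityboundingset continues below it.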
@@ -548,19 +551,21 @@ static void test_exec_capabilityambientset(Manager *m) { return; } + test(m, "exec-capabilityambientset.service", 0, CLD_EXITED); + test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED); + if (!check_nobody_user_and_group()) { - log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__); + log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__); return; } - if (streq(NOBODY_USER_NAME, "nobody")) { - test(m, "exec-capabilityambientset.service", 0, CLD_EXITED); - test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED); - } else if (streq(NOBODY_USER_NAME, "nfsnobody")) { - test(m, "exec-capabilityambientset-nfsnobody.service", 0, CLD_EXITED); - test(m, "exec-capabilityambientset-merge-nfsnobody.service", 0, CLD_EXITED); - } else - log_error("Unsupported nobody user name '%s', skipping %s", NOBODY_USER_NAME, __func__); + if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { + log_error("Unsupported nobody user name '%s', skipping remaining tests in %s", NOBODY_USER_NAME, __func__); + return; + } + + test(m, "exec-capabilityambientset-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); + test(m, "exec-capabilityambientset-merge-" NOBODY_USER_NAME ".service", 0, CLD_EXITED); } static void test_exec_privatenetwork(Manager *m) { diff --git a/test/meson.build b/test/meson.build index 81591467bb..ac6a70d38d 100644 --- a/test/meson.build +++ b/test/meson.build 
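Review bot: The sequence `if (!check_nobody_user_and_group()) { … return; } if (!STR_IN_SET(NOBODY_USER_NAME, "nobody", "nfsnobody")) { … return; }` added here is the third verbatim copy in this diff (test_exec_systemcallfilter_system and test_exec_user carry identical lines, and two more functions carry the NOBODY_GROUP_NAME variant with "nogroup" in the set), so the accepted-name sets and log wording now live in five places that can drift independently. A small static helper, e.g. `static bool nobody_user_supported(const char *func)` that performs both checks, logs the skip and returns false, called as `if (!nobody_user_supported(__func__)) return;`, with a sibling for the group name, would centralise that. test_exec_capabilityambientset begins above the hunk: the leading `return; }` closes an earlier early-exit whose condition is not visible.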
@@ -47,8 +47,10 @@ test_data_files = ''' sysinit.target test-execute/exec-bindpaths.service test-execute/exec-capabilityambientset-merge-nfsnobody.service + test-execute/exec-capabilityambientset-merge-nobody.service test-execute/exec-capabilityambientset-merge.service test-execute/exec-capabilityambientset-nfsnobody.service + test-execute/exec-capabilityambientset-nobody.service test-execute/exec-capabilityambientset.service test-execute/exec-capabilityboundingset-invert.service test-execute/exec-capabilityboundingset-merge.service @@ -68,6 +70,7 @@ test_data_files = ''' test-execute/exec-environment.service test-execute/exec-environmentfile.service test-execute/exec-group-nfsnobody.service + test-execute/exec-group-nobody.service test-execute/exec-group-nogroup.service test-execute/exec-group.service test-execute/exec-ignoresigpipe-no.service @@ -113,6 +116,7 @@ test_data_files = ''' test-execute/exec-restrictnamespaces-yes.service test-execute/exec-runtimedirectory-mode.service test-execute/exec-runtimedirectory-owner-nfsnobody.service + test-execute/exec-runtimedirectory-owner-nobody.service test-execute/exec-runtimedirectory-owner-nogroup.service test-execute/exec-runtimedirectory-owner.service test-execute/exec-runtimedirectory.service @@ -134,6 +138,7 @@ test_data_files = ''' test-execute/exec-systemcallfilter-not-failing.service test-execute/exec-systemcallfilter-not-failing2.service test-execute/exec-systemcallfilter-system-user-nfsnobody.service + test-execute/exec-systemcallfilter-system-user-nobody.service test-execute/exec-systemcallfilter-system-user.service test-execute/exec-systemcallfilter-with-errno-name.service test-execute/exec-systemcallfilter-with-errno-number.service 
@@ -145,6 +150,7 @@ test_data_files = ''' test-execute/exec-umask-default.service test-execute/exec-unsetenvironment.service test-execute/exec-user-nfsnobody.service + test-execute/exec-user-nobody.service test-execute/exec-user.service test-execute/exec-workingdirectory.service test-path/basic.target diff --git a/test/test-execute/exec-capabilityambientset-merge-nobody.service b/test/test-execute/exec-capabilityambientset-merge-nobody.service new file mode 100644 index 0000000000..64964380e2 --- /dev/null +++ b/test/test-execute/exec-capabilityambientset-merge-nobody.service @@ -0,0 +1,9 @@ +[Unit] +Description=Test for AmbientCapabilities + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"' +Type=oneshot +User=nobody +AmbientCapabilities=CAP_NET_ADMIN +AmbientCapabilities=CAP_NET_RAW diff --git a/test/test-execute/exec-capabilityambientset-merge.service b/test/test-execute/exec-capabilityambientset-merge.service index 64964380e2..22b4c6d49e 100644 --- a/test/test-execute/exec-capabilityambientset-merge.service +++ b/test/test-execute/exec-capabilityambientset-merge.service @@ -1,9 +1,9 @@ [Unit] -Description=Test for AmbientCapabilities +Description=Test for AmbientCapabilities (daemon) [Service] ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"' Type=oneshot -User=nobody +User=daemon AmbientCapabilities=CAP_NET_ADMIN AmbientCapabilities=CAP_NET_RAW diff --git a/test/test-execute/exec-capabilityambientset-nobody.service b/test/test-execute/exec-capabilityambientset-nobody.service new file mode 100644 index 0000000000..d63f884ef8 --- /dev/null +++ b/test/test-execute/exec-capabilityambientset-nobody.service 
@@ -0,0 +1,8 @@ +[Unit] +Description=Test for AmbientCapabilities + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"' +Type=oneshot +User=nobody +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW diff --git a/test/test-execute/exec-capabilityambientset.service b/test/test-execute/exec-capabilityambientset.service index d63f884ef8..0a3cfa4bf6 100644 --- a/test/test-execute/exec-capabilityambientset.service +++ b/test/test-execute/exec-capabilityambientset.service @@ -1,8 +1,8 @@ [Unit] -Description=Test for AmbientCapabilities +Description=Test for AmbientCapabilities (daemon) [Service] ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"' Type=oneshot -User=nobody +User=daemon AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW diff --git a/test/test-execute/exec-group-nobody.service b/test/test-execute/exec-group-nobody.service new file mode 100644 index 0000000000..be7c796912 --- /dev/null +++ b/test/test-execute/exec-group-nobody.service @@ -0,0 +1,7 @@ +[Unit] +Description=Test for Group + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nobody"' +Type=oneshot +Group=nobody diff --git a/test/test-execute/exec-group.service b/test/test-execute/exec-group.service index be7c796912..be55992395 100644 --- a/test/test-execute/exec-group.service +++ b/test/test-execute/exec-group.service @@ -1,7 +1,7 @@ [Unit] -Description=Test for Group +Description=Test for Group (daemon) [Service] -ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nobody"' +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"' Type=oneshot -Group=nobody +Group=daemon diff --git a/test/test-execute/exec-runtimedirectory-owner-nobody.service b/test/test-execute/exec-runtimedirectory-owner-nobody.service new file mode 100644 index 0000000000..54782f9bbd --- /dev/null +++ b/test/test-execute/exec-runtimedirectory-owner-nobody.service 
@@ -0,0 +1,9 @@ +[Unit] +Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set) + +[Service] +ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nobody"' +Type=oneshot +Group=nobody +User=root +RuntimeDirectory=test-exec_runtimedirectory-owner diff --git a/test/test-execute/exec-runtimedirectory-owner.service b/test/test-execute/exec-runtimedirectory-owner.service index 54782f9bbd..07dd7ca3af 100644 --- a/test/test-execute/exec-runtimedirectory-owner.service +++ b/test/test-execute/exec-runtimedirectory-owner.service @@ -2,8 +2,8 @@ Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set) [Service] -ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nobody"' +ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner-daemon); test "$$group" = "daemon"' Type=oneshot -Group=nobody +Group=daemon User=root -RuntimeDirectory=test-exec_runtimedirectory-owner +RuntimeDirectory=test-exec_runtimedirectory-owner-daemon diff --git a/test/test-execute/exec-systemcallfilter-system-user-nobody.service b/test/test-execute/exec-systemcallfilter-system-user-nobody.service new file mode 100644 index 0000000000..da129a30e4 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-system-user-nobody.service @@ -0,0 +1,11 @@ +[Unit] +Description=Test for SystemCallFilter in system mode with User set + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +User=nobody +SystemCallFilter=~read write open execve ioperm +SystemCallFilter=ioctl +SystemCallFilter=read write open execve +SystemCallFilter=~ioperm diff --git a/test/test-execute/exec-systemcallfilter-system-user.service b/test/test-execute/exec-systemcallfilter-system-user.service index da129a30e4..488a3bb79e 100644 --- a/test/test-execute/exec-systemcallfilter-system-user.service 
+++ b/test/test-execute/exec-systemcallfilter-system-user.service @@ -1,10 +1,10 @@ [Unit] -Description=Test for SystemCallFilter in system mode with User set +Description=Test for SystemCallFilter in system mode with User set (daemon) [Service] ExecStart=/bin/sh -c 'echo "Foo bar"' Type=oneshot -User=nobody +User=daemon SystemCallFilter=~read write open execve ioperm SystemCallFilter=ioctl SystemCallFilter=read write open execve diff --git a/test/test-execute/exec-user-nobody.service b/test/test-execute/exec-user-nobody.service new file mode 100644 index 0000000000..0a00c1abc4 --- /dev/null +++ b/test/test-execute/exec-user-nobody.service @@ -0,0 +1,7 @@ +[Unit] +Description=Test for User + +[Service] +ExecStart=/bin/sh -x -c 'test "$$USER" = "nobody"' +Type=oneshot +User=nobody diff --git a/test/test-execute/exec-user.service b/test/test-execute/exec-user.service index 0a00c1abc4..d315a828d4 100644 --- a/test/test-execute/exec-user.service +++ b/test/test-execute/exec-user.service @@ -1,7 +1,7 @@ [Unit] -Description=Test for User +Description=Test for User (daemon) [Service] -ExecStart=/bin/sh -x -c 'test "$$USER" = "nobody"' +ExecStart=/bin/sh -x -c 'test "$$USER" = "daemon"' Type=oneshot -User=nobody +User=daemon
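Review bot: The assertion `test "$$USER" = "daemon"` checks an environment variable exported by the manager rather than the credentials the process actually runs with, so a unit that set `$USER` but failed to switch uid would still pass; the sibling exec-group.service in this same diff asserts on `id -n -g`, and the symmetric `test "$$(id -n -u)" = "daemon"` here would verify the real uid. The same applies to the new exec-user-nobody.service above, which uses the identical `$$USER` check. The hunk covers the whole seven-line unit file.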