picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

core: add test case for PrivateUsers=true in user manager 

The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs}
directives work as expected when PrivateUsers=yes in a user manager.

Some code is also added to test-functions to help set up test cases that
exercise the user manager.
This commit is contained in:
Filipe Brandenburger 2019-11-13 10:32:24 -08:00 committed by Anita Zhang
parent 5749f855a7
commit a49ad4c482
4 changed files with 163 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
test/TEST-43-PRIVATEUSER-UNPRIV/Makefile Normal file
View File

@ -0,0 +1,9 @@
BUILD_DIR=$(shell ../../tools/find-build-dir.sh)
all setup run:
@basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --$@
clean clean-again:
@basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --clean
.PHONY: all setup run clean clean-again

45
test/TEST-43-PRIVATEUSER-UNPRIV/test.sh Executable file
View File

@ -0,0 +1,45 @@
#!/bin/bash
set -e
TEST_DESCRIPTION="Test PrivateUsers=yes on user manager"
. $TEST_BASE_DIR/test-functions
test_setup() {
create_empty_image_rootdir
(
LOG_LEVEL=5
eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
setup_basic_environment
mask_supporting_services
usermod --root $initdir -d /home/nobody -s /bin/bash nobody
mkdir $initdir/home $initdir/home/nobody
# Ubuntu's equivalent is nogroup
chown nobody:nobody $initdir/home/nobody || chown nobody:nogroup $initdir/home/nobody
enable_user_manager nobody
nobody_uid=$(id -u nobody)
# setup the testsuite service
cat >$initdir/etc/systemd/system/testsuite.service <<EOF
[Unit]
Description=Testsuite service
After=systemd-logind.service user@$nobody_uid.service
[Service]
ExecStart=/testsuite.sh
Type=oneshot
EOF
cp testsuite.sh $initdir/
setup_testsuite
)
setup_nspawn_root
}
has_user_dbus_socket || exit 0
do_test "$@"

61
test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh Executable file
View File

@ -0,0 +1,61 @@
#!/bin/bash
set -ex
set -o pipefail
systemd-analyze log-level debug
runas() {
declare userid=$1
shift
su "$userid" -c 'XDG_RUNTIME_DIR=/run/user/$UID "$@"' -- sh "$@"
}
runas nobody systemctl --user --wait is-system-running
runas nobody systemd-run --user --unit=test-private-users \
-p PrivateUsers=yes -P echo hello
runas nobody systemd-run --user --unit=test-private-tmp-innerfile \
-p PrivateUsers=yes -p PrivateTmp=yes \
-P touch /tmp/innerfile.txt
# File should not exist outside the job's tmp directory.
test ! -e /tmp/innerfile.txt
touch /tmp/outerfile.txt
# File should not appear in unit's private tmp.
runas nobody systemd-run --user --unit=test-private-tmp-outerfile \
-p PrivateUsers=yes -p PrivateTmp=yes \
-P test ! -e /tmp/outerfile.txt
# Confirm that creating a file in home works
runas nobody systemd-run --user --unit=test-unprotected-home \
-P touch /home/nobody/works.txt
test -e /home/nobody/works.txt
# Confirm that creating a file in home is blocked under read-only
runas nobody systemd-run --user --unit=test-protect-home-read-only \
-p PrivateUsers=yes -p ProtectHome=read-only \
-P bash -c '
test -e /home/nobody/works.txt
! touch /home/nobody/blocked.txt
'
test ! -e /home/nobody/blocked.txt
# Check that tmpfs hides the whole directory
runas nobody systemd-run --user --unit=test-protect-home-tmpfs \
-p PrivateUsers=yes -p ProtectHome=tmpfs \
-P test ! -e /home/nobody
# Confirm we cannot change groups because we only have one mapping in the user
# namespace (no CAP_SETGID in the parent namespace to write the additional
# mapping of the user supplied group and thus cannot change groups to an
# unmapped group ID)
! runas nobody systemd-run --user --unit=test-group-fail \
-p PrivateUsers=yes -p Group=daemon \
-P true
systemd-analyze log-level info
echo OK > /testok
exit 0

49
test/test-functions
View File

@ -787,7 +787,7 @@ install_libnss() {
install_dbus() {
inst $ROOTLIBDIR/system/dbus.socket
# Newer Fedora versions use dbus-broker by default. Let's install it is available.
# Newer Fedora versions use dbus-broker by default. Let's install it if it's available.
if [ -f $ROOTLIBDIR/system/dbus-broker.service ]; then
inst $ROOTLIBDIR/system/dbus-broker.service
inst_symlink /etc/systemd/system/dbus.service
@ -809,6 +809,31 @@ install_dbus() {
done
}
install_user_dbus() {
inst $ROOTLIBDIR/user/dbus.socket
inst_symlink /usr/lib/systemd/user/sockets.target.wants/dbus.socket || inst_symlink /etc/systemd/user/sockets.target.wants/dbus.socket
# Append the After= dependency on dbus in case it isn't already set up
mkdir -p "$initdir/etc/systemd/system/user@.service.d/"
cat <<EOF >"$initdir/etc/systemd/system/user@.service.d/dbus.conf"
[Unit]
After=dbus.service
EOF
# Newer Fedora versions use dbus-broker by default. Let's install it if it's available.
if [ -f $ROOTLIBDIR/user/dbus-broker.service ]; then
inst $ROOTLIBDIR/user/dbus-broker.service
inst_symlink /etc/systemd/user/dbus.service
elif [ -f $ROOTLIBDIR/system/dbus-daemon.service ]; then
# Fedora rawhide replaced dbus.service with dbus-daemon.service
inst $ROOTLIBDIR/user/dbus-daemon.service
# Alias symlink
inst_symlink /etc/systemd/user/dbus.service
else
inst $ROOTLIBDIR/user/dbus.service
fi
}
install_pam() {
(
if [[ "$LOOKS_LIKE_DEBIAN" ]] && type -p dpkg-architecture &>/dev/null; then
@ -879,6 +904,28 @@ install_terminfo() {
dracut_install -o ${_terminfodir}/l/linux
}
has_user_dbus_socket() {
if [ -f /usr/lib/systemd/user/dbus.socket ] || [ -f /etc/systemd/user/dbus.socket ]; then
return 0
else
echo "Per-user instances are not supported. Skipping..."
return 1
fi
}
enable_user_manager() {
has_user_dbus_socket || return 0
local _userid
[[ $# -gt 0 ]] || set -- nobody
mkdir -p "$initdir/var/lib/systemd/linger"
for _userid; do
touch "$initdir/var/lib/systemd/linger/$_userid"
done
dracut_install su
install_user_dbus
}
setup_testsuite() {
cp $TEST_BASE_DIR/testsuite.target $initdir/etc/systemd/system/
cp $TEST_BASE_DIR/end.service $initdir/etc/systemd/system/