test-execute: cleanup

This renames the test units to follow a consistent naming scheme,
adds several log messages, and sorts the internal functions.
No functional change.
Yu Watanabe 2017-12-06 00:36:55 +09:00
parent 1ff8b31d9b
commit f0e018e748
16 changed files with 135 additions and 130 deletions


@ -102,14 +102,14 @@ static void test(Manager *m, const char *unit_name, int status_expected, int cod
check(m, unit, status_expected, code_expected);
}
static void test_exec_bind_paths(Manager *m) {
assert_se(mkdir_p("/tmp/test-exec_bind_paths", 0755) >= 0);
assert_se(mkdir_p("/tmp/test-exec_bind_readonly_paths", 0755) >= 0);
static void test_exec_bindpaths(Manager *m) {
assert_se(mkdir_p("/tmp/test-exec-bindpaths", 0755) >= 0);
assert_se(mkdir_p("/tmp/test-exec-bindreadonlypaths", 0755) >= 0);
test(m, "exec-bind-paths.service", 0, CLD_EXITED);
test(m, "exec-bindpaths.service", 0, CLD_EXITED);
(void) rm_rf("/tmp/test-exec_bind_paths", REMOVE_ROOT|REMOVE_PHYSICAL);
(void) rm_rf("/tmp/test-exec_bind_readonly_paths", REMOVE_ROOT|REMOVE_PHYSICAL);
(void) rm_rf("/tmp/test-exec-bindpaths", REMOVE_ROOT|REMOVE_PHYSICAL);
(void) rm_rf("/tmp/test-exec-bindreadonlypaths", REMOVE_ROOT|REMOVE_PHYSICAL);
}
static void test_exec_workingdirectory(Manager *m) {
@ -139,6 +139,8 @@ static void test_exec_personality(Manager *m) {
#elif defined(__i386__)
test(m, "exec-personality-x86.service", 0, CLD_EXITED);
#else
log_notice("Unknown personality, skipping %s", __func__);
#endif
}
@ -157,36 +159,25 @@ static void test_exec_privatetmp(Manager *m) {
}
static void test_exec_privatedevices(Manager *m) {
int r;
if (detect_container() > 0) {
log_notice("testing in container, skipping %s", __func__);
log_notice("Testing in container, skipping %s", __func__);
return;
}
if (!is_inaccessible_available()) {
log_notice("testing without inaccessible, skipping %s", __func__);
log_notice("Testing without inaccessible, skipping %s", __func__);
return;
}
test(m, "exec-privatedevices-yes.service", 0, CLD_EXITED);
test(m, "exec-privatedevices-no.service", 0, CLD_EXITED);
}
static void test_exec_privatedevices_capabilities(Manager *m) {
int r;
if (detect_container() > 0) {
log_notice("testing in container, skipping %s", __func__);
return;
}
if (!is_inaccessible_available()) {
log_notice("testing without inaccessible, skipping %s", __func__);
return;
}
/* We use capsh to test if the capabilities are
* properly set, so be sure that it exists */
r = find_binary("capsh", NULL);
if (r < 0) {
log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
log_error_errno(r, "Could not find capsh binary, skipping remaining tests in %s: %m", __func__);
return;
}
@ -200,11 +191,11 @@ static void test_exec_protectkernelmodules(Manager *m) {
int r;
if (detect_container() > 0) {
log_notice("testing in container, skipping %s", __func__);
log_notice("Testing in container, skipping %s", __func__);
return;
}
if (!is_inaccessible_available()) {
log_notice("testing without inaccessible, skipping %s", __func__);
log_notice("Testing without inaccessible, skipping %s", __func__);
return;
}
@ -214,7 +205,6 @@ static void test_exec_protectkernelmodules(Manager *m) {
return;
}
test(m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED);
test(m, "exec-protectkernelmodules-yes-capabilities.service", 0, CLD_EXITED);
test(m, "exec-protectkernelmodules-yes-mount-propagation.service", 0, CLD_EXITED);
@ -222,8 +212,12 @@ static void test_exec_protectkernelmodules(Manager *m) {
static void test_exec_readonlypaths(Manager *m) {
if (path_is_read_only_fs("/var") > 0)
test(m, "exec-readonlypaths-simple.service", 0, CLD_EXITED);
if (path_is_read_only_fs("/var") > 0) {
log_notice("Directory /var is readonly, skipping remaining tests in %s", __func__);
return;
}
test(m, "exec-readonlypaths.service", 0, CLD_EXITED);
test(m, "exec-readonlypaths-mount-propagation.service", 0, CLD_EXITED);
@ -232,68 +226,80 @@ static void test_exec_readonlypaths(Manager *m) {
static void test_exec_readwritepaths(Manager *m) {
if (path_is_read_only_fs("/") > 0)
if (path_is_read_only_fs("/") > 0) {
log_notice("Root directory is readonly, skipping %s", __func__);
return;
}
test(m, "exec-readwritepaths-mount-propagation.service", 0, CLD_EXITED);
}
static void test_exec_inaccessiblepaths(Manager *m) {
if (path_is_read_only_fs("/") > 0)
return;
test(m, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED);
}
static void test_exec_inaccessiblepaths_proc(Manager *m) {
if (!is_inaccessible_available()) {
log_notice("testing without inaccessible, skipping %s", __func__);
log_notice("Testing without inaccessible, skipping %s", __func__);
return;
}
test(m, "exec-inaccessiblepaths-proc.service", 0, CLD_EXITED);
if (path_is_read_only_fs("/") > 0) {
log_notice("Root directory is readonly, skipping remaining tests in %s", __func__);
return;
}
test(m, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED);
}
static void test_exec_systemcallfilter(Manager *m) {
#if HAVE_SECCOMP
if (!is_seccomp_available())
if (!is_seccomp_available()) {
log_notice("Seccomp not available, skipping %s", __func__);
return;
}
test(m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED);
test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED);
test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED);
test(m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED);
test(m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED);
#endif
}
static void test_exec_systemcallerrornumber(Manager *m) {
#if HAVE_SECCOMP
if (!is_seccomp_available())
if (!is_seccomp_available()) {
log_notice("Seccomp not available, skipping %s", __func__);
return;
}
test(m, "exec-systemcallerrornumber-name.service", errno_from_name("EACCES"), CLD_EXITED);
test(m, "exec-systemcallerrornumber-number.service", 255, CLD_EXITED);
#endif
}
static void test_exec_restrict_namespaces(Manager *m) {
static void test_exec_restrictnamespaces(Manager *m) {
#if HAVE_SECCOMP
if (!is_seccomp_available())
if (!is_seccomp_available()) {
log_notice("Seccomp not available, skipping %s", __func__);
return;
}
test(m, "exec-restrict-namespaces-no.service", 0, CLD_EXITED);
test(m, "exec-restrict-namespaces-yes.service", 1, CLD_EXITED);
test(m, "exec-restrict-namespaces-mnt.service", 0, CLD_EXITED);
test(m, "exec-restrict-namespaces-mnt-blacklist.service", 1, CLD_EXITED);
test(m, "exec-restrictnamespaces-no.service", 0, CLD_EXITED);
test(m, "exec-restrictnamespaces-yes.service", 1, CLD_EXITED);
test(m, "exec-restrictnamespaces-mnt.service", 0, CLD_EXITED);
test(m, "exec-restrictnamespaces-mnt-blacklist.service", 1, CLD_EXITED);
#endif
}
static void test_exec_systemcall_system_mode_with_user(Manager *m) {
static void test_exec_systemcallfilter_system(Manager *m) {
#if HAVE_SECCOMP
if (!is_seccomp_available())
if (!is_seccomp_available()) {
log_notice("Seccomp not available, skipping %s", __func__);
return;
}
if (getpwnam("nobody"))
test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
else if (getpwnam("nfsnobody"))
@ -321,7 +327,7 @@ static void test_exec_group(Manager *m) {
log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody group: %m", __func__);
}
static void test_exec_supplementary_groups(Manager *m) {
static void test_exec_supplementarygroups(Manager *m) {
test(m, "exec-supplementarygroups.service", 0, CLD_EXITED);
test(m, "exec-supplementarygroups-single-group.service", 0, CLD_EXITED);
test(m, "exec-supplementarygroups-single-group-user.service", 0, CLD_EXITED);
@ -330,11 +336,11 @@ static void test_exec_supplementary_groups(Manager *m) {
test(m, "exec-supplementarygroups-multiple-groups-withuid.service", 0, CLD_EXITED);
}
static void test_exec_dynamic_user(Manager *m) {
static void test_exec_dynamicuser(Manager *m) {
test(m, "exec-dynamicuser-fixeduser.service", 0, CLD_EXITED);
test(m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", 0, CLD_EXITED);
test(m, "exec-dynamicuser-supplementarygroups.service", 0, CLD_EXITED);
test(m, "exec-dynamicuser-state-dir.service", 0, CLD_EXITED);
test(m, "exec-dynamicuser-statedir.service", 0, CLD_EXITED);
}
static void test_exec_environment(Manager *m) {
@ -360,7 +366,7 @@ static void test_exec_environmentfile(Manager *m) {
test(m, "exec-environmentfile.service", 0, CLD_EXITED);
unlink("/tmp/test-exec_environmentfile.conf");
(void) unlink("/tmp/test-exec_environmentfile.conf");
}
static void test_exec_passenvironment(Manager *m) {
@ -426,17 +432,19 @@ static void test_exec_capabilityambientset(Manager *m) {
* capabilities is fine, since we are expecting them to be unset
* in the first place for the tests. */
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
if (r >= 0 || errno != EINVAL) {
if (getpwnam("nobody")) {
test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
} else if (getpwnam("nfsnobody")) {
test(m, "exec-capabilityambientset-nfsnobody.service", 0, CLD_EXITED);
test(m, "exec-capabilityambientset-merge-nfsnobody.service", 0, CLD_EXITED);
} else
log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__);
if (r < 0 && IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) {
log_error("Skipping %s, the kernel does not support ambient capabilities", __func__);
return;
}
if (getpwnam("nobody")) {
test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
} else if (getpwnam("nfsnobody")) {
test(m, "exec-capabilityambientset-nfsnobody.service", 0, CLD_EXITED);
test(m, "exec-capabilityambientset-merge-nfsnobody.service", 0, CLD_EXITED);
} else
log_error_errno(errno, "Skipping %s, the kernel does not support ambient capabilities: %m", __func__);
log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__);
}
static void test_exec_privatenetwork(Manager *m) {
@ -463,29 +471,19 @@ static void test_exec_ioschedulingclass(Manager *m) {
test(m, "exec-ioschedulingclass-best-effort.service", 0, CLD_EXITED);
}
static void test_exec_spec_interpolation(Manager *m) {
test(m, "exec-spec-interpolation.service", 0, CLD_EXITED);
}
static void test_exec_read_only_path_suceed(Manager *m) {
test(m, "exec-read-only-path-succeed.service", 0, CLD_EXITED);
}
static void test_exec_unset_environment(Manager *m) {
test(m, "exec-unset-environment.service", 0, CLD_EXITED);
static void test_exec_unsetenvironment(Manager *m) {
test(m, "exec-unsetenvironment.service", 0, CLD_EXITED);
}
static void test_exec_specifier(Manager *m) {
test(m, "exec-specifier.service", 0, CLD_EXITED);
test(m, "exec-specifier@foo-bar.service", 0, CLD_EXITED);
test(m, "exec-specifier-interpolation.service", 0, CLD_EXITED);
}
static void test_exec_stdin_data(Manager *m) {
test(m, "exec-stdin-data.service", 0, CLD_EXITED);
}
static void test_exec_stdio_file(Manager *m) {
test(m, "exec-stdio-file.service", 0, CLD_EXITED);
static void test_exec_standardinput(Manager *m) {
test(m, "exec-standardinput-data.service", 0, CLD_EXITED);
test(m, "exec-standardinput-file.service", 0, CLD_EXITED);
}
static int run_tests(UnitFileScope scope, const test_function_t *tests) {
@ -513,45 +511,40 @@ static int run_tests(UnitFileScope scope, const test_function_t *tests) {
int main(int argc, char *argv[]) {
static const test_function_t user_tests[] = {
test_exec_bind_paths,
test_exec_workingdirectory,
test_exec_personality,
test_exec_bindpaths,
test_exec_capabilityambientset,
test_exec_capabilityboundingset,
test_exec_environment,
test_exec_environmentfile,
test_exec_group,
test_exec_ignoresigpipe,
test_exec_privatetmp,
test_exec_inaccessiblepaths,
test_exec_ioschedulingclass,
test_exec_oomscoreadjust,
test_exec_passenvironment,
test_exec_personality,
test_exec_privatedevices,
test_exec_privatedevices_capabilities,
test_exec_privatenetwork,
test_exec_privatetmp,
test_exec_protectkernelmodules,
test_exec_readonlypaths,
test_exec_readwritepaths,
test_exec_inaccessiblepaths,
test_exec_inaccessiblepaths_proc,
test_exec_privatenetwork,
test_exec_systemcallfilter,
test_exec_systemcallerrornumber,
test_exec_restrict_namespaces,
test_exec_user,
test_exec_group,
test_exec_supplementary_groups,
test_exec_environment,
test_exec_environmentfile,
test_exec_passenvironment,
test_exec_umask,
test_exec_restrictnamespaces,
test_exec_runtimedirectory,
test_exec_capabilityboundingset,
test_exec_capabilityambientset,
test_exec_oomscoreadjust,
test_exec_ioschedulingclass,
test_exec_spec_interpolation,
test_exec_read_only_path_suceed,
test_exec_unset_environment,
test_exec_stdin_data,
test_exec_stdio_file,
test_exec_standardinput,
test_exec_supplementarygroups,
test_exec_systemcallerrornumber,
test_exec_systemcallfilter,
test_exec_umask,
test_exec_unsetenvironment,
test_exec_user,
test_exec_workingdirectory,
NULL,
};
static const test_function_t system_tests[] = {
test_exec_systemcall_system_mode_with_user,
test_exec_dynamic_user,
test_exec_dynamicuser,
test_exec_specifier,
test_exec_systemcallfilter_system,
NULL,
};
int r;
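Review bot: In the test_exec_capabilityambientset hunk, the last `else` branch passes `errno` to `log_error_errno()` after both `getpwnam()` calls returned NULL, but getpwnam() does not set errno when the account simply does not exist, so `%m` can report a stale value, for example one left by a `prctl()` failure that was not EINVAL, EOPNOTSUPP or ENOSYS and so did not take the skip path. Clearing it with `errno = 0;` before the lookups, or dropping `%m` and logging `log_notice("Skipping %s, could not find nobody/nfsnobody user", __func__);`, keeps the reported skip reason accurate; the test_exec_group context line shows the same pattern. The new skip condition also covers EOPNOTSUPP and ENOSYS where the old one appears to have tested only EINVAL, which looks like a small behaviour change worth mentioning next to "No functional change". The function begins above this hunk, so the declaration of `r` is not visible here.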


@ -45,7 +45,7 @@ test_data_files = '''
sockets.target
son.service
sysinit.target
test-execute/exec-bind-paths.service
test-execute/exec-bindpaths.service
test-execute/exec-capabilityambientset-merge-nfsnobody.service
test-execute/exec-capabilityambientset-merge.service
test-execute/exec-capabilityambientset-nfsnobody.service
@ -56,7 +56,7 @@ test_data_files = '''
test-execute/exec-capabilityboundingset-simple.service
test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
test-execute/exec-dynamicuser-fixeduser.service
test-execute/exec-dynamicuser-state-dir.service
test-execute/exec-dynamicuser-statedir.service
test-execute/exec-dynamicuser-supplementarygroups.service
test-execute/exec-environment-empty.service
test-execute/exec-environment-multiple.service
@ -96,24 +96,24 @@ test_data_files = '''
test-execute/exec-protectkernelmodules-no-capabilities.service
test-execute/exec-protectkernelmodules-yes-capabilities.service
test-execute/exec-protectkernelmodules-yes-mount-propagation.service
test-execute/exec-read-only-path-succeed.service
test-execute/exec-readonlypaths-mount-propagation.service
test-execute/exec-readonlypaths-simple.service
test-execute/exec-readonlypaths-with-bindpaths.service
test-execute/exec-readonlypaths.service
test-execute/exec-readwritepaths-mount-propagation.service
test-execute/exec-restrict-namespaces-mnt-blacklist.service
test-execute/exec-restrict-namespaces-mnt.service
test-execute/exec-restrict-namespaces-no.service
test-execute/exec-restrict-namespaces-yes.service
test-execute/exec-restrictnamespaces-mnt-blacklist.service
test-execute/exec-restrictnamespaces-mnt.service
test-execute/exec-restrictnamespaces-no.service
test-execute/exec-restrictnamespaces-yes.service
test-execute/exec-runtimedirectory-mode.service
test-execute/exec-runtimedirectory-owner-nfsnobody.service
test-execute/exec-runtimedirectory-owner.service
test-execute/exec-runtimedirectory.service
test-execute/exec-spec-interpolation.service
test-execute/exec-specifier-interpolation.service
test-execute/exec-specifier.service
test-execute/exec-specifier@.service
test-execute/exec-stdin-data.service
test-execute/exec-stdio-file.service
test-execute/exec-standardinput-data.service
test-execute/exec-standardinput-file.service
test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
test-execute/exec-supplementarygroups-multiple-groups-withgid.service
test-execute/exec-supplementarygroups-multiple-groups-withuid.service
@ -132,7 +132,7 @@ test_data_files = '''
test-execute/exec-systemcallfilter-with-errno-number.service
test-execute/exec-umask-0177.service
test-execute/exec-umask-default.service
test-execute/exec-unset-environment.service
test-execute/exec-unsetenvironment.service
test-execute/exec-user-nfsnobody.service
test-execute/exec-user.service
test-execute/exec-workingdirectory.service


@ -1,14 +0,0 @@
[Service]
Type=oneshot
# Create a file in /tmp/test-exec_bind_paths
ExecStart=/bin/sh -c 'touch /tmp/test-exec_bind_paths/thisisasimpletest'
# Then, the file can be access through /tmp
ExecStart=/bin/sh -c 'test -f /tmp/thisisasimpletest'
# Also, through /tmp/test-exec_bind_readonly_paths
ExecStart=/bin/sh -c 'test -f /tmp/test-exec_bind_readonly_paths/thisisasimpletest'
# The file cannot modify through /tmp/test-exec_bind_readonly_paths
ExecStart=/bin/sh -x -c '! touch /tmp/test-exec_bind_readonly_paths/thisisasimpletest'
# Cleanup
ExecStart=/bin/sh -c 'rm /tmp/thisisasimpletest'
BindPaths=/tmp:/tmp/test-exec_bind_paths
BindReadOnlyPaths=/tmp:/tmp/test-exec_bind_readonly_paths


@ -0,0 +1,17 @@
[Unit]
Description=Test for BindPaths= and BindReadOnlyPaths=
[Service]
Type=oneshot
# Create a file in /tmp/test-exec-bindpaths
ExecStart=/bin/sh -c 'touch /tmp/test-exec-bindpaths/thisisasimpletest'
# Then, the file can be access through /tmp
ExecStart=/bin/sh -c 'test -f /tmp/thisisasimpletest'
# Also, through /tmp/test-exec-bindreadonlypaths
ExecStart=/bin/sh -c 'test -f /tmp/test-exec-bindreadonlypaths/thisisasimpletest'
# The file cannot modify through /tmp/test-exec-bindreadonlypaths
ExecStart=/bin/sh -x -c '! touch /tmp/test-exec-bindreadonlypaths/thisisasimpletest'
# Cleanup
ExecStart=/bin/sh -c 'rm /tmp/thisisasimpletest'
BindPaths=/tmp:/tmp/test-exec-bindpaths
BindReadOnlyPaths=/tmp:/tmp/test-exec-bindreadonlypaths
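Review bot: The unit still works directly in the shared /tmp: with `BindPaths=/tmp:/tmp/test-exec-bindpaths`, the `touch` on the first ExecStart line creates the fixed name /tmp/thisisasimpletest on the host side, and both mount points are fixed names as well. On a machine where other local users can write to /tmp, a pre-existing entry with one of those names can make the test fail or act on a file it did not create, which matters most if the harness runs with elevated privileges (not visible from this page). Binding a private source directory created by the harness instead of /tmp itself would avoid that. The comments could be tidied at the same time, e.g. `# Then, the file can be accessed through /tmp` and `# The file cannot be modified through /tmp/test-exec-bindreadonlypaths`.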


@ -1,3 +1,6 @@
[Unit]
Description=Test for ReadOnlyPaths=
[Service]
Type=oneshot
# This should work, as we explicitly disable the effect of ReadOnlyPaths=


@ -1,3 +1,6 @@
[Unit]
Description=Test for specifiers
[Service]
Type=oneshot
ExecStart=/usr/bin/test %n = exec-specifier.service


@ -1,3 +1,6 @@
[Unit]
Description=Test for specifiers (template unit)
[Service]
Type=oneshot
ExecStart=/usr/bin/test %n = exec-specifier@foo-bar.service