bbb4e7f39f
Ideally we would like to hide all other service's credentials for all services. That would imply for us to enable mount namespacing for all services, which is something we cannot do, both due to compatibility with the status quo ante, and because a number of services legitimately should be able to install mounts in the host hierarchy. Hence we do the second best thing, we hide the credentials automatically for all services that opt into mount namespacing otherwise. This is quite different from other mount sandboxing options: usually you have to explicitly opt into each. However, given that the credentials logic is a brand new concept we invented right here and now, and particularly security sensitive it's OK to reverse this, and by default hide credentials whenever we can (i.e. whenever mount namespacing is otherwise opt-ed in to). Long story short: if you want to hide other service's credentials, the most basic options is to just turn on PrivateMounts= and there you go, they should all be gone.
224 lines
6.5 KiB
C
224 lines
6.5 KiB
C
/* SPDX-License-Identifier: LGPL-2.1+ */
|
|
|
|
#include <fcntl.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/stat.h>
|
|
|
|
#include "alloc-util.h"
|
|
#include "fd-util.h"
|
|
#include "namespace.h"
|
|
#include "process-util.h"
|
|
#include "string-util.h"
|
|
#include "tests.h"
|
|
#include "user-util.h"
|
|
#include "util.h"
|
|
#include "virt.h"
|
|
|
|
static void test_namespace_cleanup_tmpdir(void) {
|
|
{
|
|
_cleanup_(namespace_cleanup_tmpdirp) char *dir;
|
|
assert_se(dir = strdup(RUN_SYSTEMD_EMPTY));
|
|
}
|
|
|
|
{
|
|
_cleanup_(namespace_cleanup_tmpdirp) char *dir;
|
|
assert_se(dir = strdup("/tmp/systemd-test-namespace.XXXXXX"));
|
|
assert_se(mkdtemp(dir));
|
|
}
|
|
}
|
|
|
|
static void test_tmpdir(const char *id, const char *A, const char *B) {
|
|
_cleanup_free_ char *a, *b;
|
|
struct stat x, y;
|
|
char *c, *d;
|
|
|
|
assert_se(setup_tmp_dirs(id, &a, &b) == 0);
|
|
|
|
assert_se(stat(a, &x) >= 0);
|
|
assert_se(stat(b, &y) >= 0);
|
|
|
|
assert_se(S_ISDIR(x.st_mode));
|
|
assert_se(S_ISDIR(y.st_mode));
|
|
|
|
if (!streq(a, RUN_SYSTEMD_EMPTY)) {
|
|
assert_se(startswith(a, A));
|
|
assert_se((x.st_mode & 01777) == 0700);
|
|
c = strjoina(a, "/tmp");
|
|
assert_se(stat(c, &x) >= 0);
|
|
assert_se(S_ISDIR(x.st_mode));
|
|
assert_se((x.st_mode & 01777) == 01777);
|
|
assert_se(rmdir(c) >= 0);
|
|
assert_se(rmdir(a) >= 0);
|
|
}
|
|
|
|
if (!streq(b, RUN_SYSTEMD_EMPTY)) {
|
|
assert_se(startswith(b, B));
|
|
assert_se((y.st_mode & 01777) == 0700);
|
|
d = strjoina(b, "/tmp");
|
|
assert_se(stat(d, &y) >= 0);
|
|
assert_se(S_ISDIR(y.st_mode));
|
|
assert_se((y.st_mode & 01777) == 01777);
|
|
assert_se(rmdir(d) >= 0);
|
|
assert_se(rmdir(b) >= 0);
|
|
}
|
|
}
|
|
|
|
static void test_netns(void) {
|
|
_cleanup_close_pair_ int s[2] = { -1, -1 };
|
|
pid_t pid1, pid2, pid3;
|
|
int r, n = 0;
|
|
siginfo_t si;
|
|
|
|
if (geteuid() > 0) {
|
|
(void) log_tests_skipped("not root");
|
|
return;
|
|
}
|
|
|
|
assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);
|
|
|
|
pid1 = fork();
|
|
assert_se(pid1 >= 0);
|
|
|
|
if (pid1 == 0) {
|
|
r = setup_netns(s);
|
|
assert_se(r >= 0);
|
|
_exit(r);
|
|
}
|
|
|
|
pid2 = fork();
|
|
assert_se(pid2 >= 0);
|
|
|
|
if (pid2 == 0) {
|
|
r = setup_netns(s);
|
|
assert_se(r >= 0);
|
|
exit(r);
|
|
}
|
|
|
|
pid3 = fork();
|
|
assert_se(pid3 >= 0);
|
|
|
|
if (pid3 == 0) {
|
|
r = setup_netns(s);
|
|
assert_se(r >= 0);
|
|
exit(r);
|
|
}
|
|
|
|
r = wait_for_terminate(pid1, &si);
|
|
assert_se(r >= 0);
|
|
assert_se(si.si_code == CLD_EXITED);
|
|
n += si.si_status;
|
|
|
|
r = wait_for_terminate(pid2, &si);
|
|
assert_se(r >= 0);
|
|
assert_se(si.si_code == CLD_EXITED);
|
|
n += si.si_status;
|
|
|
|
r = wait_for_terminate(pid3, &si);
|
|
assert_se(r >= 0);
|
|
assert_se(si.si_code == CLD_EXITED);
|
|
n += si.si_status;
|
|
|
|
assert_se(n == 1);
|
|
}
|
|
|
|
static void test_protect_kernel_logs(void) {
|
|
int r;
|
|
pid_t pid;
|
|
static const NamespaceInfo ns_info = {
|
|
.protect_kernel_logs = true,
|
|
};
|
|
|
|
if (geteuid() > 0) {
|
|
(void) log_tests_skipped("not root");
|
|
return;
|
|
}
|
|
|
|
/* In a container we likely don't have access to /dev/kmsg */
|
|
if (detect_container() > 0) {
|
|
(void) log_tests_skipped("in container");
|
|
return;
|
|
}
|
|
|
|
|
|
pid = fork();
|
|
assert_se(pid >= 0);
|
|
|
|
if (pid == 0) {
|
|
_cleanup_close_ int fd = -1;
|
|
|
|
fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
|
|
assert_se(fd > 0);
|
|
|
|
r = setup_namespace(NULL,
|
|
NULL,
|
|
NULL,
|
|
&ns_info,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL, 0,
|
|
NULL, 0,
|
|
NULL, 0,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
NULL,
|
|
0,
|
|
NULL);
|
|
assert_se(r == 0);
|
|
|
|
assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
|
|
assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
|
|
assert_se(errno == EACCES);
|
|
|
|
_exit(EXIT_SUCCESS);
|
|
}
|
|
|
|
assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
|
|
}
|
|
|
|
int main(int argc, char *argv[]) {
|
|
sd_id128_t bid;
|
|
char boot_id[SD_ID128_STRING_MAX];
|
|
_cleanup_free_ char *x = NULL, *y = NULL, *z = NULL, *zz = NULL;
|
|
|
|
test_setup_logging(LOG_INFO);
|
|
|
|
test_namespace_cleanup_tmpdir();
|
|
|
|
if (!have_namespaces()) {
|
|
log_tests_skipped("Don't have namespace support");
|
|
return EXIT_TEST_SKIP;
|
|
}
|
|
|
|
assert_se(sd_id128_get_boot(&bid) >= 0);
|
|
sd_id128_to_string(bid, boot_id);
|
|
|
|
x = strjoin("/tmp/systemd-private-", boot_id, "-abcd.service-");
|
|
y = strjoin("/var/tmp/systemd-private-", boot_id, "-abcd.service-");
|
|
assert_se(x && y);
|
|
|
|
test_tmpdir("abcd.service", x, y);
|
|
|
|
z = strjoin("/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
|
|
zz = strjoin("/var/tmp/systemd-private-", boot_id, "-sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device-");
|
|
|
|
assert_se(z && zz);
|
|
|
|
test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);
|
|
|
|
test_netns();
|
|
test_protect_kernel_logs();
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|