[systemd.io.git] / test / units / TEST-07-PID1.private-pids.sh
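#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
set -eux
set -o pipefail

# shellcheck source=test/units/test-control.sh
. "$(dirname "$0")"/test-control.sh
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh

# Record whether something is already mounted on /proc/scsi before the test
# touches it. testcase_unpriv and at_exit only mount or unmount a tmpfs there
# when the answer is "no", so a mount that existed beforehand is never removed
# by this script.
HAS_EXISTING_SCSI_MOUNT=no
if findmnt --mountpoint /proc/scsi; then
    HAS_EXISTING_SCSI_MOUNT=yes
fi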
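# Cleanup handler: undoes every mount, directory and transient unit the test
# cases below may have left behind.
at_exit() {
    # Best-effort cleanup: keep going when a step fails, e.g. because the test
    # stopped before the corresponding mount or unit was created.
    set +e

    # Unmount any file systems
    # The tmpfs on /proc/scsi is only removed when nothing was mounted there
    # before the test started; a pre-existing mount is left alone.
    if [[ "$HAS_EXISTING_SCSI_MOUNT" == "no" ]]; then
        umount /proc/scsi
    fi

    umount /tmp/TEST-07-PID1-private-pids-proc
    rm -rf /tmp/TEST-07-PID1-private-pids-proc
    # Remove any test files
    rm -rf /tmp/TEST-07-PID1-private-pids-services
    rm -rf /tmp/TEST-07-PID1-private-pids-root
    # Stop any test services
    systemctl kill --signal=KILL TEST-07-PID1-private-pid.service
    # Remove any failed transient units
    systemctl reset-failed
}

# Run the cleanup on every exit path, including an abort caused by "set -e".
trap at_exit EXIT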
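# Basic PrivatePIDs=yes behaviour for system units: PID numbering, the private
# /proc mount and main-PID tracking as seen from the host.
testcase_basic() {
    # Verify current process is PID1 in new namespace
    assert_eq "$(systemd-run -p PrivatePIDs=yes --wait --pipe readlink /proc/self)" "1"
    # Verify we are the only process in the new namespace
    assert_eq "$(systemd-run -p PrivatePIDs=yes --wait --pipe ps aux --no-heading | wc -l)" "1"
    # Verify procfs mount: the private /proc must be read-write and carry the
    # nosuid, nodev and noexec hardening flags.
    #
    # The doubled "$$" is deliberate. systemd-run expands environment variables
    # in the command line by default and "$$" is the escape for a literal "$",
    # so the inner bash receives "$(findmnt ...)". The "bash -xec" calls further
    # down are run directly, not through systemd-run, and use a single "$".
    systemd-run -p PrivatePIDs=yes --wait --pipe \
        bash -xec '[[ "$$(findmnt --mountpoint /proc --noheadings -o VFS-OPTIONS)" =~ rw ]];
                   [[ "$$(findmnt --mountpoint /proc --noheadings -o VFS-OPTIONS)" =~ nosuid ]];
                   [[ "$$(findmnt --mountpoint /proc --noheadings -o VFS-OPTIONS)" =~ nodev ]];
                   [[ "$$(findmnt --mountpoint /proc --noheadings -o VFS-OPTIONS)" =~ noexec ]];'

    # Verify main PID is correct
    systemd-run -p PrivatePIDs=yes --remain-after-exit --unit TEST-07-PID1-private-pid sleep infinity
    # Wait for ExecMainPID to be correctly populated as there might be a race between spawning service
    # and actual exec child process
    timeout 10s bash -xec 'until [[ "$(cat /proc/$(systemctl show TEST-07-PID1-private-pid.service -p ExecMainPID --value)/comm)" == sleep ]]; do sleep .5; done'
    pid=$(systemctl show TEST-07-PID1-private-pid.service -p ExecMainPID --value)
    # Only ever signal a positive PID. "kill -9 0" would SIGKILL the caller's
    # whole process group, so fail the test instead if the property is empty
    # or 0 (a failing [[ ]] aborts the script under "set -e").
    [[ "$pid" =~ ^[1-9][0-9]*$ ]]
    kill -9 "$pid"
    # The kill is issued from the host side; the manager is expected to report
    # the service as failed with Result=signal and ExecMainStatus=9.
    timeout 10s bash -xec 'while [[ "$(systemctl show -P SubState TEST-07-PID1-private-pid.service)" != "failed" ]]; do sleep .5; done'
    assert_eq "$(systemctl show -P Result TEST-07-PID1-private-pid.service)" "signal"
    assert_eq "$(systemctl show -P ExecMainStatus TEST-07-PID1-private-pid.service)" "9"
    systemctl reset-failed
}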
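# Checks that "systemd-analyze verify" accepts PrivatePIDs=yes on a
# Type=oneshot unit and rejects it on a Type=forking unit.
testcase_analyze() {
    # NOTE(review): the directory name under /tmp is fixed and predictable.
    # That is presumably acceptable because this runs in a dedicated test
    # environment; a script meant for a shared host should use "mktemp -d".
    mkdir -p /tmp/TEST-07-PID1-private-pids-services

    # Verify other services are compatible with PrivatePIDs=yes
    cat <<EOF >/tmp/TEST-07-PID1-private-pids-services/oneshot-valid.service
[Service]
ExecStart=echo hello
PrivatePIDs=yes
Type=oneshot
EOF

    # Verify Type=forking services are not compatible with PrivatePIDs=yes
    cat <<EOF >/tmp/TEST-07-PID1-private-pids-services/forking-invalid.service
[Service]
ExecStart=echo hello
PrivatePIDs=yes
Type=forking
EOF

    systemd-analyze --recursive-errors=no verify /tmp/TEST-07-PID1-private-pids-services/oneshot-valid.service
    # A bare "! cmd" never trips "set -e"; wrapping the negation in a subshell
    # turns an unexpected success of the command into a failing compound
    # command, which does abort the test.
    (! systemd-analyze --recursive-errors=no verify /tmp/TEST-07-PID1-private-pids-services/forking-invalid.service)

    rm -rf /tmp/TEST-07-PID1-private-pids-services
}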
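# Runs one transient unit that combines PrivatePIDs=yes with a broad set of
# other sandboxing options, to check that they can all be applied together.
testcase_multiple_features() {
    # NOTE(review): fixed, predictable path under /tmp; presumably fine for a
    # dedicated test environment, not a pattern for scripts on shared hosts.
    unsquashfs -no-xattrs -d /tmp/TEST-07-PID1-private-pids-root /usr/share/minimal_0.raw

    # The unit passes when grep finds MARKER=1 in the /etc/os-release it sees
    # under RootDirectory= (presumably the file shipped in minimal_0.raw).
    systemd-run \
        -p PrivatePIDs=yes \
        -p RootDirectory=/tmp/TEST-07-PID1-private-pids-root \
        -p ProcSubset=pid \
        -p BindReadOnlyPaths=/usr/share \
        -p NoNewPrivileges=yes \
        -p ProtectSystem=strict \
        -p User=testuser \
        -p Group=testuser \
        -p RuntimeDirectory=abc \
        -p StateDirectory=qed \
        -p InaccessiblePaths=/usr/include \
        -p TemporaryFileSystem=/home \
        -p PrivateTmp=yes \
        -p PrivateDevices=yes \
        -p PrivateNetwork=yes \
        -p PrivateUsersEx=self \
        -p PrivateIPC=yes \
        -p ProtectHostname=yes \
        -p ProtectClock=yes \
        -p ProtectKernelTunables=yes \
        -p ProtectKernelModules=yes \
        -p ProtectKernelLogs=yes \
        -p ProtectControlGroupsEx=private \
        -p LockPersonality=yes \
        -p Environment=ABC=QED \
        --wait \
        --pipe \
        grep MARKER=1 /etc/os-release

    rm -rf /tmp/TEST-07-PID1-private-pids-root
}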
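# PrivatePIDs=yes for a per-user service manager: first with an unmasked procfs
# available (must succeed), then with /proc/ masked (must fail).
testcase_unpriv() {
    if [ ! -f /usr/lib/systemd/user/dbus.socket ] && [ ! -f /etc/systemd/user/dbus.socket ]; then
        echo "Per-user instances are not supported, skipping unprivileged PrivatePIDs=yes test"
        return 0
    fi

    # "sysctl -ne" prints only the value and ignores an unknown key; an empty
    # result compares as 0 here, so the test is not skipped on kernels without
    # this sysctl.
    if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
        echo "Cannot create unprivileged user namespaces, skipping unprivileged PrivatePIDs=yes test"
        return 0
    fi

    # IMPORTANT: For /proc/ to be remounted in pid namespace within an unprivileged user namespace, there needs to
    # be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is
    # over-mounted with tmpfs), then mounting a new /proc/ will fail.
    #
    # Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary
    # directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully.
    mkdir -p /tmp/TEST-07-PID1-private-pids-proc
    mount -t proc proc /tmp/TEST-07-PID1-private-pids-proc

    # Verify running as unprivileged user can unshare PID namespace and mounts /proc properly.
    assert_eq "$(runas testuser systemd-run --wait --user --pipe -p PrivatePIDs=yes readlink /proc/self)" "1"
    assert_eq "$(runas testuser systemd-run --wait --user --pipe -p PrivatePIDs=yes ps aux --no-heading | wc -l)" "1"

    umount /tmp/TEST-07-PID1-private-pids-proc
    rm -rf /tmp/TEST-07-PID1-private-pids-proc

    # Now we will mask /proc/ by mounting tmpfs over /proc/scsi. This will guarantee that mounting /proc/ will fail
    # for unprivileged users when using PrivatePIDs=yes. Now units should fail as PrivatePIDs=yes has no graceful
    # fallback.
    #
    # Note some kernels do not have /proc/scsi so we verify the directory exists prior to running the test.
    if [ ! -d /proc/scsi ]; then
        echo "/proc/scsi does not exist, skipping unprivileged PrivatePIDs=yes test with masked /proc/"
        return 0
    fi

    # Only add our own tmpfs when /proc/scsi was not already over-mounted at
    # script start; in that case the existing mount already masks /proc/.
    if [[ "$HAS_EXISTING_SCSI_MOUNT" == "no" ]]; then
        mount -t tmpfs tmpfs /proc/scsi
    fi

    # The unit must fail. The subshell makes an unexpected success abort the
    # test under "set -e" (a bare "! cmd" would not); at_exit then removes the
    # tmpfs that is still mounted at that point.
    (! runas testuser systemd-run --wait --user --pipe -p PrivatePIDs=yes true)

    if [[ "$HAS_EXISTING_SCSI_MOUNT" == "no" ]]; then
        umount /proc/scsi
    fi
}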
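# Entry point. run_testcases is not defined in this file; it presumably comes
# from the sourced test-control.sh and runs the testcase_* functions above.
run_testcases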