authorLuke Shumaker <lukeshu@sbcglobal.net>2016-12-17 03:11:52 -0500
committerLuke Shumaker <lukeshu@sbcglobal.net>2016-12-17 03:11:52 -0500
commitb849891b5dde5ee14ab8b7b7db74e65a4a38d993 (patch)
tree29bb0e6fda9b4b170041913de495da057bbe3621 /test
parent004efebf9cc559ea131bb9460ee0ee198e2d5da7 (diff)
parent881228ff72434a0e3401a16bd87f179ef0ab1619 (diff)
Merge branch 'notsystemd/postmove' into notsystemd/master
# Conflicts: # src/grp-journal/libjournal-core/.gitignore # src/grp-system/libcore/include/core/mount.h
Diffstat (limited to 'test')
-rw-r--r--test/Makefile32
-rwxr-xr-xtest/TEST-03-JOBS/test-jobs.sh28
-rwxr-xr-xtest/TEST-04-JOURNAL/test-journal.sh8
-rwxr-xr-xtest/TEST-13-NSPAWN-SMOKE/create-busybox-container53
-rwxr-xr-xtest/TEST-13-NSPAWN-SMOKE/test.sh123
-rwxr-xr-xtest/networkd-test.py190
-rw-r--r--test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service9
-rw-r--r--test/test-execute/exec-dynamicuser-fixeduser.service8
-rw-r--r--test/test-execute/exec-dynamicuser-supplementarygroups.service8
-rw-r--r--test/test-execute/exec-inaccessiblepaths-mount-propagation.service7
-rw-r--r--test/test-execute/exec-personality-aarch64.service7
-rw-r--r--test/test-execute/exec-personality-ppc64.service7
-rw-r--r--test/test-execute/exec-personality-ppc64le.service7
-rw-r--r--test/test-execute/exec-privatedevices-no-capability-mknod.service7
-rw-r--r--test/test-execute/exec-privatedevices-no-capability-sys-rawio.service7
-rw-r--r--test/test-execute/exec-privatedevices-yes-capability-mknod.service7
-rw-r--r--test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service7
-rw-r--r--test/test-execute/exec-protectkernelmodules-no-capabilities.service7
-rw-r--r--test/test-execute/exec-protectkernelmodules-yes-capabilities.service7
-rw-r--r--test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service7
-rw-r--r--test/test-execute/exec-readonlypaths-mount-propagation.service7
-rw-r--r--test/test-execute/exec-readonlypaths.service7
-rw-r--r--test/test-execute/exec-readwritepaths-mount-propagation.service7
-rw-r--r--test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service7
-rw-r--r--test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service8
-rw-r--r--test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service8
-rw-r--r--test/test-execute/exec-supplementarygroups-single-group-user.service9
-rw-r--r--test/test-execute/exec-supplementarygroups-single-group.service8
-rw-r--r--test/test-execute/exec-supplementarygroups.service7
-rw-r--r--test/test-functions1
-rwxr-xr-xtest/udev-test.pl15
31 files changed, 587 insertions, 33 deletions
diff --git a/test/Makefile b/test/Makefile
index 1d82497508..b651e94e99 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -139,6 +139,11 @@ tests += \
test-acl-util
endif # HAVE_ACL
+ifneq ($(HAVE_SECCOMP),)
+tests += \
+ test-seccomp
+endif
+
EXTRA_DIST += \
test/a.service \
test/basic.target \
@@ -196,15 +201,36 @@ EXTRA_DIST += \
test/test-execute/exec-passenvironment.service \
test/test-execute/exec-group.service \
test/test-execute/exec-group-nfsnobody.service \
+ test/test-execute/exec-supplementarygroups.service \
+ test/test-execute/exec-supplementarygroups-single-group.service \
+ test/test-execute/exec-supplementarygroups-single-group-user.service \
+ test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service \
+ test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service \
+ test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service \
+ test/test-execute/exec-dynamicuser-fixeduser.service \
+ test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service \
+ test/test-execute/exec-dynamicuser-supplementarygroups.service \
test/test-execute/exec-ignoresigpipe-no.service \
test/test-execute/exec-ignoresigpipe-yes.service \
test/test-execute/exec-personality-x86-64.service \
test/test-execute/exec-personality-x86.service \
test/test-execute/exec-personality-s390.service \
+ test/test-execute/exec-personality-ppc64.service \
+ test/test-execute/exec-personality-ppc64le.service \
+ test/test-execute/exec-personality-aarch64.service \
test/test-execute/exec-privatedevices-no.service \
test/test-execute/exec-privatedevices-yes.service \
+ test/test-execute/exec-privatedevices-no-capability-mknod.service \
+ test/test-execute/exec-privatedevices-yes-capability-mknod.service \
+ test/test-execute/exec-protectkernelmodules-no-capabilities.service \
+ test/test-execute/exec-protectkernelmodules-yes-capabilities.service \
+ test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service \
test/test-execute/exec-privatetmp-no.service \
test/test-execute/exec-privatetmp-yes.service \
+ test/test-execute/exec-readonlypaths.service \
+ test/test-execute/exec-readonlypaths-mount-propagation.service \
+ test/test-execute/exec-readwritepaths-mount-propagation.service \
+ test/test-execute/exec-inaccessiblepaths-mount-propagation.service \
test/test-execute/exec-spec-interpolation.service \
test/test-execute/exec-systemcallerrornumber.service \
test/test-execute/exec-systemcallfilter-failing2.service \
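Review bot: The two `sys-rawio` unit files this commit adds (`exec-privatedevices-no-capability-sys-rawio.service` and `exec-privatedevices-yes-capability-sys-rawio.service`, both in the diffstat) are not listed next to the `capability-mknod` entries in this `EXTRA_DIST` hunk. Unless they are listed in a part of the Makefile not shown here, they would presumably be left out of a `make dist` tarball. Add `test/test-execute/exec-privatedevices-no-capability-sys-rawio.service \` and `test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service \` after the corresponding mknod lines.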
@@ -580,6 +606,12 @@ test_acl_util_SOURCES = \
test_acl_util_LDADD = \
libsystemd-shared.la
+test_seccomp_SOURCES = \
+ src/test/test-seccomp.c
+
+test_seccomp_LDADD = \
+ libsystemd-shared.la
+
test_namespace_LDADD = \
libcore.la
diff --git a/test/TEST-03-JOBS/test-jobs.sh b/test/TEST-03-JOBS/test-jobs.sh
index 0c7d4439a2..fa6cf4181a 100755
--- a/test/TEST-03-JOBS/test-jobs.sh
+++ b/test/TEST-03-JOBS/test-jobs.sh
@@ -49,4 +49,32 @@ systemctl stop --job-mode=replace-irreversibly unstoppable.service || exit 1
# Shutdown of the container/VM will hang if not.
systemctl start unstoppable.service || exit 1
+# Test waiting for a started unit(s) to terminate again
+cat <<EOF > /run/systemd/system/wait2.service
+[Unit]
+Description=Wait for 2 seconds
+[Service]
+ExecStart=/bin/sh -ec 'sleep 2'
+EOF
+cat <<EOF > /run/systemd/system/wait5fail.service
+[Unit]
+Description=Wait for 5 seconds and fail
+[Service]
+ExecStart=/bin/sh -ec 'sleep 5; false'
+EOF
+
+# wait2 succeeds
+START_SEC=$(date -u '+%s')
+systemctl start --wait wait2.service || exit 1
+END_SEC=$(date -u '+%s')
+ELAPSED=$(($END_SEC-$START_SEC))
+[[ "$ELAPSED" -ge 2 ]] && [[ "$ELAPSED" -le 3 ]] || exit 1
+
+# wait5fail fails, so systemctl should fail
+START_SEC=$(date -u '+%s')
+! systemctl start --wait wait2.service wait5fail.service || exit 1
+END_SEC=$(date -u '+%s')
+ELAPSED=$(($END_SEC-$START_SEC))
+[[ "$ELAPSED" -ge 5 ]] && [[ "$ELAPSED" -le 7 ]] || exit 1
+
touch /testok
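Review bot: The upper bounds `-le 3` and `-le 7` leave only one to two seconds for `systemctl start --wait` overhead, and `date '+%s'` truncates to whole seconds, so a slow or unaccelerated QEMU guest can fail these checks without any bug in `--wait`. The lower bounds (`-ge 2`, `-ge 5`) are what prove that systemctl actually waited. Consider loosening the upper bounds, e.g. `[[ "$ELAPSED" -ge 2 ]] && [[ "$ELAPSED" -le 10 ]] || exit 1`, or add a comment stating that the tight tolerance is deliberate.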
diff --git a/test/TEST-04-JOURNAL/test-journal.sh b/test/TEST-04-JOURNAL/test-journal.sh
index 6646eccfa7..493ff00ce0 100755
--- a/test/TEST-04-JOURNAL/test-journal.sh
+++ b/test/TEST-04-JOURNAL/test-journal.sh
@@ -59,4 +59,12 @@ sleep 3
systemctl stop forever-print-hola
[[ ! -f "/i-lose-my-logs" ]]
+# https://github.com/systemd/systemd/issues/4408
+rm -f /i-lose-my-logs
+systemctl start forever-print-hola
+sleep 3
+systemctl kill --signal=SIGKILL systemd-journald
+sleep 3
+[[ ! -f "/i-lose-my-logs" ]]
+
touch /testok
diff --git a/test/TEST-13-NSPAWN-SMOKE/create-busybox-container b/test/TEST-13-NSPAWN-SMOKE/create-busybox-container
new file mode 100755
index 0000000000..868dfd852a
--- /dev/null
+++ b/test/TEST-13-NSPAWN-SMOKE/create-busybox-container
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -e
+set -u
+set -o pipefail
+
+root="${1:?Usage $0 container-root}"
+mkdir -p "$root"
+mkdir "$root/bin"
+cp $(type -P busybox) "$root/bin"
+
+mkdir -p "$root/usr/lib"
+touch "$root/usr/lib/os-release"
+
+ln -s busybox "$root/bin/sh"
+ln -s busybox "$root/bin/cat"
+ln -s busybox "$root/bin/tr"
+ln -s busybox "$root/bin/ps"
+ln -s busybox "$root/bin/ip"
+
+mkdir -p "$root/sbin"
+cat <<'EOF' >"$root/sbin/init"
+#!/bin/sh
+
+printf "ps aufx:\n"
+ps aufx
+
+printf "/proc/1/cmdline:\n"
+printf "%s\n\n" "$(tr '\0' ' ' </proc/1/cmdline)"
+
+printf "/proc/1/environ:\n"
+printf "%s\n\n" "$(tr '\0' '\n' </proc/1/environ)"
+
+printf "/proc/1/mountinfo:\n"
+cat /proc/self/mountinfo
+printf "\n"
+
+printf "/proc/1/cgroup:\n"
+printf "%s\n\n" "$(cat /proc/1/cgroup)"
+
+printf "/proc/1/uid_map:\n"
+printf "%s\n\n" "$(cat /proc/1/uid_map)"
+
+printf "/proc/1/setgroups:\n"
+printf "%s\n\n" "$(cat /proc/1/setgroups)"
+
+printf "/proc/1/gid_map:\n"
+printf "%s\n\n" "$(cat /proc/1/gid_map)"
+
+printf "ip link:\n"
+ip link
+EOF
+chmod +x "$root/sbin/init"
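Review bot: `cp $(type -P busybox) "$root/bin"` leaves the command substitution unquoted and does not check that busybox was found. A failed substitution inside an argument does not trip `set -e`, so a missing busybox only surfaces as a confusing `cp` usage error. Resolve the path first, e.g. `busybox=$(type -P busybox)` followed by `cp "$busybox" "$root/bin"`, which lets `set -e` stop at the lookup and keeps a path with spaces intact. Separately, the init script prints the heading `/proc/1/mountinfo:` but reads `/proc/self/mountinfo`; the two agree only while the script runs as PID 1.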
diff --git a/test/TEST-13-NSPAWN-SMOKE/test.sh b/test/TEST-13-NSPAWN-SMOKE/test.sh
new file mode 100755
index 0000000000..e6977a7f1c
--- /dev/null
+++ b/test/TEST-13-NSPAWN-SMOKE/test.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+TEST_DESCRIPTION="systemd-nspawn smoke test"
+SKIP_INITRD=yes
+. $TEST_BASE_DIR/test-functions
+
+check_result_qemu() {
+ ret=1
+ mkdir -p $TESTDIR/root
+ mount ${LOOPDEV}p1 $TESTDIR/root
+ [[ -e $TESTDIR/root/testok ]] && ret=0
+ [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
+ cp -a $TESTDIR/root/var/log/journal $TESTDIR
+ umount $TESTDIR/root
+ [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
+ ls -l $TESTDIR/journal/*/*.journal
+ test -s $TESTDIR/failed && ret=$(($ret+1))
+ return $ret
+}
+
+test_run() {
+ if run_qemu; then
+ check_result_qemu || return 1
+ else
+ dwarn "can't run QEMU, skipping"
+ fi
+ return 0
+}
+
+test_setup() {
+ create_empty_image
+ mkdir -p $TESTDIR/root
+ mount ${LOOPDEV}p1 $TESTDIR/root
+
+ # Create what will eventually be our root filesystem onto an overlay
+ (
+ LOG_LEVEL=5
+ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+ setup_basic_environment
+ dracut_install busybox chmod rmdir
+
+ cp create-busybox-container $initdir/
+
+ # setup the testsuite service
+ cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+After=multi-user.target
+
+[Service]
+ExecStart=/test-nspawn.sh
+Type=oneshot
+EOF
+
+ cat >$initdir/test-nspawn.sh <<'EOF'
+#!/bin/bash
+set -x
+set -e
+set -u
+set -o pipefail
+
+export SYSTEMD_LOG_LEVEL=debug
+
+# check cgroup-v2
+is_v2_supported=no
+mkdir -p /tmp/cgroup2
+if mount -t cgroup2 cgroup2 /tmp/cgroup2; then
+ is_v2_supported=yes
+ umount /tmp/cgroup2
+fi
+rmdir /tmp/cgroup2
+
+# check cgroup namespaces
+is_cgns_supported=no
+if [[ -f /proc/1/ns/cgroup ]]; then
+ is_cgns_supported=yes
+fi
+
+function run {
+ if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
+ printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
+ return 0
+ fi
+ if [[ "$2" = "yes" && "$is_cgns_supported" = "no" ]]; then
+ printf "Cgroup namespaces are not supported. Skipping.\n" >&2
+ return 0
+ fi
+
+ local _root="/var/lib/machines/unified-$1-cgns-$2"
+ /create-busybox-container "$_root"
+ UNIFIED_CGROUP_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" systemd-nspawn --register=no -D "$_root" -b
+ UNIFIED_CGROUP_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" systemd-nspawn --register=no -D "$_root" --private-network -b
+ UNIFIED_CGROUP_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" systemd-nspawn --register=no -D "$_root" -U -b
+ UNIFIED_CGROUP_HIERARCHY="$1" SYSTEMD_NSPAWN_USE_CGNS="$2" systemd-nspawn --register=no -D "$_root" --private-network -U -b
+
+ return 0
+}
+
+run no no
+run yes no
+run no yes
+run yes yes
+
+touch /testok
+EOF
+
+ chmod 0755 $initdir/test-nspawn.sh
+ setup_testsuite
+ ) || return 1
+
+ ddebug "umount $TESTDIR/root"
+ umount $TESTDIR/root
+}
+
+test_cleanup() {
+ umount $TESTDIR/root 2>/dev/null
+ [[ $LOOPDEV ]] && losetup -d $LOOPDEV
+ return 0
+}
+
+do_test "$@"
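Review bot: The four `systemd-nspawn` invocations in `run` assert only that the container boots and exits with status zero; the `uid_map`, `gid_map` and `ip link` output printed by `/sbin/init` is never compared with anything, so the test would still pass if `-U` or `--private-network` had no effect. If that is intended for a smoke test, say so above `run`, e.g. `# Smoke test only: checks that the container boots; -U and --private-network isolation is not verified here.` Also note that `test_run` returns 0 when `run_qemu` fails, so an environment without QEMU reports success rather than a skip.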
diff --git a/test/networkd-test.py b/test/networkd-test.py
index bfa1bf3580..3091722fc1 100755
--- a/test/networkd-test.py
+++ b/test/networkd-test.py
@@ -54,7 +54,6 @@ class ClientTestBase:
self.workdir_obj = tempfile.TemporaryDirectory()
self.workdir = self.workdir_obj.name
self.config = '/run/systemd/network/test_eth42.network'
- os.makedirs(os.path.dirname(self.config), exist_ok=True)
# avoid "Failed to open /dev/tty" errors in containers
os.environ['SYSTEMD_LOG_TARGET'] = 'journal'
@@ -77,10 +76,14 @@ class ClientTestBase:
def tearDown(self):
self.shutdown_iface()
- if os.path.exists(self.config):
- os.unlink(self.config)
subprocess.call(['systemctl', 'stop', 'systemd-networkd'])
+ def writeConfig(self, fname, contents):
+ os.makedirs(os.path.dirname(fname), exist_ok=True)
+ with open(fname, 'w') as f:
+ f.write(contents)
+ self.addCleanup(os.remove, fname)
+
def show_journal(self, unit):
'''Show journal of given unit since start of the test'''
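Review bot: `writeConfig` has no docstring although callers rely on its contract: it creates missing parent directories and registers removal of the file, but not of any directory it created. `test_dropin` later in this file writes `/run/systemd/network/test.network.d/dns.conf`, so the `test.network.d` directory stays behind after that test. Suggested docstring: `'''Write contents to fname, creating parent directories; the file (not the directories) is removed on cleanup'''`.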
@@ -107,8 +110,8 @@ class ClientTestBase:
def do_test(self, coldplug=True, ipv6=False, extra_opts='',
online_timeout=10, dhcp_mode='yes'):
subprocess.check_call(['systemctl', 'start', 'systemd-resolved'])
- with open(self.config, 'w') as f:
- f.write('''[Match]
+ self.writeConfig(self.config, '''\
+[Match]
Name=%s
[Network]
DHCP=%s
@@ -225,6 +228,32 @@ DHCP=%s
self.do_test(coldplug=False, ipv6=True)
def test_route_only_dns(self):
+ self.writeConfig('/run/systemd/network/myvpn.netdev', '''\
+[NetDev]
+Name=dummy0
+Kind=dummy
+MACAddress=12:34:56:78:9a:bc''')
+ self.writeConfig('/run/systemd/network/myvpn.network', '''\
+[Match]
+Name=dummy0
+[Network]
+Address=192.168.42.100
+DNS=192.168.42.1
+Domains= ~company''')
+
+ self.do_test(coldplug=True, ipv6=False,
+ extra_opts='IPv6AcceptRouterAdvertisements=False')
+
+ with open(RESOLV_CONF) as f:
+ contents = f.read()
+ # ~company is not a search domain, only a routing domain
+ self.assertNotRegex(contents, 'search.*company')
+ # our global server should appear
+ self.assertIn('nameserver 192.168.5.1\n', contents)
+ # should not have domain-restricted server as global server
+ self.assertNotIn('nameserver 192.168.42.1\n', contents)
+
+ def test_route_only_dns_all_domains(self):
with open('/run/systemd/network/myvpn.netdev', 'w') as f:
f.write('''[NetDev]
Name=dummy0
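Review bot: `test_route_only_dns_all_domains` (the context lines at the end of this hunk and in the next one) still writes its two files with `open()`/`f.write()` and separate `self.addCleanup(os.remove, ...)` calls, while the new `test_route_only_dns` directly above it uses `self.writeConfig`. Converting it to `self.writeConfig(...)` as well would keep the two near-identical tests in step and would register each file's cleanup as soon as that file is written. The body of `test_route_only_dns_all_domains` continues outside this hunk.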
@@ -236,7 +265,7 @@ Name=dummy0
[Network]
Address=192.168.42.100
DNS=192.168.42.1
-Domains= ~company''')
+Domains= ~company ~.''')
self.addCleanup(os.remove, '/run/systemd/network/myvpn.netdev')
self.addCleanup(os.remove, '/run/systemd/network/myvpn.network')
@@ -245,10 +274,14 @@ Domains= ~company''')
with open(RESOLV_CONF) as f:
contents = f.read()
- # ~company is not a search domain, only a routing domain
- self.assertNotRegex(contents, 'search.*company')
- # our global server should appear
- self.assertIn('nameserver 192.168.5.1\n', contents)
+
+ # ~company is not a search domain, only a routing domain
+ self.assertNotRegex(contents, 'search.*company')
+
+ # our global server should appear
+ self.assertIn('nameserver 192.168.5.1\n', contents)
+ # should have company server as global server due to ~.
+ self.assertIn('nameserver 192.168.42.1\n', contents)
@unittest.skipUnless(have_dnsmasq, 'dnsmasq not installed')
@@ -259,7 +292,7 @@ class DnsmasqClientTest(ClientTestBase, unittest.TestCase):
super().setUp()
self.dnsmasq = None
- def create_iface(self, ipv6=False):
+ def create_iface(self, ipv6=False, dnsmasq_opts=None):
'''Create test interface with DHCP server behind it'''
# add veth pair
@@ -280,6 +313,8 @@ class DnsmasqClientTest(ClientTestBase, unittest.TestCase):
extra_opts = ['--enable-ra', '--dhcp-range=2600::10,2600::20']
else:
extra_opts = []
+ if dnsmasq_opts:
+ extra_opts += dnsmasq_opts
self.dnsmasq = subprocess.Popen(
['dnsmasq', '--keep-in-foreground', '--log-queries',
'--log-facility=' + self.dnsmasq_log, '--conf-file=/dev/null',
@@ -304,6 +339,80 @@ class DnsmasqClientTest(ClientTestBase, unittest.TestCase):
with open(self.dnsmasq_log) as f:
sys.stdout.write('\n\n---- dnsmasq log ----\n%s\n------\n\n' % f.read())
+ def test_resolved_domain_restricted_dns(self):
+ '''resolved: domain-restricted DNS servers'''
+
+ # create interface for generic connections; this will map all DNS names
+ # to 192.168.42.1
+ self.create_iface(dnsmasq_opts=['--address=/#/192.168.42.1'])
+ self.writeConfig('/run/systemd/network/general.network', '''\
+[Match]
+Name=%s
+[Network]
+DHCP=ipv4
+IPv6AcceptRA=False''' % self.iface)
+
+ # create second device/dnsmasq for a .company/.lab VPN interface
+ # static IPs for simplicity
+ subprocess.check_call(['ip', 'link', 'add', 'name', 'testvpnclient', 'type',
+ 'veth', 'peer', 'name', 'testvpnrouter'])
+ self.addCleanup(subprocess.call, ['ip', 'link', 'del', 'dev', 'testvpnrouter'])
+ subprocess.check_call(['ip', 'a', 'flush', 'dev', 'testvpnrouter'])
+ subprocess.check_call(['ip', 'a', 'add', '10.241.3.1/24', 'dev', 'testvpnrouter'])
+ subprocess.check_call(['ip', 'link', 'set', 'testvpnrouter', 'up'])
+
+ vpn_dnsmasq_log = os.path.join(self.workdir, 'dnsmasq-vpn.log')
+ vpn_dnsmasq = subprocess.Popen(
+ ['dnsmasq', '--keep-in-foreground', '--log-queries',
+ '--log-facility=' + vpn_dnsmasq_log, '--conf-file=/dev/null',
+ '--dhcp-leasefile=/dev/null', '--bind-interfaces',
+ '--interface=testvpnrouter', '--except-interface=lo',
+ '--address=/math.lab/10.241.3.3', '--address=/cantina.company/10.241.4.4'])
+ self.addCleanup(vpn_dnsmasq.wait)
+ self.addCleanup(vpn_dnsmasq.kill)
+
+ self.writeConfig('/run/systemd/network/vpn.network', '''\
+[Match]
+Name=testvpnclient
+[Network]
+IPv6AcceptRA=False
+Address=10.241.3.2/24
+DNS=10.241.3.1
+Domains= ~company ~lab''')
+
+ subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
+ subprocess.check_call([self.networkd_wait_online, '--interface', self.iface,
+ '--interface=testvpnclient', '--timeout=20'])
+
+ # ensure we start fresh with every test
+ subprocess.check_call(['systemctl', 'restart', 'systemd-resolved'])
+
+ # test vpnclient specific domains; these should *not* be answered by
+ # the general DNS
+ out = subprocess.check_output(['systemd-resolve', 'math.lab'])
+ self.assertIn(b'math.lab: 10.241.3.3', out)
+ out = subprocess.check_output(['systemd-resolve', 'kettle.cantina.company'])
+ self.assertIn(b'kettle.cantina.company: 10.241.4.4', out)
+
+ # test general domains
+ out = subprocess.check_output(['systemd-resolve', 'megasearch.net'])
+ self.assertIn(b'megasearch.net: 192.168.42.1', out)
+
+ with open(self.dnsmasq_log) as f:
+ general_log = f.read()
+ with open(vpn_dnsmasq_log) as f:
+ vpn_log = f.read()
+
+ # VPN domains should only be sent to VPN DNS
+ self.assertRegex(vpn_log, 'query.*math.lab')
+ self.assertRegex(vpn_log, 'query.*cantina.company')
+ self.assertNotIn('lab', general_log)
+ self.assertNotIn('company', general_log)
+
+ # general domains should not be sent to the VPN DNS
+ self.assertRegex(general_log, 'query.*megasearch.net')
+ self.assertNotIn('megasearch.net', vpn_log)
+
class NetworkdClientTest(ClientTestBase, unittest.TestCase):
'''Test networkd client against networkd server'''
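Review bot: `self.assertNotIn('lab', general_log)` and `self.assertNotIn('company', general_log)` match those substrings anywhere in the dnsmasq log, not only in query lines, so an unrelated message containing e.g. "available" would fail the test even though no VPN-domain query reached the general server. Since these assertions guard against VPN names leaking to the general DNS server, make them as specific as the positive checks: `self.assertNotRegex(general_log, r'query.*\.lab\b')` and `self.assertNotRegex(general_log, r'query.*\.company\b')`. The positive patterns such as `'query.*math.lab'` also leave the dots unescaped; `r'query.*math\.lab'` says what is meant.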
@@ -320,7 +429,8 @@ class NetworkdClientTest(ClientTestBase, unittest.TestCase):
(fd, script) = tempfile.mkstemp(prefix='networkd-router.sh')
self.addCleanup(os.remove, script)
with os.fdopen(fd, 'w+') as f:
- f.write('''#!/bin/sh -eu
+ f.write('''\
+#!/bin/sh -eu
mkdir -p /run/systemd/network
mkdir -p /run/systemd/netif
mount -t tmpfs none /run/systemd/network
@@ -398,20 +508,18 @@ exec $(systemctl cat systemd-networkd.service | sed -n '/^ExecStart=/ { s/^.*=//
# we don't use this interface for this test
self.if_router = None
- with open('/run/systemd/network/test.netdev', 'w') as f:
- f.write('''[NetDev]
+ self.writeConfig('/run/systemd/network/test.netdev', '''\
+[NetDev]
Name=dummy0
Kind=dummy
MACAddress=12:34:56:78:9a:bc''')
- with open('/run/systemd/network/test.network', 'w') as f:
- f.write('''[Match]
+ self.writeConfig('/run/systemd/network/test.network', '''\
+[Match]
Name=dummy0
[Network]
Address=192.168.42.100
DNS=192.168.42.1
Domains= one two three four five six seven eight nine ten''')
- self.addCleanup(os.remove, '/run/systemd/network/test.netdev')
- self.addCleanup(os.remove, '/run/systemd/network/test.network')
subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
@@ -432,23 +540,18 @@ Domains= one two three four five six seven eight nine ten''')
name_prefix = 'a' * 60
- with open('/run/systemd/network/test.netdev', 'w') as f:
- f.write('''[NetDev]
+ self.writeConfig('/run/systemd/network/test.netdev', '''\
+[NetDev]
Name=dummy0
Kind=dummy
MACAddress=12:34:56:78:9a:bc''')
- with open('/run/systemd/network/test.network', 'w') as f:
- f.write('''[Match]
+ self.writeConfig('/run/systemd/network/test.network', '''\
+[Match]
Name=dummy0
[Network]
Address=192.168.42.100
DNS=192.168.42.1
-Domains=''')
- for i in range(5):
- f.write('%s%i ' % (name_prefix, i))
-
- self.addCleanup(os.remove, '/run/systemd/network/test.netdev')
- self.addCleanup(os.remove, '/run/systemd/network/test.network')
+Domains={p}0 {p}1 {p}2 {p}3 {p}4'''.format(p=name_prefix))
subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
@@ -458,9 +561,38 @@ Domains=''')
if ' one' in contents:
break
time.sleep(0.1)
- self.assertRegex(contents, 'search .*%(p)s0 %(p)s1 %(p)s2' % {'p': name_prefix})
+ self.assertRegex(contents, 'search .*{p}0 {p}1 {p}2'.format(p=name_prefix))
self.assertIn('# Total length of all search domains is too long, remaining ones ignored.', contents)
+ def test_dropin(self):
+ # we don't use this interface for this test
+ self.if_router = None
+
+ self.writeConfig('/run/systemd/network/test.netdev', '''\
+[NetDev]
+Name=dummy0
+Kind=dummy
+MACAddress=12:34:56:78:9a:bc''')
+ self.writeConfig('/run/systemd/network/test.network', '''\
+[Match]
+Name=dummy0
+[Network]
+Address=192.168.42.100
+DNS=192.168.42.1''')
+ self.writeConfig('/run/systemd/network/test.network.d/dns.conf', '''\
+[Network]
+DNS=127.0.0.1''')
+
+ subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
+
+ for timeout in range(50):
+ with open(RESOLV_CONF) as f:
+ contents = f.read()
+ if ' 127.0.0.1' in contents:
+ break
+ time.sleep(0.1)
+ self.assertIn('nameserver 192.168.42.1\n', contents)
+ self.assertIn('nameserver 127.0.0.1\n', contents)
if __name__ == '__main__':
unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
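Review bot: In the context at the top of this hunk the poll loop breaks on `' one'`, but the test it belongs to asserts on domains built from `name_prefix`. The condition looks like a leftover from the `one two three …` test, so the loop would always run its full 50 iterations. Consider `if name_prefix in contents:` there; that function starts outside this hunk, so confirm against the full file. In `test_dropin` the loop variable `timeout` is unused; `for _ in range(50):` reads more clearly.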
diff --git a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
new file mode 100644
index 0000000000..de1a6e7303
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test DynamicUser with User= and SupplementaryGroups=
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "1" && test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+DynamicUser=yes
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-dynamicuser-fixeduser.service b/test/test-execute/exec-dynamicuser-fixeduser.service
new file mode 100644
index 0000000000..1d84af02ed
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-fixeduser.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test DynamicUser with User=
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "1" && test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+DynamicUser=yes
diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service
new file mode 100644
index 0000000000..a47b7fab78
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test DynamicUser with SupplementaryGroups=
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G | cut -d " " --complement -f 1)" = "1 2 3"'
+Type=oneshot
+DynamicUser=yes
+SupplementaryGroups=1 2 3
diff --git a/test/test-execute/exec-inaccessiblepaths-mount-propagation.service b/test/test-execute/exec-inaccessiblepaths-mount-propagation.service
new file mode 100644
index 0000000000..23c6ff3f93
--- /dev/null
+++ b/test/test-execute/exec-inaccessiblepaths-mount-propagation.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test to make sure that InaccessiblePaths= disconnect mount propagation
+
+[Service]
+InaccessiblePaths=-/i-dont-exist
+ExecStart=/bin/sh -x -c 'mkdir -p /TEST; mount -t tmpfs tmpfs /TEST; grep TEST /proc/self/mountinfo && ! grep TEST /proc/$${PPID}/mountinfo && ! grep TEST /proc/1/mountinfo'
+Type=oneshot
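Review bot: `grep TEST` is unanchored, so any mount whose path or source happens to contain `TEST` in PID 1's or the parent's `mountinfo` makes the propagation check fail for reasons unrelated to `InaccessiblePaths=`. Matching the mount-point field, e.g. `grep " /TEST " /proc/self/mountinfo`, is stricter. `mkdir -p /TEST` is also never undone, and since a mount namespace does not isolate directory creation the empty `/TEST` presumably remains on the root filesystem after the run. The same `ExecStart=` line is used in the `protectkernelmodules-yes`, `readonlypaths` and `readwritepaths` mount-propagation units below.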
diff --git a/test/test-execute/exec-personality-aarch64.service b/test/test-execute/exec-personality-aarch64.service
new file mode 100644
index 0000000000..40b6d95e3a
--- /dev/null
+++ b/test/test-execute/exec-personality-aarch64.service
@@ -0,0 +1,7 @@
+Unit]
+Description=Test for Personality=aarch64
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "aarch64")'
+Type=oneshot
+Personality=aarch64
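Review bot: The first line of this unit is `Unit]`, missing the opening bracket, so `Description=` sits outside any valid section and systemd will presumably warn about it and ignore it. The sibling ppc64 and ppc64le units have the header right. Change it to `[Unit]`.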
diff --git a/test/test-execute/exec-personality-ppc64.service b/test/test-execute/exec-personality-ppc64.service
new file mode 100644
index 0000000000..ccc2c8d83d
--- /dev/null
+++ b/test/test-execute/exec-personality-ppc64.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Personality=ppc64
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "ppc64")'
+Type=oneshot
+Personality=ppc64
diff --git a/test/test-execute/exec-personality-ppc64le.service b/test/test-execute/exec-personality-ppc64le.service
new file mode 100644
index 0000000000..2a7625087d
--- /dev/null
+++ b/test/test-execute/exec-personality-ppc64le.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Personality=ppc64le
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "ppc64le")'
+Type=oneshot
+Personality=ppc64le
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
new file mode 100644
index 0000000000..6d39469da8
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_MKNOD capability for PrivateDevices=no
+
+[Service]
+PrivateDevices=no
+ExecStart=/bin/sh -x -c 'capsh --print | grep cap_mknod'
+Type=oneshot
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
new file mode 100644
index 0000000000..e7f529c44c
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
+
+[Service]
+PrivateDevices=no
+ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_rawio'
+Type=oneshot
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
new file mode 100644
index 0000000000..fb1fc2875a
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_MKNOD capability for PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+ExecStart=/bin/sh -x -c '! capsh --print | grep cap_mknod'
+Type=oneshot
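Review bot: `! capsh --print | grep cap_mknod` also succeeds when `capsh` is not installed or fails, because the pipeline's status is grep's and the negation turns "no match" into a pass. The unit would then report that CAP_MKNOD was dropped without having looked. Unless the harness that runs these units (not visible here) checks for `capsh` first, capture the output before testing it, e.g. `ExecStart=/bin/sh -x -c 'caps=$$(capsh --print) || exit 1; ! echo "$$caps" | grep cap_mknod'`. The same applies to `exec-privatedevices-yes-capability-sys-rawio.service` and `exec-protectkernelmodules-yes-capabilities.service` below.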
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
new file mode 100644
index 0000000000..cebc493a7a
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_rawio'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
new file mode 100644
index 0000000000..b2f2cd6b8a
--- /dev/null
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_MODULE ProtectKernelModules=no
+
+[Service]
+ProtectKernelModules=no
+ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_module'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
new file mode 100644
index 0000000000..84bf39be56
--- /dev/null
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
+
+[Service]
+ProtectKernelModules=yes
+ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_module'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service b/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service
new file mode 100644
index 0000000000..e438783df3
--- /dev/null
+++ b/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test to make sure that passing ProtectKernelModules=yes disconnect mount propagation
+
+[Service]
+ProtectKernelModules=yes
+ExecStart=/bin/sh -x -c 'mkdir -p /TEST; mount -t tmpfs tmpfs /TEST; grep TEST /proc/self/mountinfo && ! grep TEST /proc/$${PPID}/mountinfo && ! grep TEST /proc/1/mountinfo'
+Type=oneshot
diff --git a/test/test-execute/exec-readonlypaths-mount-propagation.service b/test/test-execute/exec-readonlypaths-mount-propagation.service
new file mode 100644
index 0000000000..237cbb2efb
--- /dev/null
+++ b/test/test-execute/exec-readonlypaths-mount-propagation.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test to make sure that passing ReadOnlyPaths= disconnect mount propagation
+
+[Service]
+ReadOnlyPaths=-/i-dont-exist
+ExecStart=/bin/sh -x -c 'mkdir -p /TEST; mount -t tmpfs tmpfs /TEST; grep TEST /proc/self/mountinfo && ! grep TEST /proc/$${PPID}/mountinfo && ! grep TEST /proc/1/mountinfo'
+Type=oneshot
diff --git a/test/test-execute/exec-readonlypaths.service b/test/test-execute/exec-readonlypaths.service
new file mode 100644
index 0000000000..6866fdc700
--- /dev/null
+++ b/test/test-execute/exec-readonlypaths.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for ReadOnlyPaths=
+
+[Service]
+ReadOnlyPaths=/etc -/i-dont-exist /usr
+ExecStart=/bin/sh -x -c 'test ! -w /etc && test ! -w /usr && test ! -e /i-dont-exist && test -w /var'
+Type=oneshot
diff --git a/test/test-execute/exec-readwritepaths-mount-propagation.service b/test/test-execute/exec-readwritepaths-mount-propagation.service
new file mode 100644
index 0000000000..466ce6c747
--- /dev/null
+++ b/test/test-execute/exec-readwritepaths-mount-propagation.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test to make sure that passing ReadWritePaths= disconnect mount propagation
+
+[Service]
+ReadWritePaths=-/i-dont-exist
+ExecStart=/bin/sh -x -c 'mkdir -p /TEST; mount -t tmpfs tmpfs /TEST; grep TEST /proc/self/mountinfo && ! grep TEST /proc/$${PPID}/mountinfo && ! grep TEST /proc/1/mountinfo'
+Type=oneshot
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
new file mode 100644
index 0000000000..a49c9d26a1
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Supplementary Group with multiple groups without Group and User
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "0 1 2 3" && test "$$(id -g)" = "0" && test "$$(id -u)" = "0"'
+Type=oneshot
+SupplementaryGroups=1 2 3
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
new file mode 100644
index 0000000000..5c62c1d639
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for Supplementary Group with multiple groups and Group=1
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "1 2 3" && test "$$(id -g)" = "1" && test "$$(id -u)" = "0"'
+Type=oneshot
+Group=1
+SupplementaryGroups=1 2 3
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
new file mode 100644
index 0000000000..00523e383b
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for Supplementary Group with multiple groups and Uid=1
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "1 2 3" && test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+SupplementaryGroups=1 2 3
diff --git a/test/test-execute/exec-supplementarygroups-single-group-user.service b/test/test-execute/exec-supplementarygroups-single-group-user.service
new file mode 100644
index 0000000000..ed6276d303
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-single-group-user.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for Supplementary Group with only one group and uid 1
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "1" && test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+Group=1
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-supplementarygroups-single-group.service b/test/test-execute/exec-supplementarygroups-single-group.service
new file mode 100644
index 0000000000..ee502b3d37
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-single-group.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for Supplementary Group with only one group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "1" && test "$$(id -g)" = "1" && test "$$(id -u)" = "0"'
+Type=oneshot
+Group=1
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-supplementarygroups.service b/test/test-execute/exec-supplementarygroups.service
new file mode 100644
index 0000000000..43a9a981f2
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Supplementary Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -G)" = "0 1"'
+Type=oneshot
+SupplementaryGroups=1
diff --git a/test/test-functions b/test/test-functions
index 567a000b8d..2a21a64c5c 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -225,6 +225,7 @@ create_valgrind_wrapper() {
cat >$_valgrind_wrapper <<EOF
#!/bin/bash
+mount -t proc proc /proc
exec valgrind --leak-check=full --log-file=/valgrind.out $ROOTLIBDIR/systemd "\$@"
EOF
chmod 0755 $_valgrind_wrapper
diff --git a/test/udev-test.pl b/test/udev-test.pl
index da0a4e1f6b..9723386b23 100755
--- a/test/udev-test.pl
+++ b/test/udev-test.pl
@@ -37,7 +37,7 @@ my $EXIT_TEST_SKIP = 77;
my $rules_10k_tags = "";
for (my $i = 1; $i <= 10000; ++$i) {
- $rules_10k_tags .= 'KERNEL=="sda", TAG+="test' . $i . "\"\n";
+ $rules_10k_tags .= 'KERNEL=="sda", TAG+="test' . $i . "\"\n";
}
my @tests = (
@@ -1535,11 +1535,18 @@ if (!($<==0)) {
exit($EXIT_TEST_SKIP);
}
+# skip the test when running in a chroot
+system("systemd-detect-virt", "-r", "-q");
+if ($? >> 8 == 0) {
+ print "Running in a chroot, skipping the test.\n";
+ exit($EXIT_TEST_SKIP);
+}
+
# skip the test when running in a container
system("systemd-detect-virt", "-c", "-q");
if ($? >> 8 == 0) {
- print "Running in a container, skipping the test.\n";
- exit($EXIT_TEST_SKIP);
+ print "Running in a container, skipping the test.\n";
+ exit($EXIT_TEST_SKIP);
}
udev_setup();
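Review bot: `$? >> 8 == 0` is also true when `systemd-detect-virt` is killed by a signal, because the signal number lives in the low bits that the shift discards. The new chroot check, and the container check below it that uses the same expression, would then skip the whole test. Comparing the full status, `if ($? == 0) {`, only skips when the tool ran and exited 0. The two blocks differ only in the flag and the message, so a small helper taking both would remove the duplication.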
@@ -1589,6 +1596,6 @@ system("umount", "$udev_tmpfs");
rmdir($udev_tmpfs);
if ($error > 0) {
- exit(1);
+ exit(1);
}
exit(0);