From 281e05b6cb406debe7b290e5aee8eae049671c14 Mon Sep 17 00:00:00 2001 
From: Ronny Chevalier Date: Tue, 11 Nov 2014 20:05:40 +0100 Subject: tests: add test-execute add tests for the following directives: - WorkingDirectory - Personality - IgnoreSIGPIPE - PrivateTmp - SystemCallFilter: It makes test/TEST-04-SECCOMP obsolete, so it has been removed. - SystemCallErrorNumber - User - Group - Environment --- test/TEST-04-SECCOMP/Makefile | 1 - test/TEST-04-SECCOMP/test-seccomp.sh | 13 ---- test/TEST-04-SECCOMP/test.sh | 79 ------------------------- test/TEST-04-SECCOMP/will-fail.service | 8 --- test/TEST-04-SECCOMP/will-fail2.service | 6 -- test/TEST-04-SECCOMP/will-not-fail.service | 9 --- test/TEST-04-SECCOMP/will-not-fail2.service | 6 -- test/exec-environment-empty.service | 7 +++ test/exec-environment-multiple.service | 7 +++ test/exec-environment.service | 6 ++ test/exec-group.service | 6 ++ test/exec-ignoresigpipe-no.service | 7 +++ test/exec-ignoresigpipe-yes.service | 7 +++ test/exec-personality-x86-64.service | 7 +++ test/exec-personality-x86.service | 7 +++ test/exec-privatedevices-no.service | 7 +++ test/exec-privatedevices-yes.service | 7 +++ test/exec-privatetmp-no.service | 7 +++ test/exec-privatetmp-yes.service | 7 +++ test/exec-systemcallerrornumber.service | 7 +++ test/exec-systemcallfilter-failing.service | 8 +++ test/exec-systemcallfilter-failing2.service | 6 ++ test/exec-systemcallfilter-not-failing.service | 9 +++ test/exec-systemcallfilter-not-failing2.service | 6 ++ test/exec-user.service | 6 ++ test/exec-workingdirectory.service | 7 +++ 26 files changed, 131 insertions(+), 122 deletions(-) delete mode 120000 test/TEST-04-SECCOMP/Makefile delete mode 100755 test/TEST-04-SECCOMP/test-seccomp.sh delete mode 100755 test/TEST-04-SECCOMP/test.sh delete mode 100644 test/TEST-04-SECCOMP/will-fail.service delete mode 100644 test/TEST-04-SECCOMP/will-fail2.service delete mode 100644 test/TEST-04-SECCOMP/will-not-fail.service delete mode 100644 test/TEST-04-SECCOMP/will-not-fail2.service create mode 100644 
test/exec-environment-empty.service create mode 100644 test/exec-environment-multiple.service create mode 100644 test/exec-environment.service create mode 100644 test/exec-group.service create mode 100644 test/exec-ignoresigpipe-no.service create mode 100644 test/exec-ignoresigpipe-yes.service create mode 100644 test/exec-personality-x86-64.service create mode 100644 test/exec-personality-x86.service create mode 100644 test/exec-privatedevices-no.service create mode 100644 test/exec-privatedevices-yes.service create mode 100644 test/exec-privatetmp-no.service create mode 100644 test/exec-privatetmp-yes.service create mode 100644 test/exec-systemcallerrornumber.service create mode 100644 test/exec-systemcallfilter-failing.service create mode 100644 test/exec-systemcallfilter-failing2.service create mode 100644 test/exec-systemcallfilter-not-failing.service create mode 100644 test/exec-systemcallfilter-not-failing2.service create mode 100644 test/exec-user.service create mode 100644 test/exec-workingdirectory.service (limited to 'test') diff --git a/test/TEST-04-SECCOMP/Makefile b/test/TEST-04-SECCOMP/Makefile deleted file mode 120000 index e9f93b1104..0000000000 --- a/test/TEST-04-SECCOMP/Makefile +++ /dev/null @@ -1 +0,0 @@ -../TEST-01-BASIC/Makefile \ No newline at end of file diff --git a/test/TEST-04-SECCOMP/test-seccomp.sh b/test/TEST-04-SECCOMP/test-seccomp.sh deleted file mode 100755 index 2496190445..0000000000 --- a/test/TEST-04-SECCOMP/test-seccomp.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -x - -systemctl start will-fail.service -systemctl start will-fail2.service -systemctl start will-not-fail.service -systemctl start will-not-fail2.service -systemctl is-failed will-fail.service || exit 1 -systemctl is-failed will-fail2.service || exit 1 -systemctl is-failed will-not-fail.service && exit 1 -systemctl is-failed will-not-fail2.service && exit 1 - -touch /testok -exit 0 
diff --git a/test/TEST-04-SECCOMP/test.sh b/test/TEST-04-SECCOMP/test.sh deleted file mode 100755 index a85b50cca2..0000000000 --- a/test/TEST-04-SECCOMP/test.sh +++ /dev/null @@ -1,79 +0,0 @@ -#!/bin/bash -# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- -# ex: ts=8 sw=4 sts=4 et filetype=sh -TEST_DESCRIPTION="seccomp tests" - -. $TEST_BASE_DIR/test-functions - -check_result_qemu() { - ret=1 - mkdir -p $TESTDIR/root - mount ${LOOPDEV}p1 $TESTDIR/root - [[ -e $TESTDIR/root/testok ]] && ret=0 - [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR - cp -a $TESTDIR/root/var/log/journal $TESTDIR - umount $TESTDIR/root - [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed - ls -l $TESTDIR/journal/*/*.journal - test -s $TESTDIR/failed && ret=$(($ret+1)) - return $ret -} - -test_run() { - if run_qemu; then - check_result_qemu || return 1 - else - dwarn "can't run QEMU, skipping" - fi - if check_nspawn; then - run_nspawn - check_result_nspawn || return 1 - else - dwarn "can't run systemd-nspawn, skipping" - fi - return 0 -} - -test_setup() { - create_empty_image - mkdir -p $TESTDIR/root - mount ${LOOPDEV}p1 $TESTDIR/root - - # Create what will eventually be our root filesystem onto an overlay - ( - LOG_LEVEL=5 - eval $(udevadm info --export --query=env --name=${LOOPDEV}p2) - - setup_basic_environment - - # setup the testsuite service - cat >$initdir/etc/systemd/system/testsuite.service </dev/null - [[ $LOOPDEV ]] && losetup -d $LOOPDEV - return 0 -} - -do_test "$@" diff --git a/test/TEST-04-SECCOMP/will-fail.service b/test/TEST-04-SECCOMP/will-fail.service deleted file mode 100644 index c4e0be90f2..0000000000 --- a/test/TEST-04-SECCOMP/will-fail.service +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=Will fail - -[Service] -ExecStart=/bin/echo "This should not be seen" -SystemCallFilter=ioperm -SystemCallFilter=~ioperm -SystemCallFilter=ioperm 
diff --git a/test/TEST-04-SECCOMP/will-fail2.service b/test/TEST-04-SECCOMP/will-fail2.service
deleted file mode 100644
index f7f1ae9077..0000000000
--- a/test/TEST-04-SECCOMP/will-fail2.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Will fail 2
-
-[Service]
-ExecStart=/bin/echo "This should not be seen"
-SystemCallFilter=~write open execve exit_group close mmap munmap fstat DONOTEXIST
diff --git a/test/TEST-04-SECCOMP/will-not-fail.service b/test/TEST-04-SECCOMP/will-not-fail.service
deleted file mode 100644
index 5c1b59456e..0000000000
--- a/test/TEST-04-SECCOMP/will-not-fail.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Will not fail
-
-[Service]
-ExecStart=/bin/echo "Foo bar"
-SystemCallFilter=~read write open execve ioperm
-SystemCallFilter=ioctl
-SystemCallFilter=read write open execve
-SystemCallFilter=~ioperm
diff --git a/test/TEST-04-SECCOMP/will-not-fail2.service b/test/TEST-04-SECCOMP/will-not-fail2.service
deleted file mode 100644
index 2df05e33e8..0000000000
--- a/test/TEST-04-SECCOMP/will-not-fail2.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Reset SystemCallFilter
-
-[Service]
-ExecStart=/bin/echo "Foo bar"
-SystemCallFilter=
diff --git a/test/exec-environment-empty.service b/test/exec-environment-empty.service
new file mode 100644
index 0000000000..0219ca4fd7
--- /dev/null
+++ b/test/exec-environment-empty.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Environment
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test ! "$VAR1" = "word1 word2") && $(test ! "$VAR2" = word3) && $(test ! "$VAR3" = \'$word 5 6\')'
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
+Environment=
diff --git a/test/exec-environment-multiple.service b/test/exec-environment-multiple.service
new file mode 100644
index 0000000000..479005a5d8
--- /dev/null
+++ b/test/exec-environment-multiple.service
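Review bot: In the `ExecStart=` line of exec-environment-empty.service only the first comparison is ever evaluated, because `exit $(test …)` terminates the shell before the `&& $(test …)` parts run, so `VAR2` and `VAR3` are never checked. The same construction is used in exec-environment-multiple.service and exec-environment.service, where a wrong `VAR2` or `VAR3` would equally go unnoticed. Dropping `exit` and the command substitutions lets the shell's own exit status carry the whole chain, e.g. `/bin/sh -c 'test ! "$VAR1" = "word1 word2" && test ! "$VAR2" = word3 && …'`.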
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Environment
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test "$VAR1" = "word1 word2") && $(test "$VAR2" = word3) && $(test "$VAR3" = foobar)'
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
+Environment="VAR3=foobar"
diff --git a/test/exec-environment.service b/test/exec-environment.service
new file mode 100644
index 0000000000..4586b4c4a9
--- /dev/null
+++ b/test/exec-environment.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Test for Environment
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test "$VAR1" = "word1 word2") && $(test "$VAR2" = word3) && $(test "$VAR3" = \'$word 5 6\')'
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
diff --git a/test/exec-group.service b/test/exec-group.service
new file mode 100644
index 0000000000..1aa04b5bd2
--- /dev/null
+++ b/test/exec-group.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Test for Group
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test $(id -n -g) = nobody)'
+Group=nobody
diff --git a/test/exec-ignoresigpipe-no.service b/test/exec-ignoresigpipe-no.service
new file mode 100644
index 0000000000..69b2e9d8a8
--- /dev/null
+++ b/test/exec-ignoresigpipe-no.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for IgnoreSIGPIPE=no
+
+[Service]
+ExecStart=/bin/sh -c 'kill -PIPE 0'
+Type=oneshot
+IgnoreSIGPIPE=no
diff --git a/test/exec-ignoresigpipe-yes.service b/test/exec-ignoresigpipe-yes.service
new file mode 100644
index 0000000000..877ec8aed0
--- /dev/null
+++ b/test/exec-ignoresigpipe-yes.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for IgnoreSIGPIPE=yes
+
+[Service]
+ExecStart=/bin/sh -c 'kill -PIPE 0'
+Type=oneshot
+IgnoreSIGPIPE=yes
diff --git a/test/exec-personality-x86-64.service b/test/exec-personality-x86-64.service
new file mode 100644
index 0000000000..5bb5d910d0
--- /dev/null
+++ b/test/exec-personality-x86-64.service
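Review bot: exec-group.service leaves `$(id -n -g)` unquoted inside `test`, so an empty result from `id` turns the comparison into a syntax error instead of a clean mismatch; `ExecStart=/bin/sh -c 'test "$(id -n -g)" = nobody'` is the sturdier form. The unit also assumes a group named `nobody` exists on the test host, which is presumably not true everywhere. A comment stating that requirement would help whoever sees this fail at credential setup rather than in the check itself.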
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Personality=x86-64
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "x86_64")'
+Type=oneshot
+Personality=x86-64
diff --git a/test/exec-personality-x86.service b/test/exec-personality-x86.service
new file mode 100644
index 0000000000..0b370a6480
--- /dev/null
+++ b/test/exec-personality-x86.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Personality=x86
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "i686")'
+Type=oneshot
+Personality=x86
diff --git a/test/exec-privatedevices-no.service b/test/exec-privatedevices-no.service
new file mode 100644
index 0000000000..cf4f275fb6
--- /dev/null
+++ b/test/exec-privatedevices-no.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for PrivateDev=no
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test -c /dev/mem)'
+Type=oneshot
+PrivateDevices=no
diff --git a/test/exec-privatedevices-yes.service b/test/exec-privatedevices-yes.service
new file mode 100644
index 0000000000..85b3f4f981
--- /dev/null
+++ b/test/exec-privatedevices-yes.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for PrivateDev=yes
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test ! -c /dev/mem)'
+Type=oneshot
+PrivateDevices=yes
diff --git a/test/exec-privatetmp-no.service b/test/exec-privatetmp-no.service
new file mode 100644
index 0000000000..d69e552a63
--- /dev/null
+++ b/test/exec-privatetmp-no.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for PrivateTmp=no
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test -f /tmp/test-exec_privatetmp)'
+Type=oneshot
+PrivateTmp=no
diff --git a/test/exec-privatetmp-yes.service b/test/exec-privatetmp-yes.service
new file mode 100644
index 0000000000..881a040b87
--- /dev/null
+++ b/test/exec-privatetmp-yes.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for PrivateTmp=yes
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test ! -f /tmp/test-exec_privatetmp)'
+Type=oneshot
+PrivateTmp=yes
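Review bot: Both PrivateDevices units judge the whole sandbox by a single node, `/dev/mem`, and the `no` case `test -c /dev/mem` additionally assumes the host exposes that node, so it may fail inside a container or on a kernel without it for reasons unrelated to the directive. A comment naming that precondition would make such failures easier to read. The `Description=` lines say `PrivateDev=` while the directive is `PrivateDevices=`; `Description=Test for PrivateDevices=no` (and `=yes`) would match the other units.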
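Review bot: The negative check `test ! -f /tmp/test-exec_privatetmp` in exec-privatetmp-yes.service also succeeds when the marker file was never created on the host, so the unit can pass without PrivateTmp= having isolated anything. The file's creation is not visible in this view of the commit (limited to 'test'), so the driver presumably creates it first. A comment such as `# requires /tmp/test-exec_privatetmp to exist on the host before start` would record that dependency in the unit itself.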
diff --git a/test/exec-systemcallerrornumber.service b/test/exec-systemcallerrornumber.service
new file mode 100644
index 0000000000..255a8b231a
--- /dev/null
+++ b/test/exec-systemcallerrornumber.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for SystemCallErrorNumber
+
+[Service]
+ExecStart=/usr/bin/uname -a
+SystemCallFilter=~uname
+SystemCallErrorNumber=EACCES
diff --git a/test/exec-systemcallfilter-failing.service b/test/exec-systemcallfilter-failing.service
new file mode 100644
index 0000000000..c6ce9368c9
--- /dev/null
+++ b/test/exec-systemcallfilter-failing.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=ioperm
+SystemCallFilter=~ioperm
+SystemCallFilter=ioperm
diff --git a/test/exec-systemcallfilter-failing2.service b/test/exec-systemcallfilter-failing2.service
new file mode 100644
index 0000000000..b7f7c2aff9
--- /dev/null
+++ b/test/exec-systemcallfilter-failing2.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=~write open execve exit_group close mmap munmap fstat DONOTEXIST
diff --git a/test/exec-systemcallfilter-not-failing.service b/test/exec-systemcallfilter-not-failing.service
new file mode 100644
index 0000000000..feb206ab6d
--- /dev/null
+++ b/test/exec-systemcallfilter-not-failing.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/exec-systemcallfilter-not-failing2.service b/test/exec-systemcallfilter-not-failing2.service
new file mode 100644
index 0000000000..cca469aa3d
--- /dev/null
+++ b/test/exec-systemcallfilter-not-failing2.service
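Review bot: exec-systemcallerrornumber.service can show that the filtered `uname` call was turned into an error return rather than a kill, but as written nothing ties the result to `EACCES` specifically, since `uname` presumably exits with the same status for any errno. How the result is asserted is outside this view, so this may be intended; if the configured errno itself should be covered, the unit would need a command whose exit status or output reflects errno. `ExecStart=/usr/bin/uname -a` also hard-codes a path that differs from the `/bin/…` locations used by the other units, which deserves a comment stating where the binary is expected to live.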
@@ -0,0 +1,6 @@
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=
diff --git a/test/exec-user.service b/test/exec-user.service
new file mode 100644
index 0000000000..2ca08ebb42
--- /dev/null
+++ b/test/exec-user.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Test for User
+
+[Service]
+ExecStart=/bin/sh -c 'exit $(test "$USER" = nobody)'
+User=nobody
diff --git a/test/exec-workingdirectory.service b/test/exec-workingdirectory.service
new file mode 100644
index 0000000000..10855d682a
--- /dev/null
+++ b/test/exec-workingdirectory.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for WorkingDirectory
+
+[Service]
+ExecStart=/bin/sh -c 'echo $PWD; exit $(test $PWD = "/tmp/test-exec_workingdirectory")'
+Type=oneshot
+WorkingDirectory=/tmp/test-exec_workingdirectory
-- cgit v1.2.3-54-g00ecf
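Review bot: exec-user.service compares the `$USER` environment variable, which shows only that the variable was set and not that the process credentials actually changed. For a directive whose purpose is dropping privileges, checking the effective uid is the meaningful assertion, e.g. `ExecStart=/bin/sh -c 'test "$(id -n -u)" = nobody'`, which also mirrors the `id -n -g` check in exec-group.service.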