set -eux
set -o pipefail
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
# Make sure the unit's exec context matches its configuration
# See: https://github.com/systemd/systemd/pull/29552
ulimit -R || exit 0;
: RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];'
+# RestrictFileSystems=
+#
+# Note: running instrumented binaries requires at least /proc to be accessible, so let's
+# skip the test when we're running under sanitizers
+if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then
+ ROOTFS="$(df --output=fstype /usr/bin | sed --quiet 2p)"
+ systemd-run --wait --pipe -p RestrictFileSystems="" ls /
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls /
+ (! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /)
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup
+
+ systemd-run --wait --pipe -p RestrictFileSystems="~" ls /
+ systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /
+ systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys)
+ systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys)
+fi
+
# Ensure that clean-up codepaths work correctly if activation ultimately fails
touch /run/not-a-directory
mkdir /tmp/root
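Review bot: The negative cases from `(! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc)` onward accept any non-zero exit, so a unit that fails for an unrelated reason (a rejected property value, `systemd-run` itself erroring out, the payload never starting) satisfies them without the BPF LSM restriction ever being exercised. For at least one case it would be worth asserting the denial itself rather than just "something failed", e.g. `out=$(systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc 2>&1 || :)` followed by `[[ "$out" =~ "Operation not permitted" ]]` — the exact text depends on the errno the LSM hook returns, so confirm it against a real run before pinning it. The gating `systemctl --version | grep "+BPF_FRAMEWORK"` also echoes the matched version line into the test log; `grep -q` is the usual form inside an `if`. Under `set -e` the `if` condition is exempt, so a `grep` miss correctly skips rather than aborts, which is presumably the intent.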
# but let's do that when/if the need arises
openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
}
+
+kernel_supports_lsm() {
+ local lsm="${1:?}"
+ local items item
+
+ if [[ ! -e /sys/kernel/security/lsm ]]; then
+ echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported"
+ return 1
+ fi
+
+ mapfile -t -d, items </sys/kernel/security/lsm
+ for item in "${items[@]}"; do
+ if [[ "$item" == "$lsm" ]]; then
+ return 0
+ fi
+ done
+
+ return 1
+}