test: add a couple of tests for RestrictFileSystems=

diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh
index b4118d2..10b4253 100755 (executable)
--- a/test/units/testsuite-07.exec-context.sh
+++ b/test/units/testsuite-07.exec-context.sh
@@ -4,6 +4,9 @@
 set -eux
 set -o pipefail
 
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
 # Make sure the unit's exec context matches its configuration
 # See: https://github.com/systemd/systemd/pull/29552
 
@@ -284,6 +287,34 @@ systemd-run --wait --pipe "${ARGUMENTS[@]}" \
                ulimit -R || exit 0;
                : RTTIME;     [[ $(ulimit -SR) -eq 666666 ]];       [[ $(ulimit -HR) -eq 666666 ]];'
 
+# RestrictFileSystems=
+#
+# Note: running instrumented binaries requires at least /proc to be accessible, so let's
+#       skip the test when we're running under sanitizers
+if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then
+    ROOTFS="$(df --output=fstype /usr/bin | sed --quiet 2p)"
+    systemd-run --wait --pipe -p RestrictFileSystems="" ls /
+    systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls /
+    (! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /)
+    systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc
+    systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc
+    systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup
+
+    systemd-run --wait --pipe -p RestrictFileSystems="~" ls /
+    systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /
+    systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys)
+    systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev)
+    (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys)
+fi
+
 # Ensure that clean-up codepaths work correctly if activation ultimately fails
 touch /run/not-a-directory
 mkdir /tmp/root

diff --git a/test/units/util.sh b/test/units/util.sh
index fdfb91f..b5ed732 100755 (executable)
--- a/test/units/util.sh
+++ b/test/units/util.sh
@@ -197,3 +197,22 @@ openssl_supports_kdf() {
     # but let's do that when/if the need arises
     openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
 }
+
+kernel_supports_lsm() {
+    local lsm="${1:?}"
+    local items item
+
+    if [[ ! -e /sys/kernel/security/lsm ]]; then
+        echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported"
+        return 1
+    fi
+
+    mapfile -t -d, items </sys/kernel/security/lsm
+    for item in "${items[@]}"; do
+        if [[ "$item" == "$lsm" ]]; then
+            return 0
+        fi
+    done
+
+    return 1
+}