/* SPDX-License-Identifier: LGPL-2.1+ */
+#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include "process-util.h"
#include "string-util.h"
#include "tests.h"
+#include "user-util.h"
#include "util.h"
+#include "virt.h"
static void test_tmpdir(const char *id, const char *A, const char *B) {
_cleanup_free_ char *a, *b;
assert_se(rmdir(b) >= 0);
}
-static int test_netns(void) {
+static void test_netns(void) {
_cleanup_close_pair_ int s[2] = { -1, -1 };
pid_t pid1, pid2, pid3;
int r, n = 0;
siginfo_t si;
- if (geteuid() > 0)
- return log_tests_skipped("not root");
+ if (geteuid() > 0) {
+ (void) log_tests_skipped("not root");
+ return;
+ }
assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);
n += si.si_status;
assert_se(n == 1);
- return EXIT_SUCCESS;
+}
+
+static void test_protect_kernel_logs(void) {
+ int r;
+ pid_t pid;
+ static const NamespaceInfo ns_info = {
+ .protect_kernel_logs = true,
+ };
+
+ if (geteuid() > 0) {
+ (void) log_tests_skipped("not root");
+ return;
+ }
+
+ /* In a container we likely don't have access to /dev/kmsg */
+ if (detect_container() > 0) {
+ (void) log_tests_skipped("in container");
+ return;
+ }
+
+
+ pid = fork();
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+ _cleanup_close_ int fd = -1;
+
+ fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
+ assert_se(fd > 0);
+
+ r = setup_namespace(NULL,
+ NULL,
+ &ns_info,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL, 0,
+ NULL, 0,
+ NULL,
+ NULL,
+ PROTECT_HOME_NO,
+ PROTECT_SYSTEM_NO,
+ 0,
+ 0,
+ NULL);
+ assert_se(r == 0);
+
+ assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
+ assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
+ assert_se(errno == EACCES);
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
}
int main(int argc, char *argv[]) {
test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);
- return test_netns();
+ test_netns();
+ test_protect_kernel_logs();
+
+ return EXIT_SUCCESS;
}