Branch data Line data Source code
1 : : /* SPDX-License-Identifier: LGPL-2.1+ */
2 : :
3 : : #include <stdio.h>
4 : : #include <sys/types.h>
5 : : #include <sys/utsname.h>
6 : : #include <unistd.h>
7 : :
8 : : #include "sd-id128.h"
9 : :
10 : : #include "alloc-util.h"
11 : : #include "apparmor-util.h"
12 : : #include "architecture.h"
13 : : #include "audit-util.h"
14 : : #include "cgroup-util.h"
15 : : #include "condition.h"
16 : : #include "cpu-set-util.h"
17 : : #include "efivars.h"
18 : : #include "hostname-util.h"
19 : : #include "id128-util.h"
20 : : #include "ima-util.h"
21 : : #include "limits-util.h"
22 : : #include "log.h"
23 : : #include "macro.h"
24 : : #include "nulstr-util.h"
25 : : #include "process-util.h"
26 : : #include "selinux-util.h"
27 : : #include "set.h"
28 : : #include "smack-util.h"
29 : : #include "string-util.h"
30 : : #include "strv.h"
31 : : #include "tests.h"
32 : : #include "tomoyo-util.h"
33 : : #include "user-util.h"
34 : : #include "virt.h"
35 : :
36 : 4 : static void test_condition_test_path(void) {
37 : : Condition *condition;
38 : :
39 : 4 : condition = condition_new(CONDITION_PATH_EXISTS, "/bin/sh", false, false);
40 [ - + ]: 4 : assert_se(condition);
41 [ - + ]: 4 : assert_se(condition_test(condition));
42 : 4 : condition_free(condition);
43 : :
44 : 4 : condition = condition_new(CONDITION_PATH_EXISTS, "/bin/s?", false, false);
45 [ - + ]: 4 : assert_se(condition);
46 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
47 : 4 : condition_free(condition);
48 : :
49 : 4 : condition = condition_new(CONDITION_PATH_EXISTS_GLOB, "/bin/s?", false, false);
50 [ - + ]: 4 : assert_se(condition);
51 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
52 : 4 : condition_free(condition);
53 : :
54 : 4 : condition = condition_new(CONDITION_PATH_EXISTS_GLOB, "/bin/s?", false, true);
55 [ - + ]: 4 : assert_se(condition);
56 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
57 : 4 : condition_free(condition);
58 : :
59 : 4 : condition = condition_new(CONDITION_PATH_EXISTS, "/thiscertainlywontexist", false, false);
60 [ - + ]: 4 : assert_se(condition);
61 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
62 : 4 : condition_free(condition);
63 : :
64 : 4 : condition = condition_new(CONDITION_PATH_EXISTS, "/thiscertainlywontexist", false, true);
65 [ - + ]: 4 : assert_se(condition);
66 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
67 : 4 : condition_free(condition);
68 : :
69 : 4 : condition = condition_new(CONDITION_PATH_IS_DIRECTORY, "/bin", false, false);
70 [ - + ]: 4 : assert_se(condition);
71 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
72 : 4 : condition_free(condition);
73 : :
74 : 4 : condition = condition_new(CONDITION_DIRECTORY_NOT_EMPTY, "/bin", false, false);
75 [ - + ]: 4 : assert_se(condition);
76 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
77 : 4 : condition_free(condition);
78 : :
79 : 4 : condition = condition_new(CONDITION_FILE_NOT_EMPTY, "/bin/sh", false, false);
80 [ - + ]: 4 : assert_se(condition);
81 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
82 : 4 : condition_free(condition);
83 : :
84 : 4 : condition = condition_new(CONDITION_FILE_IS_EXECUTABLE, "/bin/sh", false, false);
85 [ - + ]: 4 : assert_se(condition);
86 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
87 : 4 : condition_free(condition);
88 : :
89 : 4 : condition = condition_new(CONDITION_FILE_IS_EXECUTABLE, "/etc/passwd", false, false);
90 [ - + ]: 4 : assert_se(condition);
91 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
92 : 4 : condition_free(condition);
93 : :
94 : 4 : condition = condition_new(CONDITION_PATH_IS_MOUNT_POINT, "/proc", false, false);
95 [ - + ]: 4 : assert_se(condition);
96 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
97 : 4 : condition_free(condition);
98 : :
99 : 4 : condition = condition_new(CONDITION_PATH_IS_MOUNT_POINT, "/", false, false);
100 [ - + ]: 4 : assert_se(condition);
101 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
102 : 4 : condition_free(condition);
103 : :
104 : 4 : condition = condition_new(CONDITION_PATH_IS_MOUNT_POINT, "/bin", false, false);
105 [ - + ]: 4 : assert_se(condition);
106 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
107 : 4 : condition_free(condition);
108 : :
109 : 4 : condition = condition_new(CONDITION_PATH_IS_READ_WRITE, "/tmp", false, false);
110 [ - + ]: 4 : assert_se(condition);
111 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
112 : 4 : condition_free(condition);
113 : :
114 : 4 : condition = condition_new(CONDITION_PATH_IS_SYMBOLIC_LINK, "/dev/stdout", false, false);
115 [ - + ]: 4 : assert_se(condition);
116 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
117 : 4 : condition_free(condition);
118 : 4 : }
119 : :
120 : 4 : static void test_condition_test_control_group_controller(void) {
121 : : Condition *condition;
122 : : CGroupMask system_mask;
123 : : CGroupController controller;
124 [ + - ]: 4 : _cleanup_free_ char *controller_name = NULL;
125 : : int r;
126 : :
127 : 4 : r = cg_unified_flush();
128 [ - + ]: 4 : if (r < 0) {
129 [ # # ]: 0 : log_notice_errno(r, "Skipping ConditionControlGroupController tests: %m");
130 : 0 : return;
131 : : }
132 : :
133 : : /* Invalid controllers are ignored */
134 : 4 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, "thisisnotarealcontroller", false, false);
135 [ - + ]: 4 : assert_se(condition);
136 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
137 : 4 : condition_free(condition);
138 : :
139 : 4 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, "thisisnotarealcontroller", false, true);
140 [ - + ]: 4 : assert_se(condition);
141 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
142 : 4 : condition_free(condition);
143 : :
144 [ - + ]: 4 : assert_se(cg_mask_supported(&system_mask) >= 0);
145 : :
146 : : /* Individual valid controllers one by one */
147 [ + + ]: 40 : for (controller = 0; controller < _CGROUP_CONTROLLER_MAX; controller++) {
148 : 36 : const char *local_controller_name = cgroup_controller_to_string(controller);
149 [ + - ]: 36 : log_info("chosen controller is '%s'", local_controller_name);
150 [ + + ]: 36 : if (system_mask & CGROUP_CONTROLLER_TO_MASK(controller)) {
151 [ + - ]: 24 : log_info("this controller is available");
152 : 24 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, local_controller_name, false, false);
153 [ - + ]: 24 : assert_se(condition);
154 [ - + ]: 24 : assert_se(condition_test(condition) > 0);
155 : 24 : condition_free(condition);
156 : :
157 : 24 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, local_controller_name, false, true);
158 [ - + ]: 24 : assert_se(condition);
159 [ - + ]: 24 : assert_se(condition_test(condition) == 0);
160 : 24 : condition_free(condition);
161 : : } else {
162 [ + - ]: 12 : log_info("this controller is unavailable");
163 : 12 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, local_controller_name, false, false);
164 [ - + ]: 12 : assert_se(condition);
165 [ - + ]: 12 : assert_se(condition_test(condition) == 0);
166 : 12 : condition_free(condition);
167 : :
168 : 12 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, local_controller_name, false, true);
169 [ - + ]: 12 : assert_se(condition);
170 [ - + ]: 12 : assert_se(condition_test(condition) > 0);
171 : 12 : condition_free(condition);
172 : : }
173 : : }
174 : :
175 : : /* Multiple valid controllers at the same time */
176 [ - + ]: 4 : assert_se(cg_mask_to_string(system_mask, &controller_name) >= 0);
177 : :
178 : 4 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, strempty(controller_name), false, false);
179 [ - + ]: 4 : assert_se(condition);
180 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
181 : 4 : condition_free(condition);
182 : :
183 : 4 : condition = condition_new(CONDITION_CONTROL_GROUP_CONTROLLER, strempty(controller_name), false, true);
184 [ - + ]: 4 : assert_se(condition);
185 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
186 : 4 : condition_free(condition);
187 : : }
188 : :
189 : 4 : static void test_condition_test_ac_power(void) {
190 : : Condition *condition;
191 : :
192 : 4 : condition = condition_new(CONDITION_AC_POWER, "true", false, false);
193 [ - + ]: 4 : assert_se(condition);
194 [ - + ]: 4 : assert_se(condition_test(condition) == on_ac_power());
195 : 4 : condition_free(condition);
196 : :
197 : 4 : condition = condition_new(CONDITION_AC_POWER, "false", false, false);
198 [ - + ]: 4 : assert_se(condition);
199 [ - + ]: 4 : assert_se(condition_test(condition) != on_ac_power());
200 : 4 : condition_free(condition);
201 : :
202 : 4 : condition = condition_new(CONDITION_AC_POWER, "false", false, true);
203 [ - + ]: 4 : assert_se(condition);
204 [ - + ]: 4 : assert_se(condition_test(condition) == on_ac_power());
205 : 4 : condition_free(condition);
206 : 4 : }
207 : :
208 : 4 : static void test_condition_test_host(void) {
209 : 4 : _cleanup_free_ char *hostname = NULL;
210 : : char sid[SD_ID128_STRING_MAX];
211 : : Condition *condition;
212 : : sd_id128_t id;
213 : : int r;
214 : :
215 : 4 : r = sd_id128_get_machine(&id);
216 [ - + ]: 4 : assert_se(r >= 0);
217 [ - + ]: 4 : assert_se(sd_id128_to_string(id, sid));
218 : :
219 : 4 : condition = condition_new(CONDITION_HOST, sid, false, false);
220 [ - + ]: 4 : assert_se(condition);
221 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
222 : 4 : condition_free(condition);
223 : :
224 : 4 : condition = condition_new(CONDITION_HOST, "garbage value jjjjjjjjjjjjjj", false, false);
225 [ - + ]: 4 : assert_se(condition);
226 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
227 : 4 : condition_free(condition);
228 : :
229 : 4 : condition = condition_new(CONDITION_HOST, sid, false, true);
230 [ - + ]: 4 : assert_se(condition);
231 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
232 : 4 : condition_free(condition);
233 : :
234 : 4 : hostname = gethostname_malloc();
235 [ - + ]: 4 : assert_se(hostname);
236 : :
237 : : /* if hostname looks like an id128 then skip testing it */
238 [ - + ]: 4 : if (id128_is_valid(hostname))
239 [ # # ]: 0 : log_notice("hostname is an id128, skipping test");
240 : : else {
241 : 4 : condition = condition_new(CONDITION_HOST, hostname, false, false);
242 [ - + ]: 4 : assert_se(condition);
243 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
244 : 4 : condition_free(condition);
245 : : }
246 : 4 : }
247 : :
248 : 4 : static void test_condition_test_architecture(void) {
249 : : Condition *condition;
250 : : const char *sa;
251 : : int a;
252 : :
253 : 4 : a = uname_architecture();
254 [ - + ]: 4 : assert_se(a >= 0);
255 : :
256 : 4 : sa = architecture_to_string(a);
257 [ - + ]: 4 : assert_se(sa);
258 : :
259 : 4 : condition = condition_new(CONDITION_ARCHITECTURE, sa, false, false);
260 [ - + ]: 4 : assert_se(condition);
261 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
262 : 4 : condition_free(condition);
263 : :
264 : 4 : condition = condition_new(CONDITION_ARCHITECTURE, "garbage value", false, false);
265 [ - + ]: 4 : assert_se(condition);
266 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
267 : 4 : condition_free(condition);
268 : :
269 : 4 : condition = condition_new(CONDITION_ARCHITECTURE, sa, false, true);
270 [ - + ]: 4 : assert_se(condition);
271 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
272 : 4 : condition_free(condition);
273 : 4 : }
274 : :
275 : 4 : static void test_condition_test_kernel_command_line(void) {
276 : : Condition *condition;
277 : :
278 : 4 : condition = condition_new(CONDITION_KERNEL_COMMAND_LINE, "thisreallyshouldntbeonthekernelcommandline", false, false);
279 [ - + ]: 4 : assert_se(condition);
280 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
281 : 4 : condition_free(condition);
282 : :
283 : 4 : condition = condition_new(CONDITION_KERNEL_COMMAND_LINE, "andthis=neither", false, false);
284 [ - + ]: 4 : assert_se(condition);
285 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
286 : 4 : condition_free(condition);
287 : 4 : }
288 : :
289 : 4 : static void test_condition_test_kernel_version(void) {
290 : : Condition *condition;
291 : : struct utsname u;
292 : : const char *v;
293 : :
294 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "*thisreallyshouldntbeinthekernelversion*", false, false);
295 [ - + ]: 4 : assert_se(condition);
296 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
297 : 4 : condition_free(condition);
298 : :
299 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "*", false, false);
300 [ - + ]: 4 : assert_se(condition);
301 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
302 : 4 : condition_free(condition);
303 : :
304 : : /* An artificially empty condition. It evaluates to true, but normally
305 : : * such condition cannot be created, because the condition list is reset instead. */
306 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "", false, false);
307 [ - + ]: 4 : assert_se(condition);
308 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
309 : 4 : condition_free(condition);
310 : :
311 [ - + ]: 4 : assert_se(uname(&u) >= 0);
312 : :
313 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, u.release, false, false);
314 [ - + ]: 4 : assert_se(condition);
315 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
316 : 4 : condition_free(condition);
317 : :
318 : 4 : strshorten(u.release, 4);
319 : 4 : strcpy(strchr(u.release, 0), "*");
320 : :
321 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, u.release, false, false);
322 [ - + ]: 4 : assert_se(condition);
323 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
324 : 4 : condition_free(condition);
325 : :
326 : : /* 0.1.2 would be a very very very old kernel */
327 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "> 0.1.2", false, false);
328 [ - + ]: 4 : assert_se(condition);
329 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
330 : 4 : condition_free(condition);
331 : :
332 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, ">0.1.2", false, false);
333 [ - + ]: 4 : assert_se(condition);
334 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
335 : 4 : condition_free(condition);
336 : :
337 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "'>0.1.2' '<9.0.0'", false, false);
338 [ - + ]: 4 : assert_se(condition);
339 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
340 : 4 : condition_free(condition);
341 : :
342 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "> 0.1.2 < 9.0.0", false, false);
343 [ - + ]: 4 : assert_se(condition);
344 [ - + ]: 4 : assert_se(condition_test(condition) == -EINVAL);
345 : 4 : condition_free(condition);
346 : :
347 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, ">", false, false);
348 [ - + ]: 4 : assert_se(condition);
349 [ - + ]: 4 : assert_se(condition_test(condition) == -EINVAL);
350 : 4 : condition_free(condition);
351 : :
352 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, ">= 0.1.2", false, false);
353 [ - + ]: 4 : assert_se(condition);
354 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
355 : 4 : condition_free(condition);
356 : :
357 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "< 0.1.2", false, false);
358 [ - + ]: 4 : assert_se(condition);
359 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
360 : 4 : condition_free(condition);
361 : :
362 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "<= 0.1.2", false, false);
363 [ - + ]: 4 : assert_se(condition);
364 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
365 : 4 : condition_free(condition);
366 : :
367 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "= 0.1.2", false, false);
368 [ - + ]: 4 : assert_se(condition);
369 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
370 : 4 : condition_free(condition);
371 : :
372 : : /* 4711.8.15 is a very very very future kernel */
373 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "< 4711.8.15", false, false);
374 [ - + ]: 4 : assert_se(condition);
375 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
376 : 4 : condition_free(condition);
377 : :
378 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "<= 4711.8.15", false, false);
379 [ - + ]: 4 : assert_se(condition);
380 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
381 : 4 : condition_free(condition);
382 : :
383 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "= 4711.8.15", false, false);
384 [ - + ]: 4 : assert_se(condition);
385 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
386 : 4 : condition_free(condition);
387 : :
388 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, "> 4711.8.15", false, false);
389 [ - + ]: 4 : assert_se(condition);
390 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
391 : 4 : condition_free(condition);
392 : :
393 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, ">= 4711.8.15", false, false);
394 [ - + ]: 4 : assert_se(condition);
395 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
396 : 4 : condition_free(condition);
397 : :
398 [ - + ]: 4 : assert_se(uname(&u) >= 0);
399 : :
400 [ + + + - : 20 : v = strjoina(">=", u.release);
- + - + +
+ + - ]
401 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, v, false, false);
402 [ - + ]: 4 : assert_se(condition);
403 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
404 : 4 : condition_free(condition);
405 : :
406 [ + + + - : 20 : v = strjoina("= ", u.release);
- + - + +
+ + - ]
407 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, v, false, false);
408 [ - + ]: 4 : assert_se(condition);
409 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
410 : 4 : condition_free(condition);
411 : :
412 [ + + + - : 20 : v = strjoina("<=", u.release);
- + - + +
+ + - ]
413 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, v, false, false);
414 [ - + ]: 4 : assert_se(condition);
415 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
416 : 4 : condition_free(condition);
417 : :
418 [ + + + - : 20 : v = strjoina("> ", u.release);
- + - + +
+ + - ]
419 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, v, false, false);
420 [ - + ]: 4 : assert_se(condition);
421 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
422 : 4 : condition_free(condition);
423 : :
424 [ + + + - : 20 : v = strjoina("< ", u.release);
- + - + +
+ + - ]
425 : 4 : condition = condition_new(CONDITION_KERNEL_VERSION, v, false, false);
426 [ - + ]: 4 : assert_se(condition);
427 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
428 : 4 : condition_free(condition);
429 : 4 : }
430 : :
431 : 4 : static void test_condition_test_null(void) {
432 : : Condition *condition;
433 : :
434 : 4 : condition = condition_new(CONDITION_NULL, NULL, false, false);
435 [ - + ]: 4 : assert_se(condition);
436 [ - + ]: 4 : assert_se(condition_test(condition) > 0);
437 : 4 : condition_free(condition);
438 : :
439 : 4 : condition = condition_new(CONDITION_NULL, NULL, false, true);
440 [ - + ]: 4 : assert_se(condition);
441 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
442 : 4 : condition_free(condition);
443 : 4 : }
444 : :
445 : 4 : static void test_condition_test_security(void) {
446 : : Condition *condition;
447 : :
448 : 4 : condition = condition_new(CONDITION_SECURITY, "garbage oifdsjfoidsjoj", false, false);
449 [ - + ]: 4 : assert_se(condition);
450 [ - + ]: 4 : assert_se(condition_test(condition) == 0);
451 : 4 : condition_free(condition);
452 : :
453 : 4 : condition = condition_new(CONDITION_SECURITY, "selinux", false, true);
454 [ - + ]: 4 : assert_se(condition);
455 [ - + ]: 4 : assert_se(condition_test(condition) != mac_selinux_use());
456 : 4 : condition_free(condition);
457 : :
458 : 4 : condition = condition_new(CONDITION_SECURITY, "apparmor", false, false);
459 [ - + ]: 4 : assert_se(condition);
460 [ - + ]: 4 : assert_se(condition_test(condition) == mac_apparmor_use());
461 : 4 : condition_free(condition);
462 : :
463 : 4 : condition = condition_new(CONDITION_SECURITY, "tomoyo", false, false);
464 [ - + ]: 4 : assert_se(condition);
465 [ - + ]: 4 : assert_se(condition_test(condition) == mac_tomoyo_use());
466 : 4 : condition_free(condition);
467 : :
468 : 4 : condition = condition_new(CONDITION_SECURITY, "ima", false, false);
469 [ - + ]: 4 : assert_se(condition);
470 [ - + ]: 4 : assert_se(condition_test(condition) == use_ima());
471 : 4 : condition_free(condition);
472 : :
473 : 4 : condition = condition_new(CONDITION_SECURITY, "smack", false, false);
474 [ - + ]: 4 : assert_se(condition);
475 [ - + ]: 4 : assert_se(condition_test(condition) == mac_smack_use());
476 : 4 : condition_free(condition);
477 : :
478 : 4 : condition = condition_new(CONDITION_SECURITY, "audit", false, false);
479 [ - + ]: 4 : assert_se(condition);
480 [ - + ]: 4 : assert_se(condition_test(condition) == use_audit());
481 : 4 : condition_free(condition);
482 : :
483 : 4 : condition = condition_new(CONDITION_SECURITY, "uefi-secureboot", false, false);
484 [ - + ]: 4 : assert_se(condition);
485 [ - + ]: 4 : assert_se(condition_test(condition) == is_efi_secure_boot());
486 : 4 : condition_free(condition);
487 : 4 : }
488 : :
489 : 4 : static void print_securities(void) {
490 [ + - ]: 4 : log_info("------ enabled security technologies ------");
491 [ + - ]: 4 : log_info("SELinux: %s", yes_no(mac_selinux_use()));
492 [ + - ]: 4 : log_info("AppArmor: %s", yes_no(mac_apparmor_use()));
493 [ + - ]: 4 : log_info("Tomoyo: %s", yes_no(mac_tomoyo_use()));
494 [ + - ]: 4 : log_info("IMA: %s", yes_no(use_ima()));
495 [ + - ]: 4 : log_info("SMACK: %s", yes_no(mac_smack_use()));
496 [ + - ]: 4 : log_info("Audit: %s", yes_no(use_audit()));
497 [ + - ]: 4 : log_info("UEFI secure boot: %s", yes_no(is_efi_secure_boot()));
498 [ + - ]: 4 : log_info("-------------------------------------------");
499 : 4 : }
500 : :
501 : 4 : static void test_condition_test_virtualization(void) {
502 : : Condition *condition;
503 : : const char *virt;
504 : : int r;
505 : :
506 : 4 : condition = condition_new(CONDITION_VIRTUALIZATION, "garbage oifdsjfoidsjoj", false, false);
507 [ - + ]: 4 : assert_se(condition);
508 : 4 : r = condition_test(condition);
509 [ + - ]: 4 : log_info("ConditionVirtualization=garbage → %i", r);
510 [ - + ]: 4 : assert_se(r == 0);
511 : 4 : condition_free(condition);
512 : :
513 : 4 : condition = condition_new(CONDITION_VIRTUALIZATION, "container", false, false);
514 [ - + ]: 4 : assert_se(condition);
515 : 4 : r = condition_test(condition);
516 [ + - ]: 4 : log_info("ConditionVirtualization=container → %i", r);
517 [ - + ]: 4 : assert_se(r == !!detect_container());
518 : 4 : condition_free(condition);
519 : :
520 : 4 : condition = condition_new(CONDITION_VIRTUALIZATION, "vm", false, false);
521 [ - + ]: 4 : assert_se(condition);
522 : 4 : r = condition_test(condition);
523 [ + - ]: 4 : log_info("ConditionVirtualization=vm → %i", r);
524 [ - + # # : 4 : assert_se(r == (detect_vm() && !detect_container()));
- + ]
525 : 4 : condition_free(condition);
526 : :
527 : 4 : condition = condition_new(CONDITION_VIRTUALIZATION, "private-users", false, false);
528 [ - + ]: 4 : assert_se(condition);
529 : 4 : r = condition_test(condition);
530 [ + - ]: 4 : log_info("ConditionVirtualization=private-users → %i", r);
531 [ - + ]: 4 : assert_se(r == !!running_in_userns());
532 : 4 : condition_free(condition);
533 : :
534 [ + - + + ]: 52 : NULSTR_FOREACH(virt,
535 : : "kvm\0"
536 : : "qemu\0"
537 : : "bochs\0"
538 : : "xen\0"
539 : : "uml\0"
540 : : "vmware\0"
541 : : "oracle\0"
542 : : "microsoft\0"
543 : : "zvm\0"
544 : : "parallels\0"
545 : : "bhyve\0"
546 : : "vm_other\0") {
547 : :
548 : 48 : condition = condition_new(CONDITION_VIRTUALIZATION, virt, false, false);
549 [ - + ]: 48 : assert_se(condition);
550 : 48 : r = condition_test(condition);
551 [ + - ]: 48 : log_info("ConditionVirtualization=%s → %i", virt, r);
552 [ - + ]: 48 : assert_se(r >= 0);
553 : 48 : condition_free(condition);
554 : : }
555 : 4 : }
556 : :
557 : 4 : static void test_condition_test_user(void) {
558 : : Condition *condition;
559 : : char* uid;
560 : : char* username;
561 : : int r;
562 : :
563 : 4 : condition = condition_new(CONDITION_USER, "garbage oifdsjfoidsjoj", false, false);
564 [ - + ]: 4 : assert_se(condition);
565 : 4 : r = condition_test(condition);
566 [ + - ]: 4 : log_info("ConditionUser=garbage → %i", r);
567 [ - + ]: 4 : assert_se(r == 0);
568 : 4 : condition_free(condition);
569 : :
570 [ - + ]: 4 : assert_se(asprintf(&uid, "%"PRIu32, UINT32_C(0xFFFF)) > 0);
571 : 4 : condition = condition_new(CONDITION_USER, uid, false, false);
572 [ - + ]: 4 : assert_se(condition);
573 : 4 : r = condition_test(condition);
574 [ + - ]: 4 : log_info("ConditionUser=%s → %i", uid, r);
575 [ - + ]: 4 : assert_se(r == 0);
576 : 4 : condition_free(condition);
577 : 4 : free(uid);
578 : :
579 [ - + ]: 4 : assert_se(asprintf(&uid, "%u", (unsigned)getuid()) > 0);
580 : 4 : condition = condition_new(CONDITION_USER, uid, false, false);
581 [ - + ]: 4 : assert_se(condition);
582 : 4 : r = condition_test(condition);
583 [ + - ]: 4 : log_info("ConditionUser=%s → %i", uid, r);
584 [ - + ]: 4 : assert_se(r > 0);
585 : 4 : condition_free(condition);
586 : 4 : free(uid);
587 : :
588 [ - + ]: 4 : assert_se(asprintf(&uid, "%u", (unsigned)getuid()+1) > 0);
589 : 4 : condition = condition_new(CONDITION_USER, uid, false, false);
590 [ - + ]: 4 : assert_se(condition);
591 : 4 : r = condition_test(condition);
592 [ + - ]: 4 : log_info("ConditionUser=%s → %i", uid, r);
593 [ - + ]: 4 : assert_se(r == 0);
594 : 4 : condition_free(condition);
595 : 4 : free(uid);
596 : :
597 : 4 : username = getusername_malloc();
598 [ - + ]: 4 : assert_se(username);
599 : 4 : condition = condition_new(CONDITION_USER, username, false, false);
600 [ - + ]: 4 : assert_se(condition);
601 : 4 : r = condition_test(condition);
602 [ + - ]: 4 : log_info("ConditionUser=%s → %i", username, r);
603 [ - + ]: 4 : assert_se(r > 0);
604 : 4 : condition_free(condition);
605 : 4 : free(username);
606 : :
607 [ - + ]: 4 : username = (char*)(geteuid() == 0 ? NOBODY_USER_NAME : "root");
608 : 4 : condition = condition_new(CONDITION_USER, username, false, false);
609 [ - + ]: 4 : assert_se(condition);
610 : 4 : r = condition_test(condition);
611 [ + - ]: 4 : log_info("ConditionUser=%s → %i", username, r);
612 [ - + ]: 4 : assert_se(r == 0);
613 : 4 : condition_free(condition);
614 : :
615 : 4 : condition = condition_new(CONDITION_USER, "@system", false, false);
616 [ - + ]: 4 : assert_se(condition);
617 : 4 : r = condition_test(condition);
618 [ + - ]: 4 : log_info("ConditionUser=@system → %i", r);
619 [ + - - + ]: 4 : if (uid_is_system(getuid()) || uid_is_system(geteuid()))
620 [ # # ]: 0 : assert_se(r > 0);
621 : : else
622 [ - + ]: 4 : assert_se(r == 0);
623 : 4 : condition_free(condition);
624 : 4 : }
625 : :
626 : 4 : static void test_condition_test_group(void) {
627 : : Condition *condition;
628 : : char* gid;
629 : : char* groupname;
630 : : gid_t *gids, max_gid;
631 : : int ngroups_max, ngroups, r, i;
632 : :
633 [ - + ]: 4 : assert_se(0 < asprintf(&gid, "%u", UINT32_C(0xFFFF)));
634 : 4 : condition = condition_new(CONDITION_GROUP, gid, false, false);
635 [ - + ]: 4 : assert_se(condition);
636 : 4 : r = condition_test(condition);
637 [ + - ]: 4 : log_info("ConditionGroup=%s → %i", gid, r);
638 [ - + ]: 4 : assert_se(r == 0);
639 : 4 : condition_free(condition);
640 : 4 : free(gid);
641 : :
642 [ - + ]: 4 : assert_se(0 < asprintf(&gid, "%u", getgid()));
643 : 4 : condition = condition_new(CONDITION_GROUP, gid, false, false);
644 [ - + ]: 4 : assert_se(condition);
645 : 4 : r = condition_test(condition);
646 [ + - ]: 4 : log_info("ConditionGroup=%s → %i", gid, r);
647 [ - + ]: 4 : assert_se(r > 0);
648 : 4 : condition_free(condition);
649 : 4 : free(gid);
650 : :
651 : 4 : ngroups_max = sysconf(_SC_NGROUPS_MAX);
652 [ - + ]: 4 : assert(ngroups_max > 0);
653 : :
654 [ - + - + ]: 4 : gids = newa(gid_t, ngroups_max);
655 : :
656 : 4 : ngroups = getgroups(ngroups_max, gids);
657 [ - + ]: 4 : assert(ngroups >= 0);
658 : :
659 : 4 : max_gid = getgid();
660 [ + + ]: 40 : for (i = 0; i < ngroups; i++) {
661 [ - + ]: 36 : assert_se(0 < asprintf(&gid, "%u", gids[i]));
662 : 36 : condition = condition_new(CONDITION_GROUP, gid, false, false);
663 [ - + ]: 36 : assert_se(condition);
664 : 36 : r = condition_test(condition);
665 [ + - ]: 36 : log_info("ConditionGroup=%s → %i", gid, r);
666 [ - + ]: 36 : assert_se(r > 0);
667 : 36 : condition_free(condition);
668 : 36 : free(gid);
669 : 36 : max_gid = gids[i] > max_gid ? gids[i] : max_gid;
670 : :
671 : 36 : groupname = gid_to_name(gids[i]);
672 [ - + ]: 36 : assert_se(groupname);
673 : 36 : condition = condition_new(CONDITION_GROUP, groupname, false, false);
674 [ - + ]: 36 : assert_se(condition);
675 : 36 : r = condition_test(condition);
676 [ + - ]: 36 : log_info("ConditionGroup=%s → %i", groupname, r);
677 [ - + ]: 36 : assert_se(r > 0);
678 : 36 : condition_free(condition);
679 : 36 : free(groupname);
680 : 36 : max_gid = gids[i] > max_gid ? gids[i] : max_gid;
681 : : }
682 : :
683 [ - + ]: 4 : assert_se(0 < asprintf(&gid, "%u", max_gid+1));
684 : 4 : condition = condition_new(CONDITION_GROUP, gid, false, false);
685 [ - + ]: 4 : assert_se(condition);
686 : 4 : r = condition_test(condition);
687 [ + - ]: 4 : log_info("ConditionGroup=%s → %i", gid, r);
688 [ - + ]: 4 : assert_se(r == 0);
689 : 4 : condition_free(condition);
690 : 4 : free(gid);
691 : :
692 [ - + ]: 4 : groupname = (char*)(geteuid() == 0 ? NOBODY_GROUP_NAME : "root");
693 : 4 : condition = condition_new(CONDITION_GROUP, groupname, false, false);
694 [ - + ]: 4 : assert_se(condition);
695 : 4 : r = condition_test(condition);
696 [ + - ]: 4 : log_info("ConditionGroup=%s → %i", groupname, r);
697 [ - + ]: 4 : assert_se(r == 0);
698 : 4 : condition_free(condition);
699 : 4 : }
700 : :
701 : 72 : static void test_condition_test_cpus_one(const char *s, bool result) {
702 : : Condition *condition;
703 : : int r;
704 : :
705 [ + - ]: 72 : log_debug("%s=%s", condition_type_to_string(CONDITION_CPUS), s);
706 : :
707 : 72 : condition = condition_new(CONDITION_CPUS, s, false, false);
708 [ - + ]: 72 : assert_se(condition);
709 : :
710 : 72 : r = condition_test(condition);
711 [ - + ]: 72 : assert_se(r >= 0);
712 [ - + ]: 72 : assert_se(r == result);
713 : 72 : condition_free(condition);
714 : 72 : }
715 : :
716 : 4 : static void test_condition_test_cpus(void) {
717 : 8 : _cleanup_free_ char *t = NULL;
718 : : int cpus;
719 : :
720 : 4 : cpus = cpus_in_affinity_mask();
721 [ - + ]: 4 : assert_se(cpus >= 0);
722 : :
723 : 4 : test_condition_test_cpus_one("> 0", true);
724 : 4 : test_condition_test_cpus_one(">= 0", true);
725 : 4 : test_condition_test_cpus_one("!= 0", true);
726 : 4 : test_condition_test_cpus_one("<= 0", false);
727 : 4 : test_condition_test_cpus_one("< 0", false);
728 : 4 : test_condition_test_cpus_one("= 0", false);
729 : :
730 : 4 : test_condition_test_cpus_one("> 100000", false);
731 : 4 : test_condition_test_cpus_one("= 100000", false);
732 : 4 : test_condition_test_cpus_one(">= 100000", false);
733 : 4 : test_condition_test_cpus_one("< 100000", true);
734 : 4 : test_condition_test_cpus_one("!= 100000", true);
735 : 4 : test_condition_test_cpus_one("<= 100000", true);
736 : :
737 [ - + ]: 4 : assert_se(asprintf(&t, "= %i", cpus) >= 0);
738 : 4 : test_condition_test_cpus_one(t, true);
739 : 4 : t = mfree(t);
740 : :
741 [ - + ]: 4 : assert_se(asprintf(&t, "<= %i", cpus) >= 0);
742 : 4 : test_condition_test_cpus_one(t, true);
743 : 4 : t = mfree(t);
744 : :
745 [ - + ]: 4 : assert_se(asprintf(&t, ">= %i", cpus) >= 0);
746 : 4 : test_condition_test_cpus_one(t, true);
747 : 4 : t = mfree(t);
748 : :
749 [ - + ]: 4 : assert_se(asprintf(&t, "!= %i", cpus) >= 0);
750 : 4 : test_condition_test_cpus_one(t, false);
751 : 4 : t = mfree(t);
752 : :
753 [ - + ]: 4 : assert_se(asprintf(&t, "< %i", cpus) >= 0);
754 : 4 : test_condition_test_cpus_one(t, false);
755 : 4 : t = mfree(t);
756 : :
757 [ - + ]: 4 : assert_se(asprintf(&t, "> %i", cpus) >= 0);
758 : 4 : test_condition_test_cpus_one(t, false);
759 : 4 : t = mfree(t);
760 : 4 : }
761 : :
762 : 72 : static void test_condition_test_memory_one(const char *s, bool result) {
763 : : Condition *condition;
764 : : int r;
765 : :
766 [ + - ]: 72 : log_debug("%s=%s", condition_type_to_string(CONDITION_MEMORY), s);
767 : :
768 : 72 : condition = condition_new(CONDITION_MEMORY, s, false, false);
769 [ - + ]: 72 : assert_se(condition);
770 : :
771 : 72 : r = condition_test(condition);
772 [ - + ]: 72 : assert_se(r >= 0);
773 [ - + ]: 72 : assert_se(r == result);
774 : 72 : condition_free(condition);
775 : 72 : }
776 : :
777 : 4 : static void test_condition_test_memory(void) {
778 : 8 : _cleanup_free_ char *t = NULL;
779 : : uint64_t memory;
780 : :
781 : 4 : memory = physical_memory();
782 : :
783 : 4 : test_condition_test_memory_one("> 0", true);
784 : 4 : test_condition_test_memory_one(">= 0", true);
785 : 4 : test_condition_test_memory_one("!= 0", true);
786 : 4 : test_condition_test_memory_one("<= 0", false);
787 : 4 : test_condition_test_memory_one("< 0", false);
788 : 4 : test_condition_test_memory_one("= 0", false);
789 : :
790 : 4 : test_condition_test_memory_one("> 18446744073709547520", false);
791 : 4 : test_condition_test_memory_one("= 18446744073709547520", false);
792 : 4 : test_condition_test_memory_one(">= 18446744073709547520", false);
793 : 4 : test_condition_test_memory_one("< 18446744073709547520", true);
794 : 4 : test_condition_test_memory_one("!= 18446744073709547520", true);
795 : 4 : test_condition_test_memory_one("<= 18446744073709547520", true);
796 : :
797 [ - + ]: 4 : assert_se(asprintf(&t, "= %" PRIu64, memory) >= 0);
798 : 4 : test_condition_test_memory_one(t, true);
799 : 4 : t = mfree(t);
800 : :
801 [ - + ]: 4 : assert_se(asprintf(&t, "<= %" PRIu64, memory) >= 0);
802 : 4 : test_condition_test_memory_one(t, true);
803 : 4 : t = mfree(t);
804 : :
805 [ - + ]: 4 : assert_se(asprintf(&t, ">= %" PRIu64, memory) >= 0);
806 : 4 : test_condition_test_memory_one(t, true);
807 : 4 : t = mfree(t);
808 : :
809 [ - + ]: 4 : assert_se(asprintf(&t, "!= %" PRIu64, memory) >= 0);
810 : 4 : test_condition_test_memory_one(t, false);
811 : 4 : t = mfree(t);
812 : :
813 [ - + ]: 4 : assert_se(asprintf(&t, "< %" PRIu64, memory) >= 0);
814 : 4 : test_condition_test_memory_one(t, false);
815 : 4 : t = mfree(t);
816 : :
817 [ - + ]: 4 : assert_se(asprintf(&t, "> %" PRIu64, memory) >= 0);
818 : 4 : test_condition_test_memory_one(t, false);
819 : 4 : t = mfree(t);
820 : 4 : }
821 : :
822 : 4 : int main(int argc, char *argv[]) {
823 : 4 : test_setup_logging(LOG_DEBUG);
824 : :
825 : 4 : test_condition_test_path();
826 : 4 : test_condition_test_ac_power();
827 : 4 : test_condition_test_host();
828 : 4 : test_condition_test_architecture();
829 : 4 : test_condition_test_kernel_command_line();
830 : 4 : test_condition_test_kernel_version();
831 : 4 : test_condition_test_null();
832 : 4 : test_condition_test_security();
833 : 4 : print_securities();
834 : 4 : test_condition_test_virtualization();
835 : 4 : test_condition_test_user();
836 : 4 : test_condition_test_group();
837 : 4 : test_condition_test_control_group_controller();
838 : 4 : test_condition_test_cpus();
839 : 4 : test_condition_test_memory();
840 : :
841 : 4 : return 0;
842 : : }
|
