anitazha / rpms / systemd

Forked from rpms/systemd 3 years ago
Clone

Blame SOURCES/0727-core-be-stricter-when-handling-PID-files-and-MAINPID.patch

923a60
From c0f32feb77768aa76d8c813471b3484c93bc2651 Mon Sep 17 00:00:00 2001
923a60
From: Lennart Poettering <lennart@poettering.net>
923a60
Date: Fri, 5 Jan 2018 12:20:22 +0100
923a60
Subject: [PATCH] core: be stricter when handling PID files and MAINPID
923a60
 sd_notify() messages
923a60
923a60
Let's be more restrictive when validating PID files and MAINPID=
923a60
messages: don't accept PIDs that make no sense, and if the configuration
923a60
source is not trusted, don't accept out-of-cgroup PIDs. A configuratin
923a60
source is considered trusted when the PID file is owned by root, or the
923a60
message was received from root.
923a60
923a60
This should lock things down a bit, in case service authors write out
923a60
PID files from unprivileged code or use NotifyAccess=all with
923a60
unprivileged code. Note that doing so was always problematic, just now
923a60
it's a bit less problematic.
923a60
923a60
When we open the PID file we'll now use the CHASE_SAFE chase_symlinks()
923a60
logic, to ensure that we won't follow an unpriviled-owned symlink to a
923a60
privileged-owned file thinking this was a valid privileged PID file,
923a60
even though it really isn't.
923a60
923a60
Fixes: #6632
923a60
(cherry picked from commit db256aab13d8a89d583ecd2bacf0aca87c66effc)
923a60
923a60
Resolves: #1663143
923a60
---
923a60
 man/systemd.service.xml                |  18 ++-
923a60
 src/core/manager.c                     |  17 ++-
923a60
 src/core/service.c                     | 166 ++++++++++++++++------
923a60
 src/core/unit.h                        |   2 +-
923a60
 test/TEST-20-MAINPIDGAMES/Makefile     |   1 +
923a60
 test/TEST-20-MAINPIDGAMES/test.sh      |  81 +++++++++++
923a60
 test/TEST-20-MAINPIDGAMES/testsuite.sh | 189 +++++++++++++++++++++++++
923a60
 test/test-functions                    |   2 +-
923a60
 8 files changed, 418 insertions(+), 58 deletions(-)
923a60
 create mode 120000 test/TEST-20-MAINPIDGAMES/Makefile
923a60
 create mode 100755 test/TEST-20-MAINPIDGAMES/test.sh
923a60
 create mode 100755 test/TEST-20-MAINPIDGAMES/testsuite.sh
923a60
923a60
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
923a60
index d147e449a6..565a783f72 100644
923a60
--- a/man/systemd.service.xml
923a60
+++ b/man/systemd.service.xml
923a60
@@ -221,16 +221,14 @@
923a60
       <varlistentry>
923a60
         <term><varname>PIDFile=</varname></term>
923a60
 
923a60
-        <listitem><para>Takes an absolute file name pointing to the
923a60
-        PID file of this daemon. Use of this option is recommended for
923a60
-        services where <varname>Type=</varname> is set to
923a60
-        <option>forking</option>. systemd will read the PID of the
923a60
-        main process of the daemon after start-up of the service.
923a60
-        systemd will not write to the file configured here, although
923a60
-        it will remove the file after the service has shut down if it
923a60
-        still exists.
923a60
-        </para>
923a60
-        </listitem>
923a60
+        <listitem><para>Takes an absolute path referring to the PID file of the service. Usage of this option is
923a60
+        recommended for services where <varname>Type=</varname> is set to <option>forking</option>. The service manager
923a60
+        will read the PID of the main process of the service from this file after start-up of the service. The service
923a60
+        manager will not write to the file configured here, although it will remove the file after the service has shut
923a60
+        down if it still exists. The PID file does not need to be owned by a privileged user, but if it is owned by an
923a60
+        unprivileged user additional safety restrictions are enforced: the file may not be a symlink to a file owned by
923a60
+        a different user (neither directly nor indirectly), and the PID file must refer to a process already belonging
923a60
+        to the service.</para></listitem>
923a60
       </varlistentry>
923a60
 
923a60
       <varlistentry>
923a60
diff --git a/src/core/manager.c b/src/core/manager.c
923a60
index 73d6c81fdb..3bca61d0b1 100644
923a60
--- a/src/core/manager.c
923a60
+++ b/src/core/manager.c
923a60
@@ -1658,11 +1658,18 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui
923a60
         return 0;
923a60
 }
923a60
 
923a60
-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
923a60
+static void manager_invoke_notify_message(
923a60
+                Manager *m,
923a60
+                Unit *u,
923a60
+                const struct ucred *ucred,
923a60
+                const char *buf,
923a60
+                FDSet *fds) {
923a60
+
923a60
         _cleanup_strv_free_ char **tags = NULL;
923a60
 
923a60
         assert(m);
923a60
         assert(u);
923a60
+        assert(ucred);
923a60
         assert(buf);
923a60
 
923a60
         tags = strv_split(buf, "\n\r");
923a60
@@ -1674,7 +1681,7 @@ static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const
923a60
         log_unit_debug(u->id, "Got notification message for unit %s", u->id);
923a60
 
923a60
         if (UNIT_VTABLE(u)->notify_message)
923a60
-                UNIT_VTABLE(u)->notify_message(u, pid, tags, fds);
923a60
+                UNIT_VTABLE(u)->notify_message(u, ucred, tags, fds);
923a60
         else if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
923a60
                 _cleanup_free_ char *x = NULL, *y = NULL;
923a60
 
923a60
@@ -1777,19 +1784,19 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
923a60
          * to avoid notifying the same one multiple times. */
923a60
         u1 = manager_get_unit_by_pid(m, ucred->pid);
923a60
         if (u1) {
923a60
-                manager_invoke_notify_message(m, u1, ucred->pid, buf, fds);
923a60
+                manager_invoke_notify_message(m, u1, ucred, buf, fds);
923a60
                 found = true;
923a60
         }
923a60
 
923a60
         u2 = hashmap_get(m->watch_pids1, LONG_TO_PTR(ucred->pid));
923a60
         if (u2 && u2 != u1) {
923a60
-                manager_invoke_notify_message(m, u2, ucred->pid, buf, fds);
923a60
+                manager_invoke_notify_message(m, u2, ucred, buf, fds);
923a60
                 found = true;
923a60
         }
923a60
 
923a60
         u3 = hashmap_get(m->watch_pids2, LONG_TO_PTR(ucred->pid));
923a60
         if (u3 && u3 != u2 && u3 != u1) {
923a60
-                manager_invoke_notify_message(m, u3, ucred->pid, buf, fds);
923a60
+                manager_invoke_notify_message(m, u3, ucred, buf, fds);
923a60
                 found = true;
923a60
         }
923a60
 
923a60
diff --git a/src/core/service.c b/src/core/service.c
923a60
index fe6e2ff17c..06b39e3a5a 100644
923a60
--- a/src/core/service.c
923a60
+++ b/src/core/service.c
923a60
@@ -700,9 +700,45 @@ static void service_dump(Unit *u, FILE *f, const char *prefix) {
923a60
         }
923a60
 }
923a60
 
923a60
+static int service_is_suitable_main_pid(Service *s, pid_t pid, int prio) {
923a60
+        Unit *owner;
923a60
+
923a60
+        assert(s);
923a60
+        assert(pid > 0);
923a60
+
923a60
+        /* Checks whether the specified PID is suitable as main PID for this service. returns negative if not, 0 if the
923a60
+         * PID is questionnable but should be accepted if the source of configuration is trusted. > 0 if the PID is
923a60
+         * good */
923a60
+
923a60
+        if (pid == getpid() || pid == 1) {
923a60
+                log_unit_full(UNIT(s)->id, prio, "New main PID "PID_FMT" is the manager, refusing.", pid);
923a60
+                return -EPERM;
923a60
+        }
923a60
+
923a60
+        if (pid == s->control_pid) {
923a60
+                log_unit_full(UNIT(s)->id, prio, "New main PID "PID_FMT" is the control process, refusing.", pid);
923a60
+                return -EPERM;
923a60
+        }
923a60
+
923a60
+        if (!pid_is_alive(pid)) {
923a60
+                log_unit_full(UNIT(s)->id, prio, "New main PID "PID_FMT" does not exist or is a zombie.", pid);
923a60
+                return -ESRCH;
923a60
+        }
923a60
+
923a60
+        owner = manager_get_unit_by_pid(UNIT(s)->manager, pid);
923a60
+        if (owner == UNIT(s)) {
923a60
+                log_unit_debug(UNIT(s)->id, "New main PID "PID_FMT" belongs to service, we are happy.", pid);
923a60
+                return 1; /* Yay, it's definitely a good PID */
923a60
+        }
923a60
+
923a60
+        return 0; /* Hmm it's a suspicious PID, let's accept it if configuration source is trusted */
923a60
+}
923a60
+
923a60
 static int service_load_pid_file(Service *s, bool may_warn) {
923a60
+        char procfs[sizeof("/proc/self/fd/") - 1 + DECIMAL_STR_MAX(int)];
923a60
         _cleanup_free_ char *k = NULL;
923a60
-        int r;
923a60
+        _cleanup_close_ int fd = -1;
923a60
+        int r, prio;
923a60
         pid_t pid;
923a60
 
923a60
         assert(s);
923a60
@@ -710,30 +746,47 @@ static int service_load_pid_file(Service *s, bool may_warn) {
923a60
         if (!s->pid_file)
923a60
                 return -ENOENT;
923a60
 
923a60
-        r = read_one_line_file(s->pid_file, &k);
923a60
-        if (r < 0) {
923a60
-                if (may_warn)
923a60
-                        log_unit_info(UNIT(s)->id, "PID file %s not readable (yet?) after %s.", s->pid_file, service_state_to_string(s->state));
923a60
-                return r;
923a60
-        }
923a60
+        prio = may_warn ? LOG_INFO : LOG_DEBUG;
923a60
+
923a60
+        fd = chase_symlinks(s->pid_file, NULL, CHASE_OPEN|CHASE_SAFE, NULL);
923a60
+        if (fd == -EPERM)
923a60
+                return log_unit_full(UNIT(s)->id, prio, "Permission denied while opening PID file or unsafe symlink chain: %s", s->pid_file);
923a60
+        if (fd < 0)
923a60
+                return log_unit_full(UNIT(s)->id, prio, "Can't open PID file %s (yet?) after %s: %m", s->pid_file, service_state_to_string(s->state));
923a60
+
923a60
+        /* Let's read the PID file now that we chased it down. But we need to convert the O_PATH fd chase_symlinks() returned us into a proper fd first. */
923a60
+        xsprintf(procfs, "/proc/self/fd/%i", fd);
923a60
+        r = read_one_line_file(procfs, &k);
923a60
+        if (r < 0)
923a60
+                return log_unit_error_errno(UNIT(s)->id, r, "Can't convert PID files %s O_PATH file descriptor to proper file descriptor: %m", s->pid_file);
923a60
 
923a60
         r = parse_pid(k, &pid;;
923a60
-        if (r < 0) {
923a60
-                if (may_warn)
923a60
-                        log_unit_info_errno(UNIT(s)->id, r, "Failed to read PID from file %s: %m", s->pid_file);
923a60
+        if (r < 0)
923a60
+                return log_unit_full(UNIT(s)->id, prio, "Failed to parse PID from file %s: %m", s->pid_file);
923a60
+
923a60
+        if (s->main_pid_known && pid == s->main_pid)
923a60
+                return 0;
923a60
+
923a60
+        r = service_is_suitable_main_pid(s, pid, prio);
923a60
+        if (r < 0)
923a60
                 return r;
923a60
-        }
923a60
+        if (r == 0) {
923a60
+                struct stat st;
923a60
 
923a60
-        if (!pid_is_alive(pid)) {
923a60
-                if (may_warn)
923a60
-                        log_unit_info(UNIT(s)->id, "PID "PID_FMT" read from file %s does not exist or is a zombie.", pid, s->pid_file);
923a60
-                return -ESRCH;
923a60
+                /* Hmm, it's not clear if the new main PID is safe. Let's allow this if the PID file is owned by root */
923a60
+
923a60
+                if (fstat(fd, &st) < 0)
923a60
+                        return log_unit_error_errno(UNIT(s)->id, errno, "Failed to fstat() PID file O_PATH fd: %m");
923a60
+
923a60
+                if (st.st_uid != 0) {
923a60
+                        log_unit_error(UNIT(s)->id, "New main PID "PID_FMT" does not belong to service, and PID file is not owned by root. Refusing.", pid);
923a60
+                        return -EPERM;
923a60
+                }
923a60
+
923a60
+                log_unit_debug(UNIT(s)->id, "New main PID "PID_FMT" does not belong to service, but we'll accept it since PID file is owned by root.", pid);
923a60
         }
923a60
 
923a60
         if (s->main_pid_known) {
923a60
-                if (pid == s->main_pid)
923a60
-                        return 0;
923a60
-
923a60
                 log_unit_debug(UNIT(s)->id, "Main PID changing: "PID_FMT" -> "PID_FMT, s->main_pid, pid);
923a60
 
923a60
                 service_unwatch_main_pid(s);
923a60
@@ -752,7 +805,7 @@ static int service_load_pid_file(Service *s, bool may_warn) {
923a60
                 return r;
923a60
         }
923a60
 
923a60
-        return 0;
923a60
+        return 1;
923a60
 }
923a60
 
923a60
 static int service_search_main_pid(Service *s) {
923a60
@@ -2584,7 +2637,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
923a60
                 /* Forking services may occasionally move to a new PID.
923a60
                  * As long as they update the PID file before exiting the old
923a60
                  * PID, they're fine. */
923a60
-                if (service_load_pid_file(s, false) == 0)
923a60
+                if (service_load_pid_file(s, false) > 0)
923a60
                         return;
923a60
 
923a60
                 s->main_pid = 0;
923a60
@@ -2957,42 +3010,73 @@ static int service_dispatch_watchdog(sd_event_source *source, usec_t usec, void
923a60
         return 0;
923a60
 }
923a60
 
923a60
-static void service_notify_message(Unit *u, pid_t pid, char **tags, FDSet *fds) {
923a60
+static bool service_notify_message_authorized(Service *s, pid_t pid, char **tags, FDSet *fds) {
923a60
+        assert(s);
923a60
+
923a60
+        if (s->notify_access == NOTIFY_NONE) {
923a60
+                log_unit_warning(UNIT(s)->id, "Got notification message from PID "PID_FMT", but reception is disabled.", pid);
923a60
+                return false;
923a60
+        }
923a60
+
923a60
+        if (s->notify_access == NOTIFY_MAIN && pid != s->main_pid) {
923a60
+                if (s->main_pid != 0)
923a60
+                        log_unit_warning(UNIT(s)->id, "Got notification message from PID "PID_FMT", but reception only permitted for main PID "PID_FMT, pid, s->main_pid);
923a60
+                else
923a60
+                        log_unit_warning(UNIT(s)->id, "Got notification message from PID "PID_FMT", but reception only permitted for main PID which is currently not known", pid);
923a60
+
923a60
+                return false;
923a60
+        }
923a60
+
923a60
+        return true;
923a60
+}
923a60
+
923a60
+static void service_notify_message(
923a60
+                Unit *u,
923a60
+                const struct ucred *ucred,
923a60
+                char **tags,
923a60
+                FDSet *fds) {
923a60
         Service *s = SERVICE(u);
923a60
-        _cleanup_free_ char *cc = NULL;
923a60
         bool notify_dbus = false;
923a60
         const char *e;
923a60
+        int r;
923a60
 
923a60
         assert(u);
923a60
+        assert(ucred);
923a60
 
923a60
-        cc = strv_join(tags, ", ");
923a60
-        log_unit_debug(u->id, "%s: Got notification message from PID "PID_FMT" (%s)",
923a60
-                       u->id, pid, isempty(cc) ? "n/a" : cc);
923a60
+        if (!service_notify_message_authorized(SERVICE(u), ucred->pid, tags, fds))
923a60
+                return;
923a60
 
923a60
         if (s->notify_access == NOTIFY_NONE) {
923a60
-                log_unit_warning(u->id, "%s: Got notification message from PID "PID_FMT", but reception is disabled.", u->id, pid);
923a60
-                return;
923a60
-        }
923a60
+                _cleanup_free_ char *cc = NULL;
923a60
 
923a60
-        if (s->notify_access == NOTIFY_MAIN && pid != s->main_pid) {
923a60
-                if (s->main_pid != 0)
923a60
-                        log_unit_warning(u->id, "%s: Got notification message from PID "PID_FMT", but reception only permitted for main PID "PID_FMT, u->id, pid, s->main_pid);
923a60
-                else
923a60
-                        log_unit_debug(u->id, "%s: Got notification message from PID "PID_FMT", but reception only permitted for main PID which is currently not known", u->id, pid);
923a60
-                return;
923a60
+                cc = strv_join(tags, ", ");
923a60
+                log_unit_debug(u->id, "Got notification message from PID "PID_FMT" (%s)", ucred->pid, isempty(cc) ? "n/a" : cc);
923a60
         }
923a60
 
923a60
         /* Interpret MAINPID= */
923a60
         e = strv_find_startswith(tags, "MAINPID=");
923a60
         if (e && IN_SET(s->state, SERVICE_START, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD)) {
923a60
-                if (parse_pid(e, &pid) < 0)
923a60
-                        log_unit_warning(u->id, "Failed to parse MAINPID= field in notification message: %s", e);
923a60
-                else {
923a60
-                        log_unit_debug(u->id, "%s: got MAINPID=%s", u->id, e);
923a60
+                pid_t new_main_pid;
923a60
 
923a60
-                        service_set_main_pid(s, pid);
923a60
-                        unit_watch_pid(UNIT(s), pid);
923a60
-                        notify_dbus = true;
923a60
+                if (parse_pid(e, &new_main_pid) < 0)
923a60
+                        log_unit_warning(u->id, "Failed to parse MAINPID= field in notification message, ignoring: %s", e);
923a60
+                else if (!s->main_pid_known || new_main_pid != s->main_pid) {
923a60
+
923a60
+                        r = service_is_suitable_main_pid(s, new_main_pid, LOG_WARNING);
923a60
+                        if (r == 0) {
923a60
+                                /* The new main PID is a bit suspicous, which is OK if the sender is privileged. */
923a60
+
923a60
+                                if (ucred->uid == 0) {
923a60
+                                        log_unit_debug(u->id, "New main PID "PID_FMT" does not belong to service, but we'll accept it as the request to change it came from a privileged process.", new_main_pid);
923a60
+                                        r = 1;
923a60
+                                } else
923a60
+                                        log_unit_debug(u->id, "New main PID "PID_FMT" does not belong to service, refusing.", new_main_pid);
923a60
+                        }
923a60
+                        if (r > 0) {
923a60
+                                service_set_main_pid(s, new_main_pid);
923a60
+                                unit_watch_pid(UNIT(s), new_main_pid);
923a60
+                                notify_dbus = true;
923a60
+                        }
923a60
                 }
923a60
         }
923a60
 
923a60
diff --git a/src/core/unit.h b/src/core/unit.h
923a60
index dfec9cea01..091ef7596e 100644
923a60
--- a/src/core/unit.h
923a60
+++ b/src/core/unit.h
923a60
@@ -376,7 +376,7 @@ struct UnitVTable {
923a60
         void (*notify_cgroup_empty)(Unit *u);
923a60
 
923a60
         /* Called whenever a process of this unit sends us a message */
923a60
-        void (*notify_message)(Unit *u, pid_t pid, char **tags, FDSet *fds);
923a60
+        void (*notify_message)(Unit *u, const struct ucred *ucred, char **tags, FDSet *fds);
923a60
 
923a60
         /* Called whenever a name this Unit registered for comes or
923a60
          * goes away. */
923a60
diff --git a/test/TEST-20-MAINPIDGAMES/Makefile b/test/TEST-20-MAINPIDGAMES/Makefile
923a60
new file mode 120000
923a60
index 0000000000..e9f93b1104
923a60
--- /dev/null
923a60
+++ b/test/TEST-20-MAINPIDGAMES/Makefile
923a60
@@ -0,0 +1 @@
923a60
+../TEST-01-BASIC/Makefile
923a60
\ No newline at end of file
923a60
diff --git a/test/TEST-20-MAINPIDGAMES/test.sh b/test/TEST-20-MAINPIDGAMES/test.sh
923a60
new file mode 100755
923a60
index 0000000000..733532b718
923a60
--- /dev/null
923a60
+++ b/test/TEST-20-MAINPIDGAMES/test.sh
923a60
@@ -0,0 +1,81 @@
923a60
+#!/bin/bash
923a60
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
923a60
+# ex: ts=8 sw=4 sts=4 et filetype=sh
923a60
+TEST_DESCRIPTION="test changing main PID"
923a60
+
923a60
+. $TEST_BASE_DIR/test-functions
923a60
+
923a60
+check_result_qemu() {
923a60
+    ret=1
923a60
+    mkdir -p $TESTDIR/root
923a60
+    mount ${LOOPDEV}p1 $TESTDIR/root
923a60
+    [[ -e $TESTDIR/root/testok ]] && ret=0
923a60
+    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
923a60
+    [[ -f $TESTDIR/root/var/log/journal ]] && cp -a $TESTDIR/root/var/log/journal $TESTDIR
923a60
+    umount $TESTDIR/root
923a60
+    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
923a60
+    ls -l $TESTDIR/journal/*/*.journal
923a60
+    test -s $TESTDIR/failed && ret=$(($ret+1))
923a60
+    return $ret
923a60
+}
923a60
+
923a60
+test_run() {
923a60
+    if run_qemu; then
923a60
+        check_result_qemu || return 1
923a60
+    else
923a60
+        dwarn "can't run QEMU, skipping"
923a60
+    fi
923a60
+    if check_nspawn; then
923a60
+        run_nspawn
923a60
+        check_result_nspawn || return 1
923a60
+    else
923a60
+        dwarn "can't run systemd-nspawn, skipping"
923a60
+    fi
923a60
+    return 0
923a60
+}
923a60
+
923a60
+test_setup() {
923a60
+    create_empty_image
923a60
+    mkdir -p $TESTDIR/root
923a60
+    mount ${LOOPDEV}p1 $TESTDIR/root
923a60
+
923a60
+    (
923a60
+        LOG_LEVEL=5
923a60
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
923a60
+
923a60
+        setup_basic_environment
923a60
+        inst_binary cut
923a60
+        inst_binary useradd
923a60
+        inst /etc/login.defs
923a60
+
923a60
+        # setup the testsuite service
923a60
+        cat >$initdir/etc/systemd/system/testsuite.service <
923a60
+[Unit]
923a60
+Description=Testsuite service
923a60
+
923a60
+[Service]
923a60
+ExecStart=/bin/bash -x /testsuite.sh
923a60
+Type=oneshot
923a60
+StandardOutput=tty
923a60
+StandardError=tty
923a60
+NotifyAccess=all
923a60
+EOF
923a60
+        cp testsuite.sh $initdir/
923a60
+
923a60
+        useradd -R $initdir -U -u 1234 test
923a60
+
923a60
+        setup_testsuite
923a60
+    )
923a60
+    setup_nspawn_root
923a60
+
923a60
+    ddebug "umount $TESTDIR/root"
923a60
+    umount $TESTDIR/root
923a60
+}
923a60
+
923a60
+test_cleanup() {
923a60
+    umount $TESTDIR/root 2>/dev/null
923a60
+    [[ $LOOPDEV ]] && losetup -d $LOOPDEV
923a60
+    return 0
923a60
+}
923a60
+
923a60
+do_test "$@"
923a60
diff --git a/test/TEST-20-MAINPIDGAMES/testsuite.sh b/test/TEST-20-MAINPIDGAMES/testsuite.sh
923a60
new file mode 100755
923a60
index 0000000000..d4ad63865c
923a60
--- /dev/null
923a60
+++ b/test/TEST-20-MAINPIDGAMES/testsuite.sh
923a60
@@ -0,0 +1,189 @@
923a60
+#!/bin/bash
923a60
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
923a60
+# ex: ts=8 sw=4 sts=4 et filetype=sh
923a60
+set -ex
923a60
+set -o pipefail
923a60
+
923a60
+systemctl_show_value() {
923a60
+    systemctl show "$@" | cut -d = -f 2-
923a60
+}
923a60
+
923a60
+systemd-analyze set-log-level debug
923a60
+
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+# Start a test process inside of our own cgroup
923a60
+sleep infinity &
923a60
+INTERNALPID=$!
923a60
+disown
923a60
+
923a60
+# Start a test process outside of our own cgroup
923a60
+systemd-run -p User=test --unit=sleep.service /bin/sleep infinity
923a60
+EXTERNALPID=`systemctl_show_value -p MainPID sleep.service`
923a60
+
923a60
+# Update our own main PID to the external test PID, this should work
923a60
+systemd-notify MAINPID=$EXTERNALPID
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $EXTERNALPID
923a60
+
923a60
+# Update our own main PID to the internal test PID, this should work, too
923a60
+systemd-notify MAINPID=$INTERNALPID
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $INTERNALPID
923a60
+
923a60
+# Update it back to our own PID, this should also work
923a60
+systemd-notify MAINPID=$$
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+# Try to set it to PID 1, which it should ignore, because that's the manager
923a60
+systemd-notify MAINPID=1
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+# Try to set it to PID 0, which is invalid and should be ignored
923a60
+systemd-notify MAINPID=0
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+# Try to set it to a valid but non-existing PID, which should be ignored. (Note
923a60
+# that we set the PID to a value well above any known /proc/sys/kernel/pid_max,
923a60
+# which means we can be pretty sure it doesn't exist by coincidence)
923a60
+systemd-notify MAINPID=1073741824
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+# Change it again to the external PID, without priviliges this time. This should be ignored, because the PID is from outside of our cgroup and we lack privileges.
923a60
+systemd-notify --uid=1000 MAINPID=$EXTERNALPID
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+# Change it again to the internal PID, without priviliges this time. This should work, as the process is on our cgroup, and that's enough even if we lack privileges.
923a60
+systemd-notify --uid=1000 MAINPID=$INTERNALPID
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $INTERNALPID
923a60
+
923a60
+# Update it back to our own PID, this should also work
923a60
+systemd-notify --uid=1000 MAINPID=$$
923a60
+test `systemctl_show_value -p MainPID testsuite.service` -eq $$
923a60
+
923a60
+cat >/tmp/mainpid.sh <
923a60
+#!/bin/bash
923a60
+
923a60
+set -eux
923a60
+set -o pipefail
923a60
+
923a60
+# Create a number of children, and make one the main one
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+sleep infinity &
923a60
+MAINPID=\$!
923a60
+disown
923a60
+
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+echo \$MAINPID > /run/mainpidsh/pid
923a60
+EOF
923a60
+chmod +x /tmp/mainpid.sh
923a60
+
923a60
+cat > /etc/systemd/system/mainpidsh.service <
923a60
+[Unit]
923a60
+Description=MainPID test 1 service
923a60
+
923a60
+[Service]
923a60
+StandardOutput=tty
923a60
+StandardError=tty
923a60
+Type=forking
923a60
+RuntimeDirectory=mainpidsh
923a60
+PIDFile=/run/mainpidsh/pid
923a60
+ExecStart=/tmp/mainpid.sh
923a60
+EOF
923a60
+
923a60
+systemctl daemon-reload
923a60
+systemctl start mainpidsh.service
923a60
+test `systemctl_show_value -p MainPID mainpidsh.service` -eq `cat /run/mainpidsh/pid`
923a60
+
923a60
+cat >/tmp/mainpid2.sh <
923a60
+#!/bin/bash
923a60
+
923a60
+set -eux
923a60
+set -o pipefail
923a60
+
923a60
+# Create a number of children, and make one the main one
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+sleep infinity &
923a60
+MAINPID=\$!
923a60
+disown
923a60
+
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+echo \$MAINPID > /run/mainpidsh2/pid
923a60
+chown 1001:1001 /run/mainpidsh2/pid
923a60
+EOF
923a60
+chmod +x /tmp/mainpid2.sh
923a60
+
923a60
+cat > /etc/systemd/system/mainpidsh2.service <
923a60
+[Unit]
923a60
+Description=MainPID test 2 service
923a60
+
923a60
+[Service]
923a60
+StandardOutput=tty
923a60
+StandardError=tty
923a60
+Type=forking
923a60
+RuntimeDirectory=mainpidsh2
923a60
+PIDFile=/run/mainpidsh2/pid
923a60
+ExecStart=/tmp/mainpid2.sh
923a60
+EOF
923a60
+
923a60
+systemctl daemon-reload
923a60
+systemctl start mainpidsh2.service
923a60
+test `systemctl_show_value -p MainPID mainpidsh2.service` -eq `cat /run/mainpidsh2/pid`
923a60
+
923a60
+cat >/dev/shm/mainpid3.sh <
923a60
+#!/bin/bash
923a60
+
923a60
+set -eux
923a60
+set -o pipefail
923a60
+
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+sleep infinity &
923a60
+disown
923a60
+
923a60
+# Let's try to play games, and link up a privileged PID file
923a60
+ln -s ../mainpidsh/pid /run/mainpidsh3/pid
923a60
+
923a60
+# Quick assertion that the link isn't dead
923a60
+test -f /run/mainpidsh3/pid
923a60
+EOF
923a60
+chmod 755 /dev/shm/mainpid3.sh
923a60
+
923a60
+cat > /etc/systemd/system/mainpidsh3.service <
923a60
+[Unit]
923a60
+Description=MainPID test 3 service
923a60
+
923a60
+[Service]
923a60
+StandardOutput=tty
923a60
+StandardError=tty
923a60
+Type=forking
923a60
+RuntimeDirectory=mainpidsh3
923a60
+PIDFile=/run/mainpidsh3/pid
923a60
+User=test
923a60
+TimeoutStartSec=2s
923a60
+ExecStart=/dev/shm/mainpid3.sh
923a60
+EOF
923a60
+
923a60
+systemctl daemon-reload
923a60
+systemctl start mainpidsh3.service
923a60
+
923a60
+# Test that this failed due to timeout, and not some other error
923a60
+# test `systemctl_show_value -p Result mainpidsh3.service` = timeout
923a60
+# Just check that there is no MainPID => the pid file was ignored
923a60
+test `systemctl_show_value -p MainPID mainpidsh3.service` -eq 0
923a60
+
923a60
+systemd-analyze set-log-level info
923a60
+
923a60
+echo OK > /testok
923a60
+
923a60
+exit 0
923a60
diff --git a/test/test-functions b/test/test-functions
923a60
index 78e725d5b9..e50ce556fd 100644
923a60
--- a/test/test-functions
923a60
+++ b/test/test-functions
923a60
@@ -12,7 +12,7 @@ if ! ROOTLIBDIR=$(pkg-config --variable=systemdutildir systemd); then
923a60
     ROOTLIBDIR=/usr/lib/systemd
923a60
 fi
923a60
 
923a60
-BASICTOOLS="sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe"
923a60
+BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe chmod chown ln"
923a60
 DEBUGTOOLS="df free ls stty cat ps ln ip route dmesg dhclient mkdir cp ping dhclient strace less grep id tty touch du sort hostname"
923a60
 
923a60
 function find_qemu_bin() {