test-namespace: Add test for ProtectKernelLogs=

src/test/test-namespace.c

@@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1+ */
 
+#include <fcntl.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 
@@ -9,7 +10,9 @@
 #include "process-util.h"
 #include "string-util.h"
 #include "tests.h"
+#include "user-util.h"
 #include "util.h"
+#include "virt.h"
 
 static void test_tmpdir(const char *id, const char *A, const char *B) {
         _cleanup_free_ char *a, *b;
@@ -48,14 +51,16 @@ static void test_tmpdir(const char *id, const char *A, const char *B) {
         assert_se(rmdir(b) >= 0);
 }
 
-static int test_netns(void) {
+static void test_netns(void) {
         _cleanup_close_pair_ int s[2] = { -1, -1 };
         pid_t pid1, pid2, pid3;
         int r, n = 0;
         siginfo_t si;
 
-        if (geteuid() > 0)
-                return log_tests_skipped("not root");
+        if (geteuid() > 0) {
+                (void) log_tests_skipped("not root");
+                return;
+        }
 
         assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0);
 
@@ -102,7 +107,62 @@ static int test_netns(void) {
         n += si.si_status;
 
         assert_se(n == 1);
-        return EXIT_SUCCESS;
+}
+
+static void test_protect_kernel_logs(void) {
+        int r;
+        pid_t pid;
+        static const NamespaceInfo ns_info = {
+                .protect_kernel_logs = true,
+        };
+
+        if (geteuid() > 0) {
+                (void) log_tests_skipped("not root");
+                return;
+        }
+
+        /* In a container we likely don't have access to /dev/kmsg */
+        if (detect_container() > 0) {
+                (void) log_tests_skipped("in container");
+                return;
+        }
+
+
+        pid = fork();
+        assert_se(pid >= 0);
+
+        if (pid == 0) {
+                _cleanup_close_ int fd = -1;
+
+                fd = open("/dev/kmsg", O_RDONLY | O_CLOEXEC);
+                assert_se(fd > 0);
+
+                r = setup_namespace(NULL,
+                                    NULL,
+                                    &ns_info,
+                                    NULL,
+                                    NULL,
+                                    NULL,
+                                    NULL,
+                                    NULL, 0,
+                                    NULL, 0,
+                                    NULL,
+                                    NULL,
+                                    PROTECT_HOME_NO,
+                                    PROTECT_SYSTEM_NO,
+                                    0,
+                                    0,
+                                    NULL);
+                assert_se(r == 0);
+
+                assert_se(setresuid(UID_NOBODY, UID_NOBODY, UID_NOBODY) >= 0);
+                assert_se(open("/dev/kmsg", O_RDONLY | O_CLOEXEC) < 0);
+                assert_se(errno == EACCES);
+
+                _exit(EXIT_SUCCESS);
+        }
+
+        assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
 }
 
 int main(int argc, char *argv[]) {
@@ -133,5 +193,8 @@ int main(int argc, char *argv[]) {
 
         test_tmpdir("sys-devices-pci0000:00-0000:00:1a.0-usb3-3\\x2d1-3\\x2d1:1.0-bluetooth-hci0.device", z, zz);
 
-        return test_netns();
+        test_netns();
+        test_protect_kernel_logs();
+
+        return EXIT_SUCCESS;
 }