tests: add integration test for RestrictNetworkInterfaces=

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2024-11-23 10:13:34 +08:00 · 2021-02-25 19:59:36 -05:00 · 2021-02-25 19:59:36 -05:00 · 00d6fceeb3
commit 00d6fceeb3
parent 2ce150f5ec
10 changed files with 122 additions and 0 deletions
--- a/test/TEST-62-RESTRICT-IFACES/Makefile
+++ b/test/TEST-62-RESTRICT-IFACES/Makefile
@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
--- a/test/TEST-62-RESTRICT-IFACES/test.sh
+++ b/test/TEST-62-RESTRICT-IFACES/test.sh
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+TEST_NO_NSPAWN=1
+
+set -e
+TEST_DESCRIPTION="test RestrictNetworkInterfaces="
+. $TEST_BASE_DIR/test-functions
+
+do_test "$@" 62
--- a/test/test-functions
+++ b/test/test-functions
@ -673,6 +673,7 @@ setup_basic_environment() {
    has_user_dbus_socket && install_user_dbus
    setup_selinux
    strip_binaries
+    instmods veth
    install_depmod_files
    generate_module_dependencies
    if get_bool "$IS_BUILT_WITH_ASAN"; then
--- a/test/units/testsuite-62-1.service
+++ b/test/units/testsuite-62-1.service
@ -0,0 +1,8 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-all-pings-work
+[Service]
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=
+Type=oneshot
--- a/test/units/testsuite-62-2.service
+++ b/test/units/testsuite-62-2.service
@ -0,0 +1,9 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-allow-list
+[Service]
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=veth0
+RestrictNetworkInterfaces=veth1
+Type=oneshot
--- a/test/units/testsuite-62-3.service
+++ b/test/units/testsuite-62-3.service
@ -0,0 +1,9 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-deny-list
+[Service]
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=~veth0
+RestrictNetworkInterfaces=~veth1
+Type=oneshot
--- a/test/units/testsuite-62-4.service
+++ b/test/units/testsuite-62-4.service
@ -0,0 +1,9 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-empty-assigment
+[Service]
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=veth0
+RestrictNetworkInterfaces=
+Type=oneshot
--- a/test/units/testsuite-62-5.service
+++ b/test/units/testsuite-62-5.service
@ -0,0 +1,10 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-invert-assigment
+[Service]
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=veth0
+RestrictNetworkInterfaces=veth0 veth1
+RestrictNetworkInterfaces=~veth0
+Type=oneshot
--- a/test/units/testsuite-62.service
+++ b/test/units/testsuite-62.service
@ -0,0 +1,6 @@
+Description=TEST-62-RESTRICT-IFACES
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
--- a/test/units/testsuite-62.sh
+++ b/test/units/testsuite-62.sh
@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -ex
+set -o pipefail
+
+setup() {
+    systemd-analyze log-level debug
+    systemd-analyze log-target console
+
+    for i in `seq 0 3`;
+    do
+        ip netns del ns${i} || true
+        ip link del veth${i} || true
+        ip netns add ns${i}
+        ip link add veth${i} type veth peer name veth${i}_
+        ip link set veth${i}_ netns ns${i}
+        ip -n ns${i} link set dev veth${i}_ up
+        ip -n ns${i} link set dev lo up
+        ip -n ns${i} addr add "192.168.113."$((4*i+1))/30 dev veth${i}_
+        ip link set dev veth${i} up
+        ip addr add "192.168.113."$((4*i+2))/30 dev veth${i}
+    done
+}
+
+teardown() {
+    set +e
+
+    for i in `seq 0 3`;
+    do
+        ip netns del ns${i}
+        ip link del veth${i}
+    done
+
+    systemd-analyze log-level info
+}
+
+KERNEL_VERSION="$(uname -r)"
+KERNEL_MAJOR="${KERNEL_VERSION%%.*}"
+KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
+KERNEL_MINOR="${KERNEL_MINOR%%.*}"
+
+MAJOR_REQUIRED=5
+MINOR_REQUIRED=7
+
+if [[ "$KERNEL_MAJOR" -lt $MAJOR_REQUIRED || ("$KERNEL_MAJOR" -eq $MAJOR_REQUIRED && "$KERNEL_MINOR" -lt $MINOR_REQUIRED) ]]; then
+    echo "kernel is not 5.7+" >>/skipped
+    exit 0
+fi
+
+trap teardown EXIT
+setup
+
+systemctl start --wait testsuite-62-1.service
+systemctl start --wait testsuite-62-2.service
+systemctl start --wait testsuite-62-3.service
+systemctl start --wait testsuite-62-4.service
+systemctl start --wait testsuite-62-5.service
+
+echo OK > /testok
+
+exit 0