keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

tests/layering-non-root-caps: Adapt to new libcap output

Browse Source 
I didn't deep dive on this, just observed that the new output
matches what we laid down.  There's ~2.5 years of changes
and ~200 commits between 2.28 and 2.48.
This commit is contained in:
Colin Walters 2021-02-16 20:26:08 +00:00 committed by OpenShift Merge Robot
parent 04839e200f
commit c1ff933bc3
1 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
tests/vmcheck/test-layering-non-root-caps.sh
View File

@ -107,7 +107,19 @@ check_group() {
check_fcap() {
local fcap=$(vm_cmd getcap $1)
local fcap=${fcap#* = } # trim filename
local fcap=${fcap#* = } # trim filename for pre-2.48 libcap: /usr/bin/foo = cap_net_raw+ep
fcap=${fcap#* } # And from the new 2.48+ libcap: /usr/bin/foo cap_net_raw=ep
if test -z "$2"; then
if test -n "$fcap"; then
assert_not_reached "expected no fcaps but found $fcap"
fi
return
fi
# Replace '+' with '='; a libcap change https://bodhi.fedoraproject.org/updates/FEDORA-2021-eeff266a64
# changed the output, and the new variant seems more correct
# because it's matching what we specified above. But we need
# to handle the previous case too for backcompat for a bit.
fcap=${fcap/+/=}
if [[ $fcap != $2 ]]; then
assert_not_reached "expected fcaps $2 on file $1 but got $fcap"
fi
@ -127,12 +139,12 @@ check_file /usr/bin/nrc-none.sh root root
check_file /usr/bin/nrc-user.sh nrcuser root
check_file /usr/bin/nrc-user-link.sh nrcuser root
check_file /usr/bin/nrc-group.sh root nrcgroup
check_file /usr/bin/nrc-caps.sh root root "cap_net_bind_service+ep"
check_file /usr/bin/nrc-caps-setuid.sh root root "cap_net_bind_service+ep"
check_file /usr/bin/nrc-caps.sh root root "cap_net_bind_service=ep"
check_file /usr/bin/nrc-caps-setuid.sh root root "cap_net_bind_service=ep"
vm_cmd test -u /usr/bin/nrc-caps-setuid.sh
check_file /usr/bin/nrc-usergroup.sh nrcuser nrcgroup
check_file /usr/bin/nrc-usergroupcaps.sh nrcuser nrcgroup "cap_net_bind_service+ep"
check_file /usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup "cap_net_bind_service+ep"
check_file /usr/bin/nrc-usergroupcaps.sh nrcuser nrcgroup "cap_net_bind_service=ep"
check_file /usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup "cap_net_bind_service=ep"
vm_cmd test -u /usr/bin/nrc-usergroupcaps-setuid.sh
check_file /var/lib/nonrootcap nrcuser nrcgroup
check_file /run/nonrootcap nrcuser nrcgroup