test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN
CAP_NET_ADMIN is sometimes dropped by container runtimes. This changes the test to use CAP_CHOWN instead of CAP_NET_ADMIN, as it is less likely to be dropped.
parent
b7856f9218
commit
e5ba1d324d
@ -559,7 +559,7 @@ static void test_exec_ambientcapabilities(Manager *m) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (have_effective_cap(CAP_NET_ADMIN) <= 0 ||
|
||||
if (have_effective_cap(CAP_CHOWN) <= 0 ||
|
||||
have_effective_cap(CAP_NET_RAW) <= 0) {
|
||||
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
|
||||
return;
|
||||
|
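Review bot: The skip guard at `if (have_effective_cap(CAP_CHOWN) <= 0 ||` carries no comment tying it to the unit files, so the capability pair checked here can drift from the `AmbientCapabilities=` lines and the expected `CapAmb:` mask in the test units without anything failing. I would add `/* Must match AmbientCapabilities= in the ambient-capability test units: CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13) == CapAmb 0x2001 */` above the check. Because `<= 0` presumably also covers an error return from have_effective_cap(), the `log_notice` could name which capability was missing, so that a skipped run in a restricted container is easy to tell apart from a run that actually exercised ambient capabilities. test_exec_ambientcapabilities() starts and ends outside the hunk.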
@ -2,8 +2,8 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nfsnobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN
|
||||
AmbientCapabilities=CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_RAW
|
||||
|
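Review bot: The expected value `0000000000002001` in the new `ExecStart=` line is an undocumented magic mask; a reader has to know that CAP_CHOWN is bit 0 and CAP_NET_RAW is bit 13 to see that it matches the two `AmbientCapabilities=` lines. A comment above `ExecStart=` such as `# CapAmb 0x2001 = CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13)` would turn the next capability swap into a mechanical edit. The same applies to the five unit-file sections that follow, including the three that use the merged form `AmbientCapabilities=CAP_CHOWN CAP_NET_RAW`. CAP_CHOWN lets the `User=` account change the ownership of arbitrary files, which is harmless for this one-shot `grep` but worth a word in that comment so the unit is not copied as a template for a real service.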
@ -2,8 +2,8 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN
|
||||
AmbientCapabilities=CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_RAW
|
||||
|
@ -2,8 +2,8 @@
|
||||
Description=Test for AmbientCapabilities (daemon)
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=daemon
|
||||
AmbientCapabilities=CAP_NET_ADMIN
|
||||
AmbientCapabilities=CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_RAW
|
||||
|
@ -2,7 +2,7 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nfsnobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
||||
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
|
||||
|
@ -2,7 +2,7 @@
|
||||
Description=Test for AmbientCapabilities
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=nobody
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
||||
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
|
||||
|
@ -2,7 +2,7 @@
|
||||
Description=Test for AmbientCapabilities (daemon)
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
||||
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
|
||||
Type=oneshot
|
||||
User=daemon
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
||||
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
|
||||
|