test: add tests for RestrictNamespaces=

2025-03-31 14:50:15 +03:00 · 2016-11-15 15:50:19 +01:00 · 2016-11-15 15:50:19 +01:00 · 97e60383c0
commit 97e60383c0
parent d6299d613f
6 changed files with 45 additions and 0 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -1684,6 +1684,10 @@ EXTRA_DIST += \
 	test/test-execute/exec-runtimedirectory-mode.service \
 	test/test-execute/exec-runtimedirectory-owner.service \
 	test/test-execute/exec-runtimedirectory-owner-nfsnobody.service \
+	test/test-execute/exec-restrict-namespaces-no.service \
+	test/test-execute/exec-restrict-namespaces-yes.service \
+	test/test-execute/exec-restrict-namespaces-mnt.service \
+	test/test-execute/exec-restrict-namespaces-mnt-blacklist.service \
 	test/bus-policy/hello.conf \
 	test/bus-policy/methods.conf \
 	test/bus-policy/ownerships.conf \
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@ -219,6 +219,18 @@ static void test_exec_systemcallerrornumber(Manager *m) {
 #endif
 }

+static void test_exec_restrict_namespaces(Manager *m) {
+#ifdef HAVE_SECCOMP
+        if (!is_seccomp_available())
+                return;
+
+        test(m, "exec-restrict-namespaces-no.service", 0, CLD_EXITED);
+        test(m, "exec-restrict-namespaces-yes.service", 1, CLD_EXITED);
+        test(m, "exec-restrict-namespaces-mnt.service", 0, CLD_EXITED);
+        test(m, "exec-restrict-namespaces-mnt-blacklist.service", 1, CLD_EXITED);
+#endif
+}
+
 static void test_exec_systemcall_system_mode_with_user(Manager *m) {
 #ifdef HAVE_SECCOMP
        if (!is_seccomp_available())
@ -435,6 +447,7 @@ int main(int argc, char *argv[]) {
                test_exec_privatenetwork,
                test_exec_systemcallfilter,
                test_exec_systemcallerrornumber,
+                test_exec_restrict_namespaces,
                test_exec_user,
                test_exec_group,
                test_exec_supplementary_groups,
--- a/test/test-execute/exec-restrict-namespaces-mnt-blacklist.service
+++ b/test/test-execute/exec-restrict-namespaces-mnt-blacklist.service
@ -0,0 +1,7 @@
+[Unit]
+Description=Test RestrictNamespaces=~mnt
+
+[Service]
+RestrictNamespaces=~mnt
+ExecStart=/bin/sh -x -c 'unshare -m'
+Type=oneshot
--- a/test/test-execute/exec-restrict-namespaces-mnt.service
+++ b/test/test-execute/exec-restrict-namespaces-mnt.service
@ -0,0 +1,7 @@
+[Unit]
+Description=Test RestrictNamespaces=mnt
+
+[Service]
+RestrictNamespaces=mnt
+ExecStart=/bin/sh -x -c 'unshare -m'
+Type=oneshot
--- a/test/test-execute/exec-restrict-namespaces-no.service
+++ b/test/test-execute/exec-restrict-namespaces-no.service
@ -0,0 +1,7 @@
+[Unit]
+Description=Test RestrictNamespaces=no
+
+[Service]
+RestrictNamespaces=no
+ExecStart=/bin/sh -x -c 'unshare -m -u -i -n -p -f'
+Type=oneshot
--- a/test/test-execute/exec-restrict-namespaces-yes.service
+++ b/test/test-execute/exec-restrict-namespaces-yes.service
@ -0,0 +1,7 @@
+[Unit]
+Description=Test RestrictNamespaces=yes
+
+[Service]
+RestrictNamespaces=yes
+ExecStart=/bin/sh -x -c 'unshare -m'
+Type=oneshot