From d7fce219aedfea378dcbc04c68b41d22d31ffae5 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 22 Feb 2023 18:05:18 +0100 Subject: [PATCH] test: test setting ambient caps via pam_systemd.so --- test/units/testsuite-35.sh | 53 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/test/units/testsuite-35.sh b/test/units/testsuite-35.sh index 85925f2471b..02f22cf2a23 100755 --- a/test/units/testsuite-35.sh +++ b/test/units/testsuite-35.sh @@ -573,6 +573,58 @@ EOF assert_eq "$(loginctl --no-legend | grep -c "logind-test-user")" 0 } +test_ambient_caps() { + local PAMSERVICE TRANSIENTUNIT SCRIPT + + # Verify that pam_systemd works and assigns ambient caps as it should + + if ! grep -q 'CapAmb:' /proc/self/status ; then + echo "ambient caps not available, skipping test." >&2 + return + fi + + typeset -i BND MASK + + # Get PID 1's bounding set + BND="0x$(grep 'CapBnd:' /proc/1/status | cut -d: -f2 | tr -d '[:space:]')" + + # CAP_CHOWN | CAP_KILL + MASK=$(((1 << 0) | (1 << 5))) + + if [ $(("$BND" & "$MASK")) -ne "$MASK" ] ; then + echo "CAP_CHOWN or CAP_KILL not available in bounding set, skipping test." >&2 + return + fi + + PAMSERVICE="pamserv$RANDOM" + TRANSIENTUNIT="capwakealarm$RANDOM.service" + SCRIPT="/tmp/capwakealarm$RANDOM.sh" + + cat > /etc/pam.d/"$PAMSERVICE" < "$SCRIPT" <<'EOF' +#!/bin/bash +set -ex +typeset -i AMB MASK +AMB="0x$(grep 'CapAmb:' /proc/self/status | cut -d: -f2 | tr -d '[:space:]')" +MASK=$(((1 << 0) | (1 << 5))) +test "$AMB" -eq "$MASK" +EOF + + chmod +x "$SCRIPT" + + systemd-run -u "$TRANSIENTUNIT" -p PAMName="$PAMSERVICE" -p Type=oneshot -p User=logind-test-user -p StandardError=tty "$SCRIPT" + + rm -f "$SCRIPT" "$PAMSERVICE" +} + : >/failed setup_test_user @@ -587,6 +639,7 @@ test_lock_idle_action test_session_properties test_list_users test_stop_idle_session +test_ambient_caps touch /testok rm /failed
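Review bot: The teardown at the end of test_ambient_caps removes the wrong path — the PAM service is written as `cat > /etc/pam.d/"$PAMSERVICE"`, but the last statement runs `rm -f "$SCRIPT" "$PAMSERVICE"` with the bare service name, so `rm -f` silently matches nothing and the service file (which, judging by the inner script's assertion, presumably configures pam_systemd to hand CAP_CHOWN and CAP_KILL to any session authenticated through it; its heredoc body is not legible in this extraction) is left in /etc/pam.d after every run; it should read `rm -f "$SCRIPT" /etc/pam.d/"$PAMSERVICE"`. Because the cleanup is the final line, it is also skipped whenever `systemd-run` exits non-zero if the script runs under `set -e` (the file header is outside this hunk), so moving the removal into a `trap` registered right after the two files are created would make the teardown unconditional. Separately, `SCRIPT="/tmp/capwakealarm$RANDOM.sh"` is a predictable name in world-writable /tmp that root writes and then hands to logind-test-user to execute, which is the classic symlink/pre-creation race; `SCRIPT="$(mktemp /tmp/capwakealarm.XXXXXX)"` followed by `chmod 755 "$SCRIPT"` (mktemp creates the file 0600, so `chmod +x` alone would leave it unreadable to the unprivileged user) avoids it.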