test-execute: add no_new_privs tests for SystemCallFilter
When starting a service with a non-root user and a SystemCallFilter and other settings (like ProtectClock), the no_new_privs flag should not be set. Also, test that CapabilityBoundingSet behaves correctly, since we need to preserve some capabilities to apply the seccomp filter and then restore the ones configured by the service before executing.
This commit is contained in:
parent
24832d10b6
commit
e720cebf7c
@ -754,6 +754,18 @@ static void test_exec_systemcallfilter(Manager *m) {
|
||||
test(m, "exec-systemcallfilter-with-errno-in-allow-list.service", errno_from_name("EILSEQ"), CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-override-error-action.service", SIGSYS, CLD_KILLED);
|
||||
test(m, "exec-systemcallfilter-override-error-action2.service", errno_from_name("EILSEQ"), CLD_EXITED);
|
||||
|
||||
test(m, "exec-systemcallfilter-nonewprivileges.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-nonewprivileges-protectclock.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
|
||||
|
||||
r = find_executable("capsh", NULL);
|
||||
if (r < 0) {
|
||||
log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
test(m, "exec-systemcallfilter-nonewprivileges-bounding1.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-nonewprivileges-bounding2.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
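Review bot: The two nonewprivileges tests added right after the override-error-action2 line assert that the service sees `NoNewPrivs: 0`, but no_new_privs is inherited across fork() and execve() and cannot be cleared, so when the test process itself already runs with the flag set (a sandboxed CI job, for instance) both tests fail for a reason unrelated to the code under test. A skip in the same style as the capsh check, placed before the first new test() call, keeps the run meaningful: `if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) > 0) {` / `log_notice("Skipping %s, no_new_privs is already set on the test process", __func__);` / `return; }`. test_exec_systemcallfilter() starts before this hunk and `r` is declared there; the skip would also need sys/prctl.h if the file does not already include it.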
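--- /dev/null
+++ b/<path-not-shown-1>
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test bounding set is right with SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_net_bind_service"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE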
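Review bot: The exact string compared on the ExecStart line presumes that every capability named in CapabilityBoundingSet= is still present in the manager's own bounding set; a service can only keep the intersection, so in a container that has already dropped CAP_SYS_ADMIN or CAP_SETPCAP the sibling unit in the next section (the `cap_setpcap,cap_net_bind_service,cap_sys_admin` expectation) fails for an environmental reason rather than a systemd one. The capsh lookup in test-execute.c only guards for the binary, not for the capabilities it will report; a check beside it that skips the two bounding tests when the test process lacks those capabilities (a prctl(PR_CAPBSET_READ, …) loop, or the project's capability helpers if that file already uses them) would make the failure mode explicit. The comparison also relies on capsh printing the set in capability-number order with the `=` prefix, which is worth stating in the unit, e.g. `# capsh prints the bounding set in numeric capability order, so the expected string is order-sensitive`.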
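--- /dev/null
+++ b/<path-not-shown-2>
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test bounding set is right with SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_setpcap,cap_net_bind_service,cap_sys_admin"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE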
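--- /dev/null
+++ b/<path-not-shown-3>
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test no_new_privs is unset for ProtectClock and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"'
+Type=oneshot
+User=1
+ProtectClock=yes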
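Review bot: The separator between the field name and the value in /proc/self/status is a tab, while the ExecStart line as rendered here reads `grep "NoNewPrivs: "` with a space; if the committed file really contains a space, grep matches nothing, `c` is empty and the test fails even when no_new_privs is correctly unset, and if it contains a literal tab, an invisible tab inside a quoted pattern is fragile for future edits. A whitespace-agnostic check that also drops the `cat | grep` pipeline avoids both: `ExecStart=/bin/sh -x -c 'grep -qE "^NoNewPrivs:[[:space:]]+0$$" /proc/self/status'`. The same applies to the ExecStart line of the SystemCallFilter unit in the next section.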
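--- /dev/null
+++ b/<path-not-shown-4>
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test no_new_privs is unset for SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service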