mirror of
https://github.com/systemd/systemd.git
synced 2025-01-11 09:18:07 +03:00
e720cebf7c
When starting a service with a non-root user and a SystemCallFilter and other settings (like ProtectClock), the no_new_privs flag should not be set. Also, test that CapabilityBoundingSet behaves correctly, since we need to preserve some capabilities to do the seccomp filter and restore the ones set by the service before executing.
11 lines
410 B
Desktop File
# SPDX-License-Identifier: LGPL-2.1-or-later
[Unit]
Description=Test bounding set is right with SystemCallFilter and non-root user

[Service]
ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_setpcap,cap_net_bind_service,cap_sys_admin"'
Type=oneshot
User=1
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE
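The same two properties the commit message names (no_new_privs not set, bounding set preserved) can also be read from /proc/<pid>/status without capsh. The script below is an added example, not part of the systemd test suite; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Capability names by bit number, 0..40, as in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# status_field FIELD FILE: print the value of "FIELD:" from a status file.
status_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }' "$2"
}

# decode_caps HEXMASK: print comma-separated names, lowest bit first,
# in the same form capsh uses for its "Bounding set" line.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# check_status FILE EXPECTED: succeed only if NoNewPrivs is 0 and the
# decoded CapBnd mask equals the expected capability list.
check_status() {
    nnp=$(status_field NoNewPrivs "$1")
    bnd=$(decode_caps "$(status_field CapBnd "$1")")
    echo "NoNewPrivs=$nnp bounding=$bnd"
    [ "$nnp" = "0" ] && [ "$bnd" = "$2" ]
}

# Constructed sample of the relevant status lines (not from a real run):
# bits 8, 10 and 21 set, i.e. mask 0x200500.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf 'Name:\tsh\nUid:\t1\t1\t1\t1\nCapBnd:\t0000000000200500\nNoNewPrivs:\t0\n' > "$SAMPLE"
check_status "$SAMPLE" "cap_setpcap,cap_net_bind_service,cap_sys_admin"
```

On a live system, point check_status at /proc/<pid>/status for the service's main PID instead of the sample file.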