shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 00:51:24 +03:00
Code
8d186a35cb
systemd/test/test-execute
History
Topi Miettinen ddc155b2fd New directives NoExecPaths= ExecPaths= 
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.
2021-01-29 12:40:52 +00:00
..
exec-ambientcapabilities-merge-nfsnobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-merge-nobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-merge.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-nfsnobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-nobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-basic.service execute: Make '+' exec prefix ignore PrivateTmp=yes 2020-02-29 19:32:01 +09:00
exec-bindpaths.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-capabilityboundingset-invert.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-capabilityboundingset-merge.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-capabilityboundingset-reset.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-capabilityboundingset-simple.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-condition-failed.service core: ExecCondition= for services 2019-07-17 11:35:02 +02:00
exec-condition-skip.service core: ExecCondition= for services 2019-07-17 11:35:02 +02:00
exec-cpuaffinity1.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-cpuaffinity2.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-cpuaffinity3.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-dynamicuser-fixeduser-adm.service test: add tests for DynamicUser= with static User= whose UID and GID are different 2018-07-26 16:32:10 +09:00
exec-dynamicuser-fixeduser-games.service test: add tests for DynamicUser= with static User= whose UID and GID are different 2018-07-26 16:32:10 +09:00
exec-dynamicuser-fixeduser-one-supplementarygroup.service test: fix tests for supplementary groups 2018-10-02 09:48:53 +02:00
exec-dynamicuser-fixeduser.service test: fix tests for supplementary groups 2018-10-02 09:48:53 +02:00
exec-dynamicuser-runtimedirectory1.service test: add test cases for RuntimeDirectoryPreserve=yes 2020-09-18 13:11:39 +02:00
exec-dynamicuser-runtimedirectory2.service test: add test cases for RuntimeDirectoryPreserve=yes 2020-09-18 13:11:39 +02:00
exec-dynamicuser-runtimedirectory3.service test: add test cases for RuntimeDirectoryPreserve=yes 2020-09-18 13:11:39 +02:00
exec-dynamicuser-statedir-migrate-step1.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-dynamicuser-statedir-migrate-step2.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-dynamicuser-statedir.service test-execute/exec-dynamicuser-statedir.service: fix quoting 2020-09-04 18:11:22 +02:00
exec-dynamicuser-supplementarygroups.service tests: fix fallthrough condition for supplementary groups 2018-10-11 22:24:03 +02:00
exec-environment-empty.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environment-multiple.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environment-no-substitute.service core: add ':' prefix to ExecXYZ= skip env var substitution 2019-02-20 17:58:14 +01:00
exec-environment.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environmentfile.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-group-nfsnobody.service test-execute: add nfsnobody alternative as a nobody user 2016-02-28 15:00:18 +01:00
exec-group-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-group-nogroup.service test-execute: use the "nogroup" group if it exists for testing 2017-12-06 13:40:50 +01:00
exec-group.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-ignoresigpipe-no.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ignoresigpipe-yes.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-inaccessiblepaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-inaccessiblepaths-sys.service test-execute: block /sys not /proc 2019-03-15 15:46:41 +01:00
exec-ioschedulingclass-best-effort.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-idle.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-none.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-realtime.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-noexecpaths-simple.service New directives NoExecPaths= ExecPaths= 2021-01-29 12:40:52 +00:00
exec-oomscoreadjust-negative.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-oomscoreadjust-positive.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-passenvironment-absent.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment-empty.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment-repeated.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-personality-aarch64.service fix missed bracket of exec-personality-ppc64le.service (#8650) 2018-04-04 11:10:42 +02:00
exec-personality-ppc64.service test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
exec-personality-ppc64le.service test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
exec-personality-s390.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-personality-x86-64.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-personality-x86.service test: Pass personality test even when i686 userland runs on x86_64 kernel 2019-10-10 00:52:16 +01:00
exec-privatedevices-disabled-by-prefix.service test: add tests for PrivateDevices= with '+' prefix 2018-05-01 13:44:24 +09:00
exec-privatedevices-no-capability-mknod.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-privatedevices-no-capability-sys-rawio.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-privatedevices-no.service test: fix descriptions 2018-05-01 13:44:29 +09:00
exec-privatedevices-yes-capability-mknod.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-privatedevices-yes-capability-sys-rawio.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-privatedevices-yes-with-group.service test: add test case for PrivateDevices=y and Group=daemon 2019-12-18 11:09:30 -08:00
exec-privatedevices-yes.service test: fix descriptions 2018-05-01 13:44:29 +09:00
exec-privatenetwork-yes.service test-network: ignore tunnel devices automatically added by kernel 2019-02-06 22:04:32 +09:00
exec-privatetmp-disabled-by-prefix.service execute: Make '+' exec prefix ignore PrivateTmp=yes 2020-02-29 19:32:01 +09:00
exec-privatetmp-no.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-privatetmp-yes.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-protecthome-tmpfs-vs-protectsystem-strict.service test: add a testcase for ProtectHome=tmpfs vs ProtectSystem=strict 2019-03-13 11:53:59 +09:00
exec-protectkernellogs-no-capabilities.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-protectkernellogs-yes-capabilities.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-protectkernelmodules-no-capabilities.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-protectkernelmodules-yes-capabilities.service test: ignore IAB capabilities in test-execute 2020-03-09 18:22:16 +01:00
exec-protectkernelmodules-yes-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-readonlypaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-readonlypaths-simple.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-readonlypaths-with-bindpaths.service core: be more lenient when checking whether sandboxing is necessary 2019-11-20 12:30:04 +01:00
exec-readonlypaths.service namespace: don't try to remount superblocks 2018-08-30 11:17:16 +01:00
exec-readwritepaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-restrictnamespaces-merge-all.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-merge-and.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-merge-or.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-mnt-deny-list.service tree-wide: avoid some loaded terms 2020-06-25 09:00:19 +02:00
exec-restrictnamespaces-mnt.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-no.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-yes.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-runtimedirectory-mode.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-runtimedirectory-owner-nfsnobody.service test: use setup_fake_runtime_dir() in test-execute 2018-02-26 12:50:03 +09:00
exec-runtimedirectory-owner-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-runtimedirectory-owner-nogroup.service test-execute: add a test for the case that NOBODY_GROUP_NAME is nogroup 2018-03-01 18:31:26 +09:00
exec-runtimedirectory-owner.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-runtimedirectory.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-specifier-interpolation.service test-execute: skip exec-specifier-interpolation if perl is missing 2018-03-22 15:57:56 +01:00
exec-specifier.service test: Simplify hostname checking 2020-04-22 10:35:12 +02:00
exec-specifier@.service test: Simplify hostname checking 2020-04-22 10:35:12 +02:00
exec-standardinput-data.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-standardinput-file-cat.service test: add test for https://github.com/systemd/systemd/issues/14560 2020-01-20 17:19:51 +01:00
exec-standardinput-file.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-standardoutput-append.service Add support for opening files for appending 2018-07-20 03:54:22 -07:00
exec-standardoutput-file.service Add support for opening files for appending 2018-07-20 03:54:22 -07:00
exec-standardoutput-truncate.service test: fix exec-standardoutput-truncate test 2021-01-15 20:22:29 +01:00
exec-supplementarygroups-multiple-groups-default-group-user.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-supplementarygroups-multiple-groups-withgid.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-supplementarygroups-multiple-groups-withuid.service tests: fix fallthrough condition for supplementary groups 2018-10-11 22:24:03 +02:00
exec-supplementarygroups-single-group-user.service tests: fix fallthrough condition for supplementary groups 2018-10-11 22:24:03 +02:00
exec-supplementarygroups-single-group.service test: fix tests for supplementary groups 2018-10-02 09:48:53 +02:00
exec-supplementarygroups.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-systemcallerrornumber-name.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallerrornumber-number.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallfilter-failing2.service test-execute: make sure shell execs the child 2020-11-06 15:20:34 +01:00
exec-systemcallfilter-failing.service test-execute: make sure shell execs the child 2020-11-06 15:20:34 +01:00
exec-systemcallfilter-not-failing2.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-not-failing.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-override-error-action2.service exec: Add kill action to system call filters 2020-09-15 12:54:17 +03:00
exec-systemcallfilter-override-error-action.service exec: Add kill action to system call filters 2020-09-15 12:54:17 +03:00
exec-systemcallfilter-system-user-nfsnobody.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-system-user-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-systemcallfilter-system-user.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-systemcallfilter-with-errno-multi.service test-execute: add a test for systemcall filter (#10273) 2018-10-05 14:46:30 +09:00
exec-systemcallfilter-with-errno-name.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallfilter-with-errno-number.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-temporaryfilesystem-options.service namespace: don't try to remount superblocks 2018-08-30 11:17:16 +01:00
exec-temporaryfilesystem-ro.service namespace: fix mode for TemporaryFileSystem= 2018-09-01 17:22:14 +09:00
exec-temporaryfilesystem-rw.service namespace: fix mode for TemporaryFileSystem= 2018-09-01 17:22:14 +09:00
exec-temporaryfilesystem-usr.service test: add tests for TemporaryFileSystem= 2018-02-21 09:18:14 +09:00
exec-umask-0177.service test-execute: also tests under the condition that unshare() is filtered 2018-10-03 08:33:23 +02:00
exec-umask-default.service test-execute: also tests under the condition that unshare() is filtered 2018-10-03 08:33:23 +02:00
exec-unsetenvironment.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-user-nfsnobody.service test-execute: add nfsnobody alternative as a nobody user 2016-02-28 15:00:18 +01:00
exec-user-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-user.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-workingdirectory-trailing-dot.service test: add test for trailing dot in WorkingDirectory= and RuntimeDirectory= 2018-06-03 23:59:51 +09:00
exec-workingdirectory.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00