test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes

2016-10-07 20:41:38 +02:00 · 2016-10-07 20:41:38 +02:00 · 625d8769fa
parent 2cd0a73547
commit 625d8769fa
3 changed files with 16 additions and 0 deletions
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@ -140,6 +140,8 @@ static void test_exec_privatedevices_capabilities(Manager *m) {
        }
        test(m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED);
        test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
 }

 static void test_exec_protectkernelmodules_capabilities(Manager *m) {
--- a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
+
+[Service]
+PrivateDevices=no
+ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_rawio'
+Type=oneshot
--- a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_rawio'
+Type=oneshot