test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes
parent
2cd0a73547
commit
625d8769fa
|
@ -140,6 +140,8 @@ static void test_exec_privatedevices_capabilities(Manager *m) {
|
||||||
}
|
}
|
||||||
test(m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED);
|
test(m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED);
|
||||||
test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
|
test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
|
||||||
|
test(m, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED);
|
||||||
|
test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_exec_protectkernelmodules_capabilities(Manager *m) {
|
static void test_exec_protectkernelmodules_capabilities(Manager *m) {
|
||||||
|
|
|
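Review bot: The two added `test()` calls for the `-capability-sys-rawio` units carry no comment saying why CAP_SYS_RAWIO is checked alongside CAP_MKNOD. I would add above them `/* CAP_SYS_RAWIO allows raw I/O (iopl/ioperm, /dev/mem, /dev/port), so PrivateDevices=yes has to drop it as well as CAP_MKNOD */`. Both units shell out to `capsh`, and the start of `test_exec_privatedevices_capabilities()` is outside this hunk, so confirm that whatever skip logic exists for a missing `capsh` runs before these calls too.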
@ -0,0 +1,7 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
PrivateDevices=no
|
||||||
|
ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_rawio'
|
||||||
|
Type=oneshot
|
|
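Review bot: The `ExecStart=` check in this PrivateDevices=no unit only passes when the process running the test already has cap_sys_rawio, which is a property of the environment and not something this unit controls. In a container or CI sandbox that has already dropped it, the unit presumably exits non-zero and the C test reports a failure even though PrivateDevices=no behaved correctly. Document the prerequisite in the unit, e.g. `# Needs a test runner that holds CAP_SYS_RAWIO; fails where the capability is already dropped`, or have the C test skip this pair when the capability is absent.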
@ -0,0 +1,7 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
PrivateDevices=yes
|
||||||
|
ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_rawio'
|
||||||
|
Type=oneshot
|
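Review bot: The negated pipeline in `ExecStart=` passes vacuously whenever `capsh --print` produces no output, because `!` inverts only grep's exit status and a missing or failing `capsh` leaves grep with nothing to match. For a test whose purpose is to prove a capability was removed, that is a false pass in the security-relevant direction. Capture the output first so a capsh failure fails the unit: `ExecStart=/bin/sh -x -c 'out=$$(capsh --print) && ! echo "$$out" | grep cap_sys_rawio'` (the `$$` keeps systemd from expanding the variable itself). The mknod unit referenced by the C test may use the same pattern, but its contents are not shown here.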