diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index b34b207a40..e5880baec6 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -269,6 +269,10 @@ static void test_exec_privatedevices(Manager *m) {
 test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
 }
 
+static void test_exec_protecthome(Manager *m) {
+ test(m, "exec-protecthome-tmpfs-vs-protectsystem-strict.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
+}
+
 static void test_exec_protectkernelmodules(Manager *m) {
 int r;
 
@@ -732,6 +736,7 @@ int main(int argc, char *argv[]) {
 test_exec_privatedevices,
 test_exec_privatenetwork,
 test_exec_privatetmp,
+ test_exec_protecthome,
 test_exec_protectkernelmodules,
 test_exec_readonlypaths,
 test_exec_readwritepaths,
diff --git a/test/meson.build b/test/meson.build
index 796ad063c0..870f8bc6a7 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -94,6 +94,7 @@ test_data_files = '''
 test-execute/exec-privatenetwork-yes.service
 test-execute/exec-privatetmp-no.service
 test-execute/exec-privatetmp-yes.service
+ test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
 test-execute/exec-protectkernelmodules-no-capabilities.service
 test-execute/exec-protectkernelmodules-yes-capabilities.service
 test-execute/exec-protectkernelmodules-yes-mount-propagation.service
diff --git a/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service b/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
new file mode 100644
index 0000000000..1522ff80e1
--- /dev/null
+++ b/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test ProtectHome=tmpfs vs ProtectSystem=strict
+# Test for #11276
+
+[Service]
+ProtectHome=tmpfs
+ProtectSystem=strict
+Type=oneshot
+ExecStart=/bin/sh -x -c 'test "$$(stat -fc %%T /home)" = "tmpfs"'
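Review bot: In `test_exec_protecthome` (src/test/test-execute.c), the `can_unshare ? 0 : EXIT_FAILURE` argument makes a host without working unshare assert that the unit exits with failure, which in effect records "ProtectHome=tmpfs was silently not applied" as a passing result. `can_unshare` is defined outside this hunk, so its meaning is inferred from the name; if namespace setup fails with a status other than EXIT_FAILURE, the test would also fail for a reason unrelated to #11276. Skipping would be clearer than expecting failure: `if (!can_unshare) { log_notice("Cannot reliably unshare, skipping %s", __func__); return; }` followed by `test(m, "exec-protecthome-tmpfs-vs-protectsystem-strict.service", 0, CLD_EXITED);`. A one-line comment above the function naming the issue would tie it to the unit file.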
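Review bot: The `ExecStart=` check in exec-protecthome-tmpfs-vs-protectsystem-strict.service only compares the filesystem type of /home, so it passes vacuously on a build host or container where /home is already a tmpfs. It also ignores the other directories that ProtectHome= covers. Since the unit is `Type=oneshot`, further commands can be added, for example `ExecStart=/bin/sh -x -c 'test "$$(stat -fc %%T /root)" = "tmpfs"'` and an emptiness check such as `ExecStart=/bin/sh -x -c 'test -z "$$(ls -A /home)"'`, which should hold when the sandbox mounts a fresh tmpfs. That would make a silent loss of the home-directory isolation harder to miss. The `# Test for #11276` comment could also say in a few words what the regression was.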