test: add test case for PrivateDevices=y and Group=daemon
For root, group enforcement needs to come after PrivateDevices=y set up
according to 096424d123
. Add a test to
verify this is the case.
This commit is contained in:
parent
e5f10cafe0
commit
b6657e2c53
|
@ -313,6 +313,7 @@ static void test_exec_privatedevices(Manager *m) {
|
|||
test(__func__, m, "exec-privatedevices-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(__func__, m, "exec-privatedevices-no.service", 0, CLD_EXITED);
|
||||
test(__func__, m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
test(__func__, m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
|
||||
|
||||
/* We use capsh to test if the capabilities are
|
||||
* properly set, so be sure that it exists */
|
||||
|
|
|
@ -102,6 +102,7 @@ test_data_files = '''
|
|||
test-execute/exec-privatedevices-no-capability-mknod.service
|
||||
test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
||||
test-execute/exec-privatedevices-no.service
|
||||
test-execute/exec-privatedevices-yes-with-group.service
|
||||
test-execute/exec-privatedevices-yes-capability-mknod.service
|
||||
test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
||||
test-execute/exec-privatedevices-yes.service
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
[Unit]
|
||||
Description=Test Group=group is applied after PrivateDevices=yes
|
||||
|
||||
[Service]
|
||||
PrivateDevices=yes
|
||||
Group=daemon
|
||||
Type=oneshot
|
||||
|
||||
# Check the group applied
|
||||
ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"'
|
||||
|
||||
# Check that the namespace applied
|
||||
ExecStart=/bin/sh -c 'test ! -c /dev/kmsg'
|
||||
|
||||
# Check that the owning group of a node is not daemon (should be the host root)
|
||||
ExecStart=/bin/sh -x -c 'test ! "$$(stat -c %%G /dev/stderr)" = "daemon"'
|
Loading…
Reference in New Issue