diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 9d6aeed776..b3f8cc8434 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -313,6 +313,7 @@ static void test_exec_privatedevices(Manager *m) {
 test(__func__, m, "exec-privatedevices-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
 test(__func__, m, "exec-privatedevices-no.service", 0, CLD_EXITED);
 test(__func__, m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
+ test(__func__, m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
 
 /* We use capsh to test if the capabilities are
 * properly set, so be sure that it exists */
diff --git a/test/meson.build b/test/meson.build
index eeb3c5f8f0..237b4db12c 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -102,6 +102,7 @@ test_data_files = '''
 test-execute/exec-privatedevices-no-capability-mknod.service
 test-execute/exec-privatedevices-no-capability-sys-rawio.service
 test-execute/exec-privatedevices-no.service
+ test-execute/exec-privatedevices-yes-with-group.service
 test-execute/exec-privatedevices-yes-capability-mknod.service
 test-execute/exec-privatedevices-yes-capability-sys-rawio.service
 test-execute/exec-privatedevices-yes.service
diff --git a/test/test-execute/exec-privatedevices-yes-with-group.service b/test/test-execute/exec-privatedevices-yes-with-group.service
new file mode 100644
index 0000000000..70a7ed24f4
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes-with-group.service
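Review bot: The expected status `can_unshare ? 0 : EXIT_FAILURE` on the added test line assumes the `daemon` group named by Group=daemon in the new unit exists on the test host; where it does not, the service fails during credential setup before PrivateDevices= is exercised at all, and this assertion fails for an unrelated reason. If this file already skips its other Group= tests when the group is missing (not visible in this hunk), apply the same guard here, e.g. `if (getgrnam("daemon"))` around the call; otherwise the prerequisite should at least be stated in a comment next to the test. test_exec_privatedevices continues past the end of this hunk.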
@@ -0,0 +1,16 @@
+[Unit]
+Description=Test Group=group is applied after PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+Group=daemon
+Type=oneshot
+
+# Check the group applied
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"'
+
+# Check that the namespace applied
+ExecStart=/bin/sh -c 'test ! -c /dev/kmsg'
+
+# Check that the owning group of a node is not daemon (should be the host root)
+ExecStart=/bin/sh -x -c 'test ! "$$(stat -c %%G /dev/stderr)" = "daemon"'
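Review bot: The last ExecStart= check passes whenever `stat` fails, not only when the owning group is not daemon: an empty command substitution makes it `test ! "" = "daemon"`, which is true, so a missing or unreadable /dev/stderr inside the private /dev is reported as success. Since the comment already states the expected owner is the host root, assert that positively, `ExecStart=/bin/sh -x -c 'test "$$(stat -c %%G /dev/stderr)" = "root"'`, which also fails on an empty substitution (this presumes the harness always runs as root, which the can_unshare expectation already implies; GNU stat without -L reports the /dev/stderr symlink itself, presumably the node PrivateDevices= created, so keep it without -L). Similarly, `test ! -c /dev/kmsg` is vacuously true on a host that has no /dev/kmsg to begin with, e.g. some containers, so the "namespace applied" check can pass without any namespace having been set up; a positive check that /dev is a separate mount would be stronger. `id -n -g` only covers the primary group, so dropping of supplementary groups is not exercised by this unit.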