picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 

CAP_NET_ADMIN is somtrimes dropped by container runtime.
This changes to use CAP_CHOWN instead of CAP_NET_ADMIN, as it is
less likely to be dropped.
This commit is contained in:
Yu Watanabe 2018-03-05 00:02:22 +09:00
parent b7856f9218
commit e5ba1d324d
7 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/test/test-execute.c
View File

@ -559,7 +559,7 @@ static void test_exec_ambientcapabilities(Manager *m) {
return;
}
if (have_effective_cap(CAP_NET_ADMIN) <= 0 ||
if (have_effective_cap(CAP_CHOWN) <= 0 ||
have_effective_cap(CAP_NET_RAW) <= 0) {
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
return;

4
test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
View File

@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nfsnobody
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW

4
test/test-execute/exec-ambientcapabilities-merge-nobody.service
View File

@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nobody
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW

4
test/test-execute/exec-ambientcapabilities-merge.service
View File

@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities (daemon)
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=daemon
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW

4
test/test-execute/exec-ambientcapabilities-nfsnobody.service
View File

@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nfsnobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW

4
test/test-execute/exec-ambientcapabilities-nobody.service
View File

@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW

4
test/test-execute/exec-ambientcapabilities.service
View File

@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities (daemon)
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
User=daemon
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW