From e5ba1d324d3bda239907cd704a2f9646e777b820 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Mon, 5 Mar 2018 00:02:22 +0900
Subject: [PATCH] test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN
CAP_NET_ADMIN is somtrimes dropped by container runtime. This changes to use CAP_CHOWN instead of CAP_NET_ADMIN, as it is less likely to be dropped.
---
 src/test/test-execute.c | 2 +-
 .../exec-ambientcapabilities-merge-nfsnobody.service | 4 ++--
 .../exec-ambientcapabilities-merge-nobody.service | 4 ++--
 test/test-execute/exec-ambientcapabilities-merge.service | 4 ++--
 test/test-execute/exec-ambientcapabilities-nfsnobody.service | 4 ++--
 test/test-execute/exec-ambientcapabilities-nobody.service | 4 ++--
 test/test-execute/exec-ambientcapabilities.service | 4 ++--
 7 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 788249e885..645e0b3d47 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -559,7 +559,7 @@ static void test_exec_ambientcapabilities(Manager *m) {
 return;
 }
- if (have_effective_cap(CAP_NET_ADMIN) <= 0 ||
+ if (have_effective_cap(CAP_CHOWN) <= 0 ||
 have_effective_cap(CAP_NET_RAW) <= 0) {
 log_notice("Skipping %s, this process does not have enough capabilities", __func__);
 return;
diff --git a/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
index 00bec581b5..d2cadebde4 100644
--- a/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
+++ b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
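Review bot: The skip message in test_exec_ambientcapabilities() does not say which capabilities were missing, so a run inside a runtime that drops CAP_NET_RAW still skips the whole ambient-capability test with no hint why. Consider naming them, `log_notice("Skipping %s, this process lacks CAP_CHOWN or CAP_NET_RAW", __func__);`. The pair checked here is also coupled to six unit files and their expected CapAmb mask, so a comment above the check would help, for example `/* Must match AmbientCapabilities= and the expected CapAmb mask in test/test-execute/exec-ambientcapabilities*.service */`. The function starts and ends outside the hunk, so how its other skip paths are worded is not fully visible here.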
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nfsnobody
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities-merge-nobody.service b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
index 64964380e2..545081d629 100644
--- a/test/test-execute/exec-ambientcapabilities-merge-nobody.service
+++ b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities-merge.service b/test/test-execute/exec-ambientcapabilities-merge.service
index 22b4c6d49e..2e3fe59124 100644
--- a/test/test-execute/exec-ambientcapabilities-merge.service
+++ b/test/test-execute/exec-ambientcapabilities-merge.service
@@ -2,8 +2,8 @@
 Description=Test for AmbientCapabilities (daemon)
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=daemon
-AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_CHOWN
 AmbientCapabilities=CAP_NET_RAW
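Review bot: The expected value `0000000000002001` in ExecStart= is an undocumented magic number, so a reader has to look up capability numbers to confirm it matches the AmbientCapabilities= lines. A comment line in the [Service] section would make that checkable at a glance, for example `# CapAmb 0x2001 = CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13)`. The same applies to the other five exec-ambientcapabilities*.service hunks in this patch. The new mask itself is consistent with the capabilities as changed.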
diff --git a/test/test-execute/exec-ambientcapabilities-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
index 614cfdd584..9377ee16b2 100644
--- a/test/test-execute/exec-ambientcapabilities-nfsnobody.service
+++ b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nfsnobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities-nobody.service b/test/test-execute/exec-ambientcapabilities-nobody.service
index d63f884ef8..07a6c7511d 100644
--- a/test/test-execute/exec-ambientcapabilities-nobody.service
+++ b/test/test-execute/exec-ambientcapabilities-nobody.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities.service b/test/test-execute/exec-ambientcapabilities.service
index 0a3cfa4bf6..d91cc09a48 100644
--- a/test/test-execute/exec-ambientcapabilities.service
+++ b/test/test-execute/exec-ambientcapabilities.service
@@ -2,7 +2,7 @@
 Description=Test for AmbientCapabilities (daemon)
 [Service]
-ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
 Type=oneshot
 User=daemon
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW