test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN
CAP_NET_ADMIN is sometimes dropped by the container runtime. This changes the test to use CAP_CHOWN instead of CAP_NET_ADMIN, as it is less likely to be dropped.
This commit is contained in:
parent
b7856f9218
commit
e5ba1d324d
@ -559,7 +559,7 @@ static void test_exec_ambientcapabilities(Manager *m) {
return;
return;
}
}
if (have_effective_cap(CAP_NET_ADMIN) <= 0 ||
if (have_effective_cap(CAP_CHOWN) <= 0 ||
have_effective_cap(CAP_NET_RAW) <= 0) {
have_effective_cap(CAP_NET_RAW) <= 0) {
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
log_notice("Skipping %s, this process does not have enough capabilities", __func__);
return;
return;
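Review bot: The new guard `have_effective_cap(CAP_CHOWN) <= 0 ||` records nowhere in the code why CAP_CHOWN replaced CAP_NET_ADMIN; the only explanation lives in the commit message, so a later reader may assume the capability was picked arbitrarily and swap it back. Suggest a comment directly above the condition: `/* CAP_CHOWN is used (here and in the matching exec-ambientcapabilities unit files) because container runtimes rarely drop it, unlike CAP_NET_ADMIN */`. Note that the guard remains an OR with `have_effective_cap(CAP_NET_RAW) <= 0`, so a runtime that drops CAP_NET_RAW will still skip the test; if that environment is the one motivating this change, the second check presumably deserves the same treatment. The body of test_exec_ambientcapabilities begins and ends outside this hunk.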
@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities
Description=Test for AmbientCapabilities
[Service]
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
Type=oneshot
User=nfsnobody
User=nfsnobody
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW
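Review bot: The new expected value `CapAmb: 0000000000002001` in the ExecStart line is a bare bitmask whose derivation is not written down anywhere in the unit, so the next capability swap in this fixture is likely to produce a mismatched mask that fails for an unobvious reason. Suggest a comment directly above the ExecStart line: `# Expected ambient set is CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13) = 0x2001`. The same comment belongs in the five following unit-file hunks of this commit, which change the identical mask. Keeping the mask and the `AmbientCapabilities=` lines adjacent to such a comment also makes it obvious that the test asserts exact equality of the ambient set, not merely that the two capabilities are present.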
@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities
Description=Test for AmbientCapabilities
[Service]
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
Type=oneshot
User=nobody
User=nobody
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW
@ -2,8 +2,8 @@
Description=Test for AmbientCapabilities (daemon)
Description=Test for AmbientCapabilities (daemon)
[Service]
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
Type=oneshot
User=daemon
User=daemon
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_CHOWN
AmbientCapabilities=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW
@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities
Description=Test for AmbientCapabilities
[Service]
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
Type=oneshot
User=nfsnobody
User=nfsnobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities
Description=Test for AmbientCapabilities
[Service]
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
Type=oneshot
User=nobody
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
@ -2,7 +2,7 @@
Description=Test for AmbientCapabilities (daemon)
Description=Test for AmbientCapabilities (daemon)
[Service]
[Service]
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
Type=oneshot
Type=oneshot
User=daemon
User=daemon
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_CHOWN CAP_NET_RAW