Systemd/test/test-execute
Lennart Poettering 4e67759960 core: be more lenient when checking whether sandboxing is necessary
In some containers unshare() is made unavailable entirely. Let's deal
with this more gracefully and disable our sandboxing of services
then, so that we work in a container, under the assumption the container
manager is then responsible for sandboxing if we can't do it ourselves.

Previously, we'd insist on sandboxing as soon as any form of BindPath=
is used. With this change we only insist on it if we have a setting like
that where source and destination differ, i.e. there's a mapping
established that actually rearranges things, and thus would result in
systematically different behaviour if skipped (as opposed to mappings
that just make stuff read-only/writable that otherwise aren't).

(Let's also update a test that intended to test for this behaviour with
a more specific configuration that still triggers the behaviour with
this change in place)

Fixes: #13955

(For testing purposes unshare() can easily be blocked with
systemd-nspawn --system-call-filter=~unshare.)
2019-11-20 12:30:04 +01:00
exec-ambientcapabilities-merge-nfsnobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-merge-nobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-merge.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-nfsnobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-nobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-basic.service Treat kernel version condition as a list of quoted checks 2019-06-29 17:11:03 +02:00
exec-bindpaths.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-capabilityboundingset-invert.service test-execute: simplify checks if grep output is empty 2018-03-22 15:57:56 +01:00
exec-capabilityboundingset-merge.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-capabilityboundingset-reset.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-capabilityboundingset-simple.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-condition-failed.service core: ExecCondition= for services 2019-07-17 11:35:02 +02:00
exec-condition-skip.service core: ExecCondition= for services 2019-07-17 11:35:02 +02:00
exec-cpuaffinity1.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-cpuaffinity2.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-cpuaffinity3.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-dynamicuser-fixeduser-adm.service test: add tests for DynamicUser= with static User= whose UID and GID are different 2018-07-26 16:32:10 +09:00
exec-dynamicuser-fixeduser-games.service test: add tests for DynamicUser= with static User= whose UID and GID are different 2018-07-26 16:32:10 +09:00
exec-dynamicuser-fixeduser-one-supplementarygroup.service test: fix tests for supplementary groups 2018-10-02 09:48:53 +02:00
exec-dynamicuser-fixeduser.service test: fix tests for supplementary groups 2018-10-02 09:48:53 +02:00
exec-dynamicuser-statedir-migrate-step1.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-dynamicuser-statedir-migrate-step2.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-dynamicuser-statedir.service test-execute: Filter /dev/.lxc in exec-dynamicuser-statedir.service 2019-10-04 11:56:29 +02:00
exec-dynamicuser-supplementarygroups.service tests: fix fallthrough condition for supplementary groups 2018-10-11 22:24:03 +02:00
exec-environment-empty.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environment-multiple.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environment-no-substitute.service core: add ':' prefix to ExecXYZ= skip env var substitution 2019-02-20 17:58:14 +01:00
exec-environment.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environmentfile.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-group-nfsnobody.service test-execute: add nfsnobody alternative as a nobody user 2016-02-28 15:00:18 +01:00
exec-group-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-group-nogroup.service test-execute: use the "nogroup" group if it exists for testing 2017-12-06 13:40:50 +01:00
exec-group.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-ignoresigpipe-no.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ignoresigpipe-yes.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-inaccessiblepaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-inaccessiblepaths-sys.service test-execute: block /sys not /proc 2019-03-15 15:46:41 +01:00
exec-ioschedulingclass-best-effort.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-idle.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-none.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-realtime.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-oomscoreadjust-negative.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-oomscoreadjust-positive.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-passenvironment-absent.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment-empty.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment-repeated.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-personality-aarch64.service fix missed bracket of exec-personality-ppc64le.service (#8650) 2018-04-04 11:10:42 +02:00
exec-personality-ppc64.service test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
exec-personality-ppc64le.service test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
exec-personality-s390.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-personality-x86-64.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-personality-x86.service test: Pass personality test even when i686 userland runs on x86_64 kernel 2019-10-10 00:52:16 +01:00
exec-privatedevices-disabled-by-prefix.service test: add tests for PrivateDevices= with '+' prefix 2018-05-01 13:44:24 +09:00
exec-privatedevices-no-capability-mknod.service test: add CAP_MKNOD tests for PrivateDevices= 2016-09-25 13:04:30 +02:00
exec-privatedevices-no-capability-sys-rawio.service test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes 2016-10-12 13:47:59 +02:00
exec-privatedevices-no.service test: fix descriptions 2018-05-01 13:44:29 +09:00
exec-privatedevices-yes-capability-mknod.service test: add CAP_MKNOD tests for PrivateDevices= 2016-09-25 13:04:30 +02:00
exec-privatedevices-yes-capability-sys-rawio.service test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes 2016-10-12 13:47:59 +02:00
exec-privatedevices-yes.service test: fix descriptions 2018-05-01 13:44:29 +09:00
exec-privatenetwork-yes.service test-network: ignore tunnel devices automatically added by kernel 2019-02-06 22:04:32 +09:00
exec-privatetmp-no.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-privatetmp-yes.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-protecthome-tmpfs-vs-protectsystem-strict.service test: add a testcase for ProtectHome=tmpfs vs ProtectSystem=strict 2019-03-13 11:53:59 +09:00
exec-protectkernellogs-no-capabilities.service tests: Add capability tests for ProtectKernelLogs 2019-11-11 12:12:02 -08:00
exec-protectkernellogs-yes-capabilities.service tests: Add capability tests for ProtectKernelLogs 2019-11-11 12:12:02 -08:00
exec-protectkernelmodules-no-capabilities.service test: add capability tests for ProtectKernelModules= 2016-10-12 13:36:27 +02:00
exec-protectkernelmodules-yes-capabilities.service test: add capability tests for ProtectKernelModules= 2016-10-12 13:36:27 +02:00
exec-protectkernelmodules-yes-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-readonlypaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-readonlypaths-simple.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-readonlypaths-with-bindpaths.service core: be more lenient when checking whether sandboxing is necessary 2019-11-20 12:30:04 +01:00
exec-readonlypaths.service namespace: don't try to remount superblocks 2018-08-30 11:17:16 +01:00
exec-readwritepaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-restrictnamespaces-merge-all.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-merge-and.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-merge-or.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-mnt-blacklist.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-mnt.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-no.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-yes.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-runtimedirectory-mode.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-runtimedirectory-owner-nfsnobody.service test: use setup_fake_runtime_dir() in test-execute 2018-02-26 12:50:03 +09:00
exec-runtimedirectory-owner-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-runtimedirectory-owner-nogroup.service test-execute: add a test for the case that NOBODY_GROUP_NAME is nogroup 2018-03-01 18:31:26 +09:00
exec-runtimedirectory-owner.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-runtimedirectory.service test-execute: add tests for $RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
exec-specifier-interpolation.service test-execute: skip exec-specifier-interpolation if perl is missing 2018-03-22 15:57:56 +01:00
exec-specifier.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-specifier@.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-standardinput-data.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-standardinput-file.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-standardoutput-append.service Add support for opening files for appending 2018-07-20 03:54:22 -07:00
exec-standardoutput-file.service Add support for opening files for appending 2018-07-20 03:54:22 -07:00
exec-supplementarygroups-multiple-groups-default-group-user.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-supplementarygroups-multiple-groups-withgid.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-supplementarygroups-multiple-groups-withuid.service tests: fix fallthrough condition for supplementary groups 2018-10-11 22:24:03 +02:00
exec-supplementarygroups-single-group-user.service tests: fix fallthrough condition for supplementary groups 2018-10-11 22:24:03 +02:00
exec-supplementarygroups-single-group.service test: fix tests for supplementary groups 2018-10-02 09:48:53 +02:00
exec-supplementarygroups.service shared: add %g, %G specifiers for group / gid (#10368) 2018-10-13 17:26:48 +09:00
exec-systemcallerrornumber-name.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallerrornumber-number.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallfilter-failing.service test-execute: turn off coredump generation in test services 2019-05-24 10:48:28 +02:00
exec-systemcallfilter-failing2.service test-execute: turn off coredump generation in test services 2019-05-24 10:48:28 +02:00
exec-systemcallfilter-not-failing.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-not-failing2.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-system-user-nfsnobody.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-system-user-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-systemcallfilter-system-user.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-systemcallfilter-with-errno-multi.service test-execute: add a test for systemcall filter (#10273) 2018-10-05 14:46:30 +09:00
exec-systemcallfilter-with-errno-name.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallfilter-with-errno-number.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-temporaryfilesystem-options.service namespace: don't try to remount superblocks 2018-08-30 11:17:16 +01:00
exec-temporaryfilesystem-ro.service namespace: fix mode for TemporaryFileSystem= 2018-09-01 17:22:14 +09:00
exec-temporaryfilesystem-rw.service namespace: fix mode for TemporaryFileSystem= 2018-09-01 17:22:14 +09:00
exec-temporaryfilesystem-usr.service test: add tests for TemporaryFileSystem= 2018-02-21 09:18:14 +09:00
exec-umask-0177.service test-execute: also tests under the condition that unshare() is filtered 2018-10-03 08:33:23 +02:00
exec-umask-default.service test-execute: also tests under the condition that unshare() is filtered 2018-10-03 08:33:23 +02:00
exec-unsetenvironment.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-user-nfsnobody.service test-execute: add nfsnobody alternative as a nobody user 2016-02-28 15:00:18 +01:00
exec-user-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-user.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-workingdirectory-trailing-dot.service test: add test for trailing dot in WorkingDirectory= and RuntimeDirectory= 2018-06-03 23:59:51 +09:00
exec-workingdirectory.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00