picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/test/test-execute
History
Alan Jenkins 69338c3dfb namespace: don't try to remount superblocks 
We can't remount the underlying superblocks, if we are inside a user
namespace and running Linux <= 4.17.  We can only change the per-mount
flags (MS_REMOUNT | MS_BIND).

This type of mount() call can only change the per-mount flags, so we
don't have to worry about passing the right string options now.

Fixes #9914 ("Since 1beab8b was merged, systemd has been failing to start
systemd-resolved inside unprivileged containers" ... "Failed to re-mount
'/run/systemd/unit-root/dev' read-only: Operation not permitted").

> It's basically my fault :-). I pointed out we could remount read-only
> without MS_BIND when reviewing the PR that added TemporaryFilesystem=,
> and poettering suggested to change PrivateDevices= at the same time.
> I think it's safe to change back, and I don't expect anyone will notice
> a difference in behaviour.
>
> It just surprised me to realize that
> `TemporaryFilesystem=/tmp:size=10M,ro,nosuid` would not apply `ro` to the
> superblock (underlying filesystem), like mount -osize=10M,ro,nosuid does.
> Maybe a comment could note the kernel version (v4.18), that lets you
> remount without MS_BIND inside a user namespace.

This makes the code longer and I guess this function is still ugly, sorry.
One obstacle to cleaning it up is the interaction between
`PrivateDevices=yes` and `ReadOnlyPaths=/dev`.  I've added a test for the
existing behaviour, which I think is now the correct behaviour.
2018-08-30 11:17:16 +01:00
..
exec-ambientcapabilities-merge-nfsnobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-merge-nobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-merge.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-nfsnobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities-nobody.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-ambientcapabilities.service test-execute: use CAP_CHOWN instead of CAP_NET_ADMIN 2018-03-05 00:02:22 +09:00
exec-basic.service systemd: do not require absolute paths in ExecStart 2018-04-16 16:09:46 +02:00
exec-bindpaths.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-capabilityboundingset-invert.service test-execute: simplify checks if grep output is empty 2018-03-22 15:57:56 +01:00
exec-capabilityboundingset-merge.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-capabilityboundingset-reset.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-capabilityboundingset-simple.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-cpuaffinity1.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-cpuaffinity2.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-cpuaffinity3.service test-execute: add tests for CPUAffinity= 2017-12-06 10:44:20 +09:00
exec-dynamicuser-fixeduser-adm.service test: add tests for DynamicUser= with static User= whose UID and GID are different 2018-07-26 16:32:10 +09:00
exec-dynamicuser-fixeduser-games.service test: add tests for DynamicUser= with static User= whose UID and GID are different 2018-07-26 16:32:10 +09:00
exec-dynamicuser-fixeduser-one-supplementarygroup.service test: test DynamicUser= with a fixed user 2016-11-03 08:37:15 +01:00
exec-dynamicuser-fixeduser.service test: test DynamicUser= with a fixed user 2016-11-03 08:37:15 +01:00
exec-dynamicuser-statedir-migrate-step1.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-dynamicuser-statedir-migrate-step2.service test-execute: remove state directories before running tests 2018-05-10 22:50:51 -07:00
exec-dynamicuser-statedir.service test-execute: make find invocation a bit more efficent, increase timeout 2018-04-16 16:09:46 +02:00
exec-dynamicuser-supplementarygroups.service test: test DynamicUser= with SupplementaryGroups= 2016-11-03 08:38:28 +01:00
exec-environment-empty.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environment-multiple.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environment.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-environmentfile.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-group-nfsnobody.service test-execute: add nfsnobody alternative as a nobody user 2016-02-28 15:00:18 +01:00
exec-group-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-group-nogroup.service test-execute: use the "nogroup" group if it exists for testing 2017-12-06 13:40:50 +01:00
exec-group.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-ignoresigpipe-no.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ignoresigpipe-yes.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-inaccessiblepaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-inaccessiblepaths-proc.service test: ensure 'InaccessiblePaths=/proc' option works (#6017) 2017-05-25 07:47:08 +03:00
exec-ioschedulingclass-best-effort.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-idle.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-none.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-ioschedulingclass-realtime.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-oomscoreadjust-negative.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-oomscoreadjust-positive.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-passenvironment-absent.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment-empty.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment-repeated.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-passenvironment.service test: add testcase for environment file variables with backslashes 2018-05-11 13:15:16 +09:00
exec-personality-aarch64.service fix missed bracket of exec-personality-ppc64le.service (#8650) 2018-04-04 11:10:42 +02:00
exec-personality-ppc64.service test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
exec-personality-ppc64le.service test: fix test-execute personality tests on ppc64 and aarch64 (#3825) 2016-08-02 16:22:56 +02:00
exec-personality-s390.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-personality-x86-64.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-personality-x86.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-privatedevices-disabled-by-prefix.service test: add tests for PrivateDevices= with '+' prefix 2018-05-01 13:44:24 +09:00
exec-privatedevices-no-capability-mknod.service test: add CAP_MKNOD tests for PrivateDevices= 2016-09-25 13:04:30 +02:00
exec-privatedevices-no-capability-sys-rawio.service test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes 2016-10-12 13:47:59 +02:00
exec-privatedevices-no.service test: fix descriptions 2018-05-01 13:44:29 +09:00
exec-privatedevices-yes-capability-mknod.service test: add CAP_MKNOD tests for PrivateDevices= 2016-09-25 13:04:30 +02:00
exec-privatedevices-yes-capability-sys-rawio.service test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes 2016-10-12 13:47:59 +02:00
exec-privatedevices-yes.service test: fix descriptions 2018-05-01 13:44:29 +09:00
exec-privatenetwork-yes.service test-execute: allow sit0@ to exist in private network namespace 2018-03-22 15:57:56 +01:00
exec-privatetmp-no.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-privatetmp-yes.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-protectkernelmodules-no-capabilities.service test: add capability tests for ProtectKernelModules= 2016-10-12 13:36:27 +02:00
exec-protectkernelmodules-yes-capabilities.service test: add capability tests for ProtectKernelModules= 2016-10-12 13:36:27 +02:00
exec-protectkernelmodules-yes-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-readonlypaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-readonlypaths-simple.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-readonlypaths-with-bindpaths.service test: add test for ReadOnlyPaths= with RuntimeDirectory= 2017-11-08 15:48:32 +09:00
exec-readonlypaths.service namespace: don't try to remount superblocks 2018-08-30 11:17:16 +01:00
exec-readwritepaths-mount-propagation.service tests: stop creating /TEST (#5943) 2017-05-11 18:56:39 -04:00
exec-restrictnamespaces-merge-all.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-merge-and.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-merge-or.service test: add tests for merging RestrictNamespaces= 2018-05-05 11:07:37 +09:00
exec-restrictnamespaces-mnt-blacklist.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-mnt.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-no.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-restrictnamespaces-yes.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-runtimedirectory-mode.service test: use setup_fake_runtime_dir() in test-execute 2018-02-26 12:50:03 +09:00
exec-runtimedirectory-owner-nfsnobody.service test: use setup_fake_runtime_dir() in test-execute 2018-02-26 12:50:03 +09:00
exec-runtimedirectory-owner-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-runtimedirectory-owner-nogroup.service test-execute: add a test for the case that NOBODY_GROUP_NAME is nogroup 2018-03-01 18:31:26 +09:00
exec-runtimedirectory-owner.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-runtimedirectory.service test: add test for trailing dot in WorkingDirectory= and RuntimeDirectory= 2018-06-03 23:59:51 +09:00
exec-specifier-interpolation.service test-execute: skip exec-specifier-interpolation if perl is missing 2018-03-22 15:57:56 +01:00
exec-specifier.service test: add test for specifier of configuration directory root 2018-06-21 03:24:09 +09:00
exec-specifier@.service test: add test for specifier of configuration directory root 2018-06-21 03:24:09 +09:00
exec-standardinput-data.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-standardinput-file.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-standardoutput-append.service Add support for opening files for appending 2018-07-20 03:54:22 -07:00
exec-standardoutput-file.service Add support for opening files for appending 2018-07-20 03:54:22 -07:00
exec-supplementarygroups-multiple-groups-default-group-user.service test: lets add more tests to cover SupplementaryGroups= cases. 2016-10-24 12:38:53 +02:00
exec-supplementarygroups-multiple-groups-withgid.service test: lets add more tests to cover SupplementaryGroups= cases. 2016-10-24 12:38:53 +02:00
exec-supplementarygroups-multiple-groups-withuid.service test: lets add more tests to cover SupplementaryGroups= cases. 2016-10-24 12:38:53 +02:00
exec-supplementarygroups-single-group-user.service test: add more tests for SupplementaryGroups= 2016-10-23 23:27:16 +02:00
exec-supplementarygroups-single-group.service test: add more tests for SupplementaryGroups= 2016-10-23 23:27:16 +02:00
exec-supplementarygroups.service test: Add simple test for supplementary groups 2016-10-23 23:27:14 +02:00
exec-systemcallerrornumber-name.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallerrornumber-number.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallfilter-failing.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-failing2.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-not-failing.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-not-failing2.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-system-user-nfsnobody.service test-execute: always use /bin/sh 2017-10-12 13:26:39 +09:00
exec-systemcallfilter-system-user-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-systemcallfilter-system-user.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-systemcallfilter-with-errno-name.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-systemcallfilter-with-errno-number.service test-execute: change path to python3 (#7306) 2017-11-12 16:09:00 +01:00
exec-temporaryfilesystem-options.service namespace: don't try to remount superblocks 2018-08-30 11:17:16 +01:00
exec-temporaryfilesystem-ro.service test: add tests for TemporaryFileSystem= 2018-02-21 09:18:14 +09:00
exec-temporaryfilesystem-rw.service test: drop the use of /bin/sh in various test services 2018-04-16 16:09:46 +02:00
exec-temporaryfilesystem-usr.service test: add tests for TemporaryFileSystem= 2018-02-21 09:18:14 +09:00
exec-umask-0177.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-umask-default.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00
exec-unsetenvironment.service test-execute: cleanup 2017-12-06 00:36:55 +09:00
exec-user-nfsnobody.service test-execute: add nfsnobody alternative as a nobody user 2016-02-28 15:00:18 +01:00
exec-user-nobody.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-user.service test-execute: add tests with user/group daemon 2018-03-02 16:42:53 +09:00
exec-workingdirectory-trailing-dot.service test: add test for trailing dot in WorkingDirectory= and RuntimeDirectory= 2018-06-03 23:59:51 +09:00
exec-workingdirectory.service test-execute: Fix systemd escaping and shell issues 2015-11-10 07:58:29 -08:00