summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRonny Chevalier <chevalier.ronny@gmail.com>2016-02-28 15:00:18 +0100
committerRonny Chevalier <chevalier.ronny@gmail.com>2016-02-28 15:00:18 +0100
commit50f130c286c4a4cb87a94a0fc419a4462a98a7a1 (patch)
tree219c364b9c4576504de91171e023a8d8e179cbc9
parentcore: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN (diff)
downloadsystemd-50f130c286c4a4cb87a94a0fc419a4462a98a7a1.tar.xz
systemd-50f130c286c4a4cb87a94a0fc419a4462a98a7a1.zip
test-execute: add nfsnobody alternative as a nobody user
-rw-r--r--Makefile.am6
-rw-r--r--src/test/test-execute.c28
-rw-r--r--test/test-execute/exec-capabilityambientset-merge-nfsnobody.service9
-rw-r--r--test/test-execute/exec-capabilityambientset-nfsnobody.service8
-rw-r--r--test/test-execute/exec-group-nfsnobody.service7
-rw-r--r--test/test-execute/exec-runtimedirectory-owner-nfsnobody.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service11
-rw-r--r--test/test-execute/exec-user-nfsnobody.service7
8 files changed, 78 insertions, 7 deletions
diff --git a/Makefile.am b/Makefile.am
index 02557ef46a..ae1cda4c72 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1541,6 +1541,7 @@ EXTRA_DIST += \
test/test-execute/exec-passenvironment-repeated.service \
test/test-execute/exec-passenvironment.service \
test/test-execute/exec-group.service \
+ test/test-execute/exec-group-nfsnobody.service \
test/test-execute/exec-ignoresigpipe-no.service \
test/test-execute/exec-ignoresigpipe-yes.service \
test/test-execute/exec-personality-x86-64.service \
@@ -1557,7 +1558,9 @@ EXTRA_DIST += \
test/test-execute/exec-systemcallfilter-not-failing2.service \
test/test-execute/exec-systemcallfilter-not-failing.service \
test/test-execute/exec-systemcallfilter-system-user.service \
+ test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service \
test/test-execute/exec-user.service \
+ test/test-execute/exec-user-nfsnobody.service \
test/test-execute/exec-workingdirectory.service \
test/test-execute/exec-umask-0177.service \
test/test-execute/exec-umask-default.service \
@@ -1574,10 +1577,13 @@ EXTRA_DIST += \
test/test-execute/exec-capabilityboundingset-reset.service \
test/test-execute/exec-capabilityboundingset-simple.service \
test/test-execute/exec-capabilityambientset.service \
+ test/test-execute/exec-capabilityambientset-nfsnobody.service \
test/test-execute/exec-capabilityambientset-merge.service \
+ test/test-execute/exec-capabilityambientset-merge-nfsnobody.service \
test/test-execute/exec-runtimedirectory.service \
test/test-execute/exec-runtimedirectory-mode.service \
test/test-execute/exec-runtimedirectory-owner.service \
+ test/test-execute/exec-runtimedirectory-owner-nfsnobody.service \
test/bus-policy/hello.conf \
test/bus-policy/methods.conf \
test/bus-policy/ownerships.conf \
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 5645f5c086..3e91a5601e 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -134,23 +134,29 @@ static void test_exec_systemcall_system_mode_with_user(Manager *m) {
#ifdef HAVE_SECCOMP
if (getpwnam("nobody"))
test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
+ else if (getpwnam("nfsnobody"))
+ test(m, "exec-systemcallfilter-system-user-nfsnobody.service", 0, CLD_EXITED);
else
- log_error_errno(errno, "Skipping test_exec_systemcall_system_mode_with_user, could not find nobody user: %m");
+ log_error_errno(errno, "Skipping test_exec_systemcall_system_mode_with_user, could not find nobody/nfsnobody user: %m");
#endif
}
static void test_exec_user(Manager *m) {
if (getpwnam("nobody"))
test(m, "exec-user.service", 0, CLD_EXITED);
+ else if (getpwnam("nfsnobody"))
+ test(m, "exec-user-nfsnobody.service", 0, CLD_EXITED);
else
- log_error_errno(errno, "Skipping test_exec_user, could not find nobody user: %m");
+ log_error_errno(errno, "Skipping test_exec_user, could not find nobody/nfsnobody user: %m");
}
static void test_exec_group(Manager *m) {
if (getgrnam("nobody"))
test(m, "exec-group.service", 0, CLD_EXITED);
+ else if (getgrnam("nfsnobody"))
+ test(m, "exec-group-nfsnobody.service", 0, CLD_EXITED);
else
- log_error_errno(errno, "Skipping test_exec_group, could not find nobody group: %m");
+ log_error_errno(errno, "Skipping test_exec_group, could not find nobody/nfsnobody group: %m");
}
static void test_exec_environment(Manager *m) {
@@ -213,8 +219,10 @@ static void test_exec_runtimedirectory(Manager *m) {
test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED);
if (getgrnam("nobody"))
test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
+ else if (getgrnam("nfsnobody"))
+ test(m, "exec-runtimedirectory-owner-nfsnobody.service", 0, CLD_EXITED);
else
- log_error_errno(errno, "Skipping test_exec_runtimedirectory-owner, could not find nobody group: %m");
+ log_error_errno(errno, "Skipping test_exec_runtimedirectory-owner, could not find nobody/nfsnobody group: %m");
}
static void test_exec_capabilityboundingset(Manager *m) {
@@ -243,9 +251,15 @@ static void test_exec_capabilityambientset(Manager *m) {
* in the first place for the tests. */
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
if (r >= 0 || errno != EINVAL) {
- test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
- test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
- }
+ if (getpwnam("nobody")) {
+ test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
+ } else if (getpwnam("nfsnobody")) {
+ test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
+ test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
+ } else
+ log_error_errno(errno, "Skipping test_exec_capabilityambientset, could not find nobody/nfsnobody user: %m");
+ } else
+ log_error_errno(errno, "Skipping test_exec_capabilityambientset, the kernel does not support ambient capabilities: %m");
}
static void test_exec_privatenetwork(Manager *m) {
diff --git a/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service b/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service
new file mode 100644
index 0000000000..00bec581b5
--- /dev/null
+++ b/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+Type=oneshot
+User=nfsnobody
+AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-nfsnobody.service b/test/test-execute/exec-capabilityambientset-nfsnobody.service
new file mode 100644
index 0000000000..614cfdd584
--- /dev/null
+++ b/test/test-execute/exec-capabilityambientset-nfsnobody.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
+Type=oneshot
+User=nfsnobody
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
diff --git a/test/test-execute/exec-group-nfsnobody.service b/test/test-execute/exec-group-nfsnobody.service
new file mode 100644
index 0000000000..e02100a869
--- /dev/null
+++ b/test/test-execute/exec-group-nfsnobody.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nfsnobody"'
+Type=oneshot
+Group=nfsnobody
diff --git a/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service
new file mode 100644
index 0000000000..e962af8a4b
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G /tmp/test-exec_runtimedirectory-owner); test "$$group" = "nfsnobody"'
+Type=oneshot
+Group=nfsnobody
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner
diff --git a/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service
new file mode 100644
index 0000000000..9393e0a998
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Test for SystemCallFilter in system mode with User set
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+Type=oneshot
+User=nfsnobody
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-user-nfsnobody.service b/test/test-execute/exec-user-nfsnobody.service
new file mode 100644
index 0000000000..aafda3aa26
--- /dev/null
+++ b/test/test-execute/exec-user-nfsnobody.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for User
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$USER" = "nfsnobody"'
+Type=oneshot
+User=nfsnobody