diff --git a/src/test/test-execute.c b/src/test/test-execute.c index ab0c4e905d..64779d0cf2 100644 --- a/src/test/test-execute.c +++ b/src/test/test-execute.c @@ -754,6 +754,18 @@ static void test_exec_systemcallfilter(Manager *m) { test(m, "exec-systemcallfilter-with-errno-in-allow-list.service", errno_from_name("EILSEQ"), CLD_EXITED); test(m, "exec-systemcallfilter-override-error-action.service", SIGSYS, CLD_KILLED); test(m, "exec-systemcallfilter-override-error-action2.service", errno_from_name("EILSEQ"), CLD_EXITED); + + test(m, "exec-systemcallfilter-nonewprivileges.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED); + test(m, "exec-systemcallfilter-nonewprivileges-protectclock.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED); + + r = find_executable("capsh", NULL); + if (r < 0) { + log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__); + return; + } + + test(m, "exec-systemcallfilter-nonewprivileges-bounding1.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED); + test(m, "exec-systemcallfilter-nonewprivileges-bounding2.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED); #endif } diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service new file mode 100644 index 0000000000..8f8192cc94 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test bounding set is right with SystemCallFilter and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_net_bind_service"' +Type=oneshot +User=1 +SystemCallFilter=@system-service +CapabilityBoundingSet=CAP_NET_BIND_SERVICE diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service new file mode 100644 index 0000000000..d78c3232bb --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test bounding set is right with SystemCallFilter and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_setpcap,cap_net_bind_service,cap_sys_admin"' +Type=oneshot +User=1 +SystemCallFilter=@system-service +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service new file mode 100644 index 0000000000..f33a2a05c4 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test no_new_privs is unset for ProtectClock and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"' +Type=oneshot +User=1 +ProtectClock=yes diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges.service b/test/test-execute/exec-systemcallfilter-nonewprivileges.service new file mode 100644 index 0000000000..8bfd0a79d9 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test no_new_privs is unset for SystemCallFilter and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"' +Type=oneshot +User=1 +SystemCallFilter=@system-service