test-execute: add no_new_privs tests for SystemCallFilter
author Iago López Galeiras <iagol@microsoft.com>
Wed, 20 Sep 2023 09:40:47 +0000 (11:40 +0200)
committer Iago López Galeiras <iagol@microsoft.com>
Tue, 7 Nov 2023 10:31:53 +0000 (11:31 +0100)
commit e720cebf7cce7a6fe7d160ac968c2dc51a5c613a
tree 1ad0a6d4e610d51781994511e5a949c736b2a94e
parent 24832d10b604848cf46624bb439c7fac27f3ce3f
test-execute: add no_new_privs tests for SystemCallFilter

When starting a service with a non-root user and a SystemCallFilter and
other settings (like ProtectClock), the no_new_privs flag should not be set.

Also, test that CapabilityBoundingSet behaves correctly, since we need
to preserve some capabilities to do the seccomp filter and restore the
ones set by the service before executing.
src/test/test-execute.c
test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-nonewprivileges.service [new file with mode: 0644]