morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 00:47:10 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
9178398f2e117fe0ad7c8bbdca86a112e73feeea
systemd/test/test-execute/exec-capabilityboundingset-invert.service
Frantisek Sumsal e9cdcbed77 test: ignore IAB capabilities in test-execute 
libcap v2.33 introduces a new capability set called IAB[0] which is shown
in the output of `capsh --print` and interferes with the test checks. Let's
drop the IAB set from the output, for now, to mitigate this.

This could be (and probably should be) replaced in the future by the
newly introduced testing options[1][2] in libcap v2.32, namely:
    --has-p=xxx
    --has-i=xxx
    --has-a=xxx

but this needs to wait until the respective libcap version gets a wider
adoption. Until then, let's stick with the relatively ugly sed.

Fixes: #15046

[0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
2020-03-09 18:22:16 +01:00

9 lines
303 B
Desktop File
Raw Blame History

[Unit]
Description=Test for CapabilityBoundingSet
[Service]
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
Type=oneshot
CapabilityBoundingSet=~CAP_CHOWN
Reference in New Issue View Git Blame Copy Permalink