47cc458e97
...
3b5b6826aa
Author | SHA1 | Date |
---|---|---|
Topi Miettinen | 3b5b6826aa | |
Frantisek Sumsal | e9cdcbed77 | |
Zbigniew Jędrzejewski-Szmek | 908055f61f | |
Yu Watanabe | abaaa79b22 | |
Yu Watanabe | 578dc69f2a |
@ -2247,7 +2247,7 @@ static int setup_exec_directory(
if (type != EXEC_DIRECTORY_CONFIGURATION &&
readlink_and_make_absolute(p, &target) >= 0) {
_cleanup_free_ char *q = NULL;
_cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
/* This already exists and is a symlink? Interesting. Maybe it's one created
* by DynamicUser=1 (see above)?
@ -2256,13 +2256,22 @@ static int setup_exec_directory(
* since they all support the private/ symlink logic at least in some
* configurations, see above. */
r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
if (r < 0)
goto fail;
q = path_join(params->prefix[type], "private", *rt);
if (!q) {
r = -ENOMEM;
goto fail;
}
if (path_equal(q, target)) {
/* /var/lib or friends may be symlinks. So, let's chase them also. */
r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
if (r < 0)
goto fail;
if (path_equal(q_resolved, target_resolved)) {
/* Hmm, apparently DynamicUser= was once turned on for this service,
* but is no longer. Let's move the directory back up. */
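Review bot: The new `r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);` passes no CHASE_NONEXISTENT, unlike the later call on `q`, so a dangling symlink at `p` now sends setup to `fail` with the chase error, whereas the visible old code only used `path_equal(q, target)` to decide whether to migrate and did not fail on a stale link. If failing hard is intended, say so above the call, e.g. `/* The link target must exist: a stale private/ symlink is not something we can migrate back. */`; if not, CHASE_NONEXISTENT plus an existence check before the migration would keep the old tolerance. setup_exec_directory() and its `fail:` label lie outside the hunk, so I cannot see how `r` is logged there.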
@ -64,7 +64,7 @@ static const MountPoint mount_table[] = {
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_NONE },
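Review bot: Adding MS_NOEXEC to the devtmpfs row does more than refuse to exec device nodes: on a noexec mount the kernel also rejects PROT_EXEC file mappings, so any consumer that mmap()s a node under /dev executable now gets EPERM, and because the row carries MNT_IN_CONTAINER the same applies to containers. That reasoning belongs in a comment on the entry, e.g. `/* noexec: device nodes are never meant to be executed, and this also denies PROT_EXEC mappings of them */`, assuming /dev/shm stays a separate tmpfs mount and is not affected by this row. The rest of mount_table[] is outside the hunk, so I cannot confirm that from here.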
@ -561,6 +561,7 @@ static void test_exec_dynamicuser(Manager *m) {
test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
test(__func__, m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
(void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
(void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);
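Review bot: The second `test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);` after step2 reads like a duplicated line unless the reader already knows it is meant to exercise the migration in the opposite direction; a short comment above it would remove the doubt, e.g. `/* Run step1 again: the directory step2 moved out of private/ must be migrated back in. */`. That is my reading of the step1/step2 naming rather than something visible in the hunk, so adjust the wording to match the units. The new rm_rf() of "/var/lib/test-dynamicuser-migrate2" presumably matches a StateDirectory= in one of those units, which I cannot see from here; test_exec_dynamicuser() starts before the hunk.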
@ -2,7 +2,7 @@
Description=Test for CapabilityBoundingSet
[Service]
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
Type=oneshot
CapabilityBoundingSet=~CAP_CHOWN
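Review bot: In the new ExecStart= line, `'/IAB/d'` is single-quoted inside an argument that is itself single-quoted, so those inner quotes are consumed by systemd's own word splitting, not by `sh -c`; the expression reaches sed unquoted and only works because `/IAB/d` contains nothing the shell would expand. For consistency with the adjacent `"s/[^ ]+?\-[epi]+//g"` and so the quoting survives to the shell, I would write `-e "/IAB/d"`. The same pattern is in the corresponding ExecStart= lines of the eight unit-file hunks that follow (the CAP_MKNOD, CAP_SYS_RAWIO, CAP_SYSLOG and CAP_SYS_MODULE units for both settings), and deserves the same change there.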
@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
[Service]
PrivateDevices=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
[Service]
PrivateDevices=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
[Service]
PrivateDevices=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
[Service]
PrivateDevices=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=no
[Service]
ProtectKernelLogs=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
[Service]
ProtectKernelLogs=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
[Service]
ProtectKernelModules=no
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
Type=oneshot
@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
[Service]
ProtectKernelModules=yes
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
Type=oneshot