Compare commits
5 Commits
47cc458e97
...
3b5b6826aa
| Author | SHA1 | Date |
|---|---|---|
Topi Miettinen
|
3b5b6826aa | |
|
Frantisek Sumsal
|
e9cdcbed77 | |
|
Zbigniew Jędrzejewski-Szmek
|
908055f61f | |
|
Yu Watanabe
|
abaaa79b22 | |
|
Yu Watanabe
|
578dc69f2a |
|
|
@ -2247,7 +2247,7 @@ static int setup_exec_directory(
|
||||||
|
|
||||||
if (type != EXEC_DIRECTORY_CONFIGURATION &&
|
if (type != EXEC_DIRECTORY_CONFIGURATION &&
|
||||||
readlink_and_make_absolute(p, &target) >= 0) {
|
readlink_and_make_absolute(p, &target) >= 0) {
|
||||||
_cleanup_free_ char *q = NULL;
|
_cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
|
||||||
|
|
||||||
/* This already exists and is a symlink? Interesting. Maybe it's one created
|
/* This already exists and is a symlink? Interesting. Maybe it's one created
|
||||||
* by DynamicUser=1 (see above)?
|
* by DynamicUser=1 (see above)?
|
||||||
|
|
@ -2256,13 +2256,22 @@ static int setup_exec_directory(
|
||||||
* since they all support the private/ symlink logic at least in some
|
* since they all support the private/ symlink logic at least in some
|
||||||
* configurations, see above. */
|
* configurations, see above. */
|
||||||
|
|
||||||
|
r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
|
||||||
|
if (r < 0)
|
||||||
|
goto fail;
|
||||||
|
|
||||||
q = path_join(params->prefix[type], "private", *rt);
|
q = path_join(params->prefix[type], "private", *rt);
|
||||||
if (!q) {
|
if (!q) {
|
||||||
r = -ENOMEM;
|
r = -ENOMEM;
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (path_equal(q, target)) {
|
/* /var/lib or friends may be symlinks. So, let's chase them also. */
|
||||||
|
r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
|
||||||
|
if (r < 0)
|
||||||
|
goto fail;
|
||||||
|
|
||||||
|
if (path_equal(q_resolved, target_resolved)) {
|
||||||
|
|
||||||
/* Hmm, apparently DynamicUser= was once turned on for this service,
|
/* Hmm, apparently DynamicUser= was once turned on for this service,
|
||||||
* but is no longer. Let's move the directory back up. */
|
* but is no longer. Let's move the directory back up. */
|
||||||
|
|
|
||||||
|
|
@ -64,7 +64,7 @@ static const MountPoint mount_table[] = {
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
|
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_NONE },
|
NULL, MNT_NONE },
|
||||||
|
|
|
||||||
|
|
@ -561,6 +561,7 @@ static void test_exec_dynamicuser(Manager *m) {
|
||||||
|
|
||||||
test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
|
test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
|
||||||
test(__func__, m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
test(__func__, m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
|
||||||
|
test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
|
||||||
|
|
||||||
(void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
|
(void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||||
(void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);
|
(void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
Description=Test for CapabilityBoundingSet
|
Description=Test for CapabilityBoundingSet
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
CapabilityBoundingSet=~CAP_CHOWN
|
CapabilityBoundingSet=~CAP_CHOWN
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=no
|
PrivateDevices=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=no
|
PrivateDevices=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=no
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelLogs=no
|
ProtectKernelLogs=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelModules=no
|
ProtectKernelModules=no
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
||||||
ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue