Description=Test DynamicUser= with StateDirectory=
[Service]
-ExecStart=/usr/bin/test -w /var/lib/waldo
-ExecStart=/usr/bin/test -w /var/lib/quux/pief
-ExecStart=/bin/touch /var/lib/waldo/yay
-ExecStart=/bin/touch /var/lib/quux/pief/yayyay
-ExecStart=/usr/bin/test -f /var/lib/waldo/yay
-ExecStart=/usr/bin/test -f /var/lib/quux/pief/yayyay
-ExecStart=/usr/bin/test -f /var/lib/private/waldo/yay
-ExecStart=/usr/bin/test -f /var/lib/private/quux/pief/yayyay
+ExecStart=/bin/sh -c 'test -w /var/lib/waldo'
+ExecStart=/bin/sh -c 'test -w /var/lib/quux/pief'
+ExecStart=/bin/sh -c 'touch /var/lib/waldo/yay'
+ExecStart=/bin/sh -c 'touch /var/lib/quux/pief/yayyay'
+ExecStart=/bin/sh -c 'test -f /var/lib/waldo/yay'
+ExecStart=/bin/sh -c 'test -f /var/lib/quux/pief/yayyay'
+ExecStart=/bin/sh -c 'test -f /var/lib/private/waldo/yay'
+ExecStart=/bin/sh -c 'test -f /var/lib/private/quux/pief/yayyay'
# Make sure that /var/lib/private/waldo is really the only writable directory besides the obvious candidates
ExecStart=/bin/sh -x -c 'test $$(find / -type d -writable 2> /dev/null | egrep -v -e \'^(/var/tmp$$|/tmp$$|/proc/|/dev/mqueue$$|/dev/shm$$)\' | sort -u | tr -d '\\\\n') = /var/lib/private/quux/pief/var/lib/private/waldo'
[Service]
Type=oneshot
# This should work, as we explicitly disable the effect of ReadOnlyPaths=
-ExecStart=+/bin/touch /tmp/thisisasimpletest
+ExecStart=+/bin/sh -c 'touch /tmp/thisisasimpletest'
# This should also work, as we do not disable the effect of ReadOnlyPaths= but invert the exit code
-ExecStart=/bin/sh -x -c '! /bin/touch /tmp/thisisasimpletest'
-ExecStart=+/bin/rm /tmp/thisisasimpletest
+ExecStart=/bin/sh -x -c '! touch /tmp/thisisasimpletest'
+ExecStart=+/bin/sh -c 'rm /tmp/thisisasimpletest'
ReadOnlyPaths=/tmp
Description=Test for SystemCallFilter
[Service]
-ExecStart=/bin/echo "This should not be seen"
+ExecStart=/bin/sh -c 'echo "This should not be seen"'
Type=oneshot
SystemCallFilter=ioperm
SystemCallFilter=~ioperm
Description=Test for SystemCallFilter
[Service]
-ExecStart=/bin/echo "This should not be seen"
+ExecStart=/bin/sh -c 'echo "This should not be seen"'
Type=oneshot
SystemCallFilter=~write open execve exit_group close mmap munmap fstat DONOTEXIST
Description=Test for SystemCallFilter
[Service]
-ExecStart=/bin/echo "Foo bar"
+ExecStart=/bin/sh -c 'echo "Foo bar"'
Type=oneshot
SystemCallFilter=~read write open execve ioperm
SystemCallFilter=ioctl
Description=Test for SystemCallFilter
[Service]
-ExecStart=/bin/echo "Foo bar"
+ExecStart=/bin/sh -c 'echo "Foo bar"'
Type=oneshot
SystemCallFilter=
Description=Test for SystemCallFilter in system mode with User set
[Service]
-ExecStart=/bin/echo "Foo bar"
+ExecStart=/bin/sh -c 'echo "Foo bar"'
Type=oneshot
User=nfsnobody
SystemCallFilter=~read write open execve ioperm
Description=Test for SystemCallFilter in system mode with User set
[Service]
-ExecStart=/bin/echo "Foo bar"
+ExecStart=/bin/sh -c 'echo "Foo bar"'
Type=oneshot
User=nobody
SystemCallFilter=~read write open execve ioperm
projects / thirdparty / systemd.git / commitdiff
