tests: Add capability tests for ProtectKernelLogs

diff --git a/test/meson.build b/test/meson.build
index 24ab4d1deef400c7b066e7b3d5d5e120d9e5b7cc..eeb3c5f8f0bc45028af3ddce27b1de31e723c84c 100644 (file)
--- a/test/meson.build
+++ b/test/meson.build
@@ -109,6 +109,8 @@ test_data_files = '''
         test-execute/exec-privatetmp-no.service
         test-execute/exec-privatetmp-yes.service
         test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
+        test-execute/exec-protectkernellogs-yes-capabilities.service
+        test-execute/exec-protectkernellogs-no-capabilities.service
         test-execute/exec-protectkernelmodules-no-capabilities.service
         test-execute/exec-protectkernelmodules-yes-capabilities.service
         test-execute/exec-protectkernelmodules-yes-mount-propagation.service

diff --git a/test/test-execute/exec-protectkernellogs-no-capabilities.service b/test/test-execute/exec-protectkernellogs-no-capabilities.service
new file mode 100644 (file)
index 0000000..f0c7d4d
--- /dev/null
+++ b/test/test-execute/exec-protectkernellogs-no-capabilities.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYSLOG for ProtectKernelLogs=no
+
+[Service]
+ProtectKernelLogs=no
+ExecStart=/bin/sh -x -c 'capsh --print | grep cap_syslog'
+Type=oneshot

diff --git a/test/test-execute/exec-protectkernellogs-yes-capabilities.service b/test/test-execute/exec-protectkernellogs-yes-capabilities.service
new file mode 100644 (file)
index 0000000..803ba7d
--- /dev/null
+++ b/test/test-execute/exec-protectkernellogs-yes-capabilities.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
+
+[Service]
+ProtectKernelLogs=yes
+ExecStart=/bin/sh -x -c '! capsh --print | grep cap_syslog'
+Type=oneshot