test-execute: add no_new_privs tests for SystemCallFilter 6763/head
authorIago López Galeiras <iagol@microsoft.com>
Wed, 20 Sep 2023 09:40:47 +0000 (11:40 +0200)
committerIago López Galeiras <iagol@microsoft.com>
Tue, 7 Nov 2023 10:31:53 +0000 (11:31 +0100)
When starting a service with a non-root user and a SystemCallFilter and
other settings (like ProtectClock), the no_new_privs flag should not be set.

Also, test that CapabilityBoundingSet behaves correctly, since we need
to preserve some capabilities to do the seccomp filter and restore the
ones set by the service before executing.

src/test/test-execute.c
test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-nonewprivileges.service [new file with mode: 0644]

index ab0c4e905dd48aa2e3b5ac371624e7fa4a610618..64779d0cf2de091045a5aadffad9fd90a1d1dfa1 100644 (file)
@@ -754,6 +754,18 @@ static void test_exec_systemcallfilter(Manager *m) {
         test(m, "exec-systemcallfilter-with-errno-in-allow-list.service", errno_from_name("EILSEQ"), CLD_EXITED);
         test(m, "exec-systemcallfilter-override-error-action.service", SIGSYS, CLD_KILLED);
         test(m, "exec-systemcallfilter-override-error-action2.service", errno_from_name("EILSEQ"), CLD_EXITED);
+
+        test(m, "exec-systemcallfilter-nonewprivileges.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
+        test(m, "exec-systemcallfilter-nonewprivileges-protectclock.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
+
+        r = find_executable("capsh", NULL);
+        if (r < 0) {
+                log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+                return;
+        }
+
+        test(m, "exec-systemcallfilter-nonewprivileges-bounding1.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
+        test(m, "exec-systemcallfilter-nonewprivileges-bounding2.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
 #endif
 }
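Review bot: The skip message `log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);` reads as if the whole of test_exec_systemcallfilter() is skipped, but the two NoNewPrivs units added just above it have already run at that point; only the two bounding-set units are skipped. Suggest `log_notice_errno(r, "Skipping bounding set tests in %s, could not find capsh binary: %m", __func__);` so a log from a box without capsh is not misread as the function not having run. A short comment above the first new `test(...)` line would also help a reader who does not know why no_new_privs matters here; the commit message gives the reason, so something like `/* A non-root user with SystemCallFilter= must not end up with no_new_privs set: the filter is installed while still privileged, and the bounding set configured by the unit is what the service sees. */` captures it without asserting more than the tests check. `r` is not declared inside the hunk; the function starts before it, so presumably it is declared there, but that is not visible on this page.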
 
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service
new file mode 100644 (file)
index 0000000..8f8192c
--- /dev/null
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test bounding set is right with SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_net_bind_service"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
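Review bot: The ExecStart= line exact-matches the whole `Bounding set =...` line that capsh prints, so the test is coupled to the output format of the installed libcap as much as to systemd's behaviour; a format change in capsh would fail this unit and exec-systemcallfilter-nonewprivileges-bounding2.service alike without anything being wrong in the bounding set. A comment in both units stating that assumption, e.g. `# Expects the "Bounding set =" line format printed by capsh --print (libcap)`, would save the next person debugging a failure here. In bounding2 the expected list `cap_setpcap,cap_net_bind_service,cap_sys_admin` is not in the order given on its CapabilityBoundingSet= line; it appears to follow capability-number order as capsh prints it, which is worth a one-line comment there too, e.g. `# capsh lists capabilities in capability-number order, not the order written below`.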
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service
new file mode 100644 (file)
index 0000000..d78c323
--- /dev/null
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test bounding set is right with SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_setpcap,cap_net_bind_service,cap_sys_admin"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service
new file mode 100644 (file)
index 0000000..f33a2a0
--- /dev/null
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test no_new_privs is unset for ProtectClock and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs:        "); test "$$c" = "NoNewPrivs:   0"'
+Type=oneshot
+User=1
+ProtectClock=yes
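Review bot: The ExecStart= check depends on the exact whitespace between `NoNewPrivs:` and the value in /proc/self/status, both in the grep pattern and in the string compared with `test`; on current kernels that separator is a tab, and this page renders it as spaces, so whether the unit file actually contains a tab cannot be told from here, and a mismatch would make the test fail for reasons unrelated to no_new_privs. The same pattern is used in exec-systemcallfilter-nonewprivileges.service. A whitespace-insensitive form that also drops the `cat` pipe would be `ExecStart=/bin/sh -x -c 'grep -qx "NoNewPrivs:[[:space:]]*0" /proc/self/status'`, which still fails the unit when the flag reads 1. If the exact-match form is kept, a comment such as `# The key/value separator in /proc/self/status is a tab` would make the intent explicit.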
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges.service b/test/test-execute/exec-systemcallfilter-nonewprivileges.service
new file mode 100644 (file)
index 0000000..8bfd0a7
--- /dev/null
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test no_new_privs is unset for SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs:        "); test "$$c" = "NoNewPrivs:   0"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service