test: add test to make sure that CAP_SYS_RAWIO was removed on PrivateDevices=yes
authorDjalal Harouni <tixxdz@opendz.org>
Fri, 7 Oct 2016 18:41:38 +0000 (20:41 +0200)
committerDjalal Harouni <tixxdz@opendz.org>
Wed, 12 Oct 2016 11:47:59 +0000 (13:47 +0200)
src/test/test-execute.c
test/test-execute/exec-privatedevices-no-capability-sys-rawio.service [new file with mode: 0644]
test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service [new file with mode: 0644]

index f7d38fb0f3369a1e550f5573ee4a7f0d0b2dac56..1eade98ed353da622da75e7e1bf60a105a8de86f 100644 (file)
@@ -140,6 +140,8 @@ static void test_exec_privatedevices_capabilities(Manager *m) {
         }
         test(m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED);
         test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
 }
 
 static void test_exec_protectkernelmodules_capabilities(Manager *m) {
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
new file mode 100644 (file)
index 0000000..e7f529c
--- /dev/null
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
+
+[Service]
+PrivateDevices=no
+ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_rawio'
+Type=oneshot
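Review bot: The positive check in `ExecStart` only holds if the manager running the test already has CAP_SYS_RAWIO in the sets that `capsh --print` lists. In an environment that has dropped it (a restricted container, for example), this unit fails for a reason unrelated to `PrivateDevices=no`. Whether the calling test function guards against that is not visible from this page. A comment in the unit stating the precondition would help, for example `# Baseline: expects the test manager to hold CAP_SYS_RAWIO; a failure here means the environment lacks it, not that PrivateDevices= misbehaved`.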
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
new file mode 100644 (file)
index 0000000..cebc493
--- /dev/null
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_rawio'
+Type=oneshot
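Review bot: The negated pipeline in `ExecStart` reports success whenever `grep` matches nothing, and that includes the case where `capsh` is missing or exits with an error. The unit can therefore pass without inspecting the capability set at all, which would hide a regression where CAP_SYS_RAWIO is retained under `PrivateDevices=yes`. Making the `capsh` run itself a precondition closes that gap: `ExecStart=/bin/sh -x -c 'capsh --print >/dev/null && ! capsh --print | grep cap_sys_rawio'`. The grep covers every line `capsh --print` emits, so a match in the bounding set also fails the test; that is probably intended and worth a one-line comment.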