test: Add test for nspawn's handling of cap_net_bind_service 38723/head
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 4 Sep 2025 10:48:35 +0000 (12:48 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Fri, 5 Sep 2025 06:24:39 +0000 (08:24 +0200)
test/units/TEST-13-NSPAWN.nspawn.sh

index eccf183d22f271ede6c57ccac828e1fe2e88c5f4..fabb1a3d3061f1ca52f268c7c611e49e63cd706a 100755 (executable)
@@ -1470,4 +1470,22 @@ testcase_link_journal_host() {
     rm -fr "$root"
 }
 
+testcase_cap_net_bind_service() {
+    local root
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.cap-net-bind-service.XXX)"
+    create_dummy_container "$root"
+
+    # Check that CAP_NET_BIND_SERVICE is available without --private-users
+    systemd-nspawn --register=no --directory="$root" capsh --has-p=cap_net_bind_service
+
+    # Check that CAP_NET_BIND_SERVICE is not available with --private-users=identity
+    (! systemd-nspawn --register=no --directory="$root" --private-users=identity capsh --has-p=cap_net_bind_service)
+
+    # Check that CAP_NET_BIND_SERVICE is not available with --private-users=pick
+    (! systemd-nspawn --register=no --directory="$root" --private-users=pick capsh --has-p=cap_net_bind_service)
+
+    rm -fr "$root"
+}
+
 run_testcases
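Review bot: The two negated checks for `--private-users=identity` and `--private-users=pick` in `testcase_cap_net_bind_service` pass on any non-zero exit from `systemd-nspawn`, so a container that fails to start under user namespacing looks the same as the capability being correctly absent. Since the test guards a privilege boundary, the negation is better placed inside the container so that nspawn itself must succeed, e.g. `systemd-nspawn --register=no --directory="$root" --private-users=identity sh -c '! capsh --has-p=cap_net_bind_service'`. This assumes the dummy container has a shell, which is not visible in this hunk. Separately, `rm -fr "$root"` is presumably skipped when an assertion aborts the function early, leaving the directory under /var/lib/machines, though the preceding testcase ends the same way.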