From: Daan De Meyer
Date: Thu, 4 Sep 2025 10:48:35 +0000 (+0200)
Subject: test: Add test for nspawn's handling of cap_net_bind_service
X-Git-Tag: v258-rc4~7^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cadeaef67cb0f11bd968cfd6a183bcbfc73b0c70;p=thirdparty%2Fsystemd.git
test: Add test for nspawn's handling of cap_net_bind_service
---
diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh
index eccf183d22f..fabb1a3d306 100755
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1470,4 +1470,22 @@ testcase_link_journal_host() {
 rm -fr "$root"
 }
+testcase_cap_net_bind_service() {
+ local root
+
+ root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.cap-net-bind-service.XXX)"
+ create_dummy_container "$root"
+
+ # Check that CAP_NET_BIND_SERVICE is available without --private-users
+ systemd-nspawn --register=no --directory="$root" capsh --has-p=cap_net_bind_service
+
+ # Check that CAP_NET_BIND_SERVICE is not available with --private-users=identity
+ (! systemd-nspawn --register=no --directory="$root" --private-users=identity capsh --has-p=cap_net_bind_service)
+
+ # Check that CAP_NET_BIND_SERVICE is not available with --private-users=pick
+ (! systemd-nspawn --register=no --directory="$root" --private-users=pick capsh --has-p=cap_net_bind_service)
+
+ rm -fr "$root"
+}
+
 run_testcases
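Review bot: The two negative checks in testcase_cap_net_bind_service pass on any non-zero exit from systemd-nspawn, so they also pass when the container simply fails to start under `--private-users=identity` or `--private-users=pick` (for example if user namespaces are unavailable on the test host), without showing that CAP_NET_BIND_SERVICE was actually dropped. Moving the negation inside the container forces nspawn itself to succeed: `systemd-nspawn --register=no --directory="$root" --private-users=identity sh -c '! capsh --has-p=cap_net_bind_service'`, and the same for the `pick` case. This assumes the dummy container provides a shell; create_dummy_container is defined outside the hunk, so that needs confirming. `--has-p` inspects only the permitted set, so a one-line comment saying whether that is the only set the test means to cover would help the next reader.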