|
|
803fb7 |
From 900251c41dab192ff863024e07864c09462e86d2 Mon Sep 17 00:00:00 2001
|
|
|
803fb7 |
From: Lukas Nykryn <lnykryn@redhat.com>
|
|
|
803fb7 |
Date: Mon, 20 Mar 2017 12:24:09 +0100
|
|
|
803fb7 |
Subject: [PATCH] test-capability: rebase to upstream version
|
|
|
803fb7 |
|
|
|
803fb7 |
Related: #1387398
|
|
|
803fb7 |
---
|
|
|
de8967 |
src/test/test-capability.c | 80 +++++++++++++++++--
|
|
|
de8967 |
src/test/test-execute.c | 43 ++++++++++
|
|
|
de8967 |
...pabilityambientset-merge-nfsnobody.service | 9 +++
|
|
|
de8967 |
test/exec-capabilityambientset-merge.service | 9 +++
|
|
|
de8967 |
...xec-capabilityambientset-nfsnobody.service | 8 ++
|
|
|
de8967 |
test/exec-capabilityambientset.service | 8 ++
|
|
|
de8967 |
.../exec-capabilityboundingset-invert.service | 7 ++
|
|
|
de8967 |
test/exec-capabilityboundingset-merge.service | 8 ++
|
|
|
de8967 |
test/exec-capabilityboundingset-reset.service | 8 ++
|
|
|
de8967 |
.../exec-capabilityboundingset-simple.service | 7 ++
|
|
|
803fb7 |
10 files changed, 179 insertions(+), 8 deletions(-)
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityambientset-merge-nfsnobody.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityambientset-merge.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityambientset-nfsnobody.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityambientset.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityboundingset-invert.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityboundingset-merge.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityboundingset-reset.service
|
|
|
803fb7 |
create mode 100644 test/exec-capabilityboundingset-simple.service
|
|
|
803fb7 |
|
|
|
803fb7 |
diff --git a/src/test/test-capability.c b/src/test/test-capability.c
|
|
|
803fb7 |
index 43769923b..67a9ec2d1 100644
|
|
|
803fb7 |
--- a/src/test/test-capability.c
|
|
|
803fb7 |
+++ b/src/test/test-capability.c
|
|
|
803fb7 |
@@ -17,21 +17,22 @@
|
|
|
803fb7 |
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
803fb7 |
***/
|
|
|
803fb7 |
|
|
|
803fb7 |
-#include <sys/types.h>
|
|
|
803fb7 |
-#include <sys/wait.h>
|
|
|
803fb7 |
-#include <sys/capability.h>
|
|
|
803fb7 |
-#include <sys/socket.h>
|
|
|
803fb7 |
#include <netinet/in.h>
|
|
|
803fb7 |
#include <pwd.h>
|
|
|
803fb7 |
+#include <sys/capability.h>
|
|
|
803fb7 |
+#include <sys/prctl.h>
|
|
|
803fb7 |
+#include <sys/socket.h>
|
|
|
803fb7 |
+#include <sys/wait.h>
|
|
|
803fb7 |
#include <unistd.h>
|
|
|
803fb7 |
|
|
|
803fb7 |
#include "capability.h"
|
|
|
803fb7 |
-#include "util.h"
|
|
|
803fb7 |
#include "macro.h"
|
|
|
803fb7 |
+#include "util.h"
|
|
|
803fb7 |
|
|
|
803fb7 |
static uid_t test_uid = -1;
|
|
|
803fb7 |
static gid_t test_gid = -1;
|
|
|
803fb7 |
-// We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+/* We keep CAP_DAC_OVERRIDE to avoid errors with gcov when doing test coverage */
|
|
|
803fb7 |
static uint64_t test_flags = 1ULL << CAP_DAC_OVERRIDE;
|
|
|
803fb7 |
|
|
|
803fb7 |
static void fork_test(void (*test_func)(void)) {
|
|
|
803fb7 |
@@ -65,8 +66,9 @@ static void show_capabilities(void) {
|
|
|
803fb7 |
cap_free(text);
|
|
|
803fb7 |
}
|
|
|
803fb7 |
|
|
|
803fb7 |
-static int setup_tests(void) {
|
|
|
803fb7 |
+static int setup_tests(bool *run_ambient) {
|
|
|
803fb7 |
struct passwd *nobody;
|
|
|
803fb7 |
+ int r;
|
|
|
803fb7 |
|
|
|
803fb7 |
nobody = getpwnam("nobody");
|
|
|
803fb7 |
if (!nobody) {
|
|
|
803fb7 |
@@ -76,6 +78,18 @@ static int setup_tests(void) {
|
|
|
803fb7 |
test_uid = nobody->pw_uid;
|
|
|
803fb7 |
test_gid = nobody->pw_gid;
|
|
|
803fb7 |
|
|
|
803fb7 |
+ *run_ambient = false;
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ /* There's support for PR_CAP_AMBIENT if the prctl() call
|
|
|
803fb7 |
+ * succeeded or error code was something else than EINVAL. The
|
|
|
803fb7 |
+ * EINVAL check should be good enough to rule out false
|
|
|
803fb7 |
+ * positives. */
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ if (r >= 0 || errno != EINVAL)
|
|
|
803fb7 |
+ *run_ambient = true;
|
|
|
803fb7 |
+
|
|
|
803fb7 |
return 0;
|
|
|
803fb7 |
}
|
|
|
803fb7 |
|
|
|
803fb7 |
@@ -139,8 +153,53 @@ static void test_have_effective_cap(void) {
|
|
|
803fb7 |
assert_se(!have_effective_cap(CAP_CHOWN));
|
|
|
803fb7 |
}
|
|
|
803fb7 |
|
|
|
803fb7 |
+static void test_update_inherited_set(void) {
|
|
|
803fb7 |
+ cap_t caps;
|
|
|
803fb7 |
+ uint64_t set = 0;
|
|
|
803fb7 |
+ cap_flag_value_t fv;
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ caps = cap_get_proc();
|
|
|
803fb7 |
+ assert_se(caps);
|
|
|
803fb7 |
+ assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
|
|
|
803fb7 |
+ assert(fv == CAP_CLEAR);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ set = (UINT64_C(1) << CAP_CHOWN);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ assert_se(!capability_update_inherited_set(caps, set));
|
|
|
803fb7 |
+ assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
|
|
|
803fb7 |
+ assert(fv == CAP_SET);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ cap_free(caps);
|
|
|
803fb7 |
+}
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+static void test_set_ambient_caps(void) {
|
|
|
803fb7 |
+ cap_t caps;
|
|
|
803fb7 |
+ uint64_t set = 0;
|
|
|
803fb7 |
+ cap_flag_value_t fv;
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ caps = cap_get_proc();
|
|
|
803fb7 |
+ assert_se(caps);
|
|
|
803fb7 |
+ assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
|
|
|
803fb7 |
+ assert(fv == CAP_CLEAR);
|
|
|
803fb7 |
+ cap_free(caps);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ set = (UINT64_C(1) << CAP_CHOWN);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ assert_se(!capability_ambient_set_apply(set, true));
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ caps = cap_get_proc();
|
|
|
803fb7 |
+ assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
|
|
|
803fb7 |
+ assert(fv == CAP_SET);
|
|
|
803fb7 |
+ cap_free(caps);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
|
|
|
803fb7 |
+}
|
|
|
803fb7 |
+
|
|
|
803fb7 |
int main(int argc, char *argv[]) {
|
|
|
803fb7 |
int r;
|
|
|
803fb7 |
+ bool run_ambient;
|
|
|
803fb7 |
|
|
|
803fb7 |
log_parse_environment();
|
|
|
803fb7 |
log_open();
|
|
|
803fb7 |
@@ -148,14 +207,19 @@ int main(int argc, char *argv[]) {
|
|
|
803fb7 |
if (getuid() != 0)
|
|
|
803fb7 |
return EXIT_TEST_SKIP;
|
|
|
803fb7 |
|
|
|
803fb7 |
- r = setup_tests();
|
|
|
803fb7 |
+ r = setup_tests(&run_ambient);
|
|
|
803fb7 |
if (r < 0)
|
|
|
803fb7 |
return -r;
|
|
|
803fb7 |
|
|
|
803fb7 |
show_capabilities();
|
|
|
803fb7 |
|
|
|
803fb7 |
test_drop_privileges();
|
|
|
803fb7 |
+ test_update_inherited_set();
|
|
|
803fb7 |
+
|
|
|
803fb7 |
fork_test(test_have_effective_cap);
|
|
|
803fb7 |
|
|
|
803fb7 |
+ if (run_ambient)
|
|
|
803fb7 |
+ fork_test(test_set_ambient_caps);
|
|
|
803fb7 |
+
|
|
|
803fb7 |
return 0;
|
|
|
803fb7 |
}
|
|
|
803fb7 |
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
|
|
|
803fb7 |
index 6e5567c3e..8e70702cb 100644
|
|
|
803fb7 |
--- a/src/test/test-execute.c
|
|
|
803fb7 |
+++ b/src/test/test-execute.c
|
|
|
803fb7 |
@@ -17,7 +17,11 @@
|
|
|
803fb7 |
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
803fb7 |
***/
|
|
|
803fb7 |
|
|
|
803fb7 |
+#include <grp.h>
|
|
|
803fb7 |
+#include <pwd.h>
|
|
|
803fb7 |
#include <stdio.h>
|
|
|
803fb7 |
+#include <sys/prctl.h>
|
|
|
803fb7 |
+#include <sys/types.h>
|
|
|
803fb7 |
|
|
|
803fb7 |
#include "unit.h"
|
|
|
803fb7 |
#include "manager.h"
|
|
|
803fb7 |
@@ -25,6 +29,7 @@
|
|
|
803fb7 |
#include "macro.h"
|
|
|
803fb7 |
#include "strv.h"
|
|
|
803fb7 |
#include "mkdir.h"
|
|
|
803fb7 |
+#include "path-util.h"
|
|
|
803fb7 |
|
|
|
803fb7 |
typedef void (*test_function_t)(Manager *m);
|
|
|
803fb7 |
|
|
|
803fb7 |
@@ -177,6 +182,42 @@ static void test_exec_runtimedirectory(Manager *m) {
|
|
|
803fb7 |
test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
|
|
|
803fb7 |
}
|
|
|
803fb7 |
|
|
|
803fb7 |
+static void test_exec_capabilityboundingset(Manager *m) {
|
|
|
803fb7 |
+ int r;
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ r = find_binary("capsh", true, NULL);
|
|
|
803fb7 |
+ if (r < 0) {
|
|
|
803fb7 |
+ log_error_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
|
|
|
803fb7 |
+ return;
|
|
|
803fb7 |
+ }
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ test(m, "exec-capabilityboundingset-simple.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ test(m, "exec-capabilityboundingset-reset.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ test(m, "exec-capabilityboundingset-merge.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+}
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+static void test_exec_capabilityambientset(Manager *m) {
|
|
|
803fb7 |
+ int r;
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+ /* Check if the kernel has support for ambient capabilities. Run
|
|
|
803fb7 |
+ * the tests only if that's the case. Clearing all ambient
|
|
|
803fb7 |
+ * capabilities is fine, since we are expecting them to be unset
|
|
|
803fb7 |
+ * in the first place for the tests. */
|
|
|
803fb7 |
+ r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
|
|
|
803fb7 |
+ if (r >= 0 || errno != EINVAL) {
|
|
|
803fb7 |
+ if (getpwnam("nobody")) {
|
|
|
803fb7 |
+ test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ } else if (getpwnam("nfsnobody")) {
|
|
|
803fb7 |
+ test(m, "exec-capabilityambientset-nfsnobody.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ test(m, "exec-capabilityambientset-merge-nfsnobody.service", 0, CLD_EXITED);
|
|
|
803fb7 |
+ } else
|
|
|
803fb7 |
+ log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__);
|
|
|
803fb7 |
+ } else
|
|
|
803fb7 |
+ log_error_errno(errno, "Skipping %s, the kernel does not support ambient capabilities: %m", __func__);
|
|
|
803fb7 |
+}
|
|
|
803fb7 |
+
|
|
|
803fb7 |
int main(int argc, char *argv[]) {
|
|
|
803fb7 |
test_function_t tests[] = {
|
|
|
803fb7 |
test_exec_workingdirectory,
|
|
|
803fb7 |
@@ -192,6 +233,8 @@ int main(int argc, char *argv[]) {
|
|
|
803fb7 |
test_exec_passenvironment,
|
|
|
803fb7 |
test_exec_umask,
|
|
|
803fb7 |
test_exec_runtimedirectory,
|
|
|
803fb7 |
+ test_exec_capabilityboundingset,
|
|
|
803fb7 |
+ test_exec_capabilityambientset,
|
|
|
803fb7 |
NULL,
|
|
|
803fb7 |
};
|
|
|
803fb7 |
test_function_t *test = NULL;
|
|
|
803fb7 |
diff --git a/test/exec-capabilityambientset-merge-nfsnobody.service b/test/exec-capabilityambientset-merge-nfsnobody.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..00bec581b
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityambientset-merge-nfsnobody.service
|
|
|
803fb7 |
@@ -0,0 +1,9 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for AmbientCapabilities
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+User=nfsnobody
|
|
|
803fb7 |
+AmbientCapabilities=CAP_NET_ADMIN
|
|
|
803fb7 |
+AmbientCapabilities=CAP_NET_RAW
|
|
|
803fb7 |
diff --git a/test/exec-capabilityambientset-merge.service b/test/exec-capabilityambientset-merge.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..64964380e
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityambientset-merge.service
|
|
|
803fb7 |
@@ -0,0 +1,9 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for AmbientCapabilities
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+User=nobody
|
|
|
803fb7 |
+AmbientCapabilities=CAP_NET_ADMIN
|
|
|
803fb7 |
+AmbientCapabilities=CAP_NET_RAW
|
|
|
803fb7 |
diff --git a/test/exec-capabilityambientset-nfsnobody.service b/test/exec-capabilityambientset-nfsnobody.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..614cfdd58
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityambientset-nfsnobody.service
|
|
|
803fb7 |
@@ -0,0 +1,8 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for AmbientCapabilities
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+User=nfsnobody
|
|
|
803fb7 |
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
|
|
803fb7 |
diff --git a/test/exec-capabilityambientset.service b/test/exec-capabilityambientset.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..d63f884ef
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityambientset.service
|
|
|
803fb7 |
@@ -0,0 +1,8 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for AmbientCapabilities
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000003000"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+User=nobody
|
|
|
803fb7 |
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
|
|
803fb7 |
diff --git a/test/exec-capabilityboundingset-invert.service b/test/exec-capabilityboundingset-invert.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..fd5d24870
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityboundingset-invert.service
|
|
|
803fb7 |
@@ -0,0 +1,7 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for CapabilityBoundingSet
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "^Bounding set .*cap_chown"); test -z "$$c"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+CapabilityBoundingSet=~CAP_CHOWN
|
|
|
803fb7 |
diff --git a/test/exec-capabilityboundingset-merge.service b/test/exec-capabilityboundingset-merge.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..5c7fcaf43
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityboundingset-merge.service
|
|
|
803fb7 |
@@ -0,0 +1,8 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for CapabilityBoundingSet
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_chown,cap_fowner,cap_kill"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+CapabilityBoundingSet=CAP_FOWNER
|
|
|
803fb7 |
+CapabilityBoundingSet=CAP_KILL CAP_CHOWN
|
|
|
803fb7 |
diff --git a/test/exec-capabilityboundingset-reset.service b/test/exec-capabilityboundingset-reset.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..d7d332020
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityboundingset-reset.service
|
|
|
803fb7 |
@@ -0,0 +1,8 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for CapabilityBoundingSet
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set ="'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+CapabilityBoundingSet=CAP_FOWNER CAP_KILL
|
|
|
803fb7 |
+CapabilityBoundingSet=
|
|
|
803fb7 |
diff --git a/test/exec-capabilityboundingset-simple.service b/test/exec-capabilityboundingset-simple.service
|
|
|
803fb7 |
new file mode 100644
|
|
|
803fb7 |
index 000000000..bf1a7f575
|
|
|
803fb7 |
--- /dev/null
|
|
|
803fb7 |
+++ b/test/exec-capabilityboundingset-simple.service
|
|
|
803fb7 |
@@ -0,0 +1,7 @@
|
|
|
803fb7 |
+[Unit]
|
|
|
803fb7 |
+Description=Test for CapabilityBoundingSet
|
|
|
803fb7 |
+
|
|
|
803fb7 |
+[Service]
|
|
|
803fb7 |
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_fowner,cap_kill"'
|
|
|
803fb7 |
+Type=oneshot
|
|
|
803fb7 |
+CapabilityBoundingSet=CAP_FOWNER CAP_KILL
|