richardphibel / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
17aa40
From 68c487956659bb0bc3e04be4c8f0687d46d23248 Mon Sep 17 00:00:00 2001
17aa40
From: Frantisek Sumsal <frantisek@sumsal.cz>
17aa40
Date: Mon, 9 Mar 2020 11:00:58 +0100
17aa40
Subject: [PATCH] test: ignore IAB capabilities in `test-execute`
17aa40
17aa40
libcap v2.33 introduces a new capability set called IAB[0] which is shown
17aa40
in the output of `capsh --print` and interferes with the test checks. Let's
17aa40
drop the IAB set from the output, for now, to mitigate this.
17aa40
17aa40
This could be (and probably should be) replaced in the future by the
17aa40
newly introduced testing options[1][2] in libcap v2.32, namely:
17aa40
    --has-p=xxx
17aa40
    --has-i=xxx
17aa40
    --has-a=xxx
17aa40
17aa40
but this needs to wait until the respective libcap version gets a wider
17aa40
adoption. Until then, let's stick with the relatively ugly sed.
17aa40
17aa40
Fixes: #15046
17aa40
17aa40
[0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd
17aa40
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7
17aa40
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
17aa40
17aa40
(cherry picked from commit e9cdcbed77971da3cb0b98b3eb91081142c91eb7)
17aa40
17aa40
Related: #2017033
17aa40
---
17aa40
 test/test-execute/exec-capabilityboundingset-invert.service   | 4 ++--
17aa40
 .../exec-privatedevices-no-capability-mknod.service           | 4 ++--
17aa40
 .../exec-privatedevices-no-capability-sys-rawio.service       | 4 ++--
17aa40
 .../exec-privatedevices-yes-capability-mknod.service          | 4 ++--
17aa40
 .../exec-privatedevices-yes-capability-sys-rawio.service      | 4 ++--
17aa40
 .../exec-protectkernelmodules-no-capabilities.service         | 4 ++--
17aa40
 .../exec-protectkernelmodules-yes-capabilities.service        | 4 ++--
17aa40
 7 files changed, 14 insertions(+), 14 deletions(-)
17aa40
17aa40
diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service
17aa40
index 5f37427603..4486f6c25d 100644
17aa40
--- a/test/test-execute/exec-capabilityboundingset-invert.service
17aa40
+++ b/test/test-execute/exec-capabilityboundingset-invert.service
17aa40
@@ -2,7 +2,7 @@
17aa40
 Description=Test for CapabilityBoundingSet
17aa40
 
17aa40
 [Service]
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
17aa40
 Type=oneshot
17aa40
 CapabilityBoundingSet=~CAP_CHOWN
17aa40
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
17aa40
index 4d61d9ffaa..8f135be0b5 100644
17aa40
--- a/test/test-execute/exec-privatedevices-no-capability-mknod.service
17aa40
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
17aa40
@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=no
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
17aa40
index f7f7a16736..30ce549254 100644
17aa40
--- a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
17aa40
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
17aa40
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=no
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
17aa40
index 5bcace0845..b98cfb5c7e 100644
17aa40
--- a/test/test-execute/exec-privatedevices-yes-capability-mknod.service
17aa40
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
17aa40
@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=yes
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
17aa40
index a246f950c1..5b0c0700f2 100644
17aa40
--- a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
17aa40
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
17aa40
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=yes
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
17aa40
index 8d7e2b52d4..1b73656305 100644
17aa40
--- a/test/test-execute/exec-protectkernelmodules-no-capabilities.service
17aa40
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
17aa40
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
17aa40
 
17aa40
 [Service]
17aa40
 ProtectKernelModules=no
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
17aa40
index fe2ae208dd..e43e72733c 100644
17aa40
--- a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
17aa40
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
17aa40
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
17aa40
 
17aa40
 [Service]
17aa40
 ProtectKernelModules=yes
17aa40
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
17aa40
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
17aa40
 Type=oneshot