|
|
17aa40 |
From 68c487956659bb0bc3e04be4c8f0687d46d23248 Mon Sep 17 00:00:00 2001
|
|
|
17aa40 |
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
|
|
17aa40 |
Date: Mon, 9 Mar 2020 11:00:58 +0100
|
|
|
17aa40 |
Subject: [PATCH] test: ignore IAB capabilities in `test-execute`
|
|
|
17aa40 |
|
|
|
17aa40 |
libcap v2.33 introduces a new capability set called IAB[0] which is shown
|
|
|
17aa40 |
in the output of `capsh --print` and interferes with the test checks. Let's
|
|
|
17aa40 |
drop the IAB set from the output, for now, to mitigate this.
|
|
|
17aa40 |
|
|
|
17aa40 |
This could be (and probably should be) replaced in the future by the
|
|
|
17aa40 |
newly introduced testing options[1][2] in libcap v2.32, namely:
|
|
|
17aa40 |
--has-p=xxx
|
|
|
17aa40 |
--has-i=xxx
|
|
|
17aa40 |
--has-a=xxx
|
|
|
17aa40 |
|
|
|
17aa40 |
but this needs to wait until the respective libcap version gets a wider
|
|
|
17aa40 |
adoption. Until then, let's stick with the relatively ugly sed.
|
|
|
17aa40 |
|
|
|
17aa40 |
Fixes: #15046
|
|
|
17aa40 |
|
|
|
17aa40 |
[0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd
|
|
|
17aa40 |
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7
|
|
|
17aa40 |
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
|
|
|
17aa40 |
|
|
|
17aa40 |
(cherry picked from commit e9cdcbed77971da3cb0b98b3eb91081142c91eb7)
|
|
|
17aa40 |
|
|
|
17aa40 |
Related: #2017033
|
|
|
17aa40 |
---
|
|
|
17aa40 |
test/test-execute/exec-capabilityboundingset-invert.service | 4 ++--
|
|
|
17aa40 |
.../exec-privatedevices-no-capability-mknod.service | 4 ++--
|
|
|
17aa40 |
.../exec-privatedevices-no-capability-sys-rawio.service | 4 ++--
|
|
|
17aa40 |
.../exec-privatedevices-yes-capability-mknod.service | 4 ++--
|
|
|
17aa40 |
.../exec-privatedevices-yes-capability-sys-rawio.service | 4 ++--
|
|
|
17aa40 |
.../exec-protectkernelmodules-no-capabilities.service | 4 ++--
|
|
|
17aa40 |
.../exec-protectkernelmodules-yes-capabilities.service | 4 ++--
|
|
|
17aa40 |
7 files changed, 14 insertions(+), 14 deletions(-)
|
|
|
17aa40 |
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service
|
|
|
17aa40 |
index 5f37427603..4486f6c25d 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-capabilityboundingset-invert.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-capabilityboundingset-invert.service
|
|
|
17aa40 |
@@ -2,7 +2,7 @@
|
|
|
17aa40 |
Description=Test for CapabilityBoundingSet
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
|
|
|
17aa40 |
Type=oneshot
|
|
|
17aa40 |
CapabilityBoundingSet=~CAP_CHOWN
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
|
|
|
17aa40 |
index 4d61d9ffaa..8f135be0b5 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-privatedevices-no-capability-mknod.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
|
|
|
17aa40 |
@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
PrivateDevices=no
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
|
|
|
17aa40 |
Type=oneshot
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
|
|
17aa40 |
index f7f7a16736..30ce549254 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
|
|
17aa40 |
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
PrivateDevices=no
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
|
|
|
17aa40 |
Type=oneshot
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
|
|
|
17aa40 |
index 5bcace0845..b98cfb5c7e 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-privatedevices-yes-capability-mknod.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
|
|
|
17aa40 |
@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
PrivateDevices=yes
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
|
|
|
17aa40 |
Type=oneshot
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
|
|
17aa40 |
index a246f950c1..5b0c0700f2 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
|
|
17aa40 |
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
PrivateDevices=yes
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
|
|
|
17aa40 |
Type=oneshot
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
|
|
|
17aa40 |
index 8d7e2b52d4..1b73656305 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-protectkernelmodules-no-capabilities.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
|
|
|
17aa40 |
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
ProtectKernelModules=no
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
|
|
|
17aa40 |
Type=oneshot
|
|
|
17aa40 |
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
|
|
|
17aa40 |
index fe2ae208dd..e43e72733c 100644
|
|
|
17aa40 |
--- a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
|
|
|
17aa40 |
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
|
|
|
17aa40 |
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
|
|
|
17aa40 |
|
|
|
17aa40 |
[Service]
|
|
|
17aa40 |
ProtectKernelModules=yes
|
|
|
17aa40 |
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
17aa40 |
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
|
|
17aa40 |
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
|
|
|
17aa40 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
|
|
|
17aa40 |
Type=oneshot
|