rpms / systemd

Clone
Source Code
GIT

Blame SOURCES/0743-test-ignore-IAB-capabilities-in-test-execute.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c8s-sig-hyperscale-hotfix-252 c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-hotfix-252
  1.   be0c12a59dacd6ab6e96ebb1254716083eda9a42
  2.   SOURCES
  3.   0743-test-ignore-IAB-capabilities-in-test-execute.patch
Blob History Raw
be0c12 
From 68c487956659bb0bc3e04be4c8f0687d46d23248 Mon Sep 17 00:00:00 2001
be0c12 
From: Frantisek Sumsal <frantisek@sumsal.cz>
be0c12 
Date: Mon, 9 Mar 2020 11:00:58 +0100
be0c12 
Subject: [PATCH] test: ignore IAB capabilities in `test-execute`
be0c12
be0c12 
libcap v2.33 introduces a new capability set called IAB[0] which is shown
be0c12 
in the output of `capsh --print` and interferes with the test checks. Let's
be0c12 
drop the IAB set from the output, for now, to mitigate this.
be0c12
be0c12 
This could be (and probably should be) replaced in the future by the
be0c12 
newly introduced testing options[1][2] in libcap v2.32, namely:
be0c12 
    --has-p=xxx
be0c12 
    --has-i=xxx
be0c12 
    --has-a=xxx
be0c12
be0c12 
but this needs to wait until the respective libcap version gets a wider
be0c12 
adoption. Until then, let's stick with the relatively ugly sed.
be0c12
be0c12 
Fixes: #15046
be0c12
be0c12 
[0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd
be0c12 
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=588d0439cb6495b03f0ab9f213f0b6b339e7d4b7
be0c12 
[2] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=e7709bbc1c4712f2ddfc6e6f42892928a8a03782
be0c12
be0c12 
(cherry picked from commit e9cdcbed77971da3cb0b98b3eb91081142c91eb7)
be0c12
be0c12 
Related: #2017033
be0c12 
---
be0c12 
 test/test-execute/exec-capabilityboundingset-invert.service   | 4 ++--
be0c12 
 .../exec-privatedevices-no-capability-mknod.service           | 4 ++--
be0c12 
 .../exec-privatedevices-no-capability-sys-rawio.service       | 4 ++--
be0c12 
 .../exec-privatedevices-yes-capability-mknod.service          | 4 ++--
be0c12 
 .../exec-privatedevices-yes-capability-sys-rawio.service      | 4 ++--
be0c12 
 .../exec-protectkernelmodules-no-capabilities.service         | 4 ++--
be0c12 
 .../exec-protectkernelmodules-yes-capabilities.service        | 4 ++--
be0c12 
 7 files changed, 14 insertions(+), 14 deletions(-)
be0c12
be0c12 
diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service
be0c12 
index 5f37427603..4486f6c25d 100644
be0c12 
--- a/test/test-execute/exec-capabilityboundingset-invert.service
be0c12 
+++ b/test/test-execute/exec-capabilityboundingset-invert.service
be0c12 
@@ -2,7 +2,7 @@
be0c12 
 Description=Test for CapabilityBoundingSet
be0c12
be0c12 
 [Service]
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
be0c12 
 Type=oneshot
be0c12 
 CapabilityBoundingSet=~CAP_CHOWN
be0c12 
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
be0c12 
index 4d61d9ffaa..8f135be0b5 100644
be0c12 
--- a/test/test-execute/exec-privatedevices-no-capability-mknod.service
be0c12 
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
be0c12 
@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
be0c12
be0c12 
 [Service]
be0c12 
 PrivateDevices=no
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
be0c12 
 Type=oneshot
be0c12 
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
be0c12 
index f7f7a16736..30ce549254 100644
be0c12 
--- a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
be0c12 
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
be0c12 
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
be0c12
be0c12 
 [Service]
be0c12 
 PrivateDevices=no
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
be0c12 
 Type=oneshot
be0c12 
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
be0c12 
index 5bcace0845..b98cfb5c7e 100644
be0c12 
--- a/test/test-execute/exec-privatedevices-yes-capability-mknod.service
be0c12 
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
be0c12 
@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
be0c12
be0c12 
 [Service]
be0c12 
 PrivateDevices=yes
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
be0c12 
 Type=oneshot
be0c12 
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
be0c12 
index a246f950c1..5b0c0700f2 100644
be0c12 
--- a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
be0c12 
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
be0c12 
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
be0c12
be0c12 
 [Service]
be0c12 
 PrivateDevices=yes
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
be0c12 
 Type=oneshot
be0c12 
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
be0c12 
index 8d7e2b52d4..1b73656305 100644
be0c12 
--- a/test/test-execute/exec-protectkernelmodules-no-capabilities.service
be0c12 
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
be0c12 
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
be0c12
be0c12 
 [Service]
be0c12 
 ProtectKernelModules=no
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
be0c12 
 Type=oneshot
be0c12 
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
be0c12 
index fe2ae208dd..e43e72733c 100644
be0c12 
--- a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
be0c12 
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
be0c12 
@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
be0c12
be0c12 
 [Service]
be0c12 
 ProtectKernelModules=yes
be0c12 
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
be0c12 
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
be0c12 
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
be0c12 
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
be0c12 
 Type=oneshot

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation