17aa40
From 9070c6d48645b948d996f9c26bc590c07d46ca1f Mon Sep 17 00:00:00 2001
17aa40
From: Frantisek Sumsal <frantisek@sumsal.cz>
17aa40
Date: Tue, 4 Feb 2020 13:49:01 +0100
17aa40
Subject: [PATCH] test: adapt to the new capsh format
17aa40
17aa40
Since libcap v2.29 the format of cap_to_text() has been changed which
17aa40
makes certain `test-execute` subtests fail. Let's remove the offending
17aa40
part of the output (dropped capabilities) to make it compatible with
17aa40
both the old and the new libcap.
17aa40
17aa40
(cherry picked from commit 9569e385036c05c0bf9fbccdbf3d131161398e2e)
17aa40
17aa40
Related: #2017033
17aa40
---
17aa40
 test/test-execute/exec-capabilityboundingset-invert.service    | 3 ++-
17aa40
 .../exec-privatedevices-no-capability-mknod.service            | 3 ++-
17aa40
 .../exec-privatedevices-no-capability-sys-rawio.service        | 3 ++-
17aa40
 .../exec-privatedevices-yes-capability-mknod.service           | 3 ++-
17aa40
 .../exec-privatedevices-yes-capability-sys-rawio.service       | 3 ++-
17aa40
 .../exec-protectkernelmodules-no-capabilities.service          | 3 ++-
17aa40
 .../exec-protectkernelmodules-yes-capabilities.service         | 3 ++-
17aa40
 7 files changed, 14 insertions(+), 7 deletions(-)
17aa40
17aa40
diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service
17aa40
index 1abe390601..5f37427603 100644
17aa40
--- a/test/test-execute/exec-capabilityboundingset-invert.service
17aa40
+++ b/test/test-execute/exec-capabilityboundingset-invert.service
17aa40
@@ -2,6 +2,7 @@
17aa40
 Description=Test for CapabilityBoundingSet
17aa40
 
17aa40
 [Service]
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | grep "^Bounding set .*cap_chown"'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
17aa40
 Type=oneshot
17aa40
 CapabilityBoundingSet=~CAP_CHOWN
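Review bot: The `+?` in the sed expression on the new ExecStart line is Perl-style lazy syntax, which `sed -r` (POSIX ERE) does not define. GNU sed most likely treats it as an optional group, so the match is greedy within the token, and the `\-` escape is not needed either. Writing it as `sed -r "s/[^ ]+-[epi]+//g"` states what is actually matched, and the same expression is repeated in the other six unit files of this patch. In this file the grep is already anchored to the `Bounding set` line, which as far as I can tell is a plain name list without `-ep` suffixes, so the filter may be a no-op here; worth confirming against both the old and the new libcap output.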
17aa40
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
17aa40
index 6d39469da8..4d61d9ffaa 100644
17aa40
--- a/test/test-execute/exec-privatedevices-no-capability-mknod.service
17aa40
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
17aa40
@@ -3,5 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=no
17aa40
-ExecStart=/bin/sh -x -c 'capsh --print | grep cap_mknod'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
17aa40
 Type=oneshot
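Review bot: The added comment says what the sed does but not why a test that expects the capability to be present needs it. Without the filter, `grep cap_mknod` would also match an entry the new libcap lists as dropped, so the check could pass with CAP_MKNOD actually removed. I would spell that out, e.g. `# libcap >= 2.29 lists dropped capabilities as cap_xxx-[epi]; strip them so grep only matches capabilities that are still held`. The same applies to the comment in exec-privatedevices-no-capability-sys-rawio.service and exec-protectkernelmodules-no-capabilities.service.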
17aa40
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
17aa40
index e7f529c44c..f7f7a16736 100644
17aa40
--- a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
17aa40
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
17aa40
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=no
17aa40
-ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_rawio'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
17aa40
index fb1fc2875a..5bcace0845 100644
17aa40
--- a/test/test-execute/exec-privatedevices-yes-capability-mknod.service
17aa40
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
17aa40
@@ -3,5 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=yes
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | grep cap_mknod'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
17aa40
 Type=oneshot
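Review bot: The negated pipeline on the new ExecStart line passes whenever grep sees no match, including when `capsh` is missing or fails, or when the sed stage removes more than intended. The exit status that `!` inverts is grep's alone, so the check that CAP_MKNOD is dropped under PrivateDevices=yes can succeed without having inspected any capability output, and the extra filter stage widens that gap. A cheap guard is to prefix the command with a presence check such as `capsh --print | grep -q "^Current:" && ` so that an empty or failed capsh run fails the unit. The same pattern appears in exec-capabilityboundingset-invert.service, exec-privatedevices-yes-capability-sys-rawio.service and exec-protectkernelmodules-yes-capabilities.service.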
17aa40
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
17aa40
index cebc493a7a..a246f950c1 100644
17aa40
--- a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
17aa40
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
17aa40
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
17aa40
 
17aa40
 [Service]
17aa40
 PrivateDevices=yes
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_rawio'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
17aa40
index b2f2cd6b8a..8d7e2b52d4 100644
17aa40
--- a/test/test-execute/exec-protectkernelmodules-no-capabilities.service
17aa40
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
17aa40
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
17aa40
 
17aa40
 [Service]
17aa40
 ProtectKernelModules=no
17aa40
-ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_module'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
17aa40
 Type=oneshot
17aa40
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
17aa40
index 84bf39be56..fe2ae208dd 100644
17aa40
--- a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
17aa40
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
17aa40
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
17aa40
 
17aa40
 [Service]
17aa40
 ProtectKernelModules=yes
17aa40
-ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_module'
17aa40
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
17aa40
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
17aa40
 Type=oneshot