|
|
be0c12 |
From 9070c6d48645b948d996f9c26bc590c07d46ca1f Mon Sep 17 00:00:00 2001
|
|
|
be0c12 |
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
|
|
be0c12 |
Date: Tue, 4 Feb 2020 13:49:01 +0100
|
|
|
be0c12 |
Subject: [PATCH] test: adapt to the new capsh format
|
|
|
be0c12 |
|
|
|
be0c12 |
Since libcap v2.29 the format of cap_to_text() has been changed which
|
|
|
be0c12 |
makes certain `test-execute` subtest fail. Let's remove the offending
|
|
|
be0c12 |
part of the output (dropped capabilities) to make it compatible with
|
|
|
be0c12 |
both the old and the new libcap.
|
|
|
be0c12 |
|
|
|
be0c12 |
(cherry picked from commit 9569e385036c05c0bf9fbccdbf3d131161398e2e)
|
|
|
be0c12 |
|
|
|
be0c12 |
Related: #2017033
|
|
|
be0c12 |
---
|
|
|
be0c12 |
test/test-execute/exec-capabilityboundingset-invert.service | 3 ++-
|
|
|
be0c12 |
.../exec-privatedevices-no-capability-mknod.service | 3 ++-
|
|
|
be0c12 |
.../exec-privatedevices-no-capability-sys-rawio.service | 3 ++-
|
|
|
be0c12 |
.../exec-privatedevices-yes-capability-mknod.service | 3 ++-
|
|
|
be0c12 |
.../exec-privatedevices-yes-capability-sys-rawio.service | 3 ++-
|
|
|
be0c12 |
.../exec-protectkernelmodules-no-capabilities.service | 3 ++-
|
|
|
be0c12 |
.../exec-protectkernelmodules-yes-capabilities.service | 3 ++-
|
|
|
be0c12 |
7 files changed, 14 insertions(+), 7 deletions(-)
|
|
|
be0c12 |
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service
|
|
|
be0c12 |
index 1abe390601..5f37427603 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-capabilityboundingset-invert.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-capabilityboundingset-invert.service
|
|
|
be0c12 |
@@ -2,6 +2,7 @@
|
|
|
be0c12 |
Description=Test for CapabilityBoundingSet
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c '! capsh --print | grep "^Bounding set .*cap_chown"'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
|
|
|
be0c12 |
Type=oneshot
|
|
|
be0c12 |
CapabilityBoundingSet=~CAP_CHOWN
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
|
|
|
be0c12 |
index 6d39469da8..4d61d9ffaa 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-privatedevices-no-capability-mknod.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
|
|
|
be0c12 |
@@ -3,5 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
PrivateDevices=no
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c 'capsh --print | grep cap_mknod'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
|
|
be0c12 |
Type=oneshot
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
|
|
be0c12 |
index e7f529c44c..f7f7a16736 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
|
|
|
be0c12 |
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
PrivateDevices=no
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_rawio'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
|
|
be0c12 |
Type=oneshot
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
|
|
|
be0c12 |
index fb1fc2875a..5bcace0845 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-privatedevices-yes-capability-mknod.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
|
|
|
be0c12 |
@@ -3,5 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
PrivateDevices=yes
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c '! capsh --print | grep cap_mknod'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
|
|
|
be0c12 |
Type=oneshot
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
|
|
be0c12 |
index cebc493a7a..a246f950c1 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
|
|
|
be0c12 |
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
PrivateDevices=yes
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_rawio'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
|
|
|
be0c12 |
Type=oneshot
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
|
|
|
be0c12 |
index b2f2cd6b8a..8d7e2b52d4 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-protectkernelmodules-no-capabilities.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
|
|
|
be0c12 |
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
ProtectKernelModules=no
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c 'capsh --print | grep cap_sys_module'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
|
|
be0c12 |
Type=oneshot
|
|
|
be0c12 |
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
|
|
|
be0c12 |
index 84bf39be56..fe2ae208dd 100644
|
|
|
be0c12 |
--- a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
|
|
|
be0c12 |
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
|
|
|
be0c12 |
@@ -3,5 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
|
|
|
be0c12 |
|
|
|
be0c12 |
[Service]
|
|
|
be0c12 |
ProtectKernelModules=yes
|
|
|
be0c12 |
-ExecStart=/bin/sh -x -c '! capsh --print | grep cap_sys_module'
|
|
|
be0c12 |
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
|
|
|
be0c12 |
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
|
|
|
be0c12 |
Type=oneshot
|