Merge pull request #2760 from ronnychevalier/rc/core_no_new_privileges_seccompv3

core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN

7 files changed, 62 insertions, 0 deletions

diff --git a/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service b/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service
new file mode 100644
index 0000000000..00bec581b5
--- /dev/null
+++ b/test/test-execute/exec-capabilityambientset-merge-nfsnobody.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+Type=oneshot
+User=nfsnobody
+AmbientCapabilities=CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-capabilityambientset-nfsnobody.service b/test/test-execute/exec-capabilityambientset-nfsnobody.service
new file mode 100644
index 0000000000..614cfdd584
--- /dev/null
+++ b/test/test-execute/exec-capabilityambientset-nfsnobody.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000003000"'
+Type=oneshot
+User=nfsnobody
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
diff --git a/test/test-execute/exec-group-nfsnobody.service b/test/test-execute/exec-group-nfsnobody.service
new file mode 100644
index 0000000000..e02100a869
--- /dev/null
+++ b/test/test-execute/exec-group-nfsnobody.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nfsnobody"'
+Type=oneshot
+Group=nfsnobody
diff --git a/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service
new file mode 100644
index 0000000000..e962af8a4b
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G /tmp/test-exec_runtimedirectory-owner); test "$$group" = "nfsnobody"'
+Type=oneshot
+Group=nfsnobody
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner
diff --git a/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service
new file mode 100644
index 0000000000..9393e0a998
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Test for SystemCallFilter in system mode with User set
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+Type=oneshot
+User=nfsnobody
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-systemcallfilter-system-user.service b/test/test-execute/exec-systemcallfilter-system-user.service
new file mode 100644
index 0000000000..462f94133d
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-system-user.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Test for SystemCallFilter in system mode with User set
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+Type=oneshot
+User=nobody
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-user-nfsnobody.service b/test/test-execute/exec-user-nfsnobody.service
new file mode 100644
index 0000000000..aafda3aa26
--- /dev/null
+++ b/test/test-execute/exec-user-nfsnobody.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for User
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$USER" = "nfsnobody"'
+Type=oneshot
+User=nfsnobody