diff options
author | Ronny Chevalier <chevalier.ronny@gmail.com> | 2016-01-30 17:26:39 +0100 |
---|---|---|
committer | Ronny Chevalier <chevalier.ronny@gmail.com> | 2016-02-28 14:44:26 +0100 |
commit | 19c0b0b9a5039b842cf9e6c3e7ece75fb8725602 (patch) | |
tree | 0414f22ec6d435c0d23457280b067e4b897d8186 /test | |
parent | 06fb28b16eb4b6170c2e2c0cf1f673730309509b (diff) |
core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN
The manpage of seccomp specify that using seccomp with
SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have
CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence,
without NoNewPrivilege set, it is impossible to use a SystemCall*
directive with a User directive set in system mode.
Now, NoNewPrivileges is set if we are in user mode, or if we are in
system mode and we don't have CAP_SYS_ADMIN, and SystemCall*
directives are used.
Diffstat (limited to 'test')
-rw-r--r-- | test/test-execute/exec-systemcallfilter-system-user.service | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/test/test-execute/exec-systemcallfilter-system-user.service b/test/test-execute/exec-systemcallfilter-system-user.service new file mode 100644 index 0000000000..462f94133d --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-system-user.service @@ -0,0 +1,11 @@ +[Unit] +Description=Test for SystemCallFilter in system mode with User set + +[Service] +ExecStart=/bin/echo "Foo bar" +Type=oneshot +User=nobody +SystemCallFilter=~read write open execve ioperm +SystemCallFilter=ioctl +SystemCallFilter=read write open execve +SystemCallFilter=~ioperm |