1 files changed, 116 insertions, 3 deletions

diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 8ea0618576..be8160ed19 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -24,14 +24,18 @@
 #include <sys/types.h>
 
 #include "core/manager.h"
-#include "core/unit.h"
 #include "systemd-basic/fileio.h"
 #include "systemd-basic/fs-util.h"
 #include "systemd-basic/macro.h"
 #include "systemd-basic/mkdir.h"
 #include "systemd-basic/path-util.h"
 #include "systemd-basic/rm-rf.h"
+#ifdef HAVE_SECCOMP
+#include "systemd-shared/seccomp-util.h"
+#endif
+#include "core/unit.h"
 #include "systemd-basic/util.h"
+#include "systemd-basic/virt.h"
 
 #include "test-helper.h"
 
@@ -67,6 +71,24 @@ static void check(Manager *m, Unit *unit, int status_expected, int code_expected
         assert_se(service->main_exec_status.code == code_expected);
 }
 
+static bool is_inaccessible_available(void) {
+        char *p;
+
+        FOREACH_STRING(p,
+                "/run/systemd/inaccessible/reg",
+                "/run/systemd/inaccessible/dir",
+                "/run/systemd/inaccessible/chr",
+                "/run/systemd/inaccessible/blk",
+                "/run/systemd/inaccessible/fifo",
+                "/run/systemd/inaccessible/sock"
+        ) {
+                if (access(p, F_OK) < 0)
+                        return false;
+        }
+
+        return true;
+}
+
 static void test(Manager *m, const char *unit_name, int status_expected, int code_expected) {
         Unit *unit;
 
@@ -92,6 +114,16 @@ static void test_exec_personality(Manager *m) {
 #elif defined(__s390__)
         test(m, "exec-personality-s390.service", 0, CLD_EXITED);
 
+#elif defined(__powerpc64__)
+#  if __BYTE_ORDER == __BIG_ENDIAN
+        test(m, "exec-personality-ppc64.service", 0, CLD_EXITED);
+#  else
+        test(m, "exec-personality-ppc64le.service", 0, CLD_EXITED);
+#  endif
+
+#elif defined(__aarch64__)
+        test(m, "exec-personality-aarch64.service", 0, CLD_EXITED);
+
 #elif defined(__i386__)
         test(m, "exec-personality-x86.service", 0, CLD_EXITED);
 #endif
@@ -112,27 +144,86 @@ static void test_exec_privatetmp(Manager *m) {
 }
 
 static void test_exec_privatedevices(Manager *m) {
+        if (detect_container() > 0) {
+                log_notice("testing in container, skipping private device tests");
+                return;
+        }
+        if (!is_inaccessible_available()) {
+                log_notice("testing without inaccessible, skipping private device tests");
+                return;
+        }
+
         test(m, "exec-privatedevices-yes.service", 0, CLD_EXITED);
         test(m, "exec-privatedevices-no.service", 0, CLD_EXITED);
 }
 
+static void test_exec_privatedevices_capabilities(Manager *m) {
+        if (detect_container() > 0) {
+                log_notice("testing in container, skipping private device tests");
+                return;
+        }
+        if (!is_inaccessible_available()) {
+                log_notice("testing without inaccessible, skipping private device tests");
+                return;
+        }
+
+        test(m, "exec-privatedevices-yes-capability-mknod.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-yes-capability-sys-rawio.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
+}
+
+static void test_exec_protectkernelmodules(Manager *m) {
+        if (detect_container() > 0) {
+                log_notice("testing in container, skipping protectkernelmodules tests");
+                return;
+        }
+        if (!is_inaccessible_available()) {
+                log_notice("testing without inaccessible, skipping protectkernelmodules tests");
+                return;
+        }
+
+        test(m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED);
+        test(m, "exec-protectkernelmodules-yes-capabilities.service", 0, CLD_EXITED);
+        test(m, "exec-protectkernelmodules-yes-mount-propagation.service", 0, CLD_EXITED);
+}
+
+static void test_exec_readonlypaths(Manager *m) {
+        test(m, "exec-readonlypaths.service", 0, CLD_EXITED);
+        test(m, "exec-readonlypaths-mount-propagation.service", 0, CLD_EXITED);
+}
+
+static void test_exec_readwritepaths(Manager *m) {
+        test(m, "exec-readwritepaths-mount-propagation.service", 0, CLD_EXITED);
+}
+
+static void test_exec_inaccessiblepaths(Manager *m) {
+        test(m, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED);
+}
+
 static void test_exec_systemcallfilter(Manager *m) {
 #ifdef HAVE_SECCOMP
+        if (!is_seccomp_available())
+                return;
         test(m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED);
         test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
         test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED);
         test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED);
+
 #endif
 }
 
 static void test_exec_systemcallerrornumber(Manager *m) {
 #ifdef HAVE_SECCOMP
-        test(m, "exec-systemcallerrornumber.service", 1, CLD_EXITED);
+        if (is_seccomp_available())
+                test(m, "exec-systemcallerrornumber.service", 1, CLD_EXITED);
 #endif
 }
 
 static void test_exec_systemcall_system_mode_with_user(Manager *m) {
 #ifdef HAVE_SECCOMP
+        if (!is_seccomp_available())
+                return;
         if (getpwnam("nobody"))
                 test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
         else if (getpwnam("nfsnobody"))
@@ -160,6 +251,21 @@ static void test_exec_group(Manager *m) {
                 log_error_errno(errno, "Skipping test_exec_group, could not find nobody/nfsnobody group: %m");
 }
 
+static void test_exec_supplementary_groups(Manager *m) {
+        test(m, "exec-supplementarygroups.service", 0, CLD_EXITED);
+        test(m, "exec-supplementarygroups-single-group.service", 0, CLD_EXITED);
+        test(m, "exec-supplementarygroups-single-group-user.service", 0, CLD_EXITED);
+        test(m, "exec-supplementarygroups-multiple-groups-default-group-user.service", 0, CLD_EXITED);
+        test(m, "exec-supplementarygroups-multiple-groups-withgid.service", 0, CLD_EXITED);
+        test(m, "exec-supplementarygroups-multiple-groups-withuid.service", 0, CLD_EXITED);
+}
+
+static void test_exec_dynamic_user(Manager *m) {
+        test(m, "exec-dynamicuser-fixeduser.service", 0, CLD_EXITED);
+        test(m, "exec-dynamicuser-fixeduser-one-supplementarygroup.service", 0, CLD_EXITED);
+        test(m, "exec-dynamicuser-supplementarygroups.service", 0, CLD_EXITED);
+}
+
 static void test_exec_environment(Manager *m) {
         test(m, "exec-environment.service", 0, CLD_EXITED);
         test(m, "exec-environment-multiple.service", 0, CLD_EXITED);
@@ -301,7 +407,7 @@ static int run_tests(UnitFileScope scope, test_function_t *tests) {
 
         r = manager_new(scope, true, &m);
         if (MANAGER_SKIP_TEST(r)) {
-                printf("Skipping test: manager_new: %s\n", strerror(-r));
+                log_notice_errno(r, "Skipping test: manager_new: %m");
                 return EXIT_TEST_SKIP;
         }
         assert_se(r >= 0);
@@ -322,11 +428,18 @@ int main(int argc, char *argv[]) {
                 test_exec_ignoresigpipe,
                 test_exec_privatetmp,
                 test_exec_privatedevices,
+                test_exec_privatedevices_capabilities,
+                test_exec_protectkernelmodules,
+                test_exec_readonlypaths,
+                test_exec_readwritepaths,
+                test_exec_inaccessiblepaths,
                 test_exec_privatenetwork,
                 test_exec_systemcallfilter,
                 test_exec_systemcallerrornumber,
                 test_exec_user,
                 test_exec_group,
+                test_exec_supplementary_groups,
+                test_exec_dynamic_user,
                 test_exec_environment,
                 test_exec_environmentfile,
                 test_exec_passenvironment,