diff options
Diffstat (limited to '')
163 files changed, 1789 insertions, 0 deletions
diff --git a/test/test-execute/exec-ambientcapabilities-dynuser.service b/test/test-execute/exec-ambientcapabilities-dynuser.service new file mode 100644 index 0000000..560628e --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities-dynuser.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities (dynamic user) + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002081"' +Type=oneshot +AmbientCapabilities=CAP_CHOWN CAP_SETUID CAP_NET_RAW +DynamicUser=yes +PrivateUsers=yes diff --git a/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service new file mode 100644 index 0000000..4960da5 --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"' +Type=oneshot +User=nfsnobody +AmbientCapabilities=CAP_CHOWN +AmbientCapabilities=CAP_NET_RAW diff --git a/test/test-execute/exec-ambientcapabilities-merge-nobody.service b/test/test-execute/exec-ambientcapabilities-merge-nobody.service new file mode 100644 index 0000000..4c72b2e --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities-merge-nobody.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"' +Type=oneshot +User=nobody +AmbientCapabilities=CAP_CHOWN +AmbientCapabilities=CAP_NET_RAW diff --git a/test/test-execute/exec-ambientcapabilities-merge.service b/test/test-execute/exec-ambientcapabilities-merge.service new file mode 100644 index 0000000..13a5d45 --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities-merge.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities (daemon) + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"' +Type=oneshot +User=daemon +AmbientCapabilities=CAP_CHOWN +AmbientCapabilities=CAP_NET_RAW diff --git a/test/test-execute/exec-ambientcapabilities-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-nfsnobody.service new file mode 100644 index 0000000..10cb440 --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities-nfsnobody.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"' +Type=oneshot +User=nfsnobody +AmbientCapabilities=CAP_CHOWN CAP_NET_RAW diff --git a/test/test-execute/exec-ambientcapabilities-nobody.service b/test/test-execute/exec-ambientcapabilities-nobody.service new file mode 100644 index 0000000..5400cac --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities-nobody.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"' +Type=oneshot +User=nobody +AmbientCapabilities=CAP_CHOWN CAP_NET_RAW diff --git a/test/test-execute/exec-ambientcapabilities.service b/test/test-execute/exec-ambientcapabilities.service new file mode 100644 index 0000000..5336bec --- /dev/null +++ b/test/test-execute/exec-ambientcapabilities.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for AmbientCapabilities (daemon) + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"' +Type=oneshot +User=daemon +AmbientCapabilities=CAP_CHOWN CAP_NET_RAW diff --git a/test/test-execute/exec-basic.service b/test/test-execute/exec-basic.service new file mode 100644 index 0000000..a54aca9 --- /dev/null +++ b/test/test-execute/exec-basic.service @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for basic execution +ConditionKernelVersion=">=3.0" +ConditionKernelVersion=">=2.0" "<=60" "!=1.4" +ConditionKernelVersion=" >= 2.0" " <= 60 " "!= 1.4" +ConditionKernelVersion=" >= 2.0" " * " "*.*" + +[Service] +ExecStart=touch /tmp/a ; /bin/sh -c 'touch /tmp/b' ; touch /tmp/c +ExecStart=test -f /tmp/a +ExecStart=!test -f /tmp/b +ExecStart=!!test -f /tmp/c +ExecStartPost=rm /tmp/a /tmp/b /tmp/c + +PrivateTmp=true +Type=oneshot diff --git a/test/test-execute/exec-bindpaths.service b/test/test-execute/exec-bindpaths.service new file mode 100644 index 0000000..bf6968f --- /dev/null +++ b/test/test-execute/exec-bindpaths.service @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for BindPaths= and BindReadOnlyPaths= + +[Service] +Type=oneshot +# Create a file in /tmp/test-exec-bindpaths +ExecStart=touch /tmp/test-exec-bindpaths/thisisasimpletest +# Then, the file can be access through /tmp +ExecStart=test -f /tmp/thisisasimpletest +# Also, through /tmp/test-exec-bindreadonlypaths +ExecStart=test -f /tmp/test-exec-bindreadonlypaths/thisisasimpletest +# The file cannot modify through /tmp/test-exec-bindreadonlypaths +ExecStart=/bin/sh -x -c '! touch /tmp/test-exec-bindreadonlypaths/thisisasimpletest' +# Cleanup +ExecStart=rm /tmp/thisisasimpletest +BindPaths=/tmp:/tmp/test-exec-bindpaths +BindReadOnlyPaths=/tmp:/tmp/test-exec-bindreadonlypaths diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service new file mode 100644 index 0000000..1b1217e --- /dev/null +++ b/test/test-execute/exec-capabilityboundingset-invert.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CapabilityBoundingSet + +[Service] +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"' +Type=oneshot +CapabilityBoundingSet=~CAP_CHOWN diff --git a/test/test-execute/exec-capabilityboundingset-merge.service b/test/test-execute/exec-capabilityboundingset-merge.service new file mode 100644 index 0000000..1ed3ccb --- /dev/null +++ b/test/test-execute/exec-capabilityboundingset-merge.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CapabilityBoundingSet + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_chown,cap_fowner,cap_kill"' +Type=oneshot +CapabilityBoundingSet=CAP_FOWNER +CapabilityBoundingSet=CAP_KILL CAP_CHOWN diff --git a/test/test-execute/exec-capabilityboundingset-reset.service b/test/test-execute/exec-capabilityboundingset-reset.service new file mode 100644 index 0000000..8eb142c --- /dev/null +++ b/test/test-execute/exec-capabilityboundingset-reset.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CapabilityBoundingSet + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set ="' +Type=oneshot +CapabilityBoundingSet=CAP_FOWNER CAP_KILL +CapabilityBoundingSet= diff --git a/test/test-execute/exec-capabilityboundingset-simple.service b/test/test-execute/exec-capabilityboundingset-simple.service new file mode 100644 index 0000000..be5a5e5 --- /dev/null +++ b/test/test-execute/exec-capabilityboundingset-simple.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CapabilityBoundingSet + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_fowner,cap_kill"' +Type=oneshot +CapabilityBoundingSet=CAP_FOWNER CAP_KILL diff --git a/test/test-execute/exec-condition-failed.service b/test/test-execute/exec-condition-failed.service new file mode 100644 index 0000000..342219c --- /dev/null +++ b/test/test-execute/exec-condition-failed.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for exec condition that fails the unit + +[Service] +Type=oneshot + +# exit 255 will fail the unit +ExecCondition=/bin/sh -c 'exit 255' + +# This should not get run +ExecStart=/bin/sh -c 'true' diff --git a/test/test-execute/exec-condition-skip.service b/test/test-execute/exec-condition-skip.service new file mode 100644 index 0000000..b69e161 --- /dev/null +++ b/test/test-execute/exec-condition-skip.service @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for exec condition that triggers skipping + +[Service] +Type=oneshot + +# exit codes [1, 254] will result in skipping the rest of execution +ExecCondition=/bin/sh -c 'exit 0' +ExecCondition=/bin/sh -c 'exit 254' + +# This would normally fail the unit but will not get run due to the skip above +ExecCondition=/bin/sh -c 'exit 255' + +# This should not get run +ExecStart=/bin/sh -c 'true' diff --git a/test/test-execute/exec-cpuaffinity1.service b/test/test-execute/exec-cpuaffinity1.service new file mode 100644 index 0000000..2a8544a --- /dev/null +++ b/test/test-execute/exec-cpuaffinity1.service @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CPUAffinity (simple) + +[Service] +ExecStart=/bin/sh -c 'test $$(cat /proc/self/status | grep Cpus_allowed: | rev | cut -c 1) = 1' +CPUAffinity=0 diff --git a/test/test-execute/exec-cpuaffinity2.service b/test/test-execute/exec-cpuaffinity2.service new file mode 100644 index 0000000..bed48c8 --- /dev/null +++ b/test/test-execute/exec-cpuaffinity2.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CPUAffinity (reset) + +[Service] +ExecStart=/bin/sh -c 'test $$(cat /proc/self/status | grep Cpus_allowed: | rev | cut -c 1) = 1' +CPUAffinity=0-1 3 +CPUAffinity= +CPUAffinity=0 diff --git a/test/test-execute/exec-cpuaffinity3.service b/test/test-execute/exec-cpuaffinity3.service new file mode 100644 index 0000000..774cd64 --- /dev/null +++ b/test/test-execute/exec-cpuaffinity3.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for CPUAffinity (merge) + +[Service] +ExecStart=/bin/sh -c 'test $$(cat /proc/self/status | grep Cpus_allowed: | rev | cut -c 1) = 7' +CPUAffinity=0,1 +CPUAffinity=1-2 diff --git a/test/test-execute/exec-credentials-dir-specifier.service b/test/test-execute/exec-credentials-dir-specifier.service new file mode 100644 index 0000000..5e71eee --- /dev/null +++ b/test/test-execute/exec-credentials-dir-specifier.service @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for specifiers + +[Service] +Type=oneshot +Environment=TOP_SECRET=%d/very_top_secret +# Test if the specifier is resolved correctly both before and after LoadCredential= +ExecStart=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret" +LoadCredential=very_top_secret +ExecStart=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret" +ExecStart=sh -c 'test %d/very_top_secret = "$TOP_SECRET"' +ExecStartPost=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret" +ExecStartPost=sh -c 'test %d/very_top_secret = "$TOP_SECRET"' +ExecStop=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret" +ExecStop=sh -c 'test %d/very_top_secret = "$TOP_SECRET"' +ExecStopPost=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret" +ExecStopPost=sh -c 'test %d/very_top_secret = "$TOP_SECRET"' diff --git a/test/test-execute/exec-dynamicuser-fixeduser-adm.service b/test/test-execute/exec-dynamicuser-fixeduser-adm.service new file mode 100644 index 0000000..daaed6c --- /dev/null +++ b/test/test-execute/exec-dynamicuser-fixeduser-adm.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser with static User= whose uid and gid are different +# On Fedora, user adm has uid==3 and gid==4. + +[Service] +Type=oneshot +ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "adm" && test "$$(id -ng)" = "adm" && test "$$(id -nu)" = "adm"' +# Multiple ExecStart= lines causes the issue #9702. +ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "adm" && test "$$(id -ng)" = "adm" && test "$$(id -nu)" = "adm"' +DynamicUser=yes +User=adm diff --git a/test/test-execute/exec-dynamicuser-fixeduser-games.service b/test/test-execute/exec-dynamicuser-fixeduser-games.service new file mode 100644 index 0000000..db8b88e --- /dev/null +++ b/test/test-execute/exec-dynamicuser-fixeduser-games.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser with static User= whose uid and gid are different +# On Ubuntu or Debian, user games has uid==5 and gid==60. + +[Service] +Type=oneshot +ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "games" && test "$$(id -ng)" = "games" && test "$$(id -nu)" = "games"' +# Multiple ExecStart= lines causes the issue #9702. +ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "games" && test "$$(id -ng)" = "games" && test "$$(id -nu)" = "games"' +DynamicUser=yes +User=games diff --git a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service new file mode 100644 index 0000000..bbb1af5 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser with User= and SupplementaryGroups= + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' +Type=oneshot +User=1 +DynamicUser=yes +SupplementaryGroups=1 diff --git a/test/test-execute/exec-dynamicuser-fixeduser.service b/test/test-execute/exec-dynamicuser-fixeduser.service new file mode 100644 index 0000000..c5828c2 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-fixeduser.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser with User= + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' +Type=oneshot +User=1 +DynamicUser=yes diff --git a/test/test-execute/exec-dynamicuser-runtimedirectory1.service b/test/test-execute/exec-dynamicuser-runtimedirectory1.service new file mode 100644 index 0000000..790279a --- /dev/null +++ b/test/test-execute/exec-dynamicuser-runtimedirectory1.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory with RuntimeDirectoryPreserve=yes and DynamicUser=yes + +[Service] +ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectorypreserve' +ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectorypreserve"' +ExecStart=/bin/sh -x -c 'touch $$RUNTIME_DIRECTORY/test' +Type=oneshot +RuntimeDirectory=test-exec_runtimedirectorypreserve +RuntimeDirectoryPreserve=yes +DynamicUser=yes diff --git a/test/test-execute/exec-dynamicuser-runtimedirectory2.service b/test/test-execute/exec-dynamicuser-runtimedirectory2.service new file mode 100644 index 0000000..18df74e --- /dev/null +++ b/test/test-execute/exec-dynamicuser-runtimedirectory2.service @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory with RuntimeDirectoryPreserve=yes and DynamicUser=yes 2nd trial + +[Service] +ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectorypreserve' +ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectorypreserve"' +ExecStart=/bin/sh -x -c 'test -f $$RUNTIME_DIRECTORY/test' +ExecStart=/bin/sh -x -c 'touch $$RUNTIME_DIRECTORY/test' +Type=oneshot +RuntimeDirectory=test-exec_runtimedirectorypreserve +RuntimeDirectoryPreserve=yes +DynamicUser=yes diff --git a/test/test-execute/exec-dynamicuser-runtimedirectory3.service b/test/test-execute/exec-dynamicuser-runtimedirectory3.service new file mode 100644 index 0000000..831a808 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-runtimedirectory3.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory with DynamicUser=yes migrated from RuntimeDirectoryPreserve=yes + +[Service] +ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectorypreserve' +ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectorypreserve"' +ExecStart=/bin/sh -x -c 'test -f $$RUNTIME_DIRECTORY/test' +ExecStart=/bin/sh -x -c 'touch $$RUNTIME_DIRECTORY/test' +Type=oneshot +RuntimeDirectory=test-exec_runtimedirectorypreserve +DynamicUser=yes diff --git a/test/test-execute/exec-dynamicuser-statedir-migrate-step1.service b/test/test-execute/exec-dynamicuser-statedir-migrate-step1.service new file mode 100644 index 0000000..2a5a1e1 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-statedir-migrate-step1.service @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser= migrate StateDirectory= (preparation) + +[Service] +ExecStart=test -w %S/test-dynamicuser-migrate +ExecStart=test -w %S/test-dynamicuser-migrate2/hoge +ExecStart=test ! -L %S/test-dynamicuser-migrate +ExecStart=test ! -L %S/test-dynamicuser-migrate2/hoge +ExecStart=test -d %S/test-dynamicuser-migrate +ExecStart=test -d %S/test-dynamicuser-migrate2/hoge +ExecStart=touch %S/test-dynamicuser-migrate/yay +ExecStart=touch %S/test-dynamicuser-migrate2/hoge/yayyay +ExecStart=/bin/sh -x -c 'test "$$STATE_DIRECTORY" = "%S/test-dynamicuser-migrate:%S/test-dynamicuser-migrate2/hoge"' + +Type=oneshot +DynamicUser=no +StateDirectory=test-dynamicuser-migrate test-dynamicuser-migrate2/hoge diff --git a/test/test-execute/exec-dynamicuser-statedir-migrate-step2.service b/test/test-execute/exec-dynamicuser-statedir-migrate-step2.service new file mode 100644 index 0000000..e89f0c5 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-statedir-migrate-step2.service @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser= migrate StateDirectory= + +[Service] +ExecStart=test -w %S/test-dynamicuser-migrate +ExecStart=test -w %S/test-dynamicuser-migrate2/hoge +ExecStart=test -L %S/test-dynamicuser-migrate +ExecStart=test -L %S/test-dynamicuser-migrate2/hoge +ExecStart=test -d %S/test-dynamicuser-migrate +ExecStart=test -d %S/test-dynamicuser-migrate2/hoge +ExecStart=test -f %S/test-dynamicuser-migrate/yay +ExecStart=test -f %S/test-dynamicuser-migrate2/hoge/yayyay +ExecStart=test -d %S/private/test-dynamicuser-migrate +ExecStart=test -d %S/private/test-dynamicuser-migrate2/hoge +ExecStart=test -f %S/private/test-dynamicuser-migrate/yay +ExecStart=test -f %S/private/test-dynamicuser-migrate2/hoge/yayyay +ExecStart=touch %S/test-dynamicuser-migrate/yay +ExecStart=touch %S/test-dynamicuser-migrate2/hoge/yayyay +ExecStart=touch %S/private/test-dynamicuser-migrate/yay +ExecStart=touch %S/private/test-dynamicuser-migrate2/hoge/yayyay +ExecStart=/bin/sh -x -c 'test "$$STATE_DIRECTORY" = "%S/test-dynamicuser-migrate:%S/test-dynamicuser-migrate2/hoge"' + +Type=oneshot +DynamicUser=yes +StateDirectory=test-dynamicuser-migrate test-dynamicuser-migrate2/hoge diff --git a/test/test-execute/exec-dynamicuser-statedir.service b/test/test-execute/exec-dynamicuser-statedir.service new file mode 100644 index 0000000..734fa20 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-statedir.service @@ -0,0 +1,85 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser= with StateDirectory= + +[Service] +ExecStart=test -w %S/waldo +ExecStart=test -w %S/quux/pief +ExecStart=test -w %S/aaa +ExecStart=test -w %S/aaa/bbb +ExecStart=test -w %S/aaa/ccc +ExecStart=test -w %S/xxx +ExecStart=test -w %S/xxx/yyy +ExecStart=test -w %S/xxx/zzz +ExecStart=test -w %S/abc +ExecStart=test -w %S/aaa/111 +ExecStart=test -w %S/aaa/222 +ExecStart=test -w %S/aaa/333 +ExecStart=test -w %S/d:ef + +ExecStart=test -d %S/waldo +ExecStart=test -d %S/quux/pief +ExecStart=test -d %S/aaa +ExecStart=test -d %S/aaa/bbb +ExecStart=test -d %S/aaa/ccc +ExecStart=test -d %S/xxx +ExecStart=test -d %S/xxx/yyy +ExecStart=test -d %S/xxx/zzz +ExecStart=test -d %S/abc +ExecStart=test -L %S/aaa/111 +ExecStart=test -L %S/aaa/222 +ExecStart=test -L %S/aaa/333 +ExecStart=test -L %S/d:ef + +ExecStart=touch %S/waldo/hoge +ExecStart=touch %S/quux/pief/hoge +ExecStart=touch %S/aaa/hoge +ExecStart=touch %S/aaa/bbb/hoge +ExecStart=touch %S/aaa/ccc/hoge +ExecStart=touch %S/xxx/hoge +ExecStart=touch %S/xxx/yyy/hoge +ExecStart=touch %S/xxx/zzz/hoge +ExecStart=touch %S/abc/hoge +ExecStart=touch %S/aaa/111/foo +ExecStart=touch %S/aaa/222/foo +ExecStart=touch %S/aaa/333/foo +ExecStart=touch %S/d:ef/foo + +ExecStart=test -f %S/waldo/hoge +ExecStart=test -f %S/quux/pief/hoge +ExecStart=test -f %S/aaa/hoge +ExecStart=test -f %S/aaa/bbb/hoge +ExecStart=test -f %S/aaa/ccc/hoge +ExecStart=test -f %S/xxx/hoge +ExecStart=test -f %S/xxx/yyy/hoge +ExecStart=test -f %S/xxx/zzz/hoge +ExecStart=test -f %S/abc/hoge +ExecStart=test -f %S/aaa/111/foo +ExecStart=test -f %S/aaa/222/foo +ExecStart=test -f %S/aaa/333/foo +ExecStart=test -f %S/xxx/foo +ExecStart=test -f %S/xxx/yyy/foo +ExecStart=test -f %S/xxx/zzz/foo +ExecStart=test -f %S/d:ef/foo + +ExecStart=test -f %S/private/waldo/hoge +ExecStart=test -f %S/private/quux/pief/hoge +ExecStart=test -f %S/private/aaa/hoge +ExecStart=test -f %S/private/aaa/bbb/hoge +ExecStart=test -f %S/private/aaa/ccc/hoge +ExecStart=test -f %S/private/xxx/hoge +ExecStart=test -f %S/private/xxx/yyy/hoge +ExecStart=test -f %S/private/xxx/zzz/hoge +ExecStart=test -f %S/private/abc/hoge +ExecStart=test -f %S/private/aaa/111/foo +ExecStart=test -f %S/private/aaa/222/foo +ExecStart=test -f %S/private/aaa/333/foo +ExecStart=test -f %S/private/xxx/foo +ExecStart=test -f %S/private/xxx/yyy/foo +ExecStart=test -f %S/private/xxx/zzz/foo + +ExecStart=sh -x -c 'test "$$STATE_DIRECTORY" = "%S/aaa:%S/aaa/bbb:%S/aaa/ccc:%S/abc:%S/quux/pief:%S/waldo:%S/xxx:%S/xxx/yyy:%S/xxx/zzz"' + +Type=oneshot +DynamicUser=yes +StateDirectory=waldo quux/pief aaa/bbb aaa aaa/ccc xxx/yyy:aaa/111 xxx:aaa/222 xxx/zzz:aaa/333 abc:d\:ef diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service new file mode 100644 index 0000000..d601af2 --- /dev/null +++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test DynamicUser with SupplementaryGroups= + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' +Type=oneshot +DynamicUser=yes +SupplementaryGroups=1 2 diff --git a/test/test-execute/exec-environment-empty.service b/test/test-execute/exec-environment-empty.service new file mode 100644 index 0000000..6c31186 --- /dev/null +++ b/test/test-execute/exec-environment-empty.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Environment + +[Service] +ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2-unset}" = "unset" && test "$${VAR3-unset}" = "unset"' +Type=oneshot +Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6" +Environment= diff --git a/test/test-execute/exec-environment-multiple.service b/test/test-execute/exec-environment-multiple.service new file mode 100644 index 0000000..d9b8d22 --- /dev/null +++ b/test/test-execute/exec-environment-multiple.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Environment + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = foobar' +Type=oneshot +Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6" +Environment="VAR3=foobar" diff --git a/test/test-execute/exec-environment-no-substitute.service b/test/test-execute/exec-environment-no-substitute.service new file mode 100644 index 0000000..b5cb2a4 --- /dev/null +++ b/test/test-execute/exec-environment-no-substitute.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for No Environment Variable Substitution + +[Service] +ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2}" = "word3" && test "$${VAR3-unset}" = \'$word 5 6\'' +ExecStart=:/bin/sh -x -c 'test "$${VAR1-unset}" != "unset" && test "$${VAR2}" != "word3" && test "$${VAR3-unset}" != \'$word 5 6\'' +Type=oneshot +Environment="VAR2=word3" "VAR3=$word 5 6" diff --git a/test/test-execute/exec-environment.service b/test/test-execute/exec-environment.service new file mode 100644 index 0000000..5655be0 --- /dev/null +++ b/test/test-execute/exec-environment.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Environment + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6"' +Type=oneshot +Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6" diff --git a/test/test-execute/exec-environmentfile.service b/test/test-execute/exec-environmentfile.service new file mode 100644 index 0000000..4ad5a9b --- /dev/null +++ b/test/test-execute/exec-environmentfile.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for EnvironmentFile + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes' +Type=oneshot +EnvironmentFile=/tmp/test-exec_environmentfile.conf diff --git a/test/test-execute/exec-execsearchpath-environment-path-set.service b/test/test-execute/exec-execsearchpath-environment-path-set.service new file mode 100644 index 0000000..5969cc6 --- /dev/null +++ b/test/test-execute/exec-execsearchpath-environment-path-set.service @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Service] +ExecStart=/bin/sh -x -c 'test "$$PATH" = "/usr" && test "$$VAR1" = word3 && test "$$VAR2" = "\\$$word 5 6"' +Type=oneshot +ExecSearchPath=/tmp:/bin +Environment="PATH=/usr" VAR1=word3 "VAR2=$word 5 6" diff --git a/test/test-execute/exec-execsearchpath-environment.service b/test/test-execute/exec-execsearchpath-environment.service new file mode 100644 index 0000000..b0fa6a3 --- /dev/null +++ b/test/test-execute/exec-execsearchpath-environment.service @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$PATH" = "/tmp:/bin"' +Type=oneshot +ExecSearchPath=/tmp:/bin +Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6" diff --git a/test/test-execute/exec-execsearchpath-environmentfile-set.service b/test/test-execute/exec-execsearchpath-environmentfile-set.service new file mode 100644 index 0000000..5f55a4b --- /dev/null +++ b/test/test-execute/exec-execsearchpath-environmentfile-set.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for ExecSearchPath with EnvironmentFile where EnvironmentFile sets PATH + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = /usr' +Type=oneshot +EnvironmentFile=/tmp/test-exec_execsearchpath_environmentfile-set.conf +ExecSearchPath=/tmp:/bin diff --git a/test/test-execute/exec-execsearchpath-environmentfile.service b/test/test-execute/exec-execsearchpath-environmentfile.service new file mode 100644 index 0000000..b8335bc --- /dev/null +++ b/test/test-execute/exec-execsearchpath-environmentfile.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for ExecSearchPath with EnvironmentFile where EnvironmentFile does not set PATH + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = "/tmp:/bin"' +Type=oneshot +ExecSearchPath=/tmp:/bin +EnvironmentFile=/tmp/test-exec_execsearchpath_environmentfile.conf diff --git a/test/test-execute/exec-execsearchpath-passenvironment-set.service b/test/test-execute/exec-execsearchpath-passenvironment-set.service new file mode 100644 index 0000000..a151161 --- /dev/null +++ b/test/test-execute/exec-execsearchpath-passenvironment-set.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PassEnvironment with ExecSearchPath with PATH set by user + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = "/usr"' +Type=oneshot +PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5 PATH +ExecSearchPath=/tmp:/bin diff --git a/test/test-execute/exec-execsearchpath-passenvironment.service b/test/test-execute/exec-execsearchpath-passenvironment.service new file mode 100644 index 0000000..d8a41c1 --- /dev/null +++ b/test/test-execute/exec-execsearchpath-passenvironment.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PassEnvironment with ExecSearchPath with PATH not set by user + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = "/tmp:/bin"' +Type=oneshot +PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5 +ExecSearchPath=/tmp:/bin diff --git a/test/test-execute/exec-execsearchpath-unit-specifier.service b/test/test-execute/exec-execsearchpath-unit-specifier.service new file mode 100644 index 0000000..30d6b32 --- /dev/null +++ b/test/test-execute/exec-execsearchpath-unit-specifier.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for specifiers with exec search path + +[Service] +Type=oneshot +ExecSearchPath=/tmp:/bin:/usr/bin:%V +ExecStart=/bin/sh -x -c 'test %V = /var/tmp && test "$$PATH" = "/tmp:/bin:/usr/bin:/var/tmp"' diff --git a/test/test-execute/exec-execsearchpath.service b/test/test-execute/exec-execsearchpath.service new file mode 100644 index 0000000..150afe2 --- /dev/null +++ b/test/test-execute/exec-execsearchpath.service @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Service] +ExecStart=ls_temp +Type=oneshot +ExecSearchPath=/tmp/test-exec_execsearchpath diff --git a/test/test-execute/exec-group-nfsnobody.service b/test/test-execute/exec-group-nfsnobody.service new file mode 100644 index 0000000..a1e59c5 --- /dev/null +++ b/test/test-execute/exec-group-nfsnobody.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Group + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nfsnobody"' +Type=oneshot +Group=nfsnobody diff --git a/test/test-execute/exec-group-nobody.service b/test/test-execute/exec-group-nobody.service new file mode 100644 index 0000000..58dce1e --- /dev/null +++ b/test/test-execute/exec-group-nobody.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Group + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nobody"' +Type=oneshot +Group=nobody diff --git a/test/test-execute/exec-group-nogroup.service b/test/test-execute/exec-group-nogroup.service new file mode 100644 index 0000000..7f16729 --- /dev/null +++ b/test/test-execute/exec-group-nogroup.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Group + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nogroup"' +Type=oneshot +Group=nogroup diff --git a/test/test-execute/exec-group.service b/test/test-execute/exec-group.service new file mode 100644 index 0000000..9f21557 --- /dev/null +++ b/test/test-execute/exec-group.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Group (daemon) + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"' +Type=oneshot +Group=daemon diff --git a/test/test-execute/exec-ignoresigpipe-no.service b/test/test-execute/exec-ignoresigpipe-no.service new file mode 100644 index 0000000..e972481 --- /dev/null +++ b/test/test-execute/exec-ignoresigpipe-no.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for IgnoreSIGPIPE=no + +[Service] +ExecStart=/bin/sh -x -c 'kill -PIPE 0' +Type=oneshot +IgnoreSIGPIPE=no diff --git a/test/test-execute/exec-ignoresigpipe-yes.service b/test/test-execute/exec-ignoresigpipe-yes.service new file mode 100644 index 0000000..ee3aa9a --- /dev/null +++ b/test/test-execute/exec-ignoresigpipe-yes.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for IgnoreSIGPIPE=yes + +[Service] +ExecStart=/bin/sh -x -c 'kill -PIPE 0' +Type=oneshot +IgnoreSIGPIPE=yes diff --git a/test/test-execute/exec-inaccessiblepaths-mount-propagation.service b/test/test-execute/exec-inaccessiblepaths-mount-propagation.service new file mode 100644 index 0000000..520bc53 --- /dev/null +++ b/test/test-execute/exec-inaccessiblepaths-mount-propagation.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test to make sure that InaccessiblePaths= disconnect mount propagation + +[Service] +InaccessiblePaths=-/i-dont-exist +ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo' +Type=oneshot diff --git a/test/test-execute/exec-inaccessiblepaths-sys.service b/test/test-execute/exec-inaccessiblepaths-sys.service new file mode 100644 index 0000000..0d64aa1 --- /dev/null +++ b/test/test-execute/exec-inaccessiblepaths-sys.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test to make sure that mount namespace setup works properly with the 'InaccessiblePaths=/proc' option + +[Service] +InaccessiblePaths=/sys +ExecStart=/bin/sh -x -c 'test "$$(stat -c %%a /sys)" = "0"' +Type=oneshot diff --git a/test/test-execute/exec-ioschedulingclass-best-effort.service b/test/test-execute/exec-ioschedulingclass-best-effort.service new file mode 100644 index 0000000..3b946b7 --- /dev/null +++ b/test/test-execute/exec-ioschedulingclass-best-effort.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for IOSchedulingClass=best-effort + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "best-effort"' +Type=oneshot +IOSchedulingClass=best-effort diff --git a/test/test-execute/exec-ioschedulingclass-idle.service b/test/test-execute/exec-ioschedulingclass-idle.service new file mode 100644 index 0000000..b1e64bb --- /dev/null +++ b/test/test-execute/exec-ioschedulingclass-idle.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for IOSchedulingClass=idle + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "idle"' +Type=oneshot +IOSchedulingClass=idle diff --git a/test/test-execute/exec-ioschedulingclass-none.service b/test/test-execute/exec-ioschedulingclass-none.service new file mode 100644 index 0000000..0494d45 --- /dev/null +++ b/test/test-execute/exec-ioschedulingclass-none.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for IOSchedulingClass=none + +[Service] +# Old kernels might report "none" here, new kernels "best-effort". +ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "none" -o "$${c%%:*}" = "best-effort"' +Type=oneshot +IOSchedulingClass=none diff --git a/test/test-execute/exec-ioschedulingclass-realtime.service b/test/test-execute/exec-ioschedulingclass-realtime.service new file mode 100644 index 0000000..ef8e2eb --- /dev/null +++ b/test/test-execute/exec-ioschedulingclass-realtime.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for IOSchedulingClass=realtime + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "realtime"' +Type=oneshot +IOSchedulingClass=realtime diff --git a/test/test-execute/exec-load-credential.service b/test/test-execute/exec-load-credential.service new file mode 100644 index 0000000..3a29b6d --- /dev/null +++ b/test/test-execute/exec-load-credential.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for LoadCredential= + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(cat %d/test-execute.load-credential)" = "foo"' +ExecStartPost=/bin/sh -x -c 'test "$$(cat %d/test-execute.load-credential)" = "foo"' +ExecStop=/bin/sh -x -c 'test "$$(cat %d/test-execute.load-credential)" = "foo"' +ExecStopPost=/bin/sh -x -c 'test "$$(cat %d/test-execute.load-credential)" = "foo"' +Type=oneshot +LoadCredential=test-execute.load-credential diff --git a/test/test-execute/exec-mount-apivfs-no.service b/test/test-execute/exec-mount-apivfs-no.service new file mode 100644 index 0000000..3fec1b7 --- /dev/null +++ b/test/test-execute/exec-mount-apivfs-no.service @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for find_executable() with MountAPIVFS=no + +[Service] +Type=oneshot + +MountAPIVFS=false +PrivateDevices=false +PrivateMounts=true +PrivateTmp=false +PrivateUsers=false +ProtectControlGroups=false +ProtectKernelModules=false +ProtectKernelTunables=false +RootDirectory=/tmp/test-exec-mount-apivfs-no/root diff --git a/test/test-execute/exec-networknamespacepath-privatemounts-no.service b/test/test-execute/exec-networknamespacepath-privatemounts-no.service new file mode 100644 index 0000000..49277e3 --- /dev/null +++ b/test/test-execute/exec-networknamespacepath-privatemounts-no.service @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for NetworkNamespacePath= without mount namespacing + +[Service] +ExecStart=/bin/sh -x -c '! ip link show dummy-test-exec' +ExecStart=/bin/sh -x -c 'test ! -e /proc/sys/net/ipv4/conf/dummy-test-exec' +# Without mount namespacing, we can access the dummy-test-exec interface through sysfs. +ExecStart=/bin/sh -x -c 'test -e /sys/class/net/dummy-test-exec' +ExecStart=/bin/sh -x -c 'ip link show dummy-test-ns' +ExecStart=/bin/sh -x -c 'test -e /proc/sys/net/ipv4/conf/dummy-test-ns' +# Without mount namespacing, we cannot access the dummy-test-ns interface through sysfs. +ExecStart=/bin/sh -x -c 'test ! -e /sys/class/net/dummy-test-ns' +Type=oneshot +NetworkNamespacePath=/run/netns/test-execute-netns +PrivateMounts=no diff --git a/test/test-execute/exec-networknamespacepath-privatemounts-yes.service b/test/test-execute/exec-networknamespacepath-privatemounts-yes.service new file mode 100644 index 0000000..078fba8 --- /dev/null +++ b/test/test-execute/exec-networknamespacepath-privatemounts-yes.service @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for NetworkNamespacePath= with mount namespacing + +[Service] +ExecStart=/bin/sh -x -c '! ip link show dummy-test-exec' +ExecStart=/bin/sh -x -c 'test ! -e /proc/sys/net/ipv4/conf/dummy-test-exec' +# With mount namespacing, we cannot access the dummy-test-exec interface through sysfs. +ExecStart=/bin/sh -x -c 'test ! -e /sys/class/net/dummy-test-exec' +ExecStart=/bin/sh -x -c 'ip link show dummy-test-ns' +ExecStart=/bin/sh -x -c 'test -e /proc/sys/net/ipv4/conf/dummy-test-ns' +# With mount namespacing, we can access the dummy-test-ns interface through sysfs. +ExecStart=/bin/sh -x -c 'test -e /sys/class/net/dummy-test-ns' +Type=oneshot +NetworkNamespacePath=/run/netns/test-execute-netns +# NetworkNamespacePath= implies PrivateMounts=yes diff --git a/test/test-execute/exec-noexecpaths-simple.service b/test/test-execute/exec-noexecpaths-simple.service new file mode 100644 index 0000000..5d954da --- /dev/null +++ b/test/test-execute/exec-noexecpaths-simple.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for NoExecPaths= + +[Service] +Type=oneshot +# This should work, as we explicitly disable the effect of NoExecPaths= +ExecStart=+/bin/sh -c '/bin/cat /dev/null' +# This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code +ExecStart=/bin/sh -x -c '! /bin/cat /dev/null' +NoExecPaths=/bin/cat diff --git a/test/test-execute/exec-oomscoreadjust-negative.service b/test/test-execute/exec-oomscoreadjust-negative.service new file mode 100644 index 0000000..25b5f1f --- /dev/null +++ b/test/test-execute/exec-oomscoreadjust-negative.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for OOMScoreAdjust + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/oom_score_adj); test "$$c" -eq -100' +Type=oneshot +OOMScoreAdjust=-100 diff --git a/test/test-execute/exec-oomscoreadjust-positive.service b/test/test-execute/exec-oomscoreadjust-positive.service new file mode 100644 index 0000000..ea6c23f --- /dev/null +++ b/test/test-execute/exec-oomscoreadjust-positive.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for OOMScoreAdjust + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/oom_score_adj); test "$$c" -eq 100' +Type=oneshot +OOMScoreAdjust=100 diff --git a/test/test-execute/exec-passenvironment-absent.service b/test/test-execute/exec-passenvironment-absent.service new file mode 100644 index 0000000..6b19a12 --- /dev/null +++ b/test/test-execute/exec-passenvironment-absent.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PassEnvironment with variables absent from the execution environment + +[Service] +ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2-unset}" = "unset" && test "$${VAR3-unset}" = "unset" && test "$${VAR4-unset}" = "unset" && test "$${VAR5-unset}" = "unset"' +Type=oneshot +PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5 diff --git a/test/test-execute/exec-passenvironment-empty.service b/test/test-execute/exec-passenvironment-empty.service new file mode 100644 index 0000000..6ffc5e7 --- /dev/null +++ b/test/test-execute/exec-passenvironment-empty.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PassEnvironment and erasing the variable list + +[Service] +ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2-unset}" = "unset" && test "$${VAR3-unset}" = "unset" && test "$${VAR4-unset}" = "unset" && test "$${VAR5-unset}" = "unset"' +Type=oneshot +PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5 +PassEnvironment= diff --git a/test/test-execute/exec-passenvironment-repeated.service b/test/test-execute/exec-passenvironment-repeated.service new file mode 100644 index 0000000..b8e904f --- /dev/null +++ b/test/test-execute/exec-passenvironment-repeated.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PassEnvironment with a variable name repeated + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes' +Type=oneshot +PassEnvironment=VAR1 VAR2 +PassEnvironment=VAR1 VAR3 +PassEnvironment=VAR1 VAR4 +PassEnvironment=VAR1 VAR5 diff --git a/test/test-execute/exec-passenvironment.service b/test/test-execute/exec-passenvironment.service new file mode 100644 index 0000000..b69592a --- /dev/null +++ b/test/test-execute/exec-passenvironment.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PassEnvironment + +[Service] +ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes' +Type=oneshot +PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5 diff --git a/test/test-execute/exec-personality-aarch64.service b/test/test-execute/exec-personality-aarch64.service new file mode 100644 index 0000000..0783a87 --- /dev/null +++ b/test/test-execute/exec-personality-aarch64.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Personality=aarch64 + +[Service] +ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "aarch64")' +Type=oneshot +Personality=aarch64 diff --git a/test/test-execute/exec-personality-loongarch64.service b/test/test-execute/exec-personality-loongarch64.service new file mode 100644 index 0000000..0531ad1 --- /dev/null +++ b/test/test-execute/exec-personality-loongarch64.service @@ -0,0 +1,7 @@ +[Unit] +Description=Test for Personality=loongarch64 + +[Service] +ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "loongarch64")' +Type=oneshot +Personality=loongarch64 diff --git a/test/test-execute/exec-personality-ppc64.service b/test/test-execute/exec-personality-ppc64.service new file mode 100644 index 0000000..72f063a --- /dev/null +++ b/test/test-execute/exec-personality-ppc64.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Personality=ppc64 + +[Service] +ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "ppc64")' +Type=oneshot +Personality=ppc64 diff --git a/test/test-execute/exec-personality-ppc64le.service b/test/test-execute/exec-personality-ppc64le.service new file mode 100644 index 0000000..5e38029 --- /dev/null +++ b/test/test-execute/exec-personality-ppc64le.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Personality=ppc64le + +[Service] +ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "ppc64le")' +Type=oneshot +Personality=ppc64le diff --git a/test/test-execute/exec-personality-s390.service b/test/test-execute/exec-personality-s390.service new file mode 100644 index 0000000..439dc5f --- /dev/null +++ b/test/test-execute/exec-personality-s390.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Personality=s390 + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "s390"' +Type=oneshot +Personality=s390 diff --git a/test/test-execute/exec-personality-x86-64.service b/test/test-execute/exec-personality-x86-64.service new file mode 100644 index 0000000..c6a0a40 --- /dev/null +++ b/test/test-execute/exec-personality-x86-64.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Personality=x86-64 + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "x86_64"' +Type=oneshot +Personality=x86-64 diff --git a/test/test-execute/exec-personality-x86.service b/test/test-execute/exec-personality-x86.service new file mode 100644 index 0000000..8b820b3 --- /dev/null +++ b/test/test-execute/exec-personality-x86.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Personality=x86 + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "i686" -o "$$c" = "x86_64"' +Type=oneshot +Personality=x86 diff --git a/test/test-execute/exec-privatedevices-bind.service b/test/test-execute/exec-privatedevices-bind.service new file mode 100644 index 0000000..dbbbb4e --- /dev/null +++ b/test/test-execute/exec-privatedevices-bind.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateDevices=yes with a bind mounted device + +[Service] +ExecStart=/bin/sh -c 'test -c /dev/kmsg' +ExecStart=/bin/sh -c 'test ! -w /dev/' +Type=oneshot +PrivateDevices=yes +BindPaths=/dev/kmsg diff --git a/test/test-execute/exec-privatedevices-disabled-by-prefix.service b/test/test-execute/exec-privatedevices-disabled-by-prefix.service new file mode 100644 index 0000000..021cadf --- /dev/null +++ b/test/test-execute/exec-privatedevices-disabled-by-prefix.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateDevices=yes with prefix + +[Service] +ExecStart=/bin/sh -x -c '! test -c /dev/kmsg' +ExecStart=+/bin/sh -x -c 'test -c /dev/kmsg' +Type=oneshot +PrivateDevices=yes diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service new file mode 100644 index 0000000..a07e822 --- /dev/null +++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_MKNOD capability for PrivateDevices=no + +[Service] +PrivateDevices=no +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod' +Type=oneshot diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service new file mode 100644 index 0000000..b0ce2d4 --- /dev/null +++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no + +[Service] +PrivateDevices=no +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio' +Type=oneshot diff --git a/test/test-execute/exec-privatedevices-no.service b/test/test-execute/exec-privatedevices-no.service new file mode 100644 index 0000000..31a5e3c --- /dev/null +++ b/test/test-execute/exec-privatedevices-no.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateDevices=no + +[Service] +ExecStart=/bin/sh -x -c 'test -c /dev/kmsg' +Type=oneshot +PrivateDevices=no diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service new file mode 100644 index 0000000..f798f31 --- /dev/null +++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_MKNOD capability for PrivateDevices=yes + +[Service] +PrivateDevices=yes +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod' +Type=oneshot diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service new file mode 100644 index 0000000..d902c23 --- /dev/null +++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes + +[Service] +PrivateDevices=yes +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio' +Type=oneshot diff --git a/test/test-execute/exec-privatedevices-yes-with-group.service b/test/test-execute/exec-privatedevices-yes-with-group.service new file mode 100644 index 0000000..a39ae0f --- /dev/null +++ b/test/test-execute/exec-privatedevices-yes-with-group.service @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test Group=group is applied after PrivateDevices=yes + +[Service] +PrivateDevices=yes +Group=daemon +Type=oneshot + +# Check the group applied +ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"' + +# Check that the namespace applied +ExecStart=/bin/sh -c 'test ! -c /dev/kmsg' + +# Check that the owning group of a node is not daemon (should be the host root) +ExecStart=/bin/sh -x -c 'test ! "$$(stat -c %%G /dev/stderr)" = "daemon"' diff --git a/test/test-execute/exec-privatedevices-yes.service b/test/test-execute/exec-privatedevices-yes.service new file mode 100644 index 0000000..564e958 --- /dev/null +++ b/test/test-execute/exec-privatedevices-yes.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateDevices=yes + +[Service] +ExecStart=/bin/sh -c 'test ! -c /dev/kmsg' +Type=oneshot +PrivateDevices=yes diff --git a/test/test-execute/exec-privatenetwork-yes-privatemounts-no.service b/test/test-execute/exec-privatenetwork-yes-privatemounts-no.service new file mode 100644 index 0000000..83708df --- /dev/null +++ b/test/test-execute/exec-privatenetwork-yes-privatemounts-no.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateNetwork= without mount namespacing + +[Service] +ExecStart=/bin/sh -x -c '! ip link show dummy-test-exec' +ExecStart=/bin/sh -x -c 'test ! -e /proc/sys/net/ipv4/conf/dummy-test-exec' +# Without mount namespacing, we can access the dummy-test-exec interface through sysfs +ExecStart=/bin/sh -x -c 'test -d /sys/class/net/dummy-test-exec' +Type=oneshot +PrivateNetwork=yes +PrivateMounts=no diff --git a/test/test-execute/exec-privatenetwork-yes-privatemounts-yes.service b/test/test-execute/exec-privatenetwork-yes-privatemounts-yes.service new file mode 100644 index 0000000..874f100 --- /dev/null +++ b/test/test-execute/exec-privatenetwork-yes-privatemounts-yes.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateNetwork= with mount namespacing + +[Service] +ExecStart=/bin/sh -x -c '! ip link show dummy-test-exec' +ExecStart=/bin/sh -x -c 'test ! -e /proc/sys/net/ipv4/conf/dummy-test-exec' +# With mount namespacing, we cannot access the dummy-test-exec interface through sysfs. +ExecStart=/bin/sh -x -c 'test ! -e /sys/class/net/dummy-test-exec' +Type=oneshot +PrivateNetwork=yes +# PrivateNetwork=yes implies PrivateMounts=yes diff --git a/test/test-execute/exec-privatetmp-disabled-by-prefix.service b/test/test-execute/exec-privatetmp-disabled-by-prefix.service new file mode 100644 index 0000000..f67afee --- /dev/null +++ b/test/test-execute/exec-privatetmp-disabled-by-prefix.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateTmp=yes with prefix + +[Service] +ExecStart=/bin/sh -x -c 'test ! -f /tmp/test-exec_privatetmp' +ExecStart=+/bin/sh -x -c 'test -f /tmp/test-exec_privatetmp' +Type=oneshot +PrivateTmp=yes diff --git a/test/test-execute/exec-privatetmp-no.service b/test/test-execute/exec-privatetmp-no.service new file mode 100644 index 0000000..6a8a3fc --- /dev/null +++ b/test/test-execute/exec-privatetmp-no.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateTmp=no + +[Service] +ExecStart=/bin/sh -x -c 'test -f /tmp/test-exec_privatetmp' +Type=oneshot +PrivateTmp=no diff --git a/test/test-execute/exec-privatetmp-yes.service b/test/test-execute/exec-privatetmp-yes.service new file mode 100644 index 0000000..6395be0 --- /dev/null +++ b/test/test-execute/exec-privatetmp-yes.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for PrivateTmp=yes + +[Service] +ExecStart=/bin/sh -x -c 'test ! -f /tmp/test-exec_privatetmp' +Type=oneshot +PrivateTmp=yes diff --git a/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service b/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service new file mode 100644 index 0000000..f84e6b6 --- /dev/null +++ b/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test ProtectHome=tmpfs vs ProtectSystem=strict +# Test for #11276 + +[Service] +ProtectHome=tmpfs +ProtectSystem=strict +Type=oneshot +ExecStart=/bin/sh -x -c 'test "$$(stat -fc %%T /home)" = "tmpfs"' diff --git a/test/test-execute/exec-protectkernellogs-no-capabilities.service b/test/test-execute/exec-protectkernellogs-no-capabilities.service new file mode 100644 index 0000000..5478962 --- /dev/null +++ b/test/test-execute/exec-protectkernellogs-no-capabilities.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_SYSLOG for ProtectKernelLogs=no + +[Service] +ProtectKernelLogs=no +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog' +Type=oneshot diff --git a/test/test-execute/exec-protectkernellogs-yes-capabilities.service b/test/test-execute/exec-protectkernellogs-yes-capabilities.service new file mode 100644 index 0000000..6fe1241 --- /dev/null +++ b/test/test-execute/exec-protectkernellogs-yes-capabilities.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_SYSLOG for ProtectKernelLogs=yes + +[Service] +ProtectKernelLogs=yes +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog' +Type=oneshot diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service new file mode 100644 index 0000000..7236af2 --- /dev/null +++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_SYS_MODULE ProtectKernelModules=no + +[Service] +ProtectKernelModules=no +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module' +Type=oneshot diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service new file mode 100644 index 0000000..e40160d --- /dev/null +++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes + +[Service] +ProtectKernelModules=yes +# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output +ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module' +Type=oneshot diff --git a/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service b/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service new file mode 100644 index 0000000..0ecf1a2 --- /dev/null +++ b/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test to make sure that passing ProtectKernelModules=yes disconnect mount propagation + +[Service] +ProtectKernelModules=yes +ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo' +Type=oneshot diff --git a/test/test-execute/exec-readonlypaths-mount-propagation.service b/test/test-execute/exec-readonlypaths-mount-propagation.service new file mode 100644 index 0000000..abc180b --- /dev/null +++ b/test/test-execute/exec-readonlypaths-mount-propagation.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test to make sure that passing ReadOnlyPaths= disconnect mount propagation + +[Service] +ReadOnlyPaths=-/i-dont-exist +ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo' +Type=oneshot diff --git a/test/test-execute/exec-readonlypaths-simple.service b/test/test-execute/exec-readonlypaths-simple.service new file mode 100644 index 0000000..5587e8d --- /dev/null +++ b/test/test-execute/exec-readonlypaths-simple.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for ReadOnlyPaths= + +[Service] +Type=oneshot +# This should work, as we explicitly disable the effect of ReadOnlyPaths= +ExecStart=+/bin/sh -c 'touch /tmp/thisisasimpletest' +# This should also work, as we do not disable the effect of ReadOnlyPaths= but invert the exit code +ExecStart=/bin/sh -x -c '! touch /tmp/thisisasimpletest' +ExecStart=+/bin/sh -c 'rm /tmp/thisisasimpletest' +ReadOnlyPaths=/tmp diff --git a/test/test-execute/exec-readonlypaths-with-bindpaths.service b/test/test-execute/exec-readonlypaths-with-bindpaths.service new file mode 100644 index 0000000..71c7e7b --- /dev/null +++ b/test/test-execute/exec-readonlypaths-with-bindpaths.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for ReadOnlyPaths= + +[Service] +ReadOnlyPaths=/etc -/i-dont-exist /usr +BindPaths=/etc:/tmp/etc2 +ExecStart=/bin/sh -x -c 'test ! -w /etc && test ! -w /usr && test ! -e /i-dont-exist && test -w /var' +Type=oneshot diff --git a/test/test-execute/exec-readonlypaths.service b/test/test-execute/exec-readonlypaths.service new file mode 100644 index 0000000..21814c2 --- /dev/null +++ b/test/test-execute/exec-readonlypaths.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for ReadOnlyPaths= + +[Service] +ReadOnlyPaths=/usr /etc /sys /dev -/i-dont-exist +PrivateDevices=yes +ExecStart=/bin/sh -x -c 'test ! -w /usr && test ! -w /etc && test ! -w /sys && test ! -w /sys/fs/cgroup' +ExecStart=/bin/sh -x -c 'test ! -w /dev && test ! -w /dev/shm && test ! -e /i-dont-exist && test -w /var' +Type=oneshot diff --git a/test/test-execute/exec-readwritepaths-mount-propagation.service b/test/test-execute/exec-readwritepaths-mount-propagation.service new file mode 100644 index 0000000..35e736f --- /dev/null +++ b/test/test-execute/exec-readwritepaths-mount-propagation.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test to make sure that passing ReadWritePaths= disconnect mount propagation + +[Service] +ReadWritePaths=-/i-dont-exist +ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo' +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-merge-all.service b/test/test-execute/exec-restrictnamespaces-merge-all.service new file mode 100644 index 0000000..1270b60 --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-merge-all.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test merging RestrictNamespaces= with all flags + +[Service] +RestrictNamespaces=mnt pid cgroup net uts ipc user +RestrictNamespaces=net +ExecStart=unshare -m -u -i -n -p -f +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-merge-and.service b/test/test-execute/exec-restrictnamespaces-merge-and.service new file mode 100644 index 0000000..fdeb3f1 --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-merge-and.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test merging RestrictNamespaces= with AND + +[Service] +RestrictNamespaces=mnt pid +RestrictNamespaces=~mnt usr +ExecStart=unshare -p -f +ExecStart=sh -c '! unshare -m -u -i -n' +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-merge-or.service b/test/test-execute/exec-restrictnamespaces-merge-or.service new file mode 100644 index 0000000..fca3718 --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-merge-or.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test merging RestrictNamespaces= with OR + +[Service] +RestrictNamespaces=mnt pid +RestrictNamespaces=mnt uts +ExecStart=unshare -m -u -p -f +ExecStart=sh -c '! unshare -u -i -n' +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-mnt-deny-list.service b/test/test-execute/exec-restrictnamespaces-mnt-deny-list.service new file mode 100644 index 0000000..b257afb --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-mnt-deny-list.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test RestrictNamespaces=~mnt + +[Service] +RestrictNamespaces=~mnt +ExecStart=unshare -m +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-mnt.service b/test/test-execute/exec-restrictnamespaces-mnt.service new file mode 100644 index 0000000..cb28c0c --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-mnt.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test RestrictNamespaces=mnt + +[Service] +RestrictNamespaces=mnt +ExecStart=unshare -m +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-no.service b/test/test-execute/exec-restrictnamespaces-no.service new file mode 100644 index 0000000..035c8b5 --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-no.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test RestrictNamespaces=no + +[Service] +RestrictNamespaces=no +ExecStart=unshare -m -u -i -n -p -f +Type=oneshot diff --git a/test/test-execute/exec-restrictnamespaces-yes.service b/test/test-execute/exec-restrictnamespaces-yes.service new file mode 100644 index 0000000..f9436d2 --- /dev/null +++ b/test/test-execute/exec-restrictnamespaces-yes.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test RestrictNamespaces=yes + +[Service] +RestrictNamespaces=yes +ExecStart=unshare -m +Type=oneshot diff --git a/test/test-execute/exec-runtimedirectory-mode.service b/test/test-execute/exec-runtimedirectory-mode.service new file mode 100644 index 0000000..580bac9 --- /dev/null +++ b/test/test-execute/exec-runtimedirectory-mode.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectoryMode + +[Service] +ExecStart=/bin/sh -x -c 'mode=$$(stat -c %%a %t/test-exec_runtimedirectory-mode); test "$$mode" = "750"' +ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectory-mode"' +Type=oneshot +RuntimeDirectory=test-exec_runtimedirectory-mode +RuntimeDirectoryMode=0750 diff --git a/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service new file mode 100644 index 0000000..79bebc4 --- /dev/null +++ b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set) + +[Service] +ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nfsnobody"' +Type=oneshot +Group=nfsnobody +User=root +RuntimeDirectory=test-exec_runtimedirectory-owner diff --git a/test/test-execute/exec-runtimedirectory-owner-nobody.service b/test/test-execute/exec-runtimedirectory-owner-nobody.service new file mode 100644 index 0000000..3b42a9f --- /dev/null +++ b/test/test-execute/exec-runtimedirectory-owner-nobody.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set) + +[Service] +ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nobody"' +Type=oneshot +Group=nobody +User=root +RuntimeDirectory=test-exec_runtimedirectory-owner diff --git a/test/test-execute/exec-runtimedirectory-owner-nogroup.service b/test/test-execute/exec-runtimedirectory-owner-nogroup.service new file mode 100644 index 0000000..804048e --- /dev/null +++ b/test/test-execute/exec-runtimedirectory-owner-nogroup.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set) + +[Service] +ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nogroup"' +Type=oneshot +Group=nogroup +User=root +RuntimeDirectory=test-exec_runtimedirectory-owner diff --git a/test/test-execute/exec-runtimedirectory-owner.service b/test/test-execute/exec-runtimedirectory-owner.service new file mode 100644 index 0000000..e2c0890 --- /dev/null +++ b/test/test-execute/exec-runtimedirectory-owner.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set) + +[Service] +ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner-daemon); test "$$group" = "daemon"' +Type=oneshot +Group=daemon +User=root +RuntimeDirectory=test-exec_runtimedirectory-owner-daemon diff --git a/test/test-execute/exec-runtimedirectory.service b/test/test-execute/exec-runtimedirectory.service new file mode 100644 index 0000000..1928c57 --- /dev/null +++ b/test/test-execute/exec-runtimedirectory.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for RuntimeDirectory + +[Service] +ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectory' +ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectory2/hogehoge' +ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectory:%t/test-exec_runtimedirectory2/hogehoge"' +Type=oneshot +RuntimeDirectory=test-exec_runtimedirectory +RuntimeDirectory=./test-exec_runtimedirectory2///./hogehoge/. diff --git a/test/test-execute/exec-set-credential.service b/test/test-execute/exec-set-credential.service new file mode 100644 index 0000000..9db6c5f --- /dev/null +++ b/test/test-execute/exec-set-credential.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SetCredential= + +[Service] +ExecStart=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"' +ExecStartPost=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"' +ExecStop=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"' +ExecStopPost=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"' +Type=oneshot +SetCredential=test-execute.set-credential:hoge diff --git a/test/test-execute/exec-specifier-interpolation.service b/test/test-execute/exec-specifier-interpolation.service new file mode 100644 index 0000000..2e8882c --- /dev/null +++ b/test/test-execute/exec-specifier-interpolation.service @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=https://github.com/systemd/systemd/issues/2637 + +[Service] +Type=oneshot +ExecStart=/bin/bash -x -c "[[ %%U == ?U ]]" diff --git a/test/test-execute/exec-specifier-system.service b/test/test-execute/exec-specifier-system.service new file mode 100644 index 0000000..9e8ee56 --- /dev/null +++ b/test/test-execute/exec-specifier-system.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for specifiers (system) + +[Service] +Type=oneshot +ExecStart=test %t = /run +ExecStart=test %S = /var/lib +ExecStart=test %C = /var/cache +ExecStart=test %L = /var/log +ExecStart=test %E = /etc diff --git a/test/test-execute/exec-specifier-user.service b/test/test-execute/exec-specifier-user.service new file mode 100644 index 0000000..ab565fb --- /dev/null +++ b/test/test-execute/exec-specifier-user.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for specifiers + +[Service] +Type=oneshot +ExecStart=sh -c 'test %t = $$XDG_RUNTIME_DIR' +ExecStart=sh -c 'test %S = %h/.local/state' +ExecStart=sh -c 'test %C = %h/.cache' +ExecStart=sh -c 'test %L = %h/.local/state/log' +ExecStart=sh -c 'test %E = %h/.config' diff --git a/test/test-execute/exec-specifier.service b/test/test-execute/exec-specifier.service new file mode 100644 index 0000000..512f786 --- /dev/null +++ b/test/test-execute/exec-specifier.service @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for specifiers + +[Service] +Type=oneshot +ExecStart=test %n = exec-specifier.service +ExecStart=test %N = exec-specifier +ExecStart=test %p = exec-specifier +ExecStart=test %P = exec/specifier +ExecStart=test %i = "" +ExecStart=test %I = "" +ExecStart=test %j = specifier +ExecStart=test %J = specifier +ExecStart=test %f = /exec/specifier +ExecStart=test %T = /tmp +ExecStart=test %V = /var/tmp +ExecStart=test %d = %t/credentials/%n +ExecStart=sh -c 'test %u = $$(id -un)' +ExecStart=sh -c 'test %U = $$(id -u)' +ExecStart=sh -c 'test %g = $$(id -gn)' +ExecStart=sh -c 'test %G = $$(id -g)' +ExecStart=test %h = /root +ExecStart=sh -c 'test -x %s' +ExecStart=sh -c 'test %b = $$(cat /proc/sys/kernel/random/boot_id | sed -e 's/-//g')' +ExecStart=sh -c 'test %H = $$(uname -n)' +ExecStart=sh -c 'test %v = $$(uname -r)' diff --git a/test/test-execute/exec-specifier@.service b/test/test-execute/exec-specifier@.service new file mode 100644 index 0000000..cb9d0a1 --- /dev/null +++ b/test/test-execute/exec-specifier@.service @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for specifiers (template unit) + +[Service] +Type=oneshot +ExecStart=test %n = exec-specifier@foo-bar.service +ExecStart=test %N = exec-specifier@foo-bar +ExecStart=test %p = exec-specifier +ExecStart=test %P = exec/specifier +ExecStart=test %i = foo-bar +ExecStart=test %I = foo/bar +ExecStart=test %j = specifier +ExecStart=test %J = specifier +ExecStart=test %f = /foo/bar +ExecStart=sh -c 'test %u = $$(id -un)' +ExecStart=sh -c 'test %U = $$(id -u)' +ExecStart=sh -c 'test %g = $$(id -gn)' +ExecStart=sh -c 'test %G = $$(id -g)' +ExecStart=test %h = /root +ExecStart=sh -c 'test -x %s' +ExecStart=sh -c 'test %b = $$(cat /proc/sys/kernel/random/boot_id | sed -e 's/-//g')' +ExecStart=sh -c 'test %H = $$(uname -n)' +ExecStart=sh -c 'test %v = $$(uname -r)' diff --git a/test/test-execute/exec-standardinput-data.service b/test/test-execute/exec-standardinput-data.service new file mode 100644 index 0000000..838fea7 --- /dev/null +++ b/test/test-execute/exec-standardinput-data.service @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for StandardInputText= and StandardInputData= + +[Service] +ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); echo -e "this is a test\nand this is more\nsomething encoded!\nsomething in multiple lines\nand some more\nand a more bas64 data\nsomething with strange\nembedded\tcharacters\nand something with a exec-stdin-data.service specifier" >$d/text ; cmp $d/text ; rm -rf $d' +Type=oneshot +StandardInput=data +StandardInputText=this is a test +StandardInputText=and this is more +StandardInputData=c29tZXRoaW5nIGVuY29kZWQhCg== +StandardInputText=something \ + in multiple lines +StandardInputText=\ +and some more +StandardInputData=YW5kIGEgbW9y \ + ZSBiYXM2NCBk\ +YXRhCg== +StandardInputText=something with strange\nembedded\tcharacters +StandardInputText=and something with a %n specifier diff --git a/test/test-execute/exec-standardinput-file-cat.service b/test/test-execute/exec-standardinput-file-cat.service new file mode 100644 index 0000000..b115a6d --- /dev/null +++ b/test/test-execute/exec-standardinput-file-cat.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for StandardInput=file: + +[Service] +ExecStart=cat +Type=oneshot +StandardInput=file:/etc/os-release +# We leave StandardOutput= unset here, to verify https://github.com/systemd/systemd/issues/14560 works +# The "cat" tool is going to write to stdout, which fails if we dup() stdin to stdout diff --git a/test/test-execute/exec-standardinput-file.service b/test/test-execute/exec-standardinput-file.service new file mode 100644 index 0000000..618ae7d --- /dev/null +++ b/test/test-execute/exec-standardinput-file.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for StandardInput=file: + +[Service] +ExecStart=/usr/bin/cmp /usr/bin/cmp +Type=oneshot +StandardInput=file:/usr/bin/cmp diff --git a/test/test-execute/exec-standardoutput-append.service b/test/test-execute/exec-standardoutput-append.service new file mode 100644 index 0000000..45d29ec --- /dev/null +++ b/test/test-execute/exec-standardoutput-append.service @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for StandardOutput=append: + +[Service] +ExecStartPre=sh -c 'printf "hello\n" >/tmp/test-exec-standardoutput-output' +ExecStartPre=sh -c 'printf "hello\nhello\n" >/tmp/test-exec-standardoutput-expected' +StandardInput=data +StandardInputText=hello +StandardOutput=append:/tmp/test-exec-standardoutput-output +StandardError=null +ExecStart=cat +ExecStart=cmp /tmp/test-exec-standardoutput-output /tmp/test-exec-standardoutput-expected +Type=oneshot diff --git a/test/test-execute/exec-standardoutput-file.service b/test/test-execute/exec-standardoutput-file.service new file mode 100644 index 0000000..8b689a2 --- /dev/null +++ b/test/test-execute/exec-standardoutput-file.service @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for StandardOutput=file: + +[Service] +ExecStartPre=sh -c 'printf "nooo\nhello\n" >/tmp/test-exec-standardoutput-output' +ExecStartPre=sh -c 'printf "hello\nello\n" >/tmp/test-exec-standardoutput-expected' +StandardInput=data +StandardInputText=hello +StandardOutput=file:/tmp/test-exec-standardoutput-output +StandardError=null +ExecStart=cat +ExecStart=cmp /tmp/test-exec-standardoutput-expected /tmp/test-exec-standardoutput-output +Type=oneshot diff --git a/test/test-execute/exec-standardoutput-truncate.service b/test/test-execute/exec-standardoutput-truncate.service new file mode 100644 index 0000000..1a86d92 --- /dev/null +++ b/test/test-execute/exec-standardoutput-truncate.service @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for StandardOutput=truncate: + +[Service] +ExecStartPre=sh -c 'printf "hello\n" >/tmp/test-exec-standardoutput-output' +ExecStartPre=sh -c 'printf "hi\n" >/tmp/test-exec-standardoutput-expected' +StandardInput=data +StandardInputText=hi +StandardOutput=truncate:/tmp/test-exec-standardoutput-output +StandardError=null +ExecStart=sh -c 'cat && cmp /tmp/test-exec-standardoutput-output /tmp/test-exec-standardoutput-expected' +Type=oneshot diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service new file mode 100644 index 0000000..0ecc344 --- /dev/null +++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Supplementary Group with multiple groups without Group and User + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"' +Type=oneshot +SupplementaryGroups=1 2 diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service new file mode 100644 index 0000000..cd1021b --- /dev/null +++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Supplementary Group with multiple groups and Group=1 + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"' +Type=oneshot +Group=1 +SupplementaryGroups=1 2 diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service new file mode 100644 index 0000000..7913a2c --- /dev/null +++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Supplementary Group with multiple groups and Uid=1 + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' +Type=oneshot +User=1 +SupplementaryGroups=1 2 diff --git a/test/test-execute/exec-supplementarygroups-single-group-user.service b/test/test-execute/exec-supplementarygroups-single-group-user.service new file mode 100644 index 0000000..ee4017e --- /dev/null +++ b/test/test-execute/exec-supplementarygroups-single-group-user.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Supplementary Group with only one group and uid 1 + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' +Type=oneshot +User=1 +Group=1 +SupplementaryGroups=1 diff --git a/test/test-execute/exec-supplementarygroups-single-group.service b/test/test-execute/exec-supplementarygroups-single-group.service new file mode 100644 index 0000000..6227520 --- /dev/null +++ b/test/test-execute/exec-supplementarygroups-single-group.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Supplementary Group with only one group + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "0"' +Type=oneshot +Group=1 +SupplementaryGroups=1 diff --git a/test/test-execute/exec-supplementarygroups.service b/test/test-execute/exec-supplementarygroups.service new file mode 100644 index 0000000..03406c3 --- /dev/null +++ b/test/test-execute/exec-supplementarygroups.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for Supplementary Group + +[Service] +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1' +ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' +Type=oneshot +SupplementaryGroups=1 diff --git a/test/test-execute/exec-systemcallerrornumber-name.service b/test/test-execute/exec-systemcallerrornumber-name.service new file mode 100644 index 0000000..f2be600 --- /dev/null +++ b/test/test-execute/exec-systemcallerrornumber-name.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallErrorNumber + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname +SystemCallErrorNumber=EACCES diff --git a/test/test-execute/exec-systemcallerrornumber-number.service b/test/test-execute/exec-systemcallerrornumber-number.service new file mode 100644 index 0000000..5d99a97 --- /dev/null +++ b/test/test-execute/exec-systemcallerrornumber-number.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallErrorNumber + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname +SystemCallErrorNumber=255 diff --git a/test/test-execute/exec-systemcallfilter-failing.service b/test/test-execute/exec-systemcallfilter-failing.service new file mode 100644 index 0000000..3aad372 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-failing.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter + +[Service] +ExecStart=/bin/sh -c '/bin/echo "This should not be seen"' +Type=oneshot +LimitCORE=0 +SystemCallFilter=ioperm +SystemCallFilter=~ioperm +SystemCallFilter=ioperm diff --git a/test/test-execute/exec-systemcallfilter-failing2.service b/test/test-execute/exec-systemcallfilter-failing2.service new file mode 100644 index 0000000..8cdb8de --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-failing2.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter + +[Service] +ExecStart=/bin/sh -c '/bin/echo "This should not be seen"' +Type=oneshot +LimitCORE=0 +SystemCallFilter=~write open execve fexecve execveat exit_group close mmap munmap fstat DONOTEXIST diff --git a/test/test-execute/exec-systemcallfilter-failing3.service b/test/test-execute/exec-systemcallfilter-failing3.service new file mode 100644 index 0000000..98c88fd --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-failing3.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter + +[Service] +ExecStart=/bin/sh -c '/bin/echo "This should not be seen"' +Type=oneshot +LimitCORE=0 +SystemCallArchitectures=native +SystemCallFilter=~write open execve fexecve execveat exit_group close mmap munmap fstat DONOTEXIST diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service new file mode 100644 index 0000000..8f8192c --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test bounding set is right with SystemCallFilter and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_net_bind_service"' +Type=oneshot +User=1 +SystemCallFilter=@system-service +CapabilityBoundingSet=CAP_NET_BIND_SERVICE diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service new file mode 100644 index 0000000..d78c323 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test bounding set is right with SystemCallFilter and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_setpcap,cap_net_bind_service,cap_sys_admin"' +Type=oneshot +User=1 +SystemCallFilter=@system-service +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service new file mode 100644 index 0000000..f33a2a0 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test no_new_privs is unset for ProtectClock and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"' +Type=oneshot +User=1 +ProtectClock=yes diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges.service b/test/test-execute/exec-systemcallfilter-nonewprivileges.service new file mode 100644 index 0000000..8bfd0a7 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-nonewprivileges.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test no_new_privs is unset for SystemCallFilter and non-root user + +[Service] +ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"' +Type=oneshot +User=1 +SystemCallFilter=@system-service diff --git a/test/test-execute/exec-systemcallfilter-not-failing.service b/test/test-execute/exec-systemcallfilter-not-failing.service new file mode 100644 index 0000000..c7eddea --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-not-failing.service @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +SystemCallFilter=~read write open execve ioperm +SystemCallFilter=ioctl +SystemCallFilter=read write open execve +SystemCallFilter=~ioperm diff --git a/test/test-execute/exec-systemcallfilter-not-failing2.service b/test/test-execute/exec-systemcallfilter-not-failing2.service new file mode 100644 index 0000000..96eaf16 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-not-failing2.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +SystemCallFilter= diff --git a/test/test-execute/exec-systemcallfilter-not-failing3.service b/test/test-execute/exec-systemcallfilter-not-failing3.service new file mode 100644 index 0000000..f8f4092 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-not-failing3.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +SystemCallArchitectures=native +SystemCallFilter= diff --git a/test/test-execute/exec-systemcallfilter-override-error-action.service b/test/test-execute/exec-systemcallfilter-override-error-action.service new file mode 100644 index 0000000..de2c6ad --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-override-error-action.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter with specific kill action overriding default errno action + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname:kill +SystemCallErrorNumber=EILSEQ diff --git a/test/test-execute/exec-systemcallfilter-override-error-action2.service b/test/test-execute/exec-systemcallfilter-override-error-action2.service new file mode 100644 index 0000000..ffa35e6 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-override-error-action2.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter with specific errno action overriding default kill action + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname:EILSEQ +SystemCallErrorNumber=kill diff --git a/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service new file mode 100644 index 0000000..deba154 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter in system mode with User set + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +User=nfsnobody +SystemCallFilter=~read write open execve ioperm +SystemCallFilter=ioctl +SystemCallFilter=read write open execve +SystemCallFilter=~ioperm diff --git a/test/test-execute/exec-systemcallfilter-system-user-nobody.service b/test/test-execute/exec-systemcallfilter-system-user-nobody.service new file mode 100644 index 0000000..43fb9c3 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-system-user-nobody.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter in system mode with User set + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +User=nobody +SystemCallFilter=~read write open execve ioperm +SystemCallFilter=ioctl +SystemCallFilter=read write open execve +SystemCallFilter=~ioperm diff --git a/test/test-execute/exec-systemcallfilter-system-user.service b/test/test-execute/exec-systemcallfilter-system-user.service new file mode 100644 index 0000000..005c4ac --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-system-user.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter in system mode with User set (daemon) + +[Service] +ExecStart=/bin/sh -c 'echo "Foo bar"' +Type=oneshot +User=daemon +SystemCallFilter=~read write open execve ioperm +SystemCallFilter=ioctl +SystemCallFilter=read write open execve +SystemCallFilter=~ioperm diff --git a/test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service b/test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service new file mode 100644 index 0000000..c7a4c4a --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter with errno name (for issue #18916) + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=@system-service +SystemCallFilter=~uname:EILSEQ +SystemCallErrorNumber=EACCES diff --git a/test/test-execute/exec-systemcallfilter-with-errno-multi.service b/test/test-execute/exec-systemcallfilter-with-errno-multi.service new file mode 100644 index 0000000..2678323 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-with-errno-multi.service @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter updating errno +# test for issue #9939 which is fixed by a5404992cc7724ebf7572a0aa89d9fdb26ce0b62 (#9942) + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname:ENOENT uname:EILSEQ +SystemCallErrorNumber=EACCES diff --git a/test/test-execute/exec-systemcallfilter-with-errno-name.service b/test/test-execute/exec-systemcallfilter-with-errno-name.service new file mode 100644 index 0000000..a902331 --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-with-errno-name.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter with errno name + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname:EILSEQ +SystemCallErrorNumber=EACCES diff --git a/test/test-execute/exec-systemcallfilter-with-errno-number.service b/test/test-execute/exec-systemcallfilter-with-errno-number.service new file mode 100644 index 0000000..ffbc84a --- /dev/null +++ b/test/test-execute/exec-systemcallfilter-with-errno-number.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for SystemCallFilter with errno number + +[Service] +ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)' +Type=oneshot +SystemCallFilter=~uname:255 +SystemCallErrorNumber=EACCES diff --git a/test/test-execute/exec-temporaryfilesystem-options.service b/test/test-execute/exec-temporaryfilesystem-options.service new file mode 100644 index 0000000..1610c63 --- /dev/null +++ b/test/test-execute/exec-temporaryfilesystem-options.service @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for TemporaryFileSystem with mount options + +[Service] +Type=oneshot + +# The mount options default to "mode=0755,nodev,strictatime". +# Let's override some of them, and test "ro". +TemporaryFileSystem=/var:ro,mode=0700,nostrictatime + +# Check /proc/self/mountinfo +ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$11 !~ /(^|,)mode=700(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""' + +ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$6 !~ /(^|,)ro(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""' +ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$6 !~ /(^|,)nodev(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""' +ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$6 ~ /(^|,)strictatime(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""' diff --git a/test/test-execute/exec-temporaryfilesystem-ro.service b/test/test-execute/exec-temporaryfilesystem-ro.service new file mode 100644 index 0000000..2ee5c26 --- /dev/null +++ b/test/test-execute/exec-temporaryfilesystem-ro.service @@ -0,0 +1,37 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for TemporaryFileSystem with read-only mode + +[Service] +Type=oneshot + +# Check directories exist +ExecStart=/bin/sh -c 'test -d /var/test-exec-temporaryfilesystem/rw && test -d /var/test-exec-temporaryfilesystem/ro' + +# Check TemporaryFileSystem= are empty +ExecStart=/bin/sh -c 'for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done' + +# Check default mode +ExecStart=sh -x -c 'test "$$(stat -c %%a /var)" = "755"' + +# Cannot create a file in /var +ExecStart=/bin/sh -c '! touch /var/hoge' + +# Create a file in /var/test-exec-temporaryfilesystem/rw +ExecStart=/bin/sh -c 'touch /var/test-exec-temporaryfilesystem/rw/thisisasimpletest-temporaryfilesystem' + +# Then, the file can be access through /tmp +ExecStart=/bin/sh -c 'test -f /tmp/thisisasimpletest-temporaryfilesystem' + +# Also, through /var/test-exec-temporaryfilesystem/ro +ExecStart=/bin/sh -c 'test -f /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem' + +# The file cannot modify through /var/test-exec-temporaryfilesystem/ro +ExecStart=/bin/sh -c '! touch /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem' + +# Cleanup +ExecStart=/bin/sh -c 'rm /tmp/thisisasimpletest-temporaryfilesystem' + +TemporaryFileSystem=/var:ro +BindPaths=/tmp:/var/test-exec-temporaryfilesystem/rw +BindReadOnlyPaths=/tmp:/var/test-exec-temporaryfilesystem/ro diff --git a/test/test-execute/exec-temporaryfilesystem-rw.service b/test/test-execute/exec-temporaryfilesystem-rw.service new file mode 100644 index 0000000..ff0aa04 --- /dev/null +++ b/test/test-execute/exec-temporaryfilesystem-rw.service @@ -0,0 +1,37 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for TemporaryFileSystem + +[Service] +Type=oneshot + +# Check directories exist +ExecStart=test -d /var/test-exec-temporaryfilesystem/rw -a -d /var/test-exec-temporaryfilesystem/ro + +# Check TemporaryFileSystem= are empty +ExecStart=sh -c 'for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done' + +# Check default mode +ExecStart=sh -x -c 'test "$$(stat -c %%a /var)" = "755"' + +# Create a file in /var +ExecStart=touch /var/hoge + +# Create a file in /var/test-exec-temporaryfilesystem/rw +ExecStart=touch /var/test-exec-temporaryfilesystem/rw/thisisasimpletest-temporaryfilesystem + +# Then, the file can be access through /tmp +ExecStart=test -f /tmp/thisisasimpletest-temporaryfilesystem + +# Also, through /var/test-exec-temporaryfilesystem/ro +ExecStart=test -f /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem + +# The file cannot modify through /var/test-exec-temporaryfilesystem/ro +ExecStart=sh -c '! touch /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem' + +# Cleanup +ExecStart=rm /tmp/thisisasimpletest-temporaryfilesystem + +TemporaryFileSystem=/var +BindPaths=/tmp:/var/test-exec-temporaryfilesystem/rw +BindReadOnlyPaths=/tmp:/var/test-exec-temporaryfilesystem/ro diff --git a/test/test-execute/exec-temporaryfilesystem-usr.service b/test/test-execute/exec-temporaryfilesystem-usr.service new file mode 100644 index 0000000..f62ce1a --- /dev/null +++ b/test/test-execute/exec-temporaryfilesystem-usr.service @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for TemporaryFileSystem on /usr + +[Service] +Type=oneshot + +# Check TemporaryFileSystem= are empty +ExecStart=/bin/sh -c 'for i in $$(ls -A /usr); do test $$i = lib -o $$i = lib64 -o $$i = bin -o $$i = sbin || false; done' + +# Cannot create files under /usr +ExecStart=/bin/sh -c '! touch /usr/hoge' +ExecStart=/bin/sh -c '! touch /usr/bin/hoge' + +TemporaryFileSystem=/usr:ro +BindReadOnlyPaths=-/usr/lib -/usr/lib64 /usr/bin /usr/sbin diff --git a/test/test-execute/exec-umask-0177.service b/test/test-execute/exec-umask-0177.service new file mode 100644 index 0000000..380cb82 --- /dev/null +++ b/test/test-execute/exec-umask-0177.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for UMask + +[Service] +ExecStart=/bin/sh -x -c 'rm /tmp/test-exec-umask; touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "600"' +Type=oneshot +UMask=0177 +PrivateTmp=yes diff --git a/test/test-execute/exec-umask-default.service b/test/test-execute/exec-umask-default.service new file mode 100644 index 0000000..b28023d --- /dev/null +++ b/test/test-execute/exec-umask-default.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for UMask default + +[Service] +ExecStart=/bin/sh -x -c 'rm /tmp/test-exec-umask; touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "644"' +Type=oneshot +PrivateTmp=yes diff --git a/test/test-execute/exec-umask-namespace.service b/test/test-execute/exec-umask-namespace.service new file mode 100644 index 0000000..8419c86 --- /dev/null +++ b/test/test-execute/exec-umask-namespace.service @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for UMask= + namespacing + +[Service] +ExecStart=/bin/ls -lahd /tmp/subdir +Type=oneshot +User=65534 +Group=65534 +TemporaryFileSystem=/tmp:ro +BindPaths=/etc:/tmp/subdir/subsub +UMask=0007 diff --git a/test/test-execute/exec-unsetenvironment.service b/test/test-execute/exec-unsetenvironment.service new file mode 100644 index 0000000..b79e3d4 --- /dev/null +++ b/test/test-execute/exec-unsetenvironment.service @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for UnsetEnvironment + +[Service] +ExecStart=/bin/sh -x -c 'test "$$FOO" = "bar" && test "$${QUUX-X}" = "X" && test "$$VAR3" = "value3" && test "$${VAR4-X}" = "X" && test "$$VAR5" = "value5" && test "$${X%b-X}" = "X"' +Type=oneshot +Environment=FOO=bar QUUX=waldo VAR3=value3 VAR4=value4 VAR5=value5 X%b=%U +UnsetEnvironment=QUUX=waldo VAR3=somethingelse VAR4 X%b=%U diff --git a/test/test-execute/exec-user-nfsnobody.service b/test/test-execute/exec-user-nfsnobody.service new file mode 100644 index 0000000..8f0943c --- /dev/null +++ b/test/test-execute/exec-user-nfsnobody.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for User + +[Service] +ExecStart=/bin/sh -x -c 'test "$$USER" = "nfsnobody"' +Type=oneshot +User=nfsnobody diff --git a/test/test-execute/exec-user-nobody.service b/test/test-execute/exec-user-nobody.service new file mode 100644 index 0000000..834d11a --- /dev/null +++ b/test/test-execute/exec-user-nobody.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for User + +[Service] +ExecStart=/bin/sh -x -c 'test "$$USER" = "nobody"' +Type=oneshot +User=nobody diff --git a/test/test-execute/exec-user.service b/test/test-execute/exec-user.service new file mode 100644 index 0000000..b9863d2 --- /dev/null +++ b/test/test-execute/exec-user.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for User (daemon) + +[Service] +ExecStart=/bin/sh -x -c 'test "$$USER" = "daemon"' +Type=oneshot +User=daemon diff --git a/test/test-execute/exec-workingdirectory-trailing-dot.service b/test/test-execute/exec-workingdirectory-trailing-dot.service new file mode 100644 index 0000000..130d9d5 --- /dev/null +++ b/test/test-execute/exec-workingdirectory-trailing-dot.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for WorkingDirectory with trailing dot + +[Service] +ExecStart=/bin/sh -x -c 'test "$$PWD" = "/tmp/test-exec_workingdirectory"' +Type=oneshot +WorkingDirectory=/tmp///./test-exec_workingdirectory/. diff --git a/test/test-execute/exec-workingdirectory.service b/test/test-execute/exec-workingdirectory.service new file mode 100644 index 0000000..b53bf60 --- /dev/null +++ b/test/test-execute/exec-workingdirectory.service @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +[Unit] +Description=Test for WorkingDirectory + +[Service] +ExecStart=/bin/sh -x -c 'test "$$PWD" = "/tmp/test-exec_workingdirectory"' +Type=oneshot +WorkingDirectory=/tmp/test-exec_workingdirectory |