Diffstat (limited to '')
-rwxr-xr-xtest/units/TEST-07-PID1.exec-context.sh (renamed from test/units/testsuite-07.exec-context.sh)19
1 files changed, 14 insertions, 5 deletions
diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh
index b44658f..a3379ef 100755
--- a/test/units/testsuite-07.exec-context.sh
+++ b/test/units/TEST-07-PID1.exec-context.sh
@@ -32,10 +32,19 @@ proc_supports_option() {
# the transient stuff from systemd-run. Let's just skip the following tests
# in that case instead of complicating the test setup even more */
if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]; then
+ if ! systemd-detect-virt -cq && command -v bootctl >/dev/null; then
+ boot_path="$(bootctl --print-boot-path)"
+ esp_path="$(bootctl --print-esp-path)"
+
+ # If the mount points are handled by automount units, make sure we trigger
+ # them before proceeding further
+ ls -l "$boot_path" "$esp_path"
+ fi
+
systemd-run --wait --pipe -p ProtectSystem=yes \
- bash -xec "test ! -w /usr; test ! -w /boot; test -w /etc; test -w /var"
+ bash -xec "test ! -w /usr; ${boot_path:+"test ! -w $boot_path; test ! -w $esp_path;"} test -w /etc; test -w /var"
systemd-run --wait --pipe -p ProtectSystem=full \
- bash -xec "test ! -w /usr; test ! -w /boot; test ! -w /etc; test -w /var"
+ bash -xec "test ! -w /usr; ${boot_path:+"test ! -w $boot_path; test ! -w $esp_path;"} test ! -w /etc; test -w /var"
systemd-run --wait --pipe -p ProtectSystem=strict \
bash -xec "test ! -w /; test ! -w /etc; test ! -w /var; test -w /dev; test -w /proc"
systemd-run --wait --pipe -p ProtectSystem=no \
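Review bot: The `${boot_path:+…}` expansion on the ProtectSystem=yes and ProtectSystem=full lines is keyed on `boot_path` alone, yet it also interpolates `$esp_path`; if `esp_path` ends up empty, the inner command becomes `test ! -w ;`, which evaluates false and fails the run for a reason unrelated to the sandbox. Guarding each path separately, e.g. `${boot_path:+"test ! -w ${boot_path@Q};"} ${esp_path:+"test ! -w ${esp_path@Q};"}`, also quotes the values before the inner `bash -xec` re-parses them (the same unquoted re-parse applies to `$LODEV` in the second hunk, whose definition is not visible here). When the outer `if` is not taken, the /boot assertion that used to be unconditional is dropped silently, so a line such as `echo "bootctl unavailable, skipping /boot and ESP write checks"` would keep the lost ProtectSystem= coverage visible in the log. The enclosing `if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]` block continues outside the hunk.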
@@ -149,13 +158,13 @@ if ! systemd-detect-virt -cq; then
-p DevicePolicy=closed
-p DevicePolicy=strict
-p DeviceAllow="char-mem rm" # Allow read & mknod for /dev/{null,zero,...}
- -p DeviceAllow="/dev/loop0 rw"
- -p DeviceAllow="/dev/loop0 w" # Allow write for /dev/loop0
+ -p DeviceAllow="$LODEV rw"
+ -p DeviceAllow="$LODEV w" # Allow write for the loop
# Everything else should be disallowed per the strict policy
)
systemd-run --wait --pipe --unit "$SERVICE_NAME" "${ARGUMENTS[@]}" \
- bash -xec 'test -r /dev/null; test ! -w /dev/null; test ! -r /dev/loop0; test -w /dev/loop0; test ! -r /dev/tty; test ! -w /dev/tty'
+ bash -xec "test -r /dev/null; test ! -w /dev/null; test ! -r $LODEV; test -w $LODEV; test ! -r /dev/tty; test ! -w /dev/tty"
if ! systemctl --version | grep -qF -- "-BPF_FRAMEWORK"; then
# SocketBind*=