Diffstat (limited to '')
-rw-r--r--test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service10
-rw-r--r--test/test-execute/exec-ambientcapabilities-merge-nobody.service10
-rw-r--r--test/test-execute/exec-ambientcapabilities-merge.service10
-rw-r--r--test/test-execute/exec-ambientcapabilities-nfsnobody.service9
-rw-r--r--test/test-execute/exec-ambientcapabilities-nobody.service9
-rw-r--r--test/test-execute/exec-ambientcapabilities.service9
-rw-r--r--test/test-execute/exec-basic.service17
-rw-r--r--test/test-execute/exec-bindpaths.service18
-rw-r--r--test/test-execute/exec-capabilityboundingset-invert.service9
-rw-r--r--test/test-execute/exec-capabilityboundingset-merge.service9
-rw-r--r--test/test-execute/exec-capabilityboundingset-reset.service9
-rw-r--r--test/test-execute/exec-capabilityboundingset-simple.service8
-rw-r--r--test/test-execute/exec-condition-failed.service12
-rw-r--r--test/test-execute/exec-condition-skip.service16
-rw-r--r--test/test-execute/exec-cpuaffinity1.service7
-rw-r--r--test/test-execute/exec-cpuaffinity2.service9
-rw-r--r--test/test-execute/exec-cpuaffinity3.service8
-rw-r--r--test/test-execute/exec-dynamicuser-fixeduser-adm.service12
-rw-r--r--test/test-execute/exec-dynamicuser-fixeduser-games.service12
-rw-r--r--test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service11
-rw-r--r--test/test-execute/exec-dynamicuser-fixeduser.service10
-rw-r--r--test/test-execute/exec-dynamicuser-runtimedirectory1.service12
-rw-r--r--test/test-execute/exec-dynamicuser-runtimedirectory2.service13
-rw-r--r--test/test-execute/exec-dynamicuser-runtimedirectory3.service12
-rw-r--r--test/test-execute/exec-dynamicuser-statedir-migrate-step1.service18
-rw-r--r--test/test-execute/exec-dynamicuser-statedir-migrate-step2.service26
-rw-r--r--test/test-execute/exec-dynamicuser-statedir.service76
-rw-r--r--test/test-execute/exec-dynamicuser-supplementarygroups.service10
-rw-r--r--test/test-execute/exec-environment-empty.service9
-rw-r--r--test/test-execute/exec-environment-multiple.service9
-rw-r--r--test/test-execute/exec-environment-no-substitute.service9
-rw-r--r--test/test-execute/exec-environment.service8
-rw-r--r--test/test-execute/exec-environmentfile.service8
-rw-r--r--test/test-execute/exec-execsearchpath-environment-path-set.service6
-rw-r--r--test/test-execute/exec-execsearchpath-environment.service6
-rw-r--r--test/test-execute/exec-execsearchpath-environmentfile-set.service9
-rw-r--r--test/test-execute/exec-execsearchpath-environmentfile.service9
-rw-r--r--test/test-execute/exec-execsearchpath-passenvironment-set.service9
-rw-r--r--test/test-execute/exec-execsearchpath-passenvironment.service9
-rw-r--r--test/test-execute/exec-execsearchpath-unit-specifier.service8
-rw-r--r--test/test-execute/exec-execsearchpath.service5
-rw-r--r--test/test-execute/exec-group-nfsnobody.service8
-rw-r--r--test/test-execute/exec-group-nobody.service8
-rw-r--r--test/test-execute/exec-group-nogroup.service8
-rw-r--r--test/test-execute/exec-group.service8
-rw-r--r--test/test-execute/exec-ignoresigpipe-no.service8
-rw-r--r--test/test-execute/exec-ignoresigpipe-yes.service8
-rw-r--r--test/test-execute/exec-inaccessiblepaths-mount-propagation.service8
-rw-r--r--test/test-execute/exec-inaccessiblepaths-sys.service8
-rw-r--r--test/test-execute/exec-ioschedulingclass-best-effort.service8
-rw-r--r--test/test-execute/exec-ioschedulingclass-idle.service8
-rw-r--r--test/test-execute/exec-ioschedulingclass-none.service9
-rw-r--r--test/test-execute/exec-ioschedulingclass-realtime.service8
-rw-r--r--test/test-execute/exec-mount-apivfs-no.service16
-rw-r--r--test/test-execute/exec-noexecpaths-simple.service11
-rw-r--r--test/test-execute/exec-oomscoreadjust-negative.service8
-rw-r--r--test/test-execute/exec-oomscoreadjust-positive.service8
-rw-r--r--test/test-execute/exec-passenvironment-absent.service8
-rw-r--r--test/test-execute/exec-passenvironment-empty.service9
-rw-r--r--test/test-execute/exec-passenvironment-repeated.service11
-rw-r--r--test/test-execute/exec-passenvironment.service8
-rw-r--r--test/test-execute/exec-personality-aarch64.service8
-rw-r--r--test/test-execute/exec-personality-loongarch64.service7
-rw-r--r--test/test-execute/exec-personality-ppc64.service8
-rw-r--r--test/test-execute/exec-personality-ppc64le.service8
-rw-r--r--test/test-execute/exec-personality-s390.service8
-rw-r--r--test/test-execute/exec-personality-x86-64.service8
-rw-r--r--test/test-execute/exec-personality-x86.service8
-rw-r--r--test/test-execute/exec-privatedevices-disabled-by-prefix.service9
-rw-r--r--test/test-execute/exec-privatedevices-no-capability-mknod.service9
-rw-r--r--test/test-execute/exec-privatedevices-no-capability-sys-rawio.service9
-rw-r--r--test/test-execute/exec-privatedevices-no.service8
-rw-r--r--test/test-execute/exec-privatedevices-yes-capability-mknod.service9
-rw-r--r--test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service9
-rw-r--r--test/test-execute/exec-privatedevices-yes-with-group.service17
-rw-r--r--test/test-execute/exec-privatedevices-yes.service8
-rw-r--r--test/test-execute/exec-privatenetwork-yes.service8
-rw-r--r--test/test-execute/exec-privatetmp-disabled-by-prefix.service9
-rw-r--r--test/test-execute/exec-privatetmp-no.service8
-rw-r--r--test/test-execute/exec-privatetmp-yes.service8
-rw-r--r--test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service10
-rw-r--r--test/test-execute/exec-protectkernellogs-no-capabilities.service9
-rw-r--r--test/test-execute/exec-protectkernellogs-yes-capabilities.service9
-rw-r--r--test/test-execute/exec-protectkernelmodules-no-capabilities.service9
-rw-r--r--test/test-execute/exec-protectkernelmodules-yes-capabilities.service9
-rw-r--r--test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service8
-rw-r--r--test/test-execute/exec-readonlypaths-mount-propagation.service8
-rw-r--r--test/test-execute/exec-readonlypaths-simple.service12
-rw-r--r--test/test-execute/exec-readonlypaths-with-bindpaths.service9
-rw-r--r--test/test-execute/exec-readonlypaths.service10
-rw-r--r--test/test-execute/exec-readwritepaths-mount-propagation.service8
-rw-r--r--test/test-execute/exec-restrictnamespaces-merge-all.service9
-rw-r--r--test/test-execute/exec-restrictnamespaces-merge-and.service10
-rw-r--r--test/test-execute/exec-restrictnamespaces-merge-or.service10
-rw-r--r--test/test-execute/exec-restrictnamespaces-mnt-deny-list.service8
-rw-r--r--test/test-execute/exec-restrictnamespaces-mnt.service8
-rw-r--r--test/test-execute/exec-restrictnamespaces-no.service8
-rw-r--r--test/test-execute/exec-restrictnamespaces-yes.service8
-rw-r--r--test/test-execute/exec-runtimedirectory-mode.service10
-rw-r--r--test/test-execute/exec-runtimedirectory-owner-nfsnobody.service10
-rw-r--r--test/test-execute/exec-runtimedirectory-owner-nobody.service10
-rw-r--r--test/test-execute/exec-runtimedirectory-owner-nogroup.service10
-rw-r--r--test/test-execute/exec-runtimedirectory-owner.service10
-rw-r--r--test/test-execute/exec-runtimedirectory.service11
-rw-r--r--test/test-execute/exec-specifier-credentials-dir.service12
-rw-r--r--test/test-execute/exec-specifier-interpolation.service7
-rw-r--r--test/test-execute/exec-specifier.service32
-rw-r--r--test/test-execute/exec-specifier@.service29
-rw-r--r--test/test-execute/exec-standardinput-data.service20
-rw-r--r--test/test-execute/exec-standardinput-file-cat.service10
-rw-r--r--test/test-execute/exec-standardinput-file.service8
-rw-r--r--test/test-execute/exec-standardoutput-append.service14
-rw-r--r--test/test-execute/exec-standardoutput-file.service14
-rw-r--r--test/test-execute/exec-standardoutput-truncate.service13
-rw-r--r--test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service11
-rw-r--r--test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service11
-rw-r--r--test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service10
-rw-r--r--test/test-execute/exec-supplementarygroups-single-group-user.service11
-rw-r--r--test/test-execute/exec-supplementarygroups-single-group.service10
-rw-r--r--test/test-execute/exec-supplementarygroups.service9
-rw-r--r--test/test-execute/exec-systemcallerrornumber-name.service9
-rw-r--r--test/test-execute/exec-systemcallerrornumber-number.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-failing.service11
-rw-r--r--test/test-execute/exec-systemcallfilter-failing2.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-failing3.service10
-rw-r--r--test/test-execute/exec-systemcallfilter-not-failing.service11
-rw-r--r--test/test-execute/exec-systemcallfilter-not-failing2.service8
-rw-r--r--test/test-execute/exec-systemcallfilter-not-failing3.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-override-error-action.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-override-error-action2.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service12
-rw-r--r--test/test-execute/exec-systemcallfilter-system-user-nobody.service12
-rw-r--r--test/test-execute/exec-systemcallfilter-system-user.service12
-rw-r--r--test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service10
-rw-r--r--test/test-execute/exec-systemcallfilter-with-errno-multi.service10
-rw-r--r--test/test-execute/exec-systemcallfilter-with-errno-name.service9
-rw-r--r--test/test-execute/exec-systemcallfilter-with-errno-number.service9
-rw-r--r--test/test-execute/exec-temporaryfilesystem-options.service17
-rw-r--r--test/test-execute/exec-temporaryfilesystem-ro.service37
-rw-r--r--test/test-execute/exec-temporaryfilesystem-rw.service37
-rw-r--r--test/test-execute/exec-temporaryfilesystem-usr.service16
-rw-r--r--test/test-execute/exec-umask-0177.service9
-rw-r--r--test/test-execute/exec-umask-default.service8
-rw-r--r--test/test-execute/exec-umask-namespace.service12
-rw-r--r--test/test-execute/exec-unsetenvironment.service9
-rw-r--r--test/test-execute/exec-user-nfsnobody.service8
-rw-r--r--test/test-execute/exec-user-nobody.service8
-rw-r--r--test/test-execute/exec-user.service8
-rw-r--r--test/test-execute/exec-workingdirectory-trailing-dot.service8
-rw-r--r--test/test-execute/exec-workingdirectory.service8
150 files changed, 1634 insertions, 0 deletions
diff --git a/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
new file mode 100644
index 0000000..4960da5
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities-merge-nfsnobody.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
+Type=oneshot
+User=nfsnobody
+AmbientCapabilities=CAP_CHOWN
+AmbientCapabilities=CAP_NET_RAW
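Review bot: The expected value `0000000000002001` in the ExecStart= line is an unexplained magic mask; a comment such as `# 0x2001 = CAP_CHOWN (bit 0) | CAP_NET_RAW (bit 13)` above it would let a reader confirm that exactly the two requested ambient capabilities, and no others, are set. The same applies to the five other exec-ambientcapabilities*.service units in this commit. The comparison is an exact string match, so it is also sensitive to the separator after `CapAmb:`: the kernel prints a tab there, and if the space shown here is really in the file (rather than an artefact of the page rendering) the test would never match.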
diff --git a/test/test-execute/exec-ambientcapabilities-merge-nobody.service b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
new file mode 100644
index 0000000..4c72b2e
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities-merge-nobody.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
+Type=oneshot
+User=nobody
+AmbientCapabilities=CAP_CHOWN
+AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities-merge.service b/test/test-execute/exec-ambientcapabilities-merge.service
new file mode 100644
index 0000000..13a5d45
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities-merge.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities (daemon)
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
+Type=oneshot
+User=daemon
+AmbientCapabilities=CAP_CHOWN
+AmbientCapabilities=CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities-nfsnobody.service b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
new file mode 100644
index 0000000..10cb440
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities-nfsnobody.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
+Type=oneshot
+User=nfsnobody
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities-nobody.service b/test/test-execute/exec-ambientcapabilities-nobody.service
new file mode 100644
index 0000000..5400cac
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities-nobody.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
+Type=oneshot
+User=nobody
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-ambientcapabilities.service b/test/test-execute/exec-ambientcapabilities.service
new file mode 100644
index 0000000..5336bec
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities (daemon)
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002001"'
+Type=oneshot
+User=daemon
+AmbientCapabilities=CAP_CHOWN CAP_NET_RAW
diff --git a/test/test-execute/exec-basic.service b/test/test-execute/exec-basic.service
new file mode 100644
index 0000000..a54aca9
--- /dev/null
+++ b/test/test-execute/exec-basic.service
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for basic execution
+ConditionKernelVersion=">=3.0"
+ConditionKernelVersion=">=2.0" "<=60" "!=1.4"
+ConditionKernelVersion=" >= 2.0" " <= 60 " "!= 1.4"
+ConditionKernelVersion=" >= 2.0" " * " "*.*"
+
+[Service]
+ExecStart=touch /tmp/a ; /bin/sh -c 'touch /tmp/b' ; touch /tmp/c
+ExecStart=test -f /tmp/a
+ExecStart=!test -f /tmp/b
+ExecStart=!!test -f /tmp/c
+ExecStartPost=rm /tmp/a /tmp/b /tmp/c
+
+PrivateTmp=true
+Type=oneshot
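Review bot: `ExecStart=!test -f /tmp/b` and `ExecStart=!!test -f /tmp/c` read like negated checks, but in systemd `!` and `!!` are executable prefixes that change privilege handling, so both lines assert that the file exists. A comment such as `# "!" and "!!" are exec prefixes, not negation: each file must exist` would prevent that misreading. The four ConditionKernelVersion= lines would also benefit from one line saying that they exercise the quoting, whitespace and glob forms of the comparison.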
diff --git a/test/test-execute/exec-bindpaths.service b/test/test-execute/exec-bindpaths.service
new file mode 100644
index 0000000..bf6968f
--- /dev/null
+++ b/test/test-execute/exec-bindpaths.service
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for BindPaths= and BindReadOnlyPaths=
+
+[Service]
+Type=oneshot
+# Create a file in /tmp/test-exec-bindpaths
+ExecStart=touch /tmp/test-exec-bindpaths/thisisasimpletest
+# Then, the file can be access through /tmp
+ExecStart=test -f /tmp/thisisasimpletest
+# Also, through /tmp/test-exec-bindreadonlypaths
+ExecStart=test -f /tmp/test-exec-bindreadonlypaths/thisisasimpletest
+# The file cannot modify through /tmp/test-exec-bindreadonlypaths
+ExecStart=/bin/sh -x -c '! touch /tmp/test-exec-bindreadonlypaths/thisisasimpletest'
+# Cleanup
+ExecStart=rm /tmp/thisisasimpletest
+BindPaths=/tmp:/tmp/test-exec-bindpaths
+BindReadOnlyPaths=/tmp:/tmp/test-exec-bindreadonlypaths
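Review bot: The cleanup `ExecStart=rm /tmp/thisisasimpletest` is skipped whenever an earlier ExecStart= fails, because a oneshot unit stops at the first failing command. The unit sets no `PrivateTmp=` and binds the host's /tmp, so a failed run leaves a file with a predictable name in the shared /tmp, where it can affect the next run. Moving the cleanup to `ExecStopPost=rm -f /tmp/thisisasimpletest` would run it on failure too. Two comments also need a wording fix: `# Then, the file can be accessed through /tmp` and `# The file cannot be modified through /tmp/test-exec-bindreadonlypaths`.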
diff --git a/test/test-execute/exec-capabilityboundingset-invert.service b/test/test-execute/exec-capabilityboundingset-invert.service
new file mode 100644
index 0000000..1b1217e
--- /dev/null
+++ b/test/test-execute/exec-capabilityboundingset-invert.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CapabilityBoundingSet
+
+[Service]
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
+Type=oneshot
+CapabilityBoundingSet=~CAP_CHOWN
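Review bot: The negated pipeline in ExecStart= succeeds whenever `grep` matches nothing, which includes the case where `capsh` is missing or fails, so the unit can pass without having inspected the bounding set at all. Unless the harness (not visible here) already skips this unit when capsh is unavailable, capture the capsh output first and fail if it is empty before applying the negated grep. Separately, `'/IAB/d'` sits inside the outer single-quoted `-c` string, so it closes and reopens that quote and works only because the adjacent segments are joined into one word; `-e "/IAB/d"` would match the quoting of the first sed expression.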
diff --git a/test/test-execute/exec-capabilityboundingset-merge.service b/test/test-execute/exec-capabilityboundingset-merge.service
new file mode 100644
index 0000000..1ed3ccb
--- /dev/null
+++ b/test/test-execute/exec-capabilityboundingset-merge.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CapabilityBoundingSet
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_chown,cap_fowner,cap_kill"'
+Type=oneshot
+CapabilityBoundingSet=CAP_FOWNER
+CapabilityBoundingSet=CAP_KILL CAP_CHOWN
diff --git a/test/test-execute/exec-capabilityboundingset-reset.service b/test/test-execute/exec-capabilityboundingset-reset.service
new file mode 100644
index 0000000..8eb142c
--- /dev/null
+++ b/test/test-execute/exec-capabilityboundingset-reset.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CapabilityBoundingSet
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set ="'
+Type=oneshot
+CapabilityBoundingSet=CAP_FOWNER CAP_KILL
+CapabilityBoundingSet=
diff --git a/test/test-execute/exec-capabilityboundingset-simple.service b/test/test-execute/exec-capabilityboundingset-simple.service
new file mode 100644
index 0000000..be5a5e5
--- /dev/null
+++ b/test/test-execute/exec-capabilityboundingset-simple.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CapabilityBoundingSet
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_fowner,cap_kill"'
+Type=oneshot
+CapabilityBoundingSet=CAP_FOWNER CAP_KILL
diff --git a/test/test-execute/exec-condition-failed.service b/test/test-execute/exec-condition-failed.service
new file mode 100644
index 0000000..342219c
--- /dev/null
+++ b/test/test-execute/exec-condition-failed.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for exec condition that fails the unit
+
+[Service]
+Type=oneshot
+
+# exit 255 will fail the unit
+ExecCondition=/bin/sh -c 'exit 255'
+
+# This should not get run
+ExecStart=/bin/sh -c 'true'
diff --git a/test/test-execute/exec-condition-skip.service b/test/test-execute/exec-condition-skip.service
new file mode 100644
index 0000000..b69e161
--- /dev/null
+++ b/test/test-execute/exec-condition-skip.service
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for exec condition that triggers skipping
+
+[Service]
+Type=oneshot
+
+# exit codes [1, 254] will result in skipping the rest of execution
+ExecCondition=/bin/sh -c 'exit 0'
+ExecCondition=/bin/sh -c 'exit 254'
+
+# This would normally fail the unit but will not get run due to the skip above
+ExecCondition=/bin/sh -c 'exit 255'
+
+# This should not get run
+ExecStart=/bin/sh -c 'true'
diff --git a/test/test-execute/exec-cpuaffinity1.service b/test/test-execute/exec-cpuaffinity1.service
new file mode 100644
index 0000000..2a8544a
--- /dev/null
+++ b/test/test-execute/exec-cpuaffinity1.service
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CPUAffinity (simple)
+
+[Service]
+ExecStart=/bin/sh -c 'test $$(cat /proc/self/status | grep Cpus_allowed: | rev | cut -c 1) = 1'
+CPUAffinity=0
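Review bot: The check `rev | cut -c 1` compares only the last hex digit of `Cpus_allowed:`, so it verifies CPUs 0–3 and says nothing about whether higher-numbered CPUs were excluded from the mask; a comment stating that limitation, or a comparison of the whole mask, would make the coverage explicit. The same expression is used in exec-cpuaffinity2.service and exec-cpuaffinity3.service, and the latter expects `7`, which presumably needs at least three CPUs online (the harness is not visible here). These three units also omit `Type=oneshot`, unlike the other units in this commit, and `grep Cpus_allowed: /proc/self/status` would avoid the extra `cat`.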
diff --git a/test/test-execute/exec-cpuaffinity2.service b/test/test-execute/exec-cpuaffinity2.service
new file mode 100644
index 0000000..bed48c8
--- /dev/null
+++ b/test/test-execute/exec-cpuaffinity2.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CPUAffinity (reset)
+
+[Service]
+ExecStart=/bin/sh -c 'test $$(cat /proc/self/status | grep Cpus_allowed: | rev | cut -c 1) = 1'
+CPUAffinity=0-1 3
+CPUAffinity=
+CPUAffinity=0
diff --git a/test/test-execute/exec-cpuaffinity3.service b/test/test-execute/exec-cpuaffinity3.service
new file mode 100644
index 0000000..774cd64
--- /dev/null
+++ b/test/test-execute/exec-cpuaffinity3.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for CPUAffinity (merge)
+
+[Service]
+ExecStart=/bin/sh -c 'test $$(cat /proc/self/status | grep Cpus_allowed: | rev | cut -c 1) = 7'
+CPUAffinity=0,1
+CPUAffinity=1-2
diff --git a/test/test-execute/exec-dynamicuser-fixeduser-adm.service b/test/test-execute/exec-dynamicuser-fixeduser-adm.service
new file mode 100644
index 0000000..daaed6c
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-fixeduser-adm.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser with static User= whose uid and gid are different
+# On Fedora, user adm has uid==3 and gid==4.
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "adm" && test "$$(id -ng)" = "adm" && test "$$(id -nu)" = "adm"'
+# Multiple ExecStart= lines causes the issue #9702.
+ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "adm" && test "$$(id -ng)" = "adm" && test "$$(id -nu)" = "adm"'
+DynamicUser=yes
+User=adm
diff --git a/test/test-execute/exec-dynamicuser-fixeduser-games.service b/test/test-execute/exec-dynamicuser-fixeduser-games.service
new file mode 100644
index 0000000..db8b88e
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-fixeduser-games.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser with static User= whose uid and gid are different
+# On Ubuntu or Debian, user games has uid==5 and gid==60.
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "games" && test "$$(id -ng)" = "games" && test "$$(id -nu)" = "games"'
+# Multiple ExecStart= lines causes the issue #9702.
+ExecStart=/bin/sh -x -c 'test "$$(id -nG)" = "games" && test "$$(id -ng)" = "games" && test "$$(id -nu)" = "games"'
+DynamicUser=yes
+User=games
diff --git a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
new file mode 100644
index 0000000..bbb1af5
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser with User= and SupplementaryGroups=
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+DynamicUser=yes
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-dynamicuser-fixeduser.service b/test/test-execute/exec-dynamicuser-fixeduser.service
new file mode 100644
index 0000000..c5828c2
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-fixeduser.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser with User=
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+DynamicUser=yes
diff --git a/test/test-execute/exec-dynamicuser-runtimedirectory1.service b/test/test-execute/exec-dynamicuser-runtimedirectory1.service
new file mode 100644
index 0000000..790279a
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-runtimedirectory1.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory with RuntimeDirectoryPreserve=yes and DynamicUser=yes
+
+[Service]
+ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectorypreserve'
+ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectorypreserve"'
+ExecStart=/bin/sh -x -c 'touch $$RUNTIME_DIRECTORY/test'
+Type=oneshot
+RuntimeDirectory=test-exec_runtimedirectorypreserve
+RuntimeDirectoryPreserve=yes
+DynamicUser=yes
diff --git a/test/test-execute/exec-dynamicuser-runtimedirectory2.service b/test/test-execute/exec-dynamicuser-runtimedirectory2.service
new file mode 100644
index 0000000..18df74e
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-runtimedirectory2.service
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory with RuntimeDirectoryPreserve=yes and DynamicUser=yes 2nd trial
+
+[Service]
+ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectorypreserve'
+ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectorypreserve"'
+ExecStart=/bin/sh -x -c 'test -f $$RUNTIME_DIRECTORY/test'
+ExecStart=/bin/sh -x -c 'touch $$RUNTIME_DIRECTORY/test'
+Type=oneshot
+RuntimeDirectory=test-exec_runtimedirectorypreserve
+RuntimeDirectoryPreserve=yes
+DynamicUser=yes
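Review bot: `test -f $$RUNTIME_DIRECTORY/test` passes only if exec-dynamicuser-runtimedirectory1.service ran earlier and its preserved directory is still present, but nothing in this unit says so. A comment such as `# requires exec-dynamicuser-runtimedirectory1.service to have run first` above that line would document the ordering; exec-dynamicuser-runtimedirectory3.service has the same dependency. `$$RUNTIME_DIRECTORY` is also expanded unquoted in the `test -f` and `touch` commands, unlike the quoted comparison on the line before them.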
diff --git a/test/test-execute/exec-dynamicuser-runtimedirectory3.service b/test/test-execute/exec-dynamicuser-runtimedirectory3.service
new file mode 100644
index 0000000..831a808
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-runtimedirectory3.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory with DynamicUser=yes migrated from RuntimeDirectoryPreserve=yes
+
+[Service]
+ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectorypreserve'
+ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectorypreserve"'
+ExecStart=/bin/sh -x -c 'test -f $$RUNTIME_DIRECTORY/test'
+ExecStart=/bin/sh -x -c 'touch $$RUNTIME_DIRECTORY/test'
+Type=oneshot
+RuntimeDirectory=test-exec_runtimedirectorypreserve
+DynamicUser=yes
diff --git a/test/test-execute/exec-dynamicuser-statedir-migrate-step1.service b/test/test-execute/exec-dynamicuser-statedir-migrate-step1.service
new file mode 100644
index 0000000..1c79e4f
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-statedir-migrate-step1.service
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser= migrate StateDirectory= (preparation)
+
+[Service]
+ExecStart=test -w /var/lib/test-dynamicuser-migrate
+ExecStart=test -w /var/lib/test-dynamicuser-migrate2/hoge
+ExecStart=test ! -L /var/lib/test-dynamicuser-migrate
+ExecStart=test ! -L /var/lib/test-dynamicuser-migrate2/hoge
+ExecStart=test -d /var/lib/test-dynamicuser-migrate
+ExecStart=test -d /var/lib/test-dynamicuser-migrate2/hoge
+ExecStart=touch /var/lib/test-dynamicuser-migrate/yay
+ExecStart=touch /var/lib/test-dynamicuser-migrate2/hoge/yayyay
+ExecStart=/bin/sh -x -c 'test "$$STATE_DIRECTORY" = "%S/test-dynamicuser-migrate:%S/test-dynamicuser-migrate2/hoge"'
+
+Type=oneshot
+DynamicUser=no
+StateDirectory=test-dynamicuser-migrate test-dynamicuser-migrate2/hoge
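Review bot: The ExecStart= checks hard-code `/var/lib/...` while the final STATE_DIRECTORY comparison uses `%S`, so the two agree only when the state directory root resolves to /var/lib. Using `%S/test-dynamicuser-migrate` and `%S/test-dynamicuser-migrate2/hoge` throughout would keep the unit self-consistent. The same mix appears in exec-dynamicuser-statedir-migrate-step2.service and exec-dynamicuser-statedir.service. Step 2 relies on the files this unit creates, so a comment naming that ordering, e.g. `# must run before exec-dynamicuser-statedir-migrate-step2.service`, would also help.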
diff --git a/test/test-execute/exec-dynamicuser-statedir-migrate-step2.service b/test/test-execute/exec-dynamicuser-statedir-migrate-step2.service
new file mode 100644
index 0000000..015b74c
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-statedir-migrate-step2.service
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser= migrate StateDirectory=
+
+[Service]
+ExecStart=test -w /var/lib/test-dynamicuser-migrate
+ExecStart=test -w /var/lib/test-dynamicuser-migrate2/hoge
+ExecStart=test -L /var/lib/test-dynamicuser-migrate
+ExecStart=test -L /var/lib/test-dynamicuser-migrate2/hoge
+ExecStart=test -d /var/lib/test-dynamicuser-migrate
+ExecStart=test -d /var/lib/test-dynamicuser-migrate2/hoge
+ExecStart=test -f /var/lib/test-dynamicuser-migrate/yay
+ExecStart=test -f /var/lib/test-dynamicuser-migrate2/hoge/yayyay
+ExecStart=test -d /var/lib/private/test-dynamicuser-migrate
+ExecStart=test -d /var/lib/private/test-dynamicuser-migrate2/hoge
+ExecStart=test -f /var/lib/private/test-dynamicuser-migrate/yay
+ExecStart=test -f /var/lib/private/test-dynamicuser-migrate2/hoge/yayyay
+ExecStart=touch /var/lib/test-dynamicuser-migrate/yay
+ExecStart=touch /var/lib/test-dynamicuser-migrate2/hoge/yayyay
+ExecStart=touch /var/lib/private/test-dynamicuser-migrate/yay
+ExecStart=touch /var/lib/private/test-dynamicuser-migrate2/hoge/yayyay
+ExecStart=/bin/sh -x -c 'test "$$STATE_DIRECTORY" = "%S/test-dynamicuser-migrate:%S/test-dynamicuser-migrate2/hoge"'
+
+Type=oneshot
+DynamicUser=yes
+StateDirectory=test-dynamicuser-migrate test-dynamicuser-migrate2/hoge
diff --git a/test/test-execute/exec-dynamicuser-statedir.service b/test/test-execute/exec-dynamicuser-statedir.service
new file mode 100644
index 0000000..b33b4da
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-statedir.service
@@ -0,0 +1,76 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser= with StateDirectory=
+
+[Service]
+ExecStart=test -w /var/lib/waldo
+ExecStart=test -w /var/lib/quux/pief
+ExecStart=test -w /var/lib/aaa
+ExecStart=test -w /var/lib/aaa/bbb
+ExecStart=test -w /var/lib/aaa/ccc
+ExecStart=test -w /var/lib/xxx
+ExecStart=test -w /var/lib/xxx/yyy
+ExecStart=test -w /var/lib/xxx/zzz
+ExecStart=test -w /var/lib/aaa/111
+ExecStart=test -w /var/lib/aaa/222
+ExecStart=test -w /var/lib/aaa/333
+
+ExecStart=test -d /var/lib/waldo
+ExecStart=test -d /var/lib/quux/pief
+ExecStart=test -d /var/lib/aaa
+ExecStart=test -d /var/lib/aaa/bbb
+ExecStart=test -d /var/lib/aaa/ccc
+ExecStart=test -d /var/lib/xxx
+ExecStart=test -d /var/lib/xxx/yyy
+ExecStart=test -d /var/lib/xxx/zzz
+ExecStart=test -L /var/lib/aaa/111
+ExecStart=test -L /var/lib/aaa/222
+ExecStart=test -L /var/lib/aaa/333
+
+ExecStart=touch /var/lib/waldo/hoge
+ExecStart=touch /var/lib/quux/pief/hoge
+ExecStart=touch /var/lib/aaa/hoge
+ExecStart=touch /var/lib/aaa/bbb/hoge
+ExecStart=touch /var/lib/aaa/ccc/hoge
+ExecStart=touch /var/lib/xxx/hoge
+ExecStart=touch /var/lib/xxx/yyy/hoge
+ExecStart=touch /var/lib/xxx/zzz/hoge
+ExecStart=touch /var/lib/aaa/111/foo
+ExecStart=touch /var/lib/aaa/222/foo
+ExecStart=touch /var/lib/aaa/333/foo
+
+ExecStart=test -f /var/lib/waldo/hoge
+ExecStart=test -f /var/lib/quux/pief/hoge
+ExecStart=test -f /var/lib/aaa/hoge
+ExecStart=test -f /var/lib/aaa/bbb/hoge
+ExecStart=test -f /var/lib/aaa/ccc/hoge
+ExecStart=test -f /var/lib/xxx/hoge
+ExecStart=test -f /var/lib/xxx/yyy/hoge
+ExecStart=test -f /var/lib/xxx/zzz/hoge
+ExecStart=test -f /var/lib/aaa/111/foo
+ExecStart=test -f /var/lib/aaa/222/foo
+ExecStart=test -f /var/lib/aaa/333/foo
+ExecStart=test -f /var/lib/xxx/foo
+ExecStart=test -f /var/lib/xxx/yyy/foo
+ExecStart=test -f /var/lib/xxx/zzz/foo
+
+ExecStart=test -f /var/lib/private/waldo/hoge
+ExecStart=test -f /var/lib/private/quux/pief/hoge
+ExecStart=test -f /var/lib/private/aaa/hoge
+ExecStart=test -f /var/lib/private/aaa/bbb/hoge
+ExecStart=test -f /var/lib/private/aaa/ccc/hoge
+ExecStart=test -f /var/lib/private/xxx/hoge
+ExecStart=test -f /var/lib/private/xxx/yyy/hoge
+ExecStart=test -f /var/lib/private/xxx/zzz/hoge
+ExecStart=test -f /var/lib/private/aaa/111/foo
+ExecStart=test -f /var/lib/private/aaa/222/foo
+ExecStart=test -f /var/lib/private/aaa/333/foo
+ExecStart=test -f /var/lib/private/xxx/foo
+ExecStart=test -f /var/lib/private/xxx/yyy/foo
+ExecStart=test -f /var/lib/private/xxx/zzz/foo
+
+ExecStart=sh -x -c 'test "$$STATE_DIRECTORY" = "%S/aaa:%S/aaa/bbb:%S/aaa/ccc:%S/quux/pief:%S/waldo:%S/xxx:%S/xxx/yyy:%S/xxx/zzz"'
+
+Type=oneshot
+DynamicUser=yes
+StateDirectory=waldo quux/pief aaa/bbb aaa aaa/ccc xxx/yyy:aaa/111 xxx:aaa/222 xxx/zzz:aaa/333
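Review bot: The `dir:link` entries in `StateDirectory=` (`xxx/yyy:aaa/111`, `xxx:aaa/222`, `xxx/zzz:aaa/333`) are what make the `test -L /var/lib/aaa/111` checks and the `test -f /var/lib/xxx/foo` checks pass, yet the unit carries no comment explaining them. One line above StateDirectory=, such as `# "dir:link" creates dir plus a symlink link -> dir, so files touched via aaa/NNN land under xxx`, would make this 76-line file much easier to follow. The final command also uses `sh -x -c` where every other shell invocation in this commit uses `/bin/sh`.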
diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service
new file mode 100644
index 0000000..d601af2
--- /dev/null
+++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test DynamicUser with SupplementaryGroups=
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
+Type=oneshot
+DynamicUser=yes
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-environment-empty.service b/test/test-execute/exec-environment-empty.service
new file mode 100644
index 0000000..6c31186
--- /dev/null
+++ b/test/test-execute/exec-environment-empty.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Environment
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2-unset}" = "unset" && test "$${VAR3-unset}" = "unset"'
+Type=oneshot
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
+Environment=
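Review bot: The line `Description=Test for Environment` is identical in exec-environment-empty.service, exec-environment-multiple.service and exec-environment.service, so a failure reported by description alone does not say which case broke. A distinct text per unit would help, for example `Description=Test for Environment= cleared by an empty assignment` here.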
diff --git a/test/test-execute/exec-environment-multiple.service b/test/test-execute/exec-environment-multiple.service
new file mode 100644
index 0000000..d9b8d22
--- /dev/null
+++ b/test/test-execute/exec-environment-multiple.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Environment
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = foobar'
+Type=oneshot
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
+Environment="VAR3=foobar"
diff --git a/test/test-execute/exec-environment-no-substitute.service b/test/test-execute/exec-environment-no-substitute.service
new file mode 100644
index 0000000..b5cb2a4
--- /dev/null
+++ b/test/test-execute/exec-environment-no-substitute.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for No Environment Variable Substitution
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2}" = "word3" && test "$${VAR3-unset}" = \'$word 5 6\''
+ExecStart=:/bin/sh -x -c 'test "$${VAR1-unset}" != "unset" && test "$${VAR2}" != "word3" && test "$${VAR3-unset}" != \'$word 5 6\''
+Type=oneshot
+Environment="VAR2=word3" "VAR3=$word 5 6"
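Review bot: Neither ExecStart line says what it checks, and the second one depends on the `:` prefix in a way that is easy to misread. Presumably `:` switches off the manager's variable substitution, so the shell receives the doubled dollar sign unchanged and none of the values match, which is why every comparison is inverted to `!=`. A comment above each line would make that explicit, e.g. `# ':' prefix: the manager performs no substitution, so no comparison may match`.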
diff --git a/test/test-execute/exec-environment.service b/test/test-execute/exec-environment.service
new file mode 100644
index 0000000..5655be0
--- /dev/null
+++ b/test/test-execute/exec-environment.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Environment
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6"'
+Type=oneshot
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
diff --git a/test/test-execute/exec-environmentfile.service b/test/test-execute/exec-environmentfile.service
new file mode 100644
index 0000000..4ad5a9b
--- /dev/null
+++ b/test/test-execute/exec-environmentfile.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for EnvironmentFile
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes'
+Type=oneshot
+EnvironmentFile=/tmp/test-exec_environmentfile.conf
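Review bot: `EnvironmentFile=/tmp/test-exec_environmentfile.conf` loads values from a fixed name in a world-writable directory, and nothing in the unit shows who creates the file. If the harness (outside this diff) runs privileged on a shared machine, another local account could create that name first and decide what the unit loads. The same pattern appears in the exec-execsearchpath-environmentfile units, in `RootDirectory=/tmp/test-exec-mount-apivfs-no/root`, and in exec-execsearchpath.service, where `ls_temp` is resolved from `/tmp/test-exec_execsearchpath`. Pointing the units at a harness-created private directory with restrictive permissions would remove the dependency on a predictable path. At minimum, a comment such as `# fixture written by the test harness before this unit starts` would document the assumption.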
diff --git a/test/test-execute/exec-execsearchpath-environment-path-set.service b/test/test-execute/exec-execsearchpath-environment-path-set.service
new file mode 100644
index 0000000..5969cc6
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-environment-path-set.service
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$PATH" = "/usr" && test "$$VAR1" = word3 && test "$$VAR2" = "\\$$word 5 6"'
+Type=oneshot
+ExecSearchPath=/tmp:/bin
+Environment="PATH=/usr" VAR1=word3 "VAR2=$word 5 6"
diff --git a/test/test-execute/exec-execsearchpath-environment.service b/test/test-execute/exec-execsearchpath-environment.service
new file mode 100644
index 0000000..b0fa6a3
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-environment.service
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$PATH" = "/tmp:/bin"'
+Type=oneshot
+ExecSearchPath=/tmp:/bin
+Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
diff --git a/test/test-execute/exec-execsearchpath-environmentfile-set.service b/test/test-execute/exec-execsearchpath-environmentfile-set.service
new file mode 100644
index 0000000..5f55a4b
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-environmentfile-set.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for ExecSearchPath with EnvironmentFile where EnvironmentFile sets PATH
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = /usr'
+Type=oneshot
+EnvironmentFile=/tmp/test-exec_execsearchpath_environmentfile-set.conf
+ExecSearchPath=/tmp:/bin
diff --git a/test/test-execute/exec-execsearchpath-environmentfile.service b/test/test-execute/exec-execsearchpath-environmentfile.service
new file mode 100644
index 0000000..b8335bc
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-environmentfile.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for ExecSearchPath with EnvironmentFile where EnvironmentFile does not set PATH
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = "/tmp:/bin"'
+Type=oneshot
+ExecSearchPath=/tmp:/bin
+EnvironmentFile=/tmp/test-exec_execsearchpath_environmentfile.conf
diff --git a/test/test-execute/exec-execsearchpath-passenvironment-set.service b/test/test-execute/exec-execsearchpath-passenvironment-set.service
new file mode 100644
index 0000000..a151161
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-passenvironment-set.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PassEnvironment with ExecSearchPath with PATH set by user
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = "/usr"'
+Type=oneshot
+PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5 PATH
+ExecSearchPath=/tmp:/bin
diff --git a/test/test-execute/exec-execsearchpath-passenvironment.service b/test/test-execute/exec-execsearchpath-passenvironment.service
new file mode 100644
index 0000000..d8a41c1
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-passenvironment.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PassEnvironment with ExecSearchPath with PATH not set by user
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes && test "$$PATH" = "/tmp:/bin"'
+Type=oneshot
+PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5
+ExecSearchPath=/tmp:/bin
diff --git a/test/test-execute/exec-execsearchpath-unit-specifier.service b/test/test-execute/exec-execsearchpath-unit-specifier.service
new file mode 100644
index 0000000..30d6b32
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath-unit-specifier.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for specifiers with exec search path
+
+[Service]
+Type=oneshot
+ExecSearchPath=/tmp:/bin:/usr/bin:%V
+ExecStart=/bin/sh -x -c 'test %V = /var/tmp && test "$$PATH" = "/tmp:/bin:/usr/bin:/var/tmp"'
diff --git a/test/test-execute/exec-execsearchpath.service b/test/test-execute/exec-execsearchpath.service
new file mode 100644
index 0000000..150afe2
--- /dev/null
+++ b/test/test-execute/exec-execsearchpath.service
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Service]
+ExecStart=ls_temp
+Type=oneshot
+ExecSearchPath=/tmp/test-exec_execsearchpath
diff --git a/test/test-execute/exec-group-nfsnobody.service b/test/test-execute/exec-group-nfsnobody.service
new file mode 100644
index 0000000..a1e59c5
--- /dev/null
+++ b/test/test-execute/exec-group-nfsnobody.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nfsnobody"'
+Type=oneshot
+Group=nfsnobody
diff --git a/test/test-execute/exec-group-nobody.service b/test/test-execute/exec-group-nobody.service
new file mode 100644
index 0000000..58dce1e
--- /dev/null
+++ b/test/test-execute/exec-group-nobody.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nobody"'
+Type=oneshot
+Group=nobody
diff --git a/test/test-execute/exec-group-nogroup.service b/test/test-execute/exec-group-nogroup.service
new file mode 100644
index 0000000..7f16729
--- /dev/null
+++ b/test/test-execute/exec-group-nogroup.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "nogroup"'
+Type=oneshot
+Group=nogroup
diff --git a/test/test-execute/exec-group.service b/test/test-execute/exec-group.service
new file mode 100644
index 0000000..9f21557
--- /dev/null
+++ b/test/test-execute/exec-group.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Group (daemon)
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"'
+Type=oneshot
+Group=daemon
diff --git a/test/test-execute/exec-ignoresigpipe-no.service b/test/test-execute/exec-ignoresigpipe-no.service
new file mode 100644
index 0000000..e972481
--- /dev/null
+++ b/test/test-execute/exec-ignoresigpipe-no.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for IgnoreSIGPIPE=no
+
+[Service]
+ExecStart=/bin/sh -x -c 'kill -PIPE 0'
+Type=oneshot
+IgnoreSIGPIPE=no
diff --git a/test/test-execute/exec-ignoresigpipe-yes.service b/test/test-execute/exec-ignoresigpipe-yes.service
new file mode 100644
index 0000000..ee3aa9a
--- /dev/null
+++ b/test/test-execute/exec-ignoresigpipe-yes.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for IgnoreSIGPIPE=yes
+
+[Service]
+ExecStart=/bin/sh -x -c 'kill -PIPE 0'
+Type=oneshot
+IgnoreSIGPIPE=yes
diff --git a/test/test-execute/exec-inaccessiblepaths-mount-propagation.service b/test/test-execute/exec-inaccessiblepaths-mount-propagation.service
new file mode 100644
index 0000000..520bc53
--- /dev/null
+++ b/test/test-execute/exec-inaccessiblepaths-mount-propagation.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test to make sure that InaccessiblePaths= disconnect mount propagation
+
+[Service]
+InaccessiblePaths=-/i-dont-exist
+ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo'
+Type=oneshot
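Review bot: The one-line script and the `InaccessiblePaths=-/i-dont-exist` setting carry the whole test but have no comment. From the visible lines, the `-` prefix tolerates the missing path, and the script mounts a tmpfs and asserts that it appears in its own mountinfo but not in the parent's or PID 1's. I would add `# presumably only needed to force a private mount namespace; the path need not exist` above the setting and `# the tmpfs must be visible here but not to the parent or PID 1` above ExecStart. Using `grep -F` would also stop the `.` in the mktemp name from acting as a regex wildcard. The same lines recur in exec-protectkernelmodules-yes-mount-propagation.service and exec-readonlypaths-mount-propagation.service.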
diff --git a/test/test-execute/exec-inaccessiblepaths-sys.service b/test/test-execute/exec-inaccessiblepaths-sys.service
new file mode 100644
index 0000000..0d64aa1
--- /dev/null
+++ b/test/test-execute/exec-inaccessiblepaths-sys.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test to make sure that mount namespace setup works properly with the 'InaccessiblePaths=/proc' option
+
+[Service]
+InaccessiblePaths=/sys
+ExecStart=/bin/sh -x -c 'test "$$(stat -c %%a /sys)" = "0"'
+Type=oneshot
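Review bot: The Description names `InaccessiblePaths=/proc`, but the unit sets `InaccessiblePaths=/sys` and the check stats `/sys`. The text should match what is tested: `Description=Test to make sure that mount namespace setup works properly with the 'InaccessiblePaths=/sys' option`.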
diff --git a/test/test-execute/exec-ioschedulingclass-best-effort.service b/test/test-execute/exec-ioschedulingclass-best-effort.service
new file mode 100644
index 0000000..3b946b7
--- /dev/null
+++ b/test/test-execute/exec-ioschedulingclass-best-effort.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for IOSchedulingClass=best-effort
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "best-effort"'
+Type=oneshot
+IOSchedulingClass=best-effort
diff --git a/test/test-execute/exec-ioschedulingclass-idle.service b/test/test-execute/exec-ioschedulingclass-idle.service
new file mode 100644
index 0000000..b1e64bb
--- /dev/null
+++ b/test/test-execute/exec-ioschedulingclass-idle.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for IOSchedulingClass=idle
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "idle"'
+Type=oneshot
+IOSchedulingClass=idle
diff --git a/test/test-execute/exec-ioschedulingclass-none.service b/test/test-execute/exec-ioschedulingclass-none.service
new file mode 100644
index 0000000..0494d45
--- /dev/null
+++ b/test/test-execute/exec-ioschedulingclass-none.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for IOSchedulingClass=none
+
+[Service]
+# Old kernels might report "none" here, new kernels "best-effort".
+ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "none" -o "$${c%%:*}" = "best-effort"'
+Type=oneshot
+IOSchedulingClass=none
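Review bot: The `-o` operator inside `test` is marked obsolescent by POSIX, and its parsing becomes ambiguous when an operand looks like an operator. Two tests joined by the shell are unambiguous: `test "$${c%%:*}" = "none" || test "$${c%%:*}" = "best-effort"`. exec-personality-x86.service uses the same `-o` form.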
diff --git a/test/test-execute/exec-ioschedulingclass-realtime.service b/test/test-execute/exec-ioschedulingclass-realtime.service
new file mode 100644
index 0000000..ef8e2eb
--- /dev/null
+++ b/test/test-execute/exec-ioschedulingclass-realtime.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for IOSchedulingClass=realtime
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "realtime"'
+Type=oneshot
+IOSchedulingClass=realtime
diff --git a/test/test-execute/exec-mount-apivfs-no.service b/test/test-execute/exec-mount-apivfs-no.service
new file mode 100644
index 0000000..3fec1b7
--- /dev/null
+++ b/test/test-execute/exec-mount-apivfs-no.service
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for find_executable() with MountAPIVFS=no
+
+[Service]
+Type=oneshot
+
+MountAPIVFS=false
+PrivateDevices=false
+PrivateMounts=true
+PrivateTmp=false
+PrivateUsers=false
+ProtectControlGroups=false
+ProtectKernelModules=false
+ProtectKernelTunables=false
+RootDirectory=/tmp/test-exec-mount-apivfs-no/root
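Review bot: The unit has no `ExecStart=` line and no comment saying where the command comes from, so on its own it reads as an incomplete service. Presumably the harness adds the command at run time after populating the root directory. A comment such as `# ExecStart= is added by the test harness once the root directory is populated` would make that explicit. One line explaining why the sandboxing options are pinned to `false` would also help, since the reason is not visible in this file.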
diff --git a/test/test-execute/exec-noexecpaths-simple.service b/test/test-execute/exec-noexecpaths-simple.service
new file mode 100644
index 0000000..5d954da
--- /dev/null
+++ b/test/test-execute/exec-noexecpaths-simple.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for NoExecPaths=
+
+[Service]
+Type=oneshot
+# This should work, as we explicitly disable the effect of NoExecPaths=
+ExecStart=+/bin/sh -c '/bin/cat /dev/null'
+# This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code
+ExecStart=/bin/sh -x -c '! /bin/cat /dev/null'
+NoExecPaths=/bin/cat
diff --git a/test/test-execute/exec-oomscoreadjust-negative.service b/test/test-execute/exec-oomscoreadjust-negative.service
new file mode 100644
index 0000000..25b5f1f
--- /dev/null
+++ b/test/test-execute/exec-oomscoreadjust-negative.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for OOMScoreAdjust
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/oom_score_adj); test "$$c" -eq -100'
+Type=oneshot
+OOMScoreAdjust=-100
diff --git a/test/test-execute/exec-oomscoreadjust-positive.service b/test/test-execute/exec-oomscoreadjust-positive.service
new file mode 100644
index 0000000..ea6c23f
--- /dev/null
+++ b/test/test-execute/exec-oomscoreadjust-positive.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for OOMScoreAdjust
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/oom_score_adj); test "$$c" -eq 100'
+Type=oneshot
+OOMScoreAdjust=100
diff --git a/test/test-execute/exec-passenvironment-absent.service b/test/test-execute/exec-passenvironment-absent.service
new file mode 100644
index 0000000..6b19a12
--- /dev/null
+++ b/test/test-execute/exec-passenvironment-absent.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PassEnvironment with variables absent from the execution environment
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2-unset}" = "unset" && test "$${VAR3-unset}" = "unset" && test "$${VAR4-unset}" = "unset" && test "$${VAR5-unset}" = "unset"'
+Type=oneshot
+PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5
diff --git a/test/test-execute/exec-passenvironment-empty.service b/test/test-execute/exec-passenvironment-empty.service
new file mode 100644
index 0000000..6ffc5e7
--- /dev/null
+++ b/test/test-execute/exec-passenvironment-empty.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PassEnvironment and erasing the variable list
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2-unset}" = "unset" && test "$${VAR3-unset}" = "unset" && test "$${VAR4-unset}" = "unset" && test "$${VAR5-unset}" = "unset"'
+Type=oneshot
+PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5
+PassEnvironment=
diff --git a/test/test-execute/exec-passenvironment-repeated.service b/test/test-execute/exec-passenvironment-repeated.service
new file mode 100644
index 0000000..b8e904f
--- /dev/null
+++ b/test/test-execute/exec-passenvironment-repeated.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PassEnvironment with a variable name repeated
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes'
+Type=oneshot
+PassEnvironment=VAR1 VAR2
+PassEnvironment=VAR1 VAR3
+PassEnvironment=VAR1 VAR4
+PassEnvironment=VAR1 VAR5
diff --git a/test/test-execute/exec-passenvironment.service b/test/test-execute/exec-passenvironment.service
new file mode 100644
index 0000000..b69592a
--- /dev/null
+++ b/test/test-execute/exec-passenvironment.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PassEnvironment
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$VAR1" = "word1 word2" && test "$$VAR2" = word3 && test "$$VAR3" = "\\$$word 5 6" && test "$$VAR4" = "new\nline" && test "$$VAR5" = passwordwithbackslashes'
+Type=oneshot
+PassEnvironment=VAR1 VAR2 VAR3 VAR4 VAR5
diff --git a/test/test-execute/exec-personality-aarch64.service b/test/test-execute/exec-personality-aarch64.service
new file mode 100644
index 0000000..0783a87
--- /dev/null
+++ b/test/test-execute/exec-personality-aarch64.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Personality=aarch64
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "aarch64")'
+Type=oneshot
+Personality=aarch64
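Review bot: This ExecStart is written differently from the s390 and x86-64 personality units in the same diff. It uses a single `$` before `(`, which appears to rely on the manager leaving that sequence untouched. It leaves the `uname -m` output unquoted. And it derives the exit code from `exit` with an empty argument, falling back to the status of the command substitution. The form used for s390 is clearer and also enables `-x` tracing: `ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "aarch64"'`. The loongarch64, ppc64 and ppc64le units share the same construction.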
diff --git a/test/test-execute/exec-personality-loongarch64.service b/test/test-execute/exec-personality-loongarch64.service
new file mode 100644
index 0000000..0531ad1
--- /dev/null
+++ b/test/test-execute/exec-personality-loongarch64.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Test for Personality=loongarch64
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "loongarch64")'
+Type=oneshot
+Personality=loongarch64
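Review bot: The SPDX header is missing from this file, while every other unit file visible in this diff starts with one. Add `# SPDX-License-Identifier: LGPL-2.1-or-later` as the first line so licence scanners treat the file like its siblings.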
diff --git a/test/test-execute/exec-personality-ppc64.service b/test/test-execute/exec-personality-ppc64.service
new file mode 100644
index 0000000..72f063a
--- /dev/null
+++ b/test/test-execute/exec-personality-ppc64.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Personality=ppc64
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "ppc64")'
+Type=oneshot
+Personality=ppc64
diff --git a/test/test-execute/exec-personality-ppc64le.service b/test/test-execute/exec-personality-ppc64le.service
new file mode 100644
index 0000000..5e38029
--- /dev/null
+++ b/test/test-execute/exec-personality-ppc64le.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Personality=ppc64le
+
+[Service]
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "ppc64le")'
+Type=oneshot
+Personality=ppc64le
diff --git a/test/test-execute/exec-personality-s390.service b/test/test-execute/exec-personality-s390.service
new file mode 100644
index 0000000..439dc5f
--- /dev/null
+++ b/test/test-execute/exec-personality-s390.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Personality=s390
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "s390"'
+Type=oneshot
+Personality=s390
diff --git a/test/test-execute/exec-personality-x86-64.service b/test/test-execute/exec-personality-x86-64.service
new file mode 100644
index 0000000..c6a0a40
--- /dev/null
+++ b/test/test-execute/exec-personality-x86-64.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Personality=x86-64
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "x86_64"'
+Type=oneshot
+Personality=x86-64
diff --git a/test/test-execute/exec-personality-x86.service b/test/test-execute/exec-personality-x86.service
new file mode 100644
index 0000000..8b820b3
--- /dev/null
+++ b/test/test-execute/exec-personality-x86.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Personality=x86
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(uname -m); test "$$c" = "i686" -o "$$c" = "x86_64"'
+Type=oneshot
+Personality=x86
diff --git a/test/test-execute/exec-privatedevices-disabled-by-prefix.service b/test/test-execute/exec-privatedevices-disabled-by-prefix.service
new file mode 100644
index 0000000..021cadf
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-disabled-by-prefix.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateDevices=yes with prefix
+
+[Service]
+ExecStart=/bin/sh -x -c '! test -c /dev/kmsg'
+ExecStart=+/bin/sh -x -c 'test -c /dev/kmsg'
+Type=oneshot
+PrivateDevices=yes
diff --git a/test/test-execute/exec-privatedevices-no-capability-mknod.service b/test/test-execute/exec-privatedevices-no-capability-mknod.service
new file mode 100644
index 0000000..a07e822
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-no-capability-mknod.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_MKNOD capability for PrivateDevices=no
+
+[Service]
+PrivateDevices=no
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
+Type=oneshot
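Review bot: The inner `'/IAB/d'` closes and reopens the outer single-quoted `-c` argument, so the script is assembled from three adjacent segments rather than one quoted string. It appears to work only because the sed expression contains no whitespace; an edit that adds a space there would silently split the argument. Double quotes keep it inside the outer string: `-e "/IAB/d"`. The same quoting is used in the other capsh-based units in this diff (privatedevices sys-rawio, protectkernellogs and protectkernelmodules, both the yes and no variants).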
diff --git a/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
new file mode 100644
index 0000000..b0ce2d4
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-no-capability-sys-rawio.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
+
+[Service]
+PrivateDevices=no
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
+Type=oneshot
diff --git a/test/test-execute/exec-privatedevices-no.service b/test/test-execute/exec-privatedevices-no.service
new file mode 100644
index 0000000..31a5e3c
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-no.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateDevices=no
+
+[Service]
+ExecStart=/bin/sh -x -c 'test -c /dev/kmsg'
+Type=oneshot
+PrivateDevices=no
diff --git a/test/test-execute/exec-privatedevices-yes-capability-mknod.service b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
new file mode 100644
index 0000000..f798f31
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes-capability-mknod.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_MKNOD capability for PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
+Type=oneshot
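Review bot: The negated pipeline succeeds whenever `grep` finds nothing, which includes the case where `capsh` is missing or fails, so the unit can report that CAP_MKNOD was dropped without having inspected anything. For a test that asserts a sandboxing guarantee, this is false assurance. Capturing the output first and failing on error closes that gap, e.g. `c=$$(capsh --print) || exit 1` ahead of the negated `sed | grep` on `$$c`. The same applies to the sys-rawio, protectkernellogs-yes and protectkernelmodules-yes units, and to the `! ip link | grep …` check in exec-privatenetwork-yes.service. If the harness verifies tool availability outside this diff, a comment saying so would be enough.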
diff --git a/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
new file mode 100644
index 0000000..d902c23
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
+Type=oneshot
diff --git a/test/test-execute/exec-privatedevices-yes-with-group.service b/test/test-execute/exec-privatedevices-yes-with-group.service
new file mode 100644
index 0000000..a39ae0f
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes-with-group.service
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test Group=group is applied after PrivateDevices=yes
+
+[Service]
+PrivateDevices=yes
+Group=daemon
+Type=oneshot
+
+# Check the group applied
+ExecStart=/bin/sh -x -c 'test "$$(id -n -g)" = "daemon"'
+
+# Check that the namespace applied
+ExecStart=/bin/sh -c 'test ! -c /dev/kmsg'
+
+# Check that the owning group of a node is not daemon (should be the host root)
+ExecStart=/bin/sh -x -c 'test ! "$$(stat -c %%G /dev/stderr)" = "daemon"'
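Review bot: `test ! -c /dev/kmsg` also succeeds on a host that has no /dev/kmsg at all, so the check cannot tell a private /dev from a missing device. exec-privatedevices-disabled-by-prefix.service already pairs the negative check with a control run outside the sandbox, and the same line would close the gap here: `ExecStart=+/bin/sh -x -c 'test -c /dev/kmsg'`. exec-privatedevices-yes.service has the same one-sided check, and exec-privatetmp-yes.service does likewise with /tmp/test-exec_privatetmp. If the harness verifies the precondition outside this diff, a comment stating that would suffice.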
diff --git a/test/test-execute/exec-privatedevices-yes.service b/test/test-execute/exec-privatedevices-yes.service
new file mode 100644
index 0000000..564e958
--- /dev/null
+++ b/test/test-execute/exec-privatedevices-yes.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateDevices=yes
+
+[Service]
+ExecStart=/bin/sh -c 'test ! -c /dev/kmsg'
+Type=oneshot
+PrivateDevices=yes
diff --git a/test/test-execute/exec-privatenetwork-yes.service b/test/test-execute/exec-privatenetwork-yes.service
new file mode 100644
index 0000000..0fff048
--- /dev/null
+++ b/test/test-execute/exec-privatenetwork-yes.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateNetwork
+
+[Service]
+ExecStart=/bin/sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
+Type=oneshot
+PrivateNetwork=yes
diff --git a/test/test-execute/exec-privatetmp-disabled-by-prefix.service b/test/test-execute/exec-privatetmp-disabled-by-prefix.service
new file mode 100644
index 0000000..f67afee
--- /dev/null
+++ b/test/test-execute/exec-privatetmp-disabled-by-prefix.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateTmp=yes with prefix
+
+[Service]
+ExecStart=/bin/sh -x -c 'test ! -f /tmp/test-exec_privatetmp'
+ExecStart=+/bin/sh -x -c 'test -f /tmp/test-exec_privatetmp'
+Type=oneshot
+PrivateTmp=yes
diff --git a/test/test-execute/exec-privatetmp-no.service b/test/test-execute/exec-privatetmp-no.service
new file mode 100644
index 0000000..6a8a3fc
--- /dev/null
+++ b/test/test-execute/exec-privatetmp-no.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateTmp=no
+
+[Service]
+ExecStart=/bin/sh -x -c 'test -f /tmp/test-exec_privatetmp'
+Type=oneshot
+PrivateTmp=no
diff --git a/test/test-execute/exec-privatetmp-yes.service b/test/test-execute/exec-privatetmp-yes.service
new file mode 100644
index 0000000..6395be0
--- /dev/null
+++ b/test/test-execute/exec-privatetmp-yes.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for PrivateTmp=yes
+
+[Service]
+ExecStart=/bin/sh -x -c 'test ! -f /tmp/test-exec_privatetmp'
+Type=oneshot
+PrivateTmp=yes
diff --git a/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service b/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
new file mode 100644
index 0000000..f84e6b6
--- /dev/null
+++ b/test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test ProtectHome=tmpfs vs ProtectSystem=strict
+# Test for #11276
+
+[Service]
+ProtectHome=tmpfs
+ProtectSystem=strict
+Type=oneshot
+ExecStart=/bin/sh -x -c 'test "$$(stat -fc %%T /home)" = "tmpfs"'
diff --git a/test/test-execute/exec-protectkernellogs-no-capabilities.service b/test/test-execute/exec-protectkernellogs-no-capabilities.service
new file mode 100644
index 0000000..5478962
--- /dev/null
+++ b/test/test-execute/exec-protectkernellogs-no-capabilities.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_SYSLOG for ProtectKernelLogs=no
+
+[Service]
+ProtectKernelLogs=no
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernellogs-yes-capabilities.service b/test/test-execute/exec-protectkernellogs-yes-capabilities.service
new file mode 100644
index 0000000..6fe1241
--- /dev/null
+++ b/test/test-execute/exec-protectkernellogs-yes-capabilities.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
+
+[Service]
+ProtectKernelLogs=yes
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernelmodules-no-capabilities.service b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
new file mode 100644
index 0000000..7236af2
--- /dev/null
+++ b/test/test-execute/exec-protectkernelmodules-no-capabilities.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_SYS_MODULE ProtectKernelModules=no
+
+[Service]
+ProtectKernelModules=no
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernelmodules-yes-capabilities.service b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
new file mode 100644
index 0000000..e40160d
--- /dev/null
+++ b/test/test-execute/exec-protectkernelmodules-yes-capabilities.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
+
+[Service]
+ProtectKernelModules=yes
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
+Type=oneshot
diff --git a/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service b/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service
new file mode 100644
index 0000000..0ecf1a2
--- /dev/null
+++ b/test/test-execute/exec-protectkernelmodules-yes-mount-propagation.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test to make sure that passing ProtectKernelModules=yes disconnect mount propagation
+
+[Service]
+ProtectKernelModules=yes
+ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo'
+Type=oneshot
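Review bot: The three `grep "$$d"` calls use the mktemp path as a regular expression, so the `.` that mktemp's default template typically puts in the name matches any character, and the pattern is not protected against a leading `-`. The match is what decides whether the mount leaked into the parent's or PID 1's namespace, so a fixed-string comparison states the intent more exactly: `grep -F -- "$$d" /proc/self/mountinfo`, and likewise for the two negated checks. The same command line is used in exec-readonlypaths-mount-propagation.service and exec-readwritepaths-mount-propagation.service.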
diff --git a/test/test-execute/exec-readonlypaths-mount-propagation.service b/test/test-execute/exec-readonlypaths-mount-propagation.service
new file mode 100644
index 0000000..abc180b
--- /dev/null
+++ b/test/test-execute/exec-readonlypaths-mount-propagation.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test to make sure that passing ReadOnlyPaths= disconnect mount propagation
+
+[Service]
+ReadOnlyPaths=-/i-dont-exist
+ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo'
+Type=oneshot
diff --git a/test/test-execute/exec-readonlypaths-simple.service b/test/test-execute/exec-readonlypaths-simple.service
new file mode 100644
index 0000000..5587e8d
--- /dev/null
+++ b/test/test-execute/exec-readonlypaths-simple.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for ReadOnlyPaths=
+
+[Service]
+Type=oneshot
+# This should work, as we explicitly disable the effect of ReadOnlyPaths=
+ExecStart=+/bin/sh -c 'touch /tmp/thisisasimpletest'
+# This should also work, as we do not disable the effect of ReadOnlyPaths= but invert the exit code
+ExecStart=/bin/sh -x -c '! touch /tmp/thisisasimpletest'
+ExecStart=+/bin/sh -c 'rm /tmp/thisisasimpletest'
+ReadOnlyPaths=/tmp
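Review bot: `/tmp/thisisasimpletest` is a fixed name in a world-writable directory, and the first and third ExecStart lines create and remove it with the `+` prefix, i.e. with full privileges and outside the unit's sandboxing. On a shared machine another user can pre-create that name (for instance as a symlink), and a leftover from an aborted run changes what the test sees; `fs.protected_symlinks` reduces the first risk but is a host setting the test does not control. A per-run directory would avoid both, for example one declared with `RuntimeDirectory=` and addressed through `%t` as the runtimedirectory units in this commit do, with `ReadOnlyPaths=` pointed at it. The three exec-standardoutput-*.service units use `/tmp/test-exec-standardoutput-output` and `/tmp/test-exec-standardoutput-expected` in the same way and also share those names with each other.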
diff --git a/test/test-execute/exec-readonlypaths-with-bindpaths.service b/test/test-execute/exec-readonlypaths-with-bindpaths.service
new file mode 100644
index 0000000..71c7e7b
--- /dev/null
+++ b/test/test-execute/exec-readonlypaths-with-bindpaths.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for ReadOnlyPaths=
+
+[Service]
+ReadOnlyPaths=/etc -/i-dont-exist /usr
+BindPaths=/etc:/tmp/etc2
+ExecStart=/bin/sh -x -c 'test ! -w /etc && test ! -w /usr && test ! -e /i-dont-exist && test -w /var'
+Type=oneshot
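Review bot: `BindPaths=/etc:/tmp/etc2` is never inspected by the ExecStart line, so the test gives the same result if the bind mount is skipped or ends up with unexpected permissions. If the intent is to check how ReadOnlyPaths= behaves when the same source is also bind-mounted elsewhere, add an explicit check such as `test -d /tmp/etc2` together with the expected `test -w` result for it; which result is intended cannot be told from this hunk. The `Description=` is identical to exec-readonlypaths.service and could mention BindPaths=.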
diff --git a/test/test-execute/exec-readonlypaths.service b/test/test-execute/exec-readonlypaths.service
new file mode 100644
index 0000000..21814c2
--- /dev/null
+++ b/test/test-execute/exec-readonlypaths.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for ReadOnlyPaths=
+
+[Service]
+ReadOnlyPaths=/usr /etc /sys /dev -/i-dont-exist
+PrivateDevices=yes
+ExecStart=/bin/sh -x -c 'test ! -w /usr && test ! -w /etc && test ! -w /sys && test ! -w /sys/fs/cgroup'
+ExecStart=/bin/sh -x -c 'test ! -w /dev && test ! -w /dev/shm && test ! -e /i-dont-exist && test -w /var'
+Type=oneshot
diff --git a/test/test-execute/exec-readwritepaths-mount-propagation.service b/test/test-execute/exec-readwritepaths-mount-propagation.service
new file mode 100644
index 0000000..35e736f
--- /dev/null
+++ b/test/test-execute/exec-readwritepaths-mount-propagation.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test to make sure that passing ReadWritePaths= disconnect mount propagation
+
+[Service]
+ReadWritePaths=-/i-dont-exist
+ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); trap "umount \'$$d\' && rmdir \'$$d\'" EXIT; mount -t tmpfs tmpfs "$$d"; grep "$$d" /proc/self/mountinfo && ! grep "$$d" /proc/$${PPID}/mountinfo && ! grep "$$d" /proc/1/mountinfo'
+Type=oneshot
diff --git a/test/test-execute/exec-restrictnamespaces-merge-all.service b/test/test-execute/exec-restrictnamespaces-merge-all.service
new file mode 100644
index 0000000..1270b60
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-merge-all.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test merging RestrictNamespaces= with all flags
+
+[Service]
+RestrictNamespaces=mnt pid cgroup net uts ipc user
+RestrictNamespaces=net
+ExecStart=unshare -m -u -i -n -p -f
+Type=oneshot
diff --git a/test/test-execute/exec-restrictnamespaces-merge-and.service b/test/test-execute/exec-restrictnamespaces-merge-and.service
new file mode 100644
index 0000000..fdeb3f1
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-merge-and.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test merging RestrictNamespaces= with AND
+
+[Service]
+RestrictNamespaces=mnt pid
+RestrictNamespaces=~mnt usr
+ExecStart=unshare -p -f
+ExecStart=sh -c '! unshare -m -u -i -n'
+Type=oneshot
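Review bot: `usr` in `RestrictNamespaces=~mnt usr` is not one of the namespace type names documented for this setting; `user` was presumably meant. If the parser ignores the assignment because of the unknown word, the unit runs with just `mnt pid`, and both ExecStart lines still produce the expected result because `unshare -m -u -i -n` fails on uts/ipc/net alone. To make the AND merge observable, correct the name and test the mount namespace by itself, e.g. `ExecStart=sh -c '! unshare -m'`.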
diff --git a/test/test-execute/exec-restrictnamespaces-merge-or.service b/test/test-execute/exec-restrictnamespaces-merge-or.service
new file mode 100644
index 0000000..fca3718
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-merge-or.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test merging RestrictNamespaces= with OR
+
+[Service]
+RestrictNamespaces=mnt pid
+RestrictNamespaces=mnt uts
+ExecStart=unshare -m -u -p -f
+ExecStart=sh -c '! unshare -u -i -n'
+Type=oneshot
diff --git a/test/test-execute/exec-restrictnamespaces-mnt-deny-list.service b/test/test-execute/exec-restrictnamespaces-mnt-deny-list.service
new file mode 100644
index 0000000..b257afb
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-mnt-deny-list.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test RestrictNamespaces=~mnt
+
+[Service]
+RestrictNamespaces=~mnt
+ExecStart=unshare -m
+Type=oneshot
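Review bot: Nothing in this unit says that `unshare -m` is expected to fail, and it is line-for-line the same command as in exec-restrictnamespaces-mnt.service, where it should succeed. The expected exit status presumably lives in the test harness, which is outside this hunk. A comment above ExecStart would make the unit readable on its own, e.g. `# must fail: ~mnt removes the mount namespace from the allowed set`. exec-restrictnamespaces-yes.service would benefit from the same kind of comment.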
diff --git a/test/test-execute/exec-restrictnamespaces-mnt.service b/test/test-execute/exec-restrictnamespaces-mnt.service
new file mode 100644
index 0000000..cb28c0c
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-mnt.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test RestrictNamespaces=mnt
+
+[Service]
+RestrictNamespaces=mnt
+ExecStart=unshare -m
+Type=oneshot
diff --git a/test/test-execute/exec-restrictnamespaces-no.service b/test/test-execute/exec-restrictnamespaces-no.service
new file mode 100644
index 0000000..035c8b5
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-no.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test RestrictNamespaces=no
+
+[Service]
+RestrictNamespaces=no
+ExecStart=unshare -m -u -i -n -p -f
+Type=oneshot
diff --git a/test/test-execute/exec-restrictnamespaces-yes.service b/test/test-execute/exec-restrictnamespaces-yes.service
new file mode 100644
index 0000000..f9436d2
--- /dev/null
+++ b/test/test-execute/exec-restrictnamespaces-yes.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test RestrictNamespaces=yes
+
+[Service]
+RestrictNamespaces=yes
+ExecStart=unshare -m
+Type=oneshot
diff --git a/test/test-execute/exec-runtimedirectory-mode.service b/test/test-execute/exec-runtimedirectory-mode.service
new file mode 100644
index 0000000..580bac9
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-mode.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectoryMode
+
+[Service]
+ExecStart=/bin/sh -x -c 'mode=$$(stat -c %%a %t/test-exec_runtimedirectory-mode); test "$$mode" = "750"'
+ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectory-mode"'
+Type=oneshot
+RuntimeDirectory=test-exec_runtimedirectory-mode
+RuntimeDirectoryMode=0750
diff --git a/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service
new file mode 100644
index 0000000..79bebc4
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-owner-nfsnobody.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nfsnobody"'
+Type=oneshot
+Group=nfsnobody
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner
diff --git a/test/test-execute/exec-runtimedirectory-owner-nobody.service b/test/test-execute/exec-runtimedirectory-owner-nobody.service
new file mode 100644
index 0000000..3b42a9f
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-owner-nobody.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nobody"'
+Type=oneshot
+Group=nobody
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner
diff --git a/test/test-execute/exec-runtimedirectory-owner-nogroup.service b/test/test-execute/exec-runtimedirectory-owner-nogroup.service
new file mode 100644
index 0000000..804048e
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-owner-nogroup.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner); test "$$group" = "nogroup"'
+Type=oneshot
+Group=nogroup
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner
diff --git a/test/test-execute/exec-runtimedirectory-owner.service b/test/test-execute/exec-runtimedirectory-owner.service
new file mode 100644
index 0000000..e2c0890
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory-owner.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -x -c 'group=$$(stat -c %%G %t/test-exec_runtimedirectory-owner-daemon); test "$$group" = "daemon"'
+Type=oneshot
+Group=daemon
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner-daemon
diff --git a/test/test-execute/exec-runtimedirectory.service b/test/test-execute/exec-runtimedirectory.service
new file mode 100644
index 0000000..1928c57
--- /dev/null
+++ b/test/test-execute/exec-runtimedirectory.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for RuntimeDirectory
+
+[Service]
+ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectory'
+ExecStart=/bin/sh -x -c 'test -d %t/test-exec_runtimedirectory2/hogehoge'
+ExecStart=/bin/sh -x -c 'test "$$RUNTIME_DIRECTORY" = "%t/test-exec_runtimedirectory:%t/test-exec_runtimedirectory2/hogehoge"'
+Type=oneshot
+RuntimeDirectory=test-exec_runtimedirectory
+RuntimeDirectory=./test-exec_runtimedirectory2///./hogehoge/.
diff --git a/test/test-execute/exec-specifier-credentials-dir.service b/test/test-execute/exec-specifier-credentials-dir.service
new file mode 100644
index 0000000..818619a
--- /dev/null
+++ b/test/test-execute/exec-specifier-credentials-dir.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for specifiers
+
+[Service]
+Type=oneshot
+Environment=TOP_SECRET=%d/very_top_secret
+# Test if the specifier is resolved correctly both before and after LoadCredential=
+ExecStart=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret"
+LoadCredential=very_top_secret
+ExecStart=test %d/very_top_secret = "${CREDENTIALS_DIRECTORY}/very_top_secret"
+ExecStart=sh -c 'test %d/very_top_secret = "$TOP_SECRET"'
diff --git a/test/test-execute/exec-specifier-interpolation.service b/test/test-execute/exec-specifier-interpolation.service
new file mode 100644
index 0000000..4cb1b06
--- /dev/null
+++ b/test/test-execute/exec-specifier-interpolation.service
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=https://github.com/systemd/systemd/issues/2637
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -x -c "! test -x perl || perl -e 'exit(!(qq{%%U} eq qq{\\x25U}))'"
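Review bot: `test -x perl` looks for an executable file named `perl` relative to the working directory, not on PATH, so `! test -x perl` is normally true and the perl comparison after `||` never runs. The check that `%%U` stays a literal `%U` is therefore skipped on essentially every system, including those that have perl installed. `! command -v perl >/dev/null || perl -e ...` keeps the skip-when-absent intent and runs the comparison otherwise.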
diff --git a/test/test-execute/exec-specifier.service b/test/test-execute/exec-specifier.service
new file mode 100644
index 0000000..2b487ba
--- /dev/null
+++ b/test/test-execute/exec-specifier.service
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for specifiers
+
+[Service]
+Type=oneshot
+ExecStart=test %n = exec-specifier.service
+ExecStart=test %N = exec-specifier
+ExecStart=test %p = exec-specifier
+ExecStart=test %P = exec/specifier
+ExecStart=test %i = ""
+ExecStart=test %I = ""
+ExecStart=test %j = specifier
+ExecStart=test %J = specifier
+ExecStart=test %f = /exec/specifier
+ExecStart=test %t = /run
+ExecStart=test %S = /var/lib
+ExecStart=test %C = /var/cache
+ExecStart=test %L = /var/log
+ExecStart=test %E = /etc
+ExecStart=test %T = /tmp
+ExecStart=test %V = /var/tmp
+ExecStart=test %d = %t/credentials/%n
+ExecStart=sh -c 'test %u = $$(id -un)'
+ExecStart=sh -c 'test %U = $$(id -u)'
+ExecStart=sh -c 'test %g = $$(id -gn)'
+ExecStart=sh -c 'test %G = $$(id -g)'
+ExecStart=test %h = /root
+ExecStart=sh -c 'test -x %s'
+ExecStart=sh -c 'test %b = $$(cat /proc/sys/kernel/random/boot_id | sed -e 's/-//g')'
+ExecStart=sh -c 'test %H = $$(uname -n)'
+ExecStart=sh -c 'test %v = $$(uname -r)'
diff --git a/test/test-execute/exec-specifier@.service b/test/test-execute/exec-specifier@.service
new file mode 100644
index 0000000..69e969f
--- /dev/null
+++ b/test/test-execute/exec-specifier@.service
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for specifiers (template unit)
+
+[Service]
+Type=oneshot
+ExecStart=test %n = exec-specifier@foo-bar.service
+ExecStart=test %N = exec-specifier@foo-bar
+ExecStart=test %p = exec-specifier
+ExecStart=test %P = exec/specifier
+ExecStart=test %i = foo-bar
+ExecStart=test %I = foo/bar
+ExecStart=test %j = specifier
+ExecStart=test %J = specifier
+ExecStart=test %f = /foo/bar
+ExecStart=test %t = /run
+ExecStart=test %S = /var/lib
+ExecStart=test %C = /var/cache
+ExecStart=test %L = /var/log
+ExecStart=test %E = /etc
+ExecStart=sh -c 'test %u = $$(id -un)'
+ExecStart=sh -c 'test %U = $$(id -u)'
+ExecStart=sh -c 'test %g = $$(id -gn)'
+ExecStart=sh -c 'test %G = $$(id -g)'
+ExecStart=test %h = /root
+ExecStart=sh -c 'test -x %s'
+ExecStart=sh -c 'test %b = $$(cat /proc/sys/kernel/random/boot_id | sed -e 's/-//g')'
+ExecStart=sh -c 'test %H = $$(uname -n)'
+ExecStart=sh -c 'test %v = $$(uname -r)'
diff --git a/test/test-execute/exec-standardinput-data.service b/test/test-execute/exec-standardinput-data.service
new file mode 100644
index 0000000..83db609
--- /dev/null
+++ b/test/test-execute/exec-standardinput-data.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for StandardInputText= and StandardInputData=
+
+[Service]
+ExecStart=/bin/sh -x -c 'd=$$(mktemp -d -p /tmp); echo -e "this is a test\nand this is more\nsomething encoded!\nsomething in multiple lines\nand some more\nand a more bas64 data\nsomething with strange\nembedded\tcharacters\nand something with a exec-stdin-data.service specifier" > $d/text ; cmp $d/text ; rm -rf $d'
+Type=oneshot
+StandardInput=data
+StandardInputText=this is a test
+StandardInputText=and this is more
+StandardInputData=c29tZXRoaW5nIGVuY29kZWQhCg==
+StandardInputText=something \
+ in multiple lines
+StandardInputText=\
+and some more
+StandardInputData=YW5kIGEgbW9y \
+ ZSBiYXM2NCBk\
+YXRhCg==
+StandardInputText=something with strange\nembedded\tcharacters
+StandardInputText=and something with a %n specifier
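Review bot: The exit status of the `sh -c` script is that of the final `rm -rf $d`, so the result of `cmp` is discarded and the unit succeeds whatever arrives on stdin. Two details suggest the comparison would not pass if it counted: the expected text ends in `exec-stdin-data.service` while `%n` expands to this unit's own name (exec-standardinput-data.service by the file header), and `echo -e` is not portable across /bin/sh implementations, some of which print the `-e`. Preserve the status with `cmp "$$d/text"; r=$$?; rm -rf "$$d"; exit $$r` and build the expected file with `printf`. `$d` is written with a single `$` here, unlike the `$$d` used by the other units in this commit.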
diff --git a/test/test-execute/exec-standardinput-file-cat.service b/test/test-execute/exec-standardinput-file-cat.service
new file mode 100644
index 0000000..b115a6d
--- /dev/null
+++ b/test/test-execute/exec-standardinput-file-cat.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for StandardInput=file:
+
+[Service]
+ExecStart=cat
+Type=oneshot
+StandardInput=file:/etc/os-release
+# We leave StandardOutput= unset here, to verify https://github.com/systemd/systemd/issues/14560 works
+# The "cat" tool is going to write to stdout, which fails if we dup() stdin to stdout
diff --git a/test/test-execute/exec-standardinput-file.service b/test/test-execute/exec-standardinput-file.service
new file mode 100644
index 0000000..618ae7d
--- /dev/null
+++ b/test/test-execute/exec-standardinput-file.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for StandardInput=file:
+
+[Service]
+ExecStart=/usr/bin/cmp /usr/bin/cmp
+Type=oneshot
+StandardInput=file:/usr/bin/cmp
diff --git a/test/test-execute/exec-standardoutput-append.service b/test/test-execute/exec-standardoutput-append.service
new file mode 100644
index 0000000..45d29ec
--- /dev/null
+++ b/test/test-execute/exec-standardoutput-append.service
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for StandardOutput=append:
+
+[Service]
+ExecStartPre=sh -c 'printf "hello\n" >/tmp/test-exec-standardoutput-output'
+ExecStartPre=sh -c 'printf "hello\nhello\n" >/tmp/test-exec-standardoutput-expected'
+StandardInput=data
+StandardInputText=hello
+StandardOutput=append:/tmp/test-exec-standardoutput-output
+StandardError=null
+ExecStart=cat
+ExecStart=cmp /tmp/test-exec-standardoutput-output /tmp/test-exec-standardoutput-expected
+Type=oneshot
diff --git a/test/test-execute/exec-standardoutput-file.service b/test/test-execute/exec-standardoutput-file.service
new file mode 100644
index 0000000..8b689a2
--- /dev/null
+++ b/test/test-execute/exec-standardoutput-file.service
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for StandardOutput=file:
+
+[Service]
+ExecStartPre=sh -c 'printf "nooo\nhello\n" >/tmp/test-exec-standardoutput-output'
+ExecStartPre=sh -c 'printf "hello\nello\n" >/tmp/test-exec-standardoutput-expected'
+StandardInput=data
+StandardInputText=hello
+StandardOutput=file:/tmp/test-exec-standardoutput-output
+StandardError=null
+ExecStart=cat
+ExecStart=cmp /tmp/test-exec-standardoutput-expected /tmp/test-exec-standardoutput-output
+Type=oneshot
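Review bot: The expected content `hello\nello\n` is not explained and looks like a typo next to the append and truncate variants. It follows from `file:` opening the target for writing at offset 0 without truncating it. I would add above the ExecStartPre lines: `# file: does not truncate, so "hello\n" overwrites the first six bytes of "nooo\nhello\n" and "ello\n" remains`.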
diff --git a/test/test-execute/exec-standardoutput-truncate.service b/test/test-execute/exec-standardoutput-truncate.service
new file mode 100644
index 0000000..1a86d92
--- /dev/null
+++ b/test/test-execute/exec-standardoutput-truncate.service
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for StandardOutput=truncate:
+
+[Service]
+ExecStartPre=sh -c 'printf "hello\n" >/tmp/test-exec-standardoutput-output'
+ExecStartPre=sh -c 'printf "hi\n" >/tmp/test-exec-standardoutput-expected'
+StandardInput=data
+StandardInputText=hi
+StandardOutput=truncate:/tmp/test-exec-standardoutput-output
+StandardError=null
+ExecStart=sh -c 'cat && cmp /tmp/test-exec-standardoutput-output /tmp/test-exec-standardoutput-expected'
+Type=oneshot
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
new file mode 100644
index 0000000..0ecc344
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Supplementary Group with multiple groups without Group and User
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"'
+Type=oneshot
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
new file mode 100644
index 0000000..cd1021b
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Supplementary Group with multiple groups and Group=1
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"'
+Type=oneshot
+Group=1
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
new file mode 100644
index 0000000..7913a2c
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Supplementary Group with multiple groups and Uid=1
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1'
+Type=oneshot
+User=1
+SupplementaryGroups=1 2
diff --git a/test/test-execute/exec-supplementarygroups-single-group-user.service b/test/test-execute/exec-supplementarygroups-single-group-user.service
new file mode 100644
index 0000000..ee4017e
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-single-group-user.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Supplementary Group with only one group and uid 1
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"'
+Type=oneshot
+User=1
+Group=1
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-supplementarygroups-single-group.service b/test/test-execute/exec-supplementarygroups-single-group.service
new file mode 100644
index 0000000..6227520
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups-single-group.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Supplementary Group with only one group
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "0"'
+Type=oneshot
+Group=1
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-supplementarygroups.service b/test/test-execute/exec-supplementarygroups.service
new file mode 100644
index 0000000..03406c3
--- /dev/null
+++ b/test/test-execute/exec-supplementarygroups.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for Supplementary Group
+
+[Service]
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1'
+ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1'
+Type=oneshot
+SupplementaryGroups=1
diff --git a/test/test-execute/exec-systemcallerrornumber-name.service b/test/test-execute/exec-systemcallerrornumber-name.service
new file mode 100644
index 0000000..f2be600
--- /dev/null
+++ b/test/test-execute/exec-systemcallerrornumber-name.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallErrorNumber
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-systemcallerrornumber-number.service b/test/test-execute/exec-systemcallerrornumber-number.service
new file mode 100644
index 0000000..5d99a97
--- /dev/null
+++ b/test/test-execute/exec-systemcallerrornumber-number.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallErrorNumber
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname
+SystemCallErrorNumber=255
diff --git a/test/test-execute/exec-systemcallfilter-failing.service b/test/test-execute/exec-systemcallfilter-failing.service
new file mode 100644
index 0000000..3aad372
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-failing.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/sh -c '/bin/echo "This should not be seen"'
+Type=oneshot
+LimitCORE=0
+SystemCallFilter=ioperm
+SystemCallFilter=~ioperm
+SystemCallFilter=ioperm
diff --git a/test/test-execute/exec-systemcallfilter-failing2.service b/test/test-execute/exec-systemcallfilter-failing2.service
new file mode 100644
index 0000000..8cdb8de
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-failing2.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/sh -c '/bin/echo "This should not be seen"'
+Type=oneshot
+LimitCORE=0
+SystemCallFilter=~write open execve fexecve execveat exit_group close mmap munmap fstat DONOTEXIST
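Review bot: `DONOTEXIST` in the deny list is not a syscall name, and the unit does not say why it is there. Presumably it checks that an unknown entry is ignored without discarding the rest of the list, so that `write` and the others are still blocked and the echo never appears. A one-line comment above the setting would record that, e.g. `# DONOTEXIST is intentionally bogus: an unknown name must not void the rest of the deny list`. exec-systemcallfilter-failing3.service carries the same list and needs the same comment.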
diff --git a/test/test-execute/exec-systemcallfilter-failing3.service b/test/test-execute/exec-systemcallfilter-failing3.service
new file mode 100644
index 0000000..98c88fd
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-failing3.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/sh -c '/bin/echo "This should not be seen"'
+Type=oneshot
+LimitCORE=0
+SystemCallArchitectures=native
+SystemCallFilter=~write open execve fexecve execveat exit_group close mmap munmap fstat DONOTEXIST
diff --git a/test/test-execute/exec-systemcallfilter-not-failing.service b/test/test-execute/exec-systemcallfilter-not-failing.service
new file mode 100644
index 0000000..c7eddea
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-not-failing.service
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/sh -c 'echo "Foo bar"'
+Type=oneshot
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-systemcallfilter-not-failing2.service b/test/test-execute/exec-systemcallfilter-not-failing2.service
new file mode 100644
index 0000000..96eaf16
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-not-failing2.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/sh -c 'echo "Foo bar"'
+Type=oneshot
+SystemCallFilter=
diff --git a/test/test-execute/exec-systemcallfilter-not-failing3.service b/test/test-execute/exec-systemcallfilter-not-failing3.service
new file mode 100644
index 0000000..f8f4092
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-not-failing3.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter
+
+[Service]
+ExecStart=/bin/sh -c 'echo "Foo bar"'
+Type=oneshot
+SystemCallArchitectures=native
+SystemCallFilter=
diff --git a/test/test-execute/exec-systemcallfilter-override-error-action.service b/test/test-execute/exec-systemcallfilter-override-error-action.service
new file mode 100644
index 0000000..de2c6ad
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-override-error-action.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter with specific kill action overriding default errno action
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:kill
+SystemCallErrorNumber=EILSEQ
diff --git a/test/test-execute/exec-systemcallfilter-override-error-action2.service b/test/test-execute/exec-systemcallfilter-override-error-action2.service
new file mode 100644
index 0000000..ffa35e6
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-override-error-action2.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter with specific errno action overriding default kill action
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:EILSEQ
+SystemCallErrorNumber=kill
diff --git a/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service
new file mode 100644
index 0000000..deba154
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-system-user-nfsnobody.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter in system mode with User set
+
+[Service]
+ExecStart=/bin/sh -c 'echo "Foo bar"'
+Type=oneshot
+User=nfsnobody
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-systemcallfilter-system-user-nobody.service b/test/test-execute/exec-systemcallfilter-system-user-nobody.service
new file mode 100644
index 0000000..43fb9c3
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-system-user-nobody.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter in system mode with User set
+
+[Service]
+ExecStart=/bin/sh -c 'echo "Foo bar"'
+Type=oneshot
+User=nobody
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-systemcallfilter-system-user.service b/test/test-execute/exec-systemcallfilter-system-user.service
new file mode 100644
index 0000000..005c4ac
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-system-user.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter in system mode with User set (daemon)
+
+[Service]
+ExecStart=/bin/sh -c 'echo "Foo bar"'
+Type=oneshot
+User=daemon
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service b/test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service
new file mode 100644
index 0000000..c7a4c4a
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-with-errno-in-allow-list.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter with errno name (for issue #18916)
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=@system-service
+SystemCallFilter=~uname:EILSEQ
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-multi.service b/test/test-execute/exec-systemcallfilter-with-errno-multi.service
new file mode 100644
index 0000000..2678323
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-with-errno-multi.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter updating errno
+# test for issue #9939 which is fixed by a5404992cc7724ebf7572a0aa89d9fdb26ce0b62 (#9942)
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:ENOENT uname:EILSEQ
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-name.service b/test/test-execute/exec-systemcallfilter-with-errno-name.service
new file mode 100644
index 0000000..a902331
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-with-errno-name.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter with errno name
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:EILSEQ
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-number.service b/test/test-execute/exec-systemcallfilter-with-errno-number.service
new file mode 100644
index 0000000..ffbc84a
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-with-errno-number.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for SystemCallFilter with errno number
+
+[Service]
+ExecStart=/usr/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:255
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-temporaryfilesystem-options.service b/test/test-execute/exec-temporaryfilesystem-options.service
new file mode 100644
index 0000000..1610c63
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-options.service
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for TemporaryFileSystem with mount options
+
+[Service]
+Type=oneshot
+
+# The mount options default to "mode=0755,nodev,strictatime".
+# Let's override some of them, and test "ro".
+TemporaryFileSystem=/var:ro,mode=0700,nostrictatime
+
+# Check /proc/self/mountinfo
+ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$11 !~ /(^|,)mode=700(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""'
+
+ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$6 !~ /(^|,)ro(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""'
+ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$6 !~ /(^|,)nodev(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""'
+ExecStart=/bin/sh -x -c 'test "$$(awk \'$$5 == "/var" && $$6 ~ /(^|,)strictatime(,|$$)/ { print $$6 }\' /proc/self/mountinfo)" = ""'
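Review bot: All four checks pass vacuously when no mountinfo line has `/var` as its mount point, since awk then prints nothing and `test "" = ""` succeeds. The unit therefore cannot tell a correctly mounted tmpfs from one that was never mounted. A positive check first would close that, e.g. `ExecStart=/bin/sh -x -c 'test -n "$$(awk \'$$5 == "/var" { print $$6 }\' /proc/self/mountinfo)"'`. Separately, the first check reads the super options from `$$11`, which is only right when the line carries exactly one optional field before the `-` separator; `$$NF` would not depend on that.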
diff --git a/test/test-execute/exec-temporaryfilesystem-ro.service b/test/test-execute/exec-temporaryfilesystem-ro.service
new file mode 100644
index 0000000..2ee5c26
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-ro.service
@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for TemporaryFileSystem with read-only mode
+
+[Service]
+Type=oneshot
+
+# Check directories exist
+ExecStart=/bin/sh -c 'test -d /var/test-exec-temporaryfilesystem/rw && test -d /var/test-exec-temporaryfilesystem/ro'
+
+# Check TemporaryFileSystem= are empty
+ExecStart=/bin/sh -c 'for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done'
+
+# Check default mode
+ExecStart=sh -x -c 'test "$$(stat -c %%a /var)" = "755"'
+
+# Cannot create a file in /var
+ExecStart=/bin/sh -c '! touch /var/hoge'
+
+# Create a file in /var/test-exec-temporaryfilesystem/rw
+ExecStart=/bin/sh -c 'touch /var/test-exec-temporaryfilesystem/rw/thisisasimpletest-temporaryfilesystem'
+
+# Then, the file can be access through /tmp
+ExecStart=/bin/sh -c 'test -f /tmp/thisisasimpletest-temporaryfilesystem'
+
+# Also, through /var/test-exec-temporaryfilesystem/ro
+ExecStart=/bin/sh -c 'test -f /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# The file cannot modify through /var/test-exec-temporaryfilesystem/ro
+ExecStart=/bin/sh -c '! touch /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# Cleanup
+ExecStart=/bin/sh -c 'rm /tmp/thisisasimpletest-temporaryfilesystem'
+
+TemporaryFileSystem=/var:ro
+BindPaths=/tmp:/var/test-exec-temporaryfilesystem/rw
+BindReadOnlyPaths=/tmp:/var/test-exec-temporaryfilesystem/ro
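Review bot: The emptiness check `for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done` returns the status of the last iteration only, so an unexpected entry that sorts before `test-exec-temporaryfilesystem` does not fail the unit. Replacing `|| false` with `|| exit 1` and quoting the variable, `test "$$i" = test-exec-temporaryfilesystem || exit 1`, makes every entry count. The same loop appears in exec-temporaryfilesystem-rw.service and, with a longer `test` expression, in exec-temporaryfilesystem-usr.service.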
diff --git a/test/test-execute/exec-temporaryfilesystem-rw.service b/test/test-execute/exec-temporaryfilesystem-rw.service
new file mode 100644
index 0000000..ff0aa04
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-rw.service
@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for TemporaryFileSystem
+
+[Service]
+Type=oneshot
+
+# Check directories exist
+ExecStart=test -d /var/test-exec-temporaryfilesystem/rw -a -d /var/test-exec-temporaryfilesystem/ro
+
+# Check TemporaryFileSystem= are empty
+ExecStart=sh -c 'for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done'
+
+# Check default mode
+ExecStart=sh -x -c 'test "$$(stat -c %%a /var)" = "755"'
+
+# Create a file in /var
+ExecStart=touch /var/hoge
+
+# Create a file in /var/test-exec-temporaryfilesystem/rw
+ExecStart=touch /var/test-exec-temporaryfilesystem/rw/thisisasimpletest-temporaryfilesystem
+
+# Then, the file can be access through /tmp
+ExecStart=test -f /tmp/thisisasimpletest-temporaryfilesystem
+
+# Also, through /var/test-exec-temporaryfilesystem/ro
+ExecStart=test -f /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem
+
+# The file cannot modify through /var/test-exec-temporaryfilesystem/ro
+ExecStart=sh -c '! touch /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# Cleanup
+ExecStart=rm /tmp/thisisasimpletest-temporaryfilesystem
+
+TemporaryFileSystem=/var
+BindPaths=/tmp:/var/test-exec-temporaryfilesystem/rw
+BindReadOnlyPaths=/tmp:/var/test-exec-temporaryfilesystem/ro
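Review bot: The cleanup is the last `ExecStart=`, so if any earlier step fails, the file `thisisasimpletest-temporaryfilesystem` stays behind in `/tmp`. No `PrivateTmp=` is set here, and `BindPaths=/tmp:...` maps the directory the manager itself sees, so the leftover lands in a shared location under a fixed name. Moving the step to `ExecStopPost=rm -f /tmp/thisisasimpletest-temporaryfilesystem` would run it on failure too. exec-temporaryfilesystem-ro.service has the same ordering.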
diff --git a/test/test-execute/exec-temporaryfilesystem-usr.service b/test/test-execute/exec-temporaryfilesystem-usr.service
new file mode 100644
index 0000000..f62ce1a
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-usr.service
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for TemporaryFileSystem on /usr
+
+[Service]
+Type=oneshot
+
+# Check TemporaryFileSystem= are empty
+ExecStart=/bin/sh -c 'for i in $$(ls -A /usr); do test $$i = lib -o $$i = lib64 -o $$i = bin -o $$i = sbin || false; done'
+
+# Cannot create files under /usr
+ExecStart=/bin/sh -c '! touch /usr/hoge'
+ExecStart=/bin/sh -c '! touch /usr/bin/hoge'
+
+TemporaryFileSystem=/usr:ro
+BindReadOnlyPaths=-/usr/lib -/usr/lib64 /usr/bin /usr/sbin
diff --git a/test/test-execute/exec-umask-0177.service b/test/test-execute/exec-umask-0177.service
new file mode 100644
index 0000000..380cb82
--- /dev/null
+++ b/test/test-execute/exec-umask-0177.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for UMask
+
+[Service]
+ExecStart=/bin/sh -x -c 'rm /tmp/test-exec-umask; touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "600"'
+Type=oneshot
+UMask=0177
+PrivateTmp=yes
diff --git a/test/test-execute/exec-umask-default.service b/test/test-execute/exec-umask-default.service
new file mode 100644
index 0000000..b28023d
--- /dev/null
+++ b/test/test-execute/exec-umask-default.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for UMask default
+
+[Service]
+ExecStart=/bin/sh -x -c 'rm /tmp/test-exec-umask; touch /tmp/test-exec-umask; mode=$$(stat -c %%a /tmp/test-exec-umask); test "$$mode" = "644"'
+Type=oneshot
+PrivateTmp=yes
diff --git a/test/test-execute/exec-umask-namespace.service b/test/test-execute/exec-umask-namespace.service
new file mode 100644
index 0000000..8419c86
--- /dev/null
+++ b/test/test-execute/exec-umask-namespace.service
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for UMask= + namespacing
+
+[Service]
+ExecStart=/bin/ls -lahd /tmp/subdir
+Type=oneshot
+User=65534
+Group=65534
+TemporaryFileSystem=/tmp:ro
+BindPaths=/etc:/tmp/subdir/subsub
+UMask=0007
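Review bot: The only assertion is that `/bin/ls -lahd /tmp/subdir` exits 0 as uid 65534, and with `-d` that needs search permission on `/tmp` but not on `/tmp/subdir` itself. If the intent is to verify that `UMask=0007` does not leak into the directories created for the bind mount (inferred from the description; there is no comment), a `subdir` created without o+x would apparently still pass. Listing the bind target instead, `ExecStart=/bin/ls -lahd /tmp/subdir/subsub`, forces the unprivileged user to traverse `subdir`.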
diff --git a/test/test-execute/exec-unsetenvironment.service b/test/test-execute/exec-unsetenvironment.service
new file mode 100644
index 0000000..b79e3d4
--- /dev/null
+++ b/test/test-execute/exec-unsetenvironment.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for UnsetEnvironment
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$FOO" = "bar" && test "$${QUUX-X}" = "X" && test "$$VAR3" = "value3" && test "$${VAR4-X}" = "X" && test "$$VAR5" = "value5" && test "$${X%b-X}" = "X"'
+Type=oneshot
+Environment=FOO=bar QUUX=waldo VAR3=value3 VAR4=value4 VAR5=value5 X%b=%U
+UnsetEnvironment=QUUX=waldo VAR3=somethingelse VAR4 X%b=%U
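Review bot: The `X%b=%U` entry and the `$${X%b-X}` check are hard to read without a comment. `%b` is a unit specifier, so after expansion the shell sees a variable named X followed by the boot ID with a `-X` default, not a suffix-strip of `$X`. The line also relies, silently, on `VAR3=somethingelse` not removing `VAR3=value3` because the value differs. I would add `# QUUX and VAR4 are removed; VAR3 stays because the value does not match; X%b=%U checks specifier expansion in both settings` above the `ExecStart=` line.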
diff --git a/test/test-execute/exec-user-nfsnobody.service b/test/test-execute/exec-user-nfsnobody.service
new file mode 100644
index 0000000..8f0943c
--- /dev/null
+++ b/test/test-execute/exec-user-nfsnobody.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for User
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$USER" = "nfsnobody"'
+Type=oneshot
+User=nfsnobody
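Review bot: `test "$$USER" = "nfsnobody"` checks the environment variable handed to the process, not the credentials it runs with. It would still pass if `$USER` were set but the uid had not been dropped. Adding the kernel's view makes the check meaningful for privilege dropping: `test "$$USER" = "nfsnobody" && test "$$(id -un)" = "nfsnobody"`. exec-user-nobody.service and exec-user.service use the same pattern.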
diff --git a/test/test-execute/exec-user-nobody.service b/test/test-execute/exec-user-nobody.service
new file mode 100644
index 0000000..834d11a
--- /dev/null
+++ b/test/test-execute/exec-user-nobody.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for User
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$USER" = "nobody"'
+Type=oneshot
+User=nobody
diff --git a/test/test-execute/exec-user.service b/test/test-execute/exec-user.service
new file mode 100644
index 0000000..b9863d2
--- /dev/null
+++ b/test/test-execute/exec-user.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for User (daemon)
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$USER" = "daemon"'
+Type=oneshot
+User=daemon
diff --git a/test/test-execute/exec-workingdirectory-trailing-dot.service b/test/test-execute/exec-workingdirectory-trailing-dot.service
new file mode 100644
index 0000000..130d9d5
--- /dev/null
+++ b/test/test-execute/exec-workingdirectory-trailing-dot.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for WorkingDirectory with trailing dot
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$PWD" = "/tmp/test-exec_workingdirectory"'
+Type=oneshot
+WorkingDirectory=/tmp///./test-exec_workingdirectory/.
diff --git a/test/test-execute/exec-workingdirectory.service b/test/test-execute/exec-workingdirectory.service
new file mode 100644
index 0000000..b53bf60
--- /dev/null
+++ b/test/test-execute/exec-workingdirectory.service
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for WorkingDirectory
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$$PWD" = "/tmp/test-exec_workingdirectory"'
+Type=oneshot
+WorkingDirectory=/tmp/test-exec_workingdirectory