author | Lennart Poettering <lennart@poettering.net> | 2023-02-22 18:05:18 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-02-28 21:42:29 +0100 |
commit | d7fce219aedfea378dcbc04c68b41d22d31ffae5 (patch) | |
tree | 92e0241bdcd94e9d5bb6abf0cc407a7ffcd0fabd | |
parent | bf1b9ae487b65b1cb1639b222724fab95e508cf5 (diff) | |
download | systemd-d7fce219aedfea378dcbc04c68b41d22d31ffae5.tar.gz |
test: test setting ambient caps via pam_systemd.so
-rwxr-xr-x | test/units/testsuite-35.sh | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/test/units/testsuite-35.sh b/test/units/testsuite-35.sh
index 85925f2471..02f22cf2a2 100755
--- a/test/units/testsuite-35.sh
+++ b/test/units/testsuite-35.sh
@@ -573,6 +573,58 @@ EOF
 assert_eq "$(loginctl --no-legend | grep -c "logind-test-user")" 0
 }
 
+test_ambient_caps() {
+ local PAMSERVICE TRANSIENTUNIT SCRIPT
+
+ # Verify that pam_systemd works and assigns ambient caps as it should
+
+ if ! grep -q 'CapAmb:' /proc/self/status ; then
+ echo "ambient caps not available, skipping test." >&2
+ return
+ fi
+
+ typeset -i BND MASK
+
+ # Get PID 1's bounding set
+ BND="0x$(grep 'CapBnd:' /proc/1/status | cut -d: -f2 | tr -d '[:space:]')"
+
+ # CAP_CHOWN | CAP_KILL
+ MASK=$(((1 << 0) | (1 << 5)))
+
+ if [ $(("$BND" & "$MASK")) -ne "$MASK" ] ; then
+ echo "CAP_CHOWN or CAP_KILL not available in bounding set, skipping test." >&2
+ return
+ fi
+
+ PAMSERVICE="pamserv$RANDOM"
+ TRANSIENTUNIT="capwakealarm$RANDOM.service"
+ SCRIPT="/tmp/capwakealarm$RANDOM.sh"
+
+ cat > /etc/pam.d/"$PAMSERVICE" <<EOF
+auth sufficient pam_unix.so
+auth required pam_deny.so
+account sufficient pam_unix.so
+account required pam_permit.so
+session optional pam_systemd.so default-capability-ambient-set=CAP_CHOWN,CAP_KILL debug
+session required pam_unix.so
+EOF
+
+ cat > "$SCRIPT" <<'EOF'
+#!/bin/bash
+set -ex
+typeset -i AMB MASK
+AMB="0x$(grep 'CapAmb:' /proc/self/status | cut -d: -f2 | tr -d '[:space:]')"
+MASK=$(((1 << 0) | (1 << 5)))
+test "$AMB" -eq "$MASK"
+EOF
+
+ chmod +x "$SCRIPT"
+
+ systemd-run -u "$TRANSIENTUNIT" -p PAMName="$PAMSERVICE" -p Type=oneshot -p User=logind-test-user -p StandardError=tty "$SCRIPT"
+
+ rm -f "$SCRIPT" "$PAMSERVICE"
+}
+
 : >/failed
 
 setup_test_user
@@ -587,6 +639,7 @@ test_lock_idle_action
 test_session_properties
 test_list_users
 test_stop_idle_session
+test_ambient_caps
 
 touch /testok
 rm /failed
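Review bot: The cleanup line `rm -f "$SCRIPT" "$PAMSERVICE"` never removes the PAM service the test created, because the stanza was written to `/etc/pam.d/"$PAMSERVICE"` while rm receives only the bare name and so targets a non-existent relative path; the configuration that hands CAP_CHOWN and CAP_KILL to any session authenticated through that service name is left behind in /etc/pam.d after the test. Change it to `rm -f "$SCRIPT" /etc/pam.d/"$PAMSERVICE"`. The removal also runs only on the success path: if this suite executes under set -e, as the surrounding `assert_eq` style suggests, a failing systemd-run exits before it, so registering a `trap` right after the two files are written would be the robust form. Separately, `/tmp/capwakealarm$RANDOM.sh` is a predictable name in a world-writable directory for a script that root writes and another user then executes; `SCRIPT=$(mktemp /tmp/capwakealarm.XXXXXX)` avoids the race without changing anything else in the function.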