2021-10-17 16:07:22 +00:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2017-12-05 15:36:55 +00:00
[Unit]
Description=Test for ReadOnlyPaths=
core: skip ReadOnlyPaths= and other permission-related mounts on PermissionsStartOnly= (#5309)
ReadOnlyPaths=, ProtectHome=, InaccessiblePaths= and ProtectSystem= are
about restricting access and little more, hence they should be disabled
if PermissionsStartOnly= is used or ExecStart= lines are prefixed with a
"+". Do that.
(Note that we will still create namespaces and stuff, since that's about
a lot more than just permissions. We'll simply disable the effect of
the four options mentioned above, but nothing else mount related.)
This also adds a test for this, to ensure this works as intended.
No documentation updates, as the documentation is already vague enough
to support the new behaviour ("If true, the permission-related execution
options…"). We could clarify this further, but I think we might want to
extend the switches' behaviour a bit more in future, hence leave it at
this for now.
Fixes: #5308
2017-02-12 05:44:46 +00:00
[Service]
Type=oneshot
# This should work, as we explicitly disable the effect of ReadOnlyPaths=
2017-10-12 04:26:39 +00:00
ExecStart=+/bin/sh -c 'touch /tmp/thisisasimpletest'
2017-02-12 05:44:46 +00:00
# This should also work, as we do not disable the effect of ReadOnlyPaths= but invert the exit code
2024-01-04 14:24:52 +00:00
ExecStart=sh -x -c '! touch /tmp/thisisasimpletest'
2017-10-12 04:26:39 +00:00
ExecStart=+/bin/sh -c 'rm /tmp/thisisasimpletest'
2017-02-12 05:44:46 +00:00
ReadOnlyPaths=/tmp
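
Added example, not part of the systemd repository or of the commit above: a small audit helper that lists which commands in a unit run without the unit's ReadOnlyPaths=, ProtectHome=, InaccessiblePaths= or ProtectSystem= mounts, because of a "+" prefix or PermissionsStartOnly=. The function name, the sample text and the simplified parsing (no line continuations, no drop-ins, no list resets) are assumptions of this example.

```python
# Added example, not systemd code: report commands that are exempt from the
# permission-related mounts named in the commit message on this page.
RESTRICTIONS = ("ReadOnlyPaths", "ProtectHome", "InaccessiblePaths", "ProtectSystem")
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload",
             "ExecStop", "ExecStopPost")
PREFIX_CHARS = "@-:+!"   # special executable prefixes; only "+" matters here
FALSY = ("", "0", "no", "false", "off")

# Constructed sample: the unit lines shown on this page, without blame data.
SAMPLE_UNIT = """\
[Unit]
Description=Test for ReadOnlyPaths=

[Service]
Type=oneshot
ExecStart=+/bin/sh -c 'touch /tmp/thisisasimpletest'
ExecStart=sh -x -c '! touch /tmp/thisisasimpletest'
ExecStart=+/bin/sh -c 'rm /tmp/thisisasimpletest'
ReadOnlyPaths=/tmp
"""

def audit_unit(text):
    """Return (active restrictions, [(key, command, reason)] for exempt commands)."""
    section, settings, commands = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in EXEC_KEYS:
                commands.append((key, value))
            else:
                settings[key] = value     # last assignment wins (simplification)
    active = [k for k in RESTRICTIONS if settings.get(k, "").lower() not in FALSY]
    start_only = settings.get("PermissionsStartOnly", "").lower() not in FALSY
    exempt = []
    for key, value in commands:
        prefix = value[:len(value) - len(value.lstrip(PREFIX_CHARS))]
        if "+" in prefix:
            exempt.append((key, value, '"+" prefix'))
        elif start_only and key != "ExecStart":
            exempt.append((key, value, "PermissionsStartOnly="))
    return active, (exempt if active else [])
```
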