systemd/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service

# SPDX-License-Identifier: LGPL-2.1-or-later
[Unit]
Description=Test no_new_privs is unset for ProtectClock and non-root user

[Service]
ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs:	"); test "$$c" = "NoNewPrivs:	0"'
Type=oneshot
User=1
ProtectClock=yes
test-execute: add no_new_privs tests for SystemCallFilter When starting a service with a non-root user and a SystemCallFilter and other settings (like ProtectClock), the no_new_privs flag should not be set. Also, test that CapabilityBoundingSet behaves correctly, since we need to preserve some capabilities to do the seccomp filter and restore the ones set by the service before executing. 2023-09-20 09:40:47 +00:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
			`[Unit]`
			`Description=Test no_new_privs is unset for ProtectClock and non-root user`

			`[Service]`
			`ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status \| grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"'`
			`Type=oneshot`
			`User=1`
			`ProtectClock=yes`