From e720cebf7cce7a6fe7d160ac968c2dc51a5c613a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iago=20L=C3=B3pez=20Galeiras?=
Date: Wed, 20 Sep 2023 11:40:47 +0200
Subject: [PATCH] test-execute: add no_new_privs tests for SystemCallFilter

When starting a service with a non-root user and a SystemCallFilter and other settings (like ProtectClock), the no_new_privs flag should not be set.

Also, test that CapabilityBoundingSet behaves correctly, since we need to preserve some capabilities to do the seccomp filter and restore the ones set by the service before executing.
---
 src/test/test-execute.c | 12 ++++++++++++
 ...ystemcallfilter-nonewprivileges-bounding1.service | 10 ++++++++++
 ...ystemcallfilter-nonewprivileges-bounding2.service | 10 ++++++++++
 ...emcallfilter-nonewprivileges-protectclock.service | 9 +++++++++
 .../exec-systemcallfilter-nonewprivileges.service | 9 +++++++++
 5 files changed, 50 insertions(+)
 create mode 100644 test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service
 create mode 100644 test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service
 create mode 100644 test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service
 create mode 100644 test/test-execute/exec-systemcallfilter-nonewprivileges.service

diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index ab0c4e905dd..64779d0cf2d 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -754,6 +754,18 @@ static void test_exec_systemcallfilter(Manager *m) {
 test(m, "exec-systemcallfilter-with-errno-in-allow-list.service", errno_from_name("EILSEQ"), CLD_EXITED);
 test(m, "exec-systemcallfilter-override-error-action.service", SIGSYS, CLD_KILLED);
 test(m, "exec-systemcallfilter-override-error-action2.service", errno_from_name("EILSEQ"), CLD_EXITED);
+
+ test(m, "exec-systemcallfilter-nonewprivileges.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
+ test(m, "exec-systemcallfilter-nonewprivileges-protectclock.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
+
+ r = find_executable("capsh", NULL);
+ if (r < 0) {
+ log_notice_errno(r, "Skipping %s, could not find capsh binary: %m", __func__);
+ return;
+ }
+
+ test(m, "exec-systemcallfilter-nonewprivileges-bounding1.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
+ test(m, "exec-systemcallfilter-nonewprivileges-bounding2.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_GROUP, CLD_EXITED);
 #endif
 }
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service
new file mode 100644
index 00000000000..8f8192cc943
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding1.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test bounding set is right with SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_net_bind_service"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service
new file mode 100644
index 00000000000..d78c3232bb4
--- /dev/null
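Review bot: The skip message `"Skipping %s, could not find capsh binary: %m"` reads as if all of test_exec_systemcallfilter were skipped, but when `find_executable("capsh", NULL)` fails every test above it in the hunk, including the two new nonewprivileges tests, has already run; only the two bounding-set tests depend on capsh. Suggest `log_notice_errno(r, "Skipping remaining tests in %s, could not find capsh binary: %m", __func__);` so a log reader does not conclude the earlier coverage was lost. A one-line comment above the probe, `/* the bounding-set units run capsh inside the service, so skip them without it */`, would also make the dependency visible without opening the .service files. The function starts outside the hunk, so `r` is assumed to be declared in the earlier part of the body.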
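Review bot: The assertion in `ExecStart=` checks only the bounding set reported by capsh, so the unit still passes if `SystemCallFilter=@system-service` were silently not installed, which is exactly the regression the commit message says the retained capabilities exist to avoid. Consider also asserting filter mode from the process's own status, e.g. `grep -q "^Seccomp:[[:space:]]*2$" /proc/self/status` chained with `&&` ahead of the bounding-set `test`. The same gap applies to the bounding2, protectclock and nonewprivileges units that follow. The expected string is also tied to capsh's exact `Bounding set =` output format; a comment noting that dependency would save the next person a debugging round if capsh changes its print format.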
+++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-bounding2.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test bounding set is right with SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(capsh --print | grep "Bounding set "); test "$$c" = "Bounding set =cap_setpcap,cap_net_bind_service,cap_sys_admin"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service
new file mode 100644
index 00000000000..f33a2a05c4b
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-nonewprivileges-protectclock.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test no_new_privs is unset for ProtectClock and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"'
+Type=oneshot
+User=1
+ProtectClock=yes
diff --git a/test/test-execute/exec-systemcallfilter-nonewprivileges.service b/test/test-execute/exec-systemcallfilter-nonewprivileges.service
new file mode 100644
index 00000000000..8bfd0a79d9a
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-nonewprivileges.service
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test no_new_privs is unset for SystemCallFilter and non-root user
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(cat /proc/self/status | grep "NoNewPrivs: "); test "$$c" = "NoNewPrivs: 0"'
+Type=oneshot
+User=1
+SystemCallFilter=@system-service
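Review bot: The expected capsh string lists `cap_setpcap,cap_net_bind_service,cap_sys_admin` while `CapabilityBoundingSet=` gives `CAP_SYS_ADMIN CAP_SETPCAP CAP_NET_BIND_SERVICE`; the differing order is presumably because capsh prints capabilities in ascending capability number regardless of how the directive lists them, but nothing in the file says so. A comment above `ExecStart=` such as `# capsh --print lists capabilities in numeric order, not in the order given to CapabilityBoundingSet=` would stop a future edit from "fixing" the expected string to match the directive. This is also the unit that deliberately keeps CAP_SYS_ADMIN in the service's own bounding set, the case where the restore path must not drop the capability used to install the filter; saying so in `Description=` would make clear why there are two bounding tests rather than one.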
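Review bot: Both the grep pattern `"NoNewPrivs: "` and the expected value `"NoNewPrivs: 0"` depend on the exact whitespace between field name and value; /proc/self/status separates them with a tab, so if the character after the colon really is a space as rendered here the grep yields an empty `$$c` and the service fails, and if it is a tab the check is fragile against invisible whitespace edits. A whitespace-insensitive form avoids both and drops the `cat | grep` pipeline: `ExecStart=/bin/sh -x -c 'grep -q "^NoNewPrivs:[[:space:]]*0$" /proc/self/status'`. The same applies to the nonewprivileges unit below. Per systemd.exec(5), `ProtectClock=yes` implies both a syscall filter and removal of CAP_SYS_TIME from the bounding set, and this unit verifies neither effect, only that no_new_privs stayed unset.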
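Review bot: Nothing in the unit explains why `NoNewPrivs: 0` is the correct expectation; a reader who knows that unprivileged seccomp normally requires no_new_privs could reasonably flip the expected value to 1 and "fix" the test. Suggest a comment above `ExecStart=`: `# A non-root service with SystemCallFilter= must not get no_new_privs set implicitly: the filter is installed while the needed capability is still held, so NoNewPrivs stays 0 unless NoNewPrivileges= is requested.` That mirrors the commit message's rationale and keeps the property the fixture guards visible in the fixture itself.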