author | Pierre Bourdon <delroth@gmail.com> | 2023-08-24 08:35:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-24 08:35:11 +0200 |
commit | 4428f3a79a9319925a4111f1ee20b3147761e2ec (patch) | |
tree | 95048e06e205a54c48392a9ac6ed359c8f635883 /nixos/tests/wrappers.nix | |
parent | 64d0bc674f61e3ca5601a9da9f8aa087ea702353 (diff) |
Revert "nixos/security/wrappers: simplifications and a fix for #98863"
Diffstat (limited to 'nixos/tests/wrappers.nix')
-rw-r--r-- | nixos/tests/wrappers.nix | 11 |
1 files changed, 0 insertions, 11 deletions
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
index 1f5f43286384c..391e9b42b45bd 100644
--- a/nixos/tests/wrappers.nix
+++ b/nixos/tests/wrappers.nix
@@ -84,17 +84,6 @@ in
 test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0')
 test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0')
- # Test that in nonewprivs environment the wrappers simply exec their target.
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -u', '${toString userUid}')
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}')
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}')
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}')
-
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}')
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}')
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -g', '${toString usersGid}')
- test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
-
- # We are only testing the permitted set, because it's easiest to look at with capsh.
 machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN'))
 machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN')) |