git.ipfire.org Git - thirdparty/systemd.git/blame - src/test/test-ns.c
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
15ae422b 2
dccca82b 3#include <errno.h>
15ae422b 4#include <stdlib.h>
15ae422b 5#include <unistd.h>
15ae422b 6
15ae422b 7#include "log.h"
cf0fbc49 8#include "namespace.h"
6d7c4033 9#include "tests.h"
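/*
 * Manual test driver for setup_namespace().
 *
 * Builds fixed lists of writable, read-only and inaccessible paths, creates
 * two private temporary directories, calls setup_namespace() and, on success,
 * replaces the process with /bin/sh so the resulting mount view can be
 * inspected by hand.
 *
 * Two environment variables change the run:
 *   TEST_NS_CHROOT    passed as the first argument of setup_namespace()
 *   TEST_NS_PROJECTS  replaces the default inaccessible directory
 *
 * Both values go to setup_namespace() unvalidated, and the usage text below
 * shows the binary being started through sudo, so the shell spawned at the
 * end runs with whatever privileges the caller gave the test. Treat this as
 * an interactive developer tool, not something to run unattended.
 *
 * Returns 1 if the namespace cannot be set up or the shell cannot be
 * executed; on success execl() does not return.
 */
int main(int argc, char *argv[]) {
        /* NOTE(review): the leading '-' on some entries looks like an
         * "ignore if missing" marker interpreted by setup_namespace();
         * confirm against namespace.h. */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        /* Not const-qualified: slot 0 is overwritten from TEST_NS_PROJECTS below. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
                .protect_proc = PROTECT_PROC_NOACCESS,
                .proc_subset = PROC_SUBSET_PID,
        };

        char *root_directory;
        char *projects_directory;
        int r;
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
                var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        test_setup_logging(LOG_DEBUG);

        /* mkdtemp() fills in the XXXXXX suffix in place and creates the
         * directory; the resulting names are handed to setup_namespace(). */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        /* The argument list is purely positional; the meaning of the slots
         * left NULL/0 is defined by the setup_namespace() prototype in
         * namespace.h, which is not visible here. The casts drop const from
         * the path tables to match the parameter types. */
        r = setup_namespace(root_directory,
                            NULL,
                            NULL,
                            &ns_info,
                            (char **) writable,
                            (char **) readonly,
                            (char **) inaccessible,
                            NULL,
                            &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                            &(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
                            NULL,
                            0,
                            tmp_dir,
                            var_tmp_dir,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            0,
                            NULL);
        if (r < 0) {
                log_error_errno(r, "Failed to set up namespace: %m");

                log_info("Usage:\n"
                         "  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         "  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        /* The terminator of a variadic exec*() argument list must have type
         * char *; a bare NULL may expand to a plain integer constant, so
         * cast it explicitly. */
        execl("/bin/sh", "/bin/sh", (char *) NULL);

        /* Only reached if execl() failed. */
        log_error_errno(errno, "execl(): %m");

        return 1;
}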