git.ipfire.org Git - thirdparty/systemd.git/blob - src/test/test-ns.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4 #include <stdlib.h>
5 #include <unistd.h>
6
7 #include "log.h"
8 #include "namespace.h"
9 #include "tests.h"
10
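/*
 * Manual test driver for setup_namespace().
 *
 * Builds a set of path lists and a NamespaceInfo, creates two private
 * temporary directories, calls setup_namespace() and, on success, replaces
 * the process with /bin/sh so the resulting mount layout can be inspected
 * by hand.
 *
 * Environment:
 *   TEST_NS_CHROOT    optional; passed as the first argument of
 *                     setup_namespace().
 *   TEST_NS_PROJECTS  optional; replaces the default first entry of the
 *                     inaccessible list.
 *
 * Both variables are used exactly as found in the environment, with no
 * validation, and the usage text below runs the binary under sudo. Point
 * them only at trees you control.
 *
 * Returns 1 if setup_namespace() or execl() fails. On success execl() does
 * not return.
 */
int main(int argc, char *argv[]) {
        /* NOTE(review): the leading "-" on some entries is presumably the
         * "ignore if the path is missing" marker — confirm in namespace.h. */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char * const exec[] = {
                "/lib",
                "/usr",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char * const no_exec[] = {
                "/var",
                NULL
        };

        /* Not const-qualified: element 0 is overwritten from TEST_NS_PROJECTS below. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
                .protect_proc = PROTECT_PROC_NOACCESS,
                .proc_subset = PROC_SUBSET_PID,
        };

        char *root_directory;
        char *projects_directory;
        int r;
        /* mkdtemp() templates: the trailing XXXXXX is replaced in place. */
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
             var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        test_setup_logging(LOG_DEBUG);

        /* mkdtemp() creates each directory with mode 0700. Nothing in this
         * function removes them again. */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        /* The argument list is purely positional, so the order below must
         * stay exactly as is. The (char **) and (char *) casts discard const
         * from the lists and string literals.
         * NOTE(review): that relies on setup_namespace() not writing through
         * them — confirm against namespace.h. The meaning of the trailing
         * NULL/0 arguments is defined by that prototype, which is not
         * visible here. */
        r = setup_namespace(root_directory,
                            NULL,
                            NULL,
                            &ns_info,
                            (char **) writable,
                            (char **) readonly,
                            (char **) inaccessible,
                            (char **) exec,
                            (char **) no_exec,
                            NULL,
                            &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                            &(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
                            NULL,
                            0,
                            tmp_dir,
                            var_tmp_dir,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            NULL,
                            0,
                            NULL);
        if (r < 0) {
                log_error_errno(r, "Failed to set up namespace: %m");

                log_info("Usage:\n"
                         " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        /* The terminator of a variadic exec*() argument list must have
         * pointer type. A bare NULL may expand to an integer constant on some
         * implementations, so cast it explicitly. */
        execl("/bin/sh", "/bin/sh", (char *) NULL);

        /* Reached only if execl() failed. */
        log_error_errno(errno, "execl(): %m");

        return 1;
}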