1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 Copyright 2010 Lennart Poettering
4 ***/
5
6 #include <errno.h>
7 #include <stdlib.h>
8 #include <unistd.h>
9
10 #include "log.h"
11 #include "namespace.h"
12
/*
 * Manual test for setup_namespace(): builds a mount namespace from the fixed
 * path lists below and then replaces this process with /bin/sh so the result
 * can be inspected by hand.
 *
 * Environment:
 *   TEST_NS_CHROOT    if set, passed to setup_namespace() as the root directory
 *   TEST_NS_PROJECTS  if set, replaces the default inaccessible path
 *
 * Returns 1 when the namespace cannot be set up or the shell cannot be
 * executed. On success execl() does not return.
 *
 * NOTE(review):
 *  - Both environment variables are used as paths without any validation. The
 *    usage text below runs the binary through sudo, so treat them as
 *    operator-supplied input to a privileged process.
 *  - Nothing in this function changes credentials before execl(), so the
 *    shell keeps the caller's privileges; only the restrictions applied by
 *    setup_namespace() stand between it and the host.
 *  - The two mkdtemp() directories are not removed on any path out of this
 *    function.
 */
int main(int argc, char *argv[]) {
        /* Requested protections; what each flag does is defined in namespace.h (not shown here). */
        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
        };

        /* NOTE(review): the leading "-" presumably marks a path that may be missing
         * (systemd path-list convention) - confirm in setup_namespace(). */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        /* Not const-qualified: slot 0 may be overwritten from TEST_NS_PROJECTS below. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        /* mkdtemp() templates; the XXXXXX suffix is replaced in place. */
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX";
        char var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        char *chroot_path;
        char *projects_override;
        int rc;

        log_set_max_level(LOG_DEBUG);

        /* mkdtemp() creates each directory atomically under an unpredictable name. */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        chroot_path = getenv("TEST_NS_CHROOT");
        projects_override = getenv("TEST_NS_PROJECTS");

        if (projects_override)
                inaccessible[0] = projects_override;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (!chroot_path)
                log_info("Not chrooted");
        else
                log_info("Chroot: '%s'", chroot_path);

        /* Argument roles come from the setup_namespace() declaration in namespace.h,
         * which is not part of this file. The const-qualified lists are cast to
         * (char **) to match that prototype; this code assumes the callee does not
         * write through them. */
        rc = setup_namespace(chroot_path,
                             NULL,
                             &ns_info,
                             (char **) writable,
                             (char **) readonly,
                             (char **) inaccessible,
                             NULL,
                             &(BindMount) {
                                     .source = (char*) "/usr/bin",
                                     .destination = (char*) "/etc/systemd",
                                     .read_only = true
                             }, 1,
                             &(TemporaryFileSystem) {
                                     .path = (char*) "/var",
                                     .options = (char*) "ro"
                             }, 1,
                             tmp_dir,
                             var_tmp_dir,
                             PROTECT_HOME_NO,
                             PROTECT_SYSTEM_NO,
                             0,
                             0);
        if (rc >= 0) {
                /* Only reached past this line if the exec itself failed. */
                execl("/bin/sh", "/bin/sh", NULL);
                log_error_errno(errno, "execl(): %m");

                return 1;
        }

        log_error_errno(rc, "Failed to setup namespace: %m");

        log_info("Usage:\n"
                 " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                 " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

        return 1;
}