1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6 ***/
7
8 #include <errno.h>
9 #include <stdlib.h>
10 #include <unistd.h>
11
12 #include "log.h"
13 #include "namespace.h"
14
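/*
 * Manual test driver for setup_namespace().
 *
 * Builds a mount-namespace sandbox from the hard-coded path lists below, then replaces the
 * process with /bin/sh so the resulting view of the file system can be inspected by hand.
 *
 * Environment:
 *   TEST_NS_CHROOT    optional; passed to setup_namespace() as the root directory
 *   TEST_NS_PROJECTS  optional; replaces the default entry of the inaccessible list
 *
 * Returns 1 whenever it returns at all (namespace setup or execl() failed); on success
 * execl() does not return.
 *
 * NOTE(review): the usage text runs this under sudo, and nothing in this function drops
 * privileges or capabilities before the shell starts. Mount-based path protections can
 * generally be undone by a process that is still allowed to mount, so treat the shell as
 * a way to look at the namespace, not as a containment boundary.
 * NOTE(review): both environment variables are used without validation, which is fine
 * for an operator-run test but should not be copied into code that handles untrusted input.
 */
int main(int argc, char *argv[]) {
        /* Paths handed to setup_namespace() as the writable list.
         * NOTE(review): the leading '-' presumably marks an entry that may be absent;
         * confirm against namespace.c. */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        /* Paths handed to setup_namespace() as the read-only list. */
        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        /* Not const-qualified at the element level: slot 0 may be replaced from the
         * environment below. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
        };

        char *root_directory;
        char *projects_directory;
        int r;
        /* mkdtemp() templates; the trailing XXXXXX is rewritten in place. */
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
             var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        log_set_max_level(LOG_DEBUG);

        /* mkdtemp() creates each directory with mode 0700 under an unpredictable name, so
         * the fixed prefix cannot be pre-created by another user. Neither directory is
         * removed by this program, not even when setup_namespace() fails. */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        /* The casts drop const only to match the callee's char** parameters; the string
         * literals must not be written through them. */
        r = setup_namespace(root_directory,
                            NULL,
                            &ns_info,
                            (char **) writable,
                            (char **) readonly,
                            (char **) inaccessible,
                            NULL,
                            /* one read-only bind mount: /usr/bin shown at /etc/systemd */
                            &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                            /* one temporary file system over /var with option "ro" */
                            &(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
                            tmp_dir,
                            var_tmp_dir,
                            PROTECT_HOME_NO,
                            PROTECT_SYSTEM_NO,
                            0,
                            0);
        if (r < 0) {
                log_error_errno(r, "Failed to setup namespace: %m");

                log_info("Usage:\n"
                         "  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         "  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        /* The argument list of a variadic exec*() call must end in a null *pointer*; a bare
         * NULL is only guaranteed to be that if the platform defines it as a pointer, so
         * spell the cast out.
         * NOTE(review): the shell inherits this process's environment and credentials, and
         * "/bin/sh" is resolved after the namespace has been set up. */
        execl("/bin/sh", "/bin/sh", (char *) NULL);
        log_error_errno(errno, "execl(): %m");

        return 1;
}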