tests/libpakfire/jail.c

   1 /*#############################################################################
   2 #                                                                             #
   3 # Pakfire - The IPFire package management system                              #
   4 # Copyright (C) 2022 Pakfire development team                                 #
   5 #                                                                             #
   6 # This program is free software: you can redistribute it and/or modify        #
   7 # it under the terms of the GNU General Public License as published by        #
   8 # the Free Software Foundation, either version 3 of the License, or           #
   9 # (at your option) any later version.                                         #
  10 #                                                                             #
  11 # This program is distributed in the hope that it will be useful,             #
  12 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
  13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
  14 # GNU General Public License for more details.                                #
  15 #                                                                             #
  16 # You should have received a copy of the GNU General Public License           #
  17 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
  18 #                                                                             #
  19 #############################################################################*/
  20
  21 #include <sys/mount.h>
  22
  23 #include <pakfire/cgroup.h>
  24 #include <pakfire/jail.h>
  25
  26 #include "../testsuite.h"
  27
  28 static const char* cmd_hello_world[] = {
  29         "/command", "echo", "Hello World!", NULL,
  30 };
  31
  32 static const char* cmd_exhaust_memory[] = {
  33         "/command", "exhaust-memory", NULL,
  34 };
  35
  36 static const char* cmd_fork_bomb[] = {
  37         "/command", "fork-bomb", NULL,
  38 };
  39
  40 static const char* cmd_stat_ownership[] = {
  41         "/command", "stat-ownership", NULL,
  42 };
  43
  44 static int test_create(const struct test* t) {
  45         struct pakfire_jail* jail = NULL;
  46
  47         // Create a new jail
  48         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
  49
  50         // Destroy it
  51         ASSERT_NULL(pakfire_jail_unref(jail));
  52
  53         return EXIT_SUCCESS;
  54
  55 FAIL:
  56         return EXIT_FAILURE;
  57 }
  58
  59 static int test_exit_code(const struct test* t) {
  60         struct pakfire_jail* jail = NULL;
  61         int r = EXIT_FAILURE;
  62
  63         const char* argv[] = {
  64                 "/command", "exit-with-code", "123", NULL,
  65         };
  66
  67         // Create a new jail
  68         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
  69
  70         // Check if we receive the correct exit code
  71         ASSERT(pakfire_jail_exec(jail, argv, NULL, NULL, NULL, 0) == 123);
  72
  73         // Success
  74         r = EXIT_SUCCESS;
  75
  76 FAIL:
  77         if (jail)
  78                 pakfire_jail_unref(jail);
  79
  80         return r;
  81 }
  82
  83 static int test_segv(const struct test* t) {
  84         struct pakfire_jail* jail = NULL;
  85         int r = EXIT_FAILURE;
  86
  87         const char* argv[] = {
  88                 "/command", "segv", NULL,
  89         };
  90
  91         // Create a new jail
  92         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
  93
  94         // Check if we receive the correct exit code
  95         ASSERT(pakfire_jail_exec(jail, argv, NULL, NULL, NULL, 0) == 139);
  96
  97         // Success
  98         r = EXIT_SUCCESS;
  99
 100 FAIL:
 101         if (jail)
 102                 pakfire_jail_unref(jail);
 103
 104         return r;
 105 }
 106
 107 static int test_env(const struct test* t) {
 108         struct pakfire_jail* jail = NULL;
 109
 110         // Create a new jail
 111         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 112
 113         // Check if the default variables are set
 114         ASSERT(pakfire_jail_get_env(jail, "LANG"));
 115         ASSERT(pakfire_jail_get_env(jail, "TERM"));
 116
 117         // Fetch a non-existing environment variable
 118         ASSERT_NULL(pakfire_jail_get_env(jail, "VARIABLE"));
 119
 120         // Set a variable
 121         ASSERT_SUCCESS(pakfire_jail_set_env(jail, "VARIABLE", "VALUE"));
 122
 123         // Read the value back
 124         ASSERT_STRING_EQUALS(pakfire_jail_get_env(jail, "VARIABLE"), "VALUE");
 125
 126         // Destroy it
 127         ASSERT_NULL(pakfire_jail_unref(jail));
 128
 129         return EXIT_SUCCESS;
 130
 131 FAIL:
 132         return EXIT_FAILURE;
 133 }
 134
 135 static int test_exec(const struct test* t) {
 136         struct pakfire_jail* jail = NULL;
 137
 138         // Create a new jail
 139         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 140
 141         // Try to execute something
 142         ASSERT_SUCCESS(pakfire_jail_exec(jail, cmd_hello_world, NULL, NULL, NULL, 0));
 143
 144         // Destroy it
 145         ASSERT_NULL(pakfire_jail_unref(jail));
 146
 147         return EXIT_SUCCESS;
 148
 149 FAIL:
 150         return EXIT_FAILURE;
 151 }
 152
 153 static int test_launch_into_cgroup(const struct test* t) {
 154         struct pakfire_cgroup* cgroup = NULL;
 155         struct pakfire_jail* jail = NULL;
 156         int r = EXIT_FAILURE;
 157
 158         // Create a new cgroup
 159         ASSERT_SUCCESS(pakfire_cgroup_open(&cgroup, t->pakfire, "pakfire-test", 0));
 160
 161         // Create a new jail
 162         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 163
 164         // Connect jail to the cgroup
 165         ASSERT_SUCCESS(pakfire_jail_set_cgroup(jail, cgroup));
 166
 167         // Run command
 168         ASSERT(pakfire_jail_exec(jail, cmd_hello_world, NULL, NULL, NULL, 0) == 0);
 169
 170         r = EXIT_SUCCESS;
 171
 172 FAIL:
 173         if (cgroup) {
 174                 pakfire_cgroup_destroy(cgroup);
 175                 pakfire_cgroup_unref(cgroup);
 176         }
 177         if (jail)
 178                 pakfire_jail_unref(jail);
 179
 180         return r;
 181 }
 182
 183 static int test_nice(const struct test* t) {
 184         struct pakfire_jail* jail = NULL;
 185         char* output = NULL;
 186         int r = EXIT_FAILURE;
 187
 188         const char* argv[] = {
 189                 "/command", "print-nice", NULL,
 190         };
 191
 192         // Create a new jail
 193         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 194
 195         // Set invalid nice levels
 196         ASSERT_ERRNO(pakfire_jail_nice(jail,  100), EINVAL);
 197         ASSERT_ERRNO(pakfire_jail_nice(jail, -100), EINVAL);
 198
 199         // Set something sane
 200         ASSERT_SUCCESS(pakfire_jail_nice(jail, 5));
 201
 202         // Check if the nice level has been set
 203         ASSERT_SUCCESS(pakfire_jail_exec(jail, argv,
 204                 NULL, pakfire_jail_capture_stdout, &output, 0));
 205         ASSERT_STRING_EQUALS(output, "5\n");
 206
 207         // Success
 208         r = EXIT_SUCCESS;
 209
 210 FAIL:
 211         if (jail)
 212                 pakfire_jail_unref(jail);
 213         if (output)
 214                 free(output);
 215
 216         return r;
 217 }
 218
 219 static int test_memory_limit(const struct test* t) {
 220         struct pakfire_cgroup* cgroup = NULL;
 221         struct pakfire_jail* jail = NULL;
 222         int r = EXIT_FAILURE;
 223
 224
 225         // Create cgroup
 226         ASSERT_SUCCESS(pakfire_cgroup_open(&cgroup, t->pakfire, "pakfire-test", 0));
 227
 228         // Create jail
 229         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 230
 231         // Connect jail to the cgroup
 232         ASSERT_SUCCESS(pakfire_jail_set_cgroup(jail, cgroup));
 233
 234         // Set a memory limit of 100 MiB
 235         ASSERT_SUCCESS(pakfire_cgroup_set_memory_limit(cgroup, 100 * 1024 * 1024));
 236
 237         // Try to exhaust all memory
 238         ASSERT_FAILURE(pakfire_jail_exec(jail, cmd_exhaust_memory, NULL, NULL, NULL, 0));
 239
 240         // A fork bomb should also exhaust all memory
 241         ASSERT_FAILURE(pakfire_jail_exec(jail, cmd_fork_bomb, NULL, NULL, NULL, 0));
 242
 243         // Success
 244         r = EXIT_SUCCESS;
 245
 246 FAIL:
 247         if (jail)
 248                 pakfire_jail_unref(jail);
 249         if (cgroup) {
 250                 pakfire_cgroup_destroy(cgroup);
 251                 pakfire_cgroup_unref(cgroup);
 252         }
 253
 254         return r;
 255 }
 256
 257 static int test_pid_limit(const struct test* t) {
 258         struct pakfire_cgroup* cgroup = NULL;
 259         struct pakfire_jail* jail = NULL;
 260         int r = EXIT_FAILURE;
 261
 262         // Create cgroup
 263         ASSERT_SUCCESS(pakfire_cgroup_open(&cgroup, t->pakfire, "pakfire-test", 0));
 264
 265         // Create jail
 266         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 267
 268         // Connect jail to the cgroup
 269         ASSERT_SUCCESS(pakfire_jail_set_cgroup(jail, cgroup));
 270
 271         // Set a PID limit of 100 processes
 272         ASSERT_SUCCESS(pakfire_cgroup_set_pid_limit(cgroup, 100));
 273
 274         // Try to fork as many processes as possible
 275         ASSERT_FAILURE(pakfire_jail_exec(jail, cmd_fork_bomb, NULL, NULL, NULL, 0));
 276
 277         // Success
 278         r = EXIT_SUCCESS;
 279
 280 FAIL:
 281         if (jail)
 282                 pakfire_jail_unref(jail);
 283         if (cgroup) {
 284                 pakfire_cgroup_destroy(cgroup);
 285                 pakfire_cgroup_unref(cgroup);
 286         }
 287
 288         return r;
 289 }
 290
 291 static int test_file_ownership(const struct test* t) {
 292         int r = EXIT_FAILURE;
 293         char* output = NULL;
 294
 295         // Execute a simple command
 296         ASSERT_SUCCESS(pakfire_jail_run(t->pakfire, cmd_stat_ownership, 0, &output));
 297
 298         // Check if the file has been mapped to root/root
 299         ASSERT_STRING_EQUALS(output, "uid=0 gid=0\n");
 300
 301         // Success
 302         r = EXIT_SUCCESS;
 303
 304 FAIL:
 305         if (output)
 306                 free(output);
 307
 308         return r;
 309 }
 310
 311 static int test_bind(const struct test* t) {
 312         struct pakfire_jail* jail = NULL;
 313         char* output = NULL;
 314         int r = EXIT_FAILURE;
 315
 316         const char* source = "/";
 317         const char* target = "/oldroot";
 318
 319         const char* argv[] = {
 320                 "/command", "check-mountpoint", target, NULL,
 321         };
 322
 323         // Create a new jail
 324         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 325
 326         // Bind-mount nonsense
 327         ASSERT_ERRNO(pakfire_jail_bind(jail, NULL, target, 0), EINVAL);
 328         ASSERT_ERRNO(pakfire_jail_bind(jail, source, NULL, 0), EINVAL);
 329
 330         // Bind-mount something
 331         ASSERT_SUCCESS(pakfire_jail_bind(jail, source, target, MS_RDONLY));
 332
 333         // Check if the mount actually works
 334         ASSERT_SUCCESS(pakfire_jail_exec(jail, argv, NULL, NULL, NULL, 0));
 335
 336         // Success
 337         r = EXIT_SUCCESS;
 338
 339 FAIL:
 340         if (jail)
 341                 pakfire_jail_unref(jail);
 342
 343         return r;
 344 }
 345
 346 static int callback_stdin(struct pakfire* pakfire, void* data, int fd) {
 347         int* lines = (int*)data;
 348         int r;
 349
 350         while (*lines > 0) {
 351                 r = dprintf(fd, "LINE %d\n", *lines);
 352                 if (r < 0) {
 353                         LOG_ERROR("Could not write line (%u) to stdin: %m\n", *lines);
 354
 355                         return 1;
 356                 }
 357
 358                 // Decrement the lines counter
 359                 (*lines)--;
 360         }
 361
 362         return EOF;
 363 }
 364
 365 static int test_communicate(const struct test* t) {
 366         struct pakfire_jail* jail = NULL;
 367         int r = EXIT_FAILURE;
 368
 369         // How many lines to send?
 370         int lines = 65535;
 371
 372         const char* argv[] = {
 373                 "/command", "pipe", NULL,
 374         };
 375
 376         // Create a new jail
 377         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 378
 379         // Check if the mount actually works
 380         ASSERT_SUCCESS(pakfire_jail_exec(jail, argv, callback_stdin, NULL, &lines, 0));
 381
 382         // Success
 383         r = EXIT_SUCCESS;
 384
 385 FAIL:
 386         if (jail)
 387                 pakfire_jail_unref(jail);
 388
 389         return r;
 390 }
 391
 392 static int test_send_one_signal(const struct test* t,
 393                 struct pakfire_jail* jail, const char* signal) {
 394         const char* argv[] = {
 395                 "/command", "send-signal", signal, NULL,
 396         };
 397
 398         // Perform the command
 399         return pakfire_jail_exec(jail, argv, NULL, NULL, NULL, 0);
 400 }
 401
 402 static int test_send_signal(const struct test* t) {
 403         struct pakfire_jail* jail = NULL;
 404         int r = EXIT_FAILURE;
 405
 406         // Create a new jail
 407         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 408
 409         // Sending SIGTERM to ourselves
 410         ASSERT(test_send_one_signal(t, jail, "15") == 0);
 411
 412         // Sending SIGKILL to ourselves
 413         ASSERT(test_send_one_signal(t, jail, "9") == 0);
 414
 415         // Sending SIGSTOP to ourselves (this should be ignored by the jail)
 416         ASSERT(test_send_one_signal(t, jail, "23") == 0);
 417
 418         // Success
 419         r = EXIT_SUCCESS;
 420
 421 FAIL:
 422         if (jail)
 423                 pakfire_jail_unref(jail);
 424
 425         return r;
 426 }
 427
 428 static int test_timeout(const struct test* t) {
 429         struct pakfire_jail* jail = NULL;
 430         int r = EXIT_FAILURE;
 431
 432         const char* argv[] = {
 433                 "/command", "sleep", "5", NULL,
 434         };
 435
 436         // Create a new jail
 437         ASSERT_SUCCESS(pakfire_jail_create(&jail, t->pakfire));
 438
 439         // Set a timeout of one second
 440         ASSERT_SUCCESS(pakfire_jail_set_timeout(jail, 1));
 441
 442         // Check if we receive the correct exit code
 443         ASSERT(pakfire_jail_exec(jail, argv, NULL, NULL, NULL, 0) == 139);
 444
 445         // Success
 446         r = EXIT_SUCCESS;
 447
 448 FAIL:
 449         if (jail)
 450                 pakfire_jail_unref(jail);
 451
 452         return r;
 453 }
 454
 455 int main(int argc, const char* argv[]) {
 456         testsuite_add_test(test_create, TEST_WANTS_PAKFIRE);
 457         testsuite_add_test(test_exit_code, TEST_WANTS_PAKFIRE);
 458         testsuite_add_test(test_segv, TEST_WANTS_PAKFIRE);
 459         testsuite_add_test(test_env, TEST_WANTS_PAKFIRE);
 460         testsuite_add_test(test_exec, TEST_WANTS_PAKFIRE);
 461         testsuite_add_test(test_launch_into_cgroup, TEST_WANTS_PAKFIRE);
 462         testsuite_add_test(test_nice, TEST_WANTS_PAKFIRE);
 463         testsuite_add_test(test_memory_limit, TEST_WANTS_PAKFIRE);
 464         testsuite_add_test(test_pid_limit, TEST_WANTS_PAKFIRE);
 465         testsuite_add_test(test_file_ownership, TEST_WANTS_PAKFIRE);
 466         testsuite_add_test(test_bind, TEST_WANTS_PAKFIRE);
 467         testsuite_add_test(test_communicate, TEST_WANTS_PAKFIRE);
 468         testsuite_add_test(test_send_signal, TEST_WANTS_PAKFIRE);
 469         testsuite_add_test(test_timeout, TEST_WANTS_PAKFIRE);
 470
 471         return testsuite_run(argc, argv);
 472 }