#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
+#include "missing_magic.h"
#include "missing_mount.h"
#include "mkdir.h"
#include "mount-util.h"
#include "namespace-util.h"
#include "path-util.h"
#include "process-util.h"
+#include "random-util.h"
#include "rm-rf.h"
+#include "stat-util.h"
#include "string-util.h"
#include "strv.h"
#include "tests.h"
#include "tmpfile-util.h"
+TEST(remount_and_move_sub_mounts) {
+ int r;
+
+ if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0)
+ return (void) log_tests_skipped("not running privileged");
+
+ r = safe_fork("(remount-and-move-sub-mounts)",
+ FORK_RESET_SIGNALS |
+ FORK_CLOSE_ALL_FDS |
+ FORK_DEATHSIG |
+ FORK_WAIT |
+ FORK_REOPEN_LOG |
+ FORK_LOG |
+ FORK_NEW_MOUNTNS |
+ FORK_MOUNTNS_SLAVE,
+ NULL);
+ assert_se(r >= 0);
+ if (r == 0) {
+ _cleanup_free_ char *d = NULL, *fn = NULL;
+
+ assert_se(mkdtemp_malloc(NULL, &d) >= 0);
+
+ assert_se(mount_nofollow_verbose(LOG_DEBUG, "tmpfs", d, "tmpfs", MS_NOSUID|MS_NODEV, NULL) >= 0);
+
+ assert_se(fn = path_join(d, "memo"));
+ assert_se(write_string_file(fn, d, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0);
+ assert_se(access(fn, F_OK) >= 0);
+
+ /* Create fs tree */
+ FOREACH_STRING(p, "sub1", "sub1/hoge", "sub1/foo", "sub2", "sub2/aaa", "sub2/bbb") {
+ _cleanup_free_ char *where = NULL, *filename = NULL;
+
+ assert_se(where = path_join(d, p));
+ assert_se(mkdir_p(where, 0755) >= 0);
+ assert_se(mount_nofollow_verbose(LOG_DEBUG, "tmpfs", where, "tmpfs", MS_NOSUID|MS_NODEV, NULL) >= 0);
+
+ assert_se(filename = path_join(where, "memo"));
+ assert_se(write_string_file(filename, where, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0);
+ assert_se(access(filename, F_OK) >= 0);
+ }
+
+ /* Hide sub1. */
+ FOREACH_STRING(p, "sub1", "sub1/hogehoge", "sub1/foofoo") {
+ _cleanup_free_ char *where = NULL, *filename = NULL;
+
+ assert_se(where = path_join(d, p));
+ assert_se(mkdir_p(where, 0755) >= 0);
+ assert_se(mount_nofollow_verbose(LOG_DEBUG, "tmpfs", where, "tmpfs", MS_NOSUID|MS_NODEV, NULL) >= 0);
+
+ assert_se(filename = path_join(where, "memo"));
+ assert_se(write_string_file(filename, where, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0);
+ assert_se(access(filename, F_OK) >= 0);
+ }
+
+ /* Remount the main fs. */
+ r = remount_and_move_sub_mounts("tmpfs", d, "tmpfs", MS_NOSUID|MS_NODEV, NULL);
+ if (r == -EINVAL || (r < 0 && ERRNO_IS_NOT_SUPPORTED(r))) {
+ log_tests_skipped_errno(r, "The kernel seems too old: %m");
+ _exit(EXIT_SUCCESS);
+ }
+
+ /* Check the file in the main fs does not exist. */
+ assert_se(access(fn, F_OK) < 0 && errno == ENOENT);
+
+ /* Check the files in sub-mounts are kept. */
+ FOREACH_STRING(p, "sub1", "sub1/hogehoge", "sub1/foofoo", "sub2", "sub2/aaa", "sub2/bbb") {
+ _cleanup_free_ char *where = NULL, *filename = NULL, *content = NULL;
+
+ assert_se(where = path_join(d, p));
+ assert_se(filename = path_join(where, "memo"));
+ assert_se(read_full_file(filename, &content, NULL) >= 0);
+ assert_se(streq(content, where));
+ }
+
+ /* umount sub1, and check if the previously hidden sub-mounts are dropped. */
+ FOREACH_STRING(p, "sub1/hoge", "sub1/foo") {
+ _cleanup_free_ char *where = NULL;
+
+ assert_se(where = path_join(d, p));
+ assert_se(access(where, F_OK) < 0 && errno == ENOENT);
+ }
+
+ _exit(EXIT_SUCCESS);
+ }
+}
+
+TEST(remount_sysfs) {
+ int r;
+
+ if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0)
+ return (void) log_tests_skipped("not running privileged");
+
+ if (path_is_fs_type("/sys", SYSFS_MAGIC) <= 0)
+ return (void) log_tests_skipped("sysfs is not mounted on /sys");
+
+ if (access("/sys/class/net/dummy-test-mnt", F_OK) < 0)
+ return (void) log_tests_skipped_errno(errno, "The network interface dummy-test-mnt does not exit");
+
+ r = safe_fork("(remount-sysfs)",
+ FORK_RESET_SIGNALS |
+ FORK_CLOSE_ALL_FDS |
+ FORK_DEATHSIG |
+ FORK_WAIT |
+ FORK_REOPEN_LOG |
+ FORK_LOG |
+ FORK_NEW_MOUNTNS |
+ FORK_MOUNTNS_SLAVE,
+ NULL);
+ assert_se(r >= 0);
+ if (r == 0) {
+ assert_se(unshare(CLONE_NEWNET) >= 0);
+
+ /* Even unshare()ed, the interfaces in the main namespace can be accessed through sysfs. */
+ assert_se(access("/sys/class/net/lo", F_OK) >= 0);
+ assert_se(access("/sys/class/net/dummy-test-mnt", F_OK) >= 0);
+
+ r = remount_sysfs("/sys");
+ if (r == -EINVAL || (r < 0 && ERRNO_IS_NOT_SUPPORTED(r))) {
+ log_tests_skipped_errno(r, "The kernel seems too old: %m");
+ _exit(EXIT_SUCCESS);
+ }
+
+ /* After remounting sysfs, the interfaces in the main namespace cannot be accessed. */
+ assert_se(access("/sys/class/net/lo", F_OK) >= 0);
+ assert_se(access("/sys/class/net/dummy-test-mnt", F_OK) < 0 && errno == ENOENT);
+
+ _exit(EXIT_SUCCESS);
+ }
+}
+
TEST(mount_option_mangle) {
char *opts = NULL;
unsigned long f;
assert_se(!(S_IXOTH & st.st_mode));
}
-DEFINE_TEST_MAIN(LOG_DEBUG);
+TEST(make_mount_switch_root) {
+ _cleanup_(rm_rf_physical_and_freep) char *t = NULL;
+ _cleanup_free_ char *s = NULL;
+ int r;
+
+ if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
+ (void) log_tests_skipped("not running privileged");
+ return;
+ }
+
+ assert_se(mkdtemp_malloc(NULL, &t) >= 0);
+
+ assert_se(asprintf(&s, "%s/somerandomname%" PRIu64, t, random_u64()) >= 0);
+ assert_se(s);
+ assert_se(touch(s) >= 0);
+
+ for (int force_ms_move = 0; force_ms_move < 2; force_ms_move++) {
+ r = safe_fork("(switch-root",
+ FORK_RESET_SIGNALS |
+ FORK_CLOSE_ALL_FDS |
+ FORK_DEATHSIG |
+ FORK_WAIT |
+ FORK_REOPEN_LOG |
+ FORK_LOG |
+ FORK_NEW_MOUNTNS |
+ FORK_MOUNTNS_SLAVE,
+ NULL);
+ assert_se(r >= 0);
+
+ if (r == 0) {
+ assert_se(make_mount_point(t) >= 0);
+ assert_se(mount_switch_root_full(t, /* mount_propagation_flag= */ 0, force_ms_move) >= 0);
+
+ assert_se(access(ASSERT_PTR(strrchr(s, '/')), F_OK) >= 0); /* absolute */
+ assert_se(access(ASSERT_PTR(strrchr(s, '/')) + 1, F_OK) >= 0); /* relative */
+ assert_se(access(s, F_OK) < 0 && errno == ENOENT); /* doesn't exist in our new environment */
+
+ _exit(EXIT_SUCCESS);
+ }
+ }
+}
+
+static int intro(void) {
+ /* Create a dummy network interface for testing remount_sysfs(). */
+ (void) system("ip link add dummy-test-mnt type dummy");
+
+ return 0;
+}
+
+static int outro(void) {
+ (void) system("ip link del dummy-test-mnt");
+
+ return 0;
+}
+
+DEFINE_TEST_MAIN_FULL(LOG_DEBUG, intro, outro);