[thirdparty/systemd.git] / src / test / test-ns.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

#include "log.h"
#include "namespace.h"
#include "tests.h"

int main(int argc, char *argv[]) {
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char * const exec[] = {
                "/lib",
                "/usr",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char * const no_exec[] = {
                "/var",
                NULL
        };

        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
                .protect_proc = PROTECT_PROC_NOACCESS,
                .proc_subset = PROC_SUBSET_PID,
        };

        char *root_directory;
        char *projects_directory;
        int r;
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
             var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        test_setup_logging(LOG_DEBUG);

        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        r = setup_namespace(root_directory,
                            NULL,
                            NULL,
                            NULL,
                            &ns_info,
                            (char **) writable,
                            (char **) readonly,
                            (char **) inaccessible,
                            NULL,
                            (char **) exec,
                            (char **) no_exec,
                            NULL,
                            &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                            &(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
                            NULL,
                            0,
                            NULL,
                            tmp_dir,
                            var_tmp_dir,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            NULL,
                            0,
                            NULL,
                            NULL,
                            NULL,
                            NULL,
                            NULL,
                            NULL,
                            NULL);
        if (r < 0) {
                log_error_errno(r, "Failed to set up namespace: %m");

                log_info("Usage:\n"
                         "  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         "  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        execl("/bin/sh", "/bin/sh", NULL);
        log_error_errno(errno, "execl(): %m");

        return 1;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
15ae422b	2
dccca82b	3	#include <errno.h>
15ae422b	4	#include <stdlib.h>
15ae422b	5	#include <unistd.h>
15ae422b	6
15ae422b	7	#include "log.h"
cf0fbc49	8	#include "namespace.h"
6d7c4033	9	#include "tests.h"
15ae422b LP	10
	11	int main(int argc, char *argv[]) {
	12	const char * const writable[] = {
	13	"/home",
d944dc95	14	"-/home/lennart/projects/foobar", /* this should be masked automatically */
15ae422b LP	15	NULL
	16	};
	17
ac0930c8	18	const char * const readonly[] = {
d944dc95 LP	19	/* "/", */
d944dc95 LP	20	/* "/usr", */
5dcfe57b	21	"/boot",
d944dc95 LP	22	"/lib",
	23	"/usr/lib",
	24	"-/lib64",
	25	"-/usr/lib64",
15ae422b LP	26	NULL
	27	};
	28
ddc155b2 TM	29	const char * const exec[] = {
	30	"/lib",
	31	"/usr",
	32	"-/lib64",
	33	"-/usr/lib64",
	34	NULL
	35	};
	36
	37	const char * const no_exec[] = {
	38	"/var",
	39	NULL
	40	};
	41
ee818b89	42	const char *inaccessible[] = {
15ae422b LP	43	"/home/lennart/projects",
	44	NULL
	45	};
c575770b	46
bb0ff3fb	47	static const NamespaceInfo ns_info = {
c575770b DH	48	.private_dev = true,
	49	.protect_control_groups = true,
	50	.protect_kernel_tunables = true,
	51	.protect_kernel_modules = true,
4e399953 LP	52	.protect_proc = PROTECT_PROC_NOACCESS,
4e399953 LP	53	.proc_subset = PROC_SUBSET_PID,
c575770b DH	54	};
c575770b DH	55
ee818b89 AC	56	char *root_directory;
ee818b89 AC	57	char *projects_directory;
15ae422b	58	int r;
c17ec25e MS	59	char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
c17ec25e MS	60	var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";
15ae422b	61
6d7c4033	62	test_setup_logging(LOG_DEBUG);
fe3c2583	63
c17ec25e MS	64	assert_se(mkdtemp(tmp_dir));
	65	assert_se(mkdtemp(var_tmp_dir));
	66
ee818b89 AC	67	root_directory = getenv("TEST_NS_CHROOT");
	68	projects_directory = getenv("TEST_NS_PROJECTS");
	69
	70	if (projects_directory)
	71	inaccessible[0] = projects_directory;
	72
	73	log_info("Inaccessible directory: '%s'", inaccessible[0]);
	74	if (root_directory)
	75	log_info("Chroot: '%s'", root_directory);
	76	else
	77	log_info("Not chrooted");
	78
	79	r = setup_namespace(root_directory,
84be0c71	80	NULL,
18d73705	81	NULL,
915e6d16	82	NULL,
c575770b	83	&ns_info,
ee818b89	84	(char **) writable,
c17ec25e MS	85	(char **) readonly,
c17ec25e MS	86	(char **) inaccessible,
df61e79a	87	NULL,
ddc155b2 TM	88	(char **) exec,
ddc155b2 TM	89	(char **) no_exec,
6c47cd7d	90	NULL,
d2d6c096	91	&(BindMount) { .source = (char) "/usr/bin", .destination = (char) "/etc/systemd", .read_only = true }, 1,
2abd4e38	92	&(TemporaryFileSystem) { .path = (char) "/var", .options = (char) "ro" }, 1,
b3d13314 LB	93	NULL,
b3d13314 LB	94	0,
84be0c71	95	NULL,
c17ec25e MS	96	tmp_dir,
c17ec25e MS	97	var_tmp_dir,
91dd5f7c	98	NULL,
bbb4e7f3	99	NULL,
915e6d16	100	0,
0389f4fa LB	101	NULL,
	102	0,
	103	NULL,
	104	NULL,
7cc5ef5f	105	0,
d4d55b0d LB	106	NULL,
d4d55b0d LB	107	NULL,
5e8deb94	108	NULL,
93f59701 LB	109	0,
93f59701 LB	110	NULL,
5e8deb94	111	NULL,
3bdc25a4	112	NULL,
a07b9926	113	NULL,
24759d8f	114	NULL,
84be0c71	115	NULL,
7cc5ef5f	116	NULL);
ac0930c8	117	if (r < 0) {
105a1a36	118	log_error_errno(r, "Failed to set up namespace: %m");
ee818b89 AC	119
	120	log_info("Usage:\n"
	121	" sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
	122	" sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");
	123
15ae422b LP	124	return 1;
	125	}
	126
	127	execl("/bin/sh", "/bin/sh", NULL);
56f64d95	128	log_error_errno(errno, "execl(): %m");
15ae422b LP	129
	130	return 1;
	131	}