1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4 #include <stdlib.h>
5 #include <unistd.h>
6
7 #include "log.h"
8 #include "namespace.h"
9 #include "tests.h"
10
/* Manual exercise for setup_namespace(): build a sandbox from a fixed set of
 * path lists (plus two environment overrides), then replace this process with
 * an interactive shell inside it so the result can be inspected by hand.
 * Creating the mount namespace needs privileges; the usage text below runs
 * the binary under sudo.
 *
 * Environment:
 *   TEST_NS_CHROOT   - optional root directory the namespace is set up in
 *   TEST_NS_PROJECTS - optional path that replaces the default inaccessible entry
 *
 * Returns 1 on any failure. On success the process image is replaced by
 * /bin/sh and this function never returns. */
int main(int argc, char *argv[]) {
        /* Templates for the private tmp directories; mkdtemp() fills in the
         * XXXXXX suffix in place, so these must be writable arrays. */
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX";
        char var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        /* Paths that remain writable inside the sandbox. The leading "-" on an
         * entry looks like an "ignore if absent" marker; namespace.h is the
         * authority on that. */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        /* Paths remounted read-only. */
        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        /* Paths where execution stays allowed. */
        const char * const exec[] = {
                "/lib",
                "/usr",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        /* Paths remounted noexec. */
        const char * const no_exec[] = {
                "/var",
                NULL
        };

        /* Deliberately not const-qualified: element 0 is replaced below when
         * TEST_NS_PROJECTS is set. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        /* Hardening knobs handed to setup_namespace(); the remaining fields
         * of NamespaceInfo keep their zero/default values. */
        static const NamespaceInfo info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
                .protect_proc = PROTECT_PROC_NOACCESS,
                .proc_subset = PROC_SUBSET_PID,
        };

        test_setup_logging(LOG_DEBUG);

        /* Both private tmp directories must exist before the namespace is built. */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        char *chroot_dir = getenv("TEST_NS_CHROOT");
        char *projects_override = getenv("TEST_NS_PROJECTS");

        if (projects_override)
                inaccessible[0] = projects_override;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (chroot_dir)
                log_info("Chroot: '%s'", chroot_dir);
        else
                log_info("Not chrooted");

        /* The arrays above are const views of string literals; the cast drops
         * the qualifier only to satisfy setup_namespace()'s signature. */
        int rc = setup_namespace(chroot_dir,
                                 NULL,
                                 NULL,
                                 NULL,
                                 &info,
                                 (char **) writable,
                                 (char **) readonly,
                                 (char **) inaccessible,
                                 NULL,
                                 (char **) exec,
                                 (char **) no_exec,
                                 NULL,
                                 /* one read-only bind mount, one tmpfs */
                                 &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                                 &(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
                                 NULL,
                                 0,
                                 NULL,
                                 tmp_dir,
                                 var_tmp_dir,
                                 /* everything else is left unset for this test */
                                 NULL,
                                 NULL,
                                 0,
                                 NULL,
                                 0,
                                 NULL,
                                 NULL,
                                 0,
                                 NULL,
                                 NULL,
                                 NULL,
                                 0,
                                 NULL,
                                 NULL,
                                 NULL,
                                 NULL,
                                 NULL,
                                 NULL,
                                 NULL);
        if (rc < 0) {
                log_error_errno(rc, "Failed to set up namespace: %m");

                log_info("Usage:\n"
                         " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        /* Hand the sandbox to an interactive shell; execl() only returns on error. */
        execl("/bin/sh", "/bin/sh", NULL);
        log_error_errno(errno, "execl(): %m");

        return 1;
}