53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
15ae422b | 2 | |
dccca82b | 3 | #include <errno.h> |
15ae422b | 4 | #include <stdlib.h> |
15ae422b | 5 | #include <unistd.h> |
15ae422b | 6 | |
15ae422b | 7 | #include "log.h" |
cf0fbc49 | 8 | #include "namespace.h" |
6d7c4033 | 9 | #include "tests.h" |
10 | |
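/* Manual test driver for setup_namespace(): builds a mount namespace from a
 * fixed set of writable / read-only / inaccessible paths plus one bind mount
 * and one tmpfs, then execs an interactive shell inside it so the result can
 * be inspected by hand.
 *
 * Must run as root (the namespace code mounts file systems). Two environment
 * variables steer the run:
 *   TEST_NS_CHROOT   - optional root directory to set the namespace up in
 *   TEST_NS_PROJECTS - directory to make inaccessible (default: see below)
 * Both are used verbatim. This is a developer tool that is started
 * deliberately by a privileged user; it is not meant to be reachable by
 * untrusted callers, which is why no validation of these paths is done.
 *
 * Returns 1 on any failure. On success it does not return: the process image
 * is replaced by /bin/sh. */
int main(int argc, char *argv[]) {
        /* Paths that stay writable. A leading "-" marks an optional entry
         * that need not exist. The nested entry is expected to be masked
         * by the inaccessible list below. */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        /* Paths that become read-only. "/" and "/usr" are left out on
         * purpose; the lib64 entries are optional since not every
         * distribution has them. */
        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        /* Paths hidden completely. Slot 0 may be overridden via
         * TEST_NS_PROJECTS, hence this array is not const. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        /* Hardening knobs passed through to setup_namespace(). */
        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
        };

        char *root_directory;
        char *projects_directory;
        int r;
        /* mkdtemp() templates; the XXXXXX part is rewritten in place. */
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
             var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        test_setup_logging(LOG_DEBUG);

        /* Backing directories for the private /tmp and /var/tmp of the
         * namespace. assert_se() aborts the test if they cannot be made. */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        r = setup_namespace(root_directory,
                            NULL,
                            &ns_info,
                            (char **) writable,
                            (char **) readonly,
                            (char **) inaccessible,
                            NULL,
                            /* one read-only bind mount: /usr/bin appears at /etc/systemd */
                            &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                            /* one read-only tmpfs covering /var */
                            &(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
                            tmp_dir,
                            var_tmp_dir,
                            PROTECT_HOME_NO,
                            PROTECT_SYSTEM_NO,
                            0,
                            0);
        if (r < 0) {
                log_error_errno(r, "Failed to setup namespace: %m");

                log_info("Usage:\n"
                         "  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         "  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                /* Don't leave the empty backing directories behind in /tmp
                 * and /var/tmp. Best effort: if setup_namespace() already
                 * mounted on top of them, rmdir() fails harmlessly (EBUSY). */
                (void) rmdir(tmp_dir);
                (void) rmdir(var_tmp_dir);
                return 1;
        }

        /* Hand over to an interactive shell inside the new namespace. The
         * caller's environment is inherited unchanged, which is acceptable
         * for a tool a developer runs on purpose. The argv terminator is
         * cast explicitly: in a variadic call a bare NULL is not guaranteed
         * to have pointer type (POSIX requires (char *) NULL here). */
        execl("/bin/sh", "/bin/sh", (char *) NULL);
        log_error_errno(errno, "execl(): %m");

        /* Best effort only: at this point we are inside the namespace and
         * these paths are usually hidden behind the new /tmp and /var/tmp
         * mounts, so rmdir() typically fails with ENOENT; nothing to do then. */
        (void) rmdir(tmp_dir);
        (void) rmdir(var_tmp_dir);
        return 1;
}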