/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

#include "log.h"
#include "namespace.h"
#include "tests.h"

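/*
 * Manual test driver for setup_namespace().
 *
 * Builds a NamespaceParameters from the fixed path tables below, applies it
 * to the current process, and on success replaces the process image with
 * /bin/sh (presumably so the resulting file system view can be inspected
 * interactively).
 *
 * Environment:
 *   TEST_NS_CHROOT    if set, passed through as .root_directory.
 *   TEST_NS_PROJECTS  if set, replaces the default inaccessible path.
 * Both values are used exactly as given, with no validation. The usage text
 * printed on failure runs the test under sudo, so they must come from a
 * trusted invocation.
 *
 * Returns 1 if setup_namespace() or execl() fails; does not return on success.
 */
int main(int argc, char *argv[]) {
        /* NOTE(review): in the tables below a leading '-' presumably marks an
         * entry that is allowed to be missing, as in systemd's path-list
         * settings; confirm against namespace.c. */
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char * const exec[] = {
                "/lib",
                "/usr",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char * const no_exec[] = {
                "/var",
                NULL
        };

        /* Not "const char * const": slot 0 is overwritten below when
         * TEST_NS_PROJECTS is set. */
        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        /* The (char*) casts drop const from string literals, presumably to fit
         * non-const struct fields; the strings must never be written to. */
        static const BindMount bind_mount = {
                .source = (char*) "/usr/bin",
                .destination = (char*) "/etc/systemd",
                .read_only = true,
        };

        static const TemporaryFileSystem tmpfs = {
                .path = (char*) "/var",
                .options = (char*) "ro",
        };

        char *root_directory;
        char *projects_directory;
        int r;
        /* Writable arrays, not literals: mkdtemp() rewrites the XXXXXX suffix in place. */
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
                var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        test_setup_logging(LOG_DEBUG);

        /* NOTE(review): these two directories are never removed by this
         * function, on either failure path or after the shell exits. */
        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        /* Caller-controlled and unvalidated; see the header comment. */
        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        NamespaceParameters p = {
                .runtime_scope = RUNTIME_SCOPE_SYSTEM,

                .root_directory = root_directory,

                .read_write_paths = (char**) writable,
                .read_only_paths = (char**) readonly,
                .inaccessible_paths = (char**) inaccessible,

                .exec_paths = (char**) exec,
                .no_exec_paths = (char**) no_exec,

                .tmp_dir = tmp_dir,
                .var_tmp_dir = var_tmp_dir,

                .bind_mounts = &bind_mount,
                .n_bind_mounts = 1,

                .temporary_filesystems = &tmpfs,
                .n_temporary_filesystems = 1,

                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
                .protect_proc = PROTECT_PROC_NOACCESS,
                .proc_subset = PROC_SUBSET_PID,
        };

        r = setup_namespace(&p, NULL);
        if (r < 0) {
                log_error_errno(r, "Failed to set up namespace: %m");

                log_info("Usage:\n"
                         " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        /* NOTE(review): nothing in this function changes credentials, so the
         * shell keeps whatever privileges the test was started with (root
         * under sudo); only what setup_namespace() applied constrains it.
         *
         * The terminator of a variadic exec*() argument list must have pointer
         * type; a bare NULL may expand to an integer constant on some
         * platforms, hence the explicit cast. */
        execl("/bin/sh", "/bin/sh", (char*) NULL);
        /* Only reached when execl() failed. */
        log_error_errno(errno, "execl(): %m");

        return 1;
}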