| | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| | 2 | |
| | 3 | #include <stdlib.h> |
| | 4 | #include <unistd.h> |
| | 5 | |
| | 6 | #include "log.h" |
| | 7 | #include "namespace.h" |
| | 8 | #include "tests.h" |
| | 9 | |
| | 10 | int main(int argc, char *argv[]) { |
| | 11 | const char * const writable[] = { |
| | 12 | "/home", |
| | 13 | "-/home/lennart/projects/foobar", /* this should be masked automatically */ |
| | 14 | NULL |
| | 15 | }; |
| | 16 | |
| | 17 | const char * const readonly[] = { |
| | 18 | /* "/", */ |
| | 19 | /* "/usr", */ |
| | 20 | "/boot", |
| | 21 | "/lib", |
| | 22 | "/usr/lib", |
| | 23 | "-/lib64", |
| | 24 | "-/usr/lib64", |
| | 25 | NULL |
| | 26 | }; |
| | 27 | |
| | 28 | const char * const exec[] = { |
| | 29 | "/lib", |
| | 30 | "/usr", |
| | 31 | "-/lib64", |
| | 32 | "-/usr/lib64", |
| | 33 | NULL |
| | 34 | }; |
| | 35 | |
| | 36 | const char * const no_exec[] = { |
| | 37 | "/var", |
| | 38 | NULL |
| | 39 | }; |
| | 40 | |
| | 41 | const char *inaccessible[] = { |
| | 42 | "/home/lennart/projects", |
| | 43 | NULL |
| | 44 | }; |
| | 45 | |
| | 46 | static const BindMount bind_mount = { |
| | 47 | .source = (char*) "/usr/bin", |
| | 48 | .destination = (char*) "/etc/systemd", |
| | 49 | .read_only = true, |
| | 50 | }; |
| | 51 | |
| | 52 | static const TemporaryFileSystem tmpfs = { |
| | 53 | .path = (char*) "/var", |
| | 54 | .options = (char*) "ro", |
| | 55 | }; |
| | 56 | |
| | 57 | char *root_directory; |
| | 58 | char *projects_directory; |
| | 59 | int r; |
| | 60 | char tmp_dir[] = "/tmp/systemd-private-XXXXXX", |
| | 61 | var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX"; |
| | 62 | |
| | 63 | test_setup_logging(LOG_DEBUG); |
| | 64 | |
| | 65 | assert_se(mkdtemp(tmp_dir)); |
| | 66 | assert_se(mkdtemp(var_tmp_dir)); |
| | 67 | |
| | 68 | root_directory = getenv("TEST_NS_CHROOT"); |
| | 69 | projects_directory = getenv("TEST_NS_PROJECTS"); |
| | 70 | |
| | 71 | if (projects_directory) |
| | 72 | inaccessible[0] = projects_directory; |
| | 73 | |
| | 74 | log_info("Inaccessible directory: '%s'", inaccessible[0]); |
| | 75 | if (root_directory) |
| | 76 | log_info("Chroot: '%s'", root_directory); |
| | 77 | else |
| | 78 | log_info("Not chrooted"); |
| | 79 | |
| | 80 | NamespaceParameters p = { |
| | 81 | .runtime_scope = RUNTIME_SCOPE_SYSTEM, |
| | 82 | |
| | 83 | .root_directory = root_directory, |
| | 84 | |
| | 85 | .read_write_paths = (char**) writable, |
| | 86 | .read_only_paths = (char**) readonly, |
| | 87 | .inaccessible_paths = (char**) inaccessible, |
| | 88 | |
| | 89 | .exec_paths = (char**) exec, |
| | 90 | .no_exec_paths = (char**) no_exec, |
| | 91 | |
| | 92 | .tmp_dir = tmp_dir, |
| | 93 | .var_tmp_dir = var_tmp_dir, |
| | 94 | |
| | 95 | .bind_mounts = &bind_mount, |
| | 96 | .n_bind_mounts = 1, |
| | 97 | |
| | 98 | .temporary_filesystems = &tmpfs, |
| | 99 | .n_temporary_filesystems = 1, |
| | 100 | |
| | 101 | .private_dev = true, |
| | 102 | .protect_control_groups = true, |
| | 103 | .protect_kernel_tunables = true, |
| | 104 | .protect_kernel_modules = true, |
| | 105 | .protect_proc = PROTECT_PROC_NOACCESS, |
| | 106 | .proc_subset = PROC_SUBSET_PID, |
| | 107 | }; |
| | 108 | |
| | 109 | r = setup_namespace(&p, NULL); |
| | 110 | if (r < 0) { |
| | 111 | log_error_errno(r, "Failed to set up namespace: %m"); |
| | 112 | |
| | 113 | log_info("Usage:\n" |
| | 114 | " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n" |
| | 115 | " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns"); |
| | 116 | |
| | 117 | return 1; |
| | 118 | } |
| | 119 | |
| | 120 | execl("/bin/sh", "/bin/sh", NULL); |
| | 121 | log_error_errno(errno, "execl(): %m"); |
| | 122 | |
| | 123 | return 1; |
| | 124 | } |
projects / thirdparty / systemd.git / blame_incremental