]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
15ae422b LP |
2 | /*** |
3 | This file is part of systemd. | |
4 | ||
5 | Copyright 2010 Lennart Poettering | |
6 | ||
7 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
8 | under the terms of the GNU Lesser General Public License as published by |
9 | the Free Software Foundation; either version 2.1 of the License, or | |
15ae422b LP |
10 | (at your option) any later version. |
11 | ||
12 | systemd is distributed in the hope that it will be useful, but | |
13 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 15 | Lesser General Public License for more details. |
15ae422b | 16 | |
5430f7f2 | 17 | You should have received a copy of the GNU Lesser General Public License |
15ae422b LP |
18 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
19 | ***/ | |
20 | ||
21 | #include <stdlib.h> | |
15ae422b | 22 | #include <unistd.h> |
15ae422b | 23 | |
15ae422b | 24 | #include "log.h" |
cf0fbc49 | 25 | #include "namespace.h" |
15ae422b LP |
26 | |
27 | int main(int argc, char *argv[]) { | |
28 | const char * const writable[] = { | |
29 | "/home", | |
d944dc95 | 30 | "-/home/lennart/projects/foobar", /* this should be masked automatically */ |
15ae422b LP |
31 | NULL |
32 | }; | |
33 | ||
ac0930c8 | 34 | const char * const readonly[] = { |
d944dc95 LP |
35 | /* "/", */ |
36 | /* "/usr", */ | |
5dcfe57b | 37 | "/boot", |
d944dc95 LP |
38 | "/lib", |
39 | "/usr/lib", | |
40 | "-/lib64", | |
41 | "-/usr/lib64", | |
15ae422b LP |
42 | NULL |
43 | }; | |
44 | ||
ee818b89 | 45 | const char *inaccessible[] = { |
15ae422b LP |
46 | "/home/lennart/projects", |
47 | NULL | |
48 | }; | |
c575770b | 49 | |
bb0ff3fb | 50 | static const NamespaceInfo ns_info = { |
c575770b DH |
51 | .private_dev = true, |
52 | .protect_control_groups = true, | |
53 | .protect_kernel_tunables = true, | |
54 | .protect_kernel_modules = true, | |
55 | }; | |
56 | ||
ee818b89 AC |
57 | char *root_directory; |
58 | char *projects_directory; | |
15ae422b | 59 | int r; |
c17ec25e MS |
60 | char tmp_dir[] = "/tmp/systemd-private-XXXXXX", |
61 | var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX"; | |
15ae422b | 62 | |
fe3c2583 LP |
63 | log_set_max_level(LOG_DEBUG); |
64 | ||
c17ec25e MS |
65 | assert_se(mkdtemp(tmp_dir)); |
66 | assert_se(mkdtemp(var_tmp_dir)); | |
67 | ||
ee818b89 AC |
68 | root_directory = getenv("TEST_NS_CHROOT"); |
69 | projects_directory = getenv("TEST_NS_PROJECTS"); | |
70 | ||
71 | if (projects_directory) | |
72 | inaccessible[0] = projects_directory; | |
73 | ||
74 | log_info("Inaccessible directory: '%s'", inaccessible[0]); | |
75 | if (root_directory) | |
76 | log_info("Chroot: '%s'", root_directory); | |
77 | else | |
78 | log_info("Not chrooted"); | |
79 | ||
80 | r = setup_namespace(root_directory, | |
915e6d16 | 81 | NULL, |
c575770b | 82 | &ns_info, |
ee818b89 | 83 | (char **) writable, |
c17ec25e MS |
84 | (char **) readonly, |
85 | (char **) inaccessible, | |
6c47cd7d | 86 | NULL, |
d2d6c096 | 87 | &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1, |
c17ec25e MS |
88 | tmp_dir, |
89 | var_tmp_dir, | |
1b8689f9 LP |
90 | PROTECT_HOME_NO, |
91 | PROTECT_SYSTEM_NO, | |
915e6d16 | 92 | 0, |
c17ec25e | 93 | 0); |
ac0930c8 | 94 | if (r < 0) { |
da927ba9 | 95 | log_error_errno(r, "Failed to setup namespace: %m"); |
ee818b89 AC |
96 | |
97 | log_info("Usage:\n" | |
98 | " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n" | |
99 | " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns"); | |
100 | ||
15ae422b LP |
101 | return 1; |
102 | } | |
103 | ||
104 | execl("/bin/sh", "/bin/sh", NULL); | |
56f64d95 | 105 | log_error_errno(errno, "execl(): %m"); |
15ae422b LP |
106 | |
107 | return 1; | |
108 | } |