[thirdparty/systemd.git] / src / test / test-ns.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <stdlib.h>
#include <unistd.h>

#include "log.h"
#include "namespace.h"

int main(int argc, char *argv[]) {
        const char * const writable[] = {
                "/home",
                "-/home/lennart/projects/foobar", /* this should be masked automatically */
                NULL
        };

        const char * const readonly[] = {
                /* "/", */
                /* "/usr", */
                "/boot",
                "/lib",
                "/usr/lib",
                "-/lib64",
                "-/usr/lib64",
                NULL
        };

        const char *inaccessible[] = {
                "/home/lennart/projects",
                NULL
        };

        static const NamespaceInfo ns_info = {
                .private_dev = true,
                .protect_control_groups = true,
                .protect_kernel_tunables = true,
                .protect_kernel_modules = true,
        };

        char *root_directory;
        char *projects_directory;
        int r;
        char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
             var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";

        log_set_max_level(LOG_DEBUG);

        assert_se(mkdtemp(tmp_dir));
        assert_se(mkdtemp(var_tmp_dir));

        root_directory = getenv("TEST_NS_CHROOT");
        projects_directory = getenv("TEST_NS_PROJECTS");

        if (projects_directory)
                inaccessible[0] = projects_directory;

        log_info("Inaccessible directory: '%s'", inaccessible[0]);
        if (root_directory)
                log_info("Chroot: '%s'", root_directory);
        else
                log_info("Not chrooted");

        r = setup_namespace(root_directory,
                            NULL,
                            &ns_info,
                            (char **) writable,
                            (char **) readonly,
                            (char **) inaccessible,
                            NULL,
                            &(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
                            tmp_dir,
                            var_tmp_dir,
                            PROTECT_HOME_NO,
                            PROTECT_SYSTEM_NO,
                            0,
                            0);
        if (r < 0) {
                log_error_errno(r, "Failed to setup namespace: %m");

                log_info("Usage:\n"
                         "  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
                         "  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

                return 1;
        }

        execl("/bin/sh", "/bin/sh", NULL);
        log_error_errno(errno, "execl(): %m");

        return 1;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
15ae422b LP	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	8	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	9	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	15	Lesser General Public License for more details.
15ae422b	16
5430f7f2	17	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
	21	#include <stdlib.h>
15ae422b	22	#include <unistd.h>
15ae422b	23
15ae422b	24	#include "log.h"
cf0fbc49	25	#include "namespace.h"
15ae422b LP	26
	27	int main(int argc, char *argv[]) {
	28	const char * const writable[] = {
	29	"/home",
d944dc95	30	"-/home/lennart/projects/foobar", /* this should be masked automatically */
15ae422b LP	31	NULL
	32	};
	33
ac0930c8	34	const char * const readonly[] = {
d944dc95 LP	35	/* "/", */
d944dc95 LP	36	/* "/usr", */
5dcfe57b	37	"/boot",
d944dc95 LP	38	"/lib",
	39	"/usr/lib",
	40	"-/lib64",
	41	"-/usr/lib64",
15ae422b LP	42	NULL
	43	};
	44
ee818b89	45	const char *inaccessible[] = {
15ae422b LP	46	"/home/lennart/projects",
	47	NULL
	48	};
c575770b	49
bb0ff3fb	50	static const NamespaceInfo ns_info = {
c575770b DH	51	.private_dev = true,
	52	.protect_control_groups = true,
	53	.protect_kernel_tunables = true,
	54	.protect_kernel_modules = true,
	55	};
	56
ee818b89 AC	57	char *root_directory;
ee818b89 AC	58	char *projects_directory;
15ae422b	59	int r;
c17ec25e MS	60	char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
c17ec25e MS	61	var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";
15ae422b	62
fe3c2583 LP	63	log_set_max_level(LOG_DEBUG);
fe3c2583 LP	64
c17ec25e MS	65	assert_se(mkdtemp(tmp_dir));
	66	assert_se(mkdtemp(var_tmp_dir));
	67
ee818b89 AC	68	root_directory = getenv("TEST_NS_CHROOT");
	69	projects_directory = getenv("TEST_NS_PROJECTS");
	70
	71	if (projects_directory)
	72	inaccessible[0] = projects_directory;
	73
	74	log_info("Inaccessible directory: '%s'", inaccessible[0]);
	75	if (root_directory)
	76	log_info("Chroot: '%s'", root_directory);
	77	else
	78	log_info("Not chrooted");
	79
	80	r = setup_namespace(root_directory,
915e6d16	81	NULL,
c575770b	82	&ns_info,
ee818b89	83	(char **) writable,
c17ec25e MS	84	(char **) readonly,
c17ec25e MS	85	(char **) inaccessible,
6c47cd7d	86	NULL,
d2d6c096	87	&(BindMount) { .source = (char) "/usr/bin", .destination = (char) "/etc/systemd", .read_only = true }, 1,
c17ec25e MS	88	tmp_dir,
c17ec25e MS	89	var_tmp_dir,
1b8689f9 LP	90	PROTECT_HOME_NO,
1b8689f9 LP	91	PROTECT_SYSTEM_NO,
915e6d16	92	0,
c17ec25e	93	0);
ac0930c8	94	if (r < 0) {
da927ba9	95	log_error_errno(r, "Failed to setup namespace: %m");
ee818b89 AC	96
	97	log_info("Usage:\n"
	98	" sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
	99	" sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");
	100
15ae422b LP	101	return 1;
	102	}
	103
	104	execl("/bin/sh", "/bin/sh", NULL);
56f64d95	105	log_error_errno(errno, "execl(): %m");
15ae422b LP	106
	107	return 1;
	108	}