0c69794138
These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
93 lines
2.9 KiB
C
93 lines
2.9 KiB
C
/* SPDX-License-Identifier: LGPL-2.1+ */
|
|
|
|
#include <errno.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
#include "log.h"
|
|
#include "namespace.h"
|
|
|
|
int main(int argc, char *argv[]) {
|
|
const char * const writable[] = {
|
|
"/home",
|
|
"-/home/lennart/projects/foobar", /* this should be masked automatically */
|
|
NULL
|
|
};
|
|
|
|
const char * const readonly[] = {
|
|
/* "/", */
|
|
/* "/usr", */
|
|
"/boot",
|
|
"/lib",
|
|
"/usr/lib",
|
|
"-/lib64",
|
|
"-/usr/lib64",
|
|
NULL
|
|
};
|
|
|
|
const char *inaccessible[] = {
|
|
"/home/lennart/projects",
|
|
NULL
|
|
};
|
|
|
|
static const NamespaceInfo ns_info = {
|
|
.private_dev = true,
|
|
.protect_control_groups = true,
|
|
.protect_kernel_tunables = true,
|
|
.protect_kernel_modules = true,
|
|
};
|
|
|
|
char *root_directory;
|
|
char *projects_directory;
|
|
int r;
|
|
char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
|
|
var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";
|
|
|
|
log_set_max_level(LOG_DEBUG);
|
|
|
|
assert_se(mkdtemp(tmp_dir));
|
|
assert_se(mkdtemp(var_tmp_dir));
|
|
|
|
root_directory = getenv("TEST_NS_CHROOT");
|
|
projects_directory = getenv("TEST_NS_PROJECTS");
|
|
|
|
if (projects_directory)
|
|
inaccessible[0] = projects_directory;
|
|
|
|
log_info("Inaccessible directory: '%s'", inaccessible[0]);
|
|
if (root_directory)
|
|
log_info("Chroot: '%s'", root_directory);
|
|
else
|
|
log_info("Not chrooted");
|
|
|
|
r = setup_namespace(root_directory,
|
|
NULL,
|
|
&ns_info,
|
|
(char **) writable,
|
|
(char **) readonly,
|
|
(char **) inaccessible,
|
|
NULL,
|
|
&(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
|
|
&(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
|
|
tmp_dir,
|
|
var_tmp_dir,
|
|
PROTECT_HOME_NO,
|
|
PROTECT_SYSTEM_NO,
|
|
0,
|
|
0);
|
|
if (r < 0) {
|
|
log_error_errno(r, "Failed to setup namespace: %m");
|
|
|
|
log_info("Usage:\n"
|
|
" sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
|
|
" sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");
|
|
|
|
return 1;
|
|
}
|
|
|
|
execl("/bin/sh", "/bin/sh", NULL);
|
|
log_error_errno(errno, "execl(): %m");
|
|
|
|
return 1;
|
|
}
|