core: Private*/Protect* options with RootDirectory

When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
author: Alban Crequy <alban@endocode.com> 2015-05-18 12:20:28 +0200
committer: Lennart Poettering <lennart@poettering.net> 2015-05-18 18:47:45 +0200
commit: ee818b89f4890b3a00e93772249fce810f60811e (patch)
tree: 0bda24d838ca13d87f40eba0dc3f582731bf9396 /src/test
parent: a363680faa063dbcb624a6dfc4798cff0a4ba9d5 (diff)
1 files changed, 22 insertions, 2 deletions
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index 76b131c284..3050be9e9d 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -38,10 +38,12 @@ int main(int argc, char *argv[]) {
                 NULL
         };
 
-        const char * const inaccessible[] = {
+        const char *inaccessible[] = {
                 "/home/lennart/projects",
                 NULL
         };
+        char *root_directory;
+        char *projects_directory;
 
         int r;
         char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
@@ -50,7 +52,20 @@ int main(int argc, char *argv[]) {
         assert_se(mkdtemp(tmp_dir));
         assert_se(mkdtemp(var_tmp_dir));
 
-        r = setup_namespace((char **) writable,
+        root_directory = getenv("TEST_NS_CHROOT");
+        projects_directory = getenv("TEST_NS_PROJECTS");
+
+        if (projects_directory)
+                inaccessible[0] = projects_directory;
+
+        log_info("Inaccessible directory: '%s'", inaccessible[0]);
+        if (root_directory)
+                log_info("Chroot: '%s'", root_directory);
+        else
+                log_info("Not chrooted");
+
+        r = setup_namespace(root_directory,
+                            (char **) writable,
                             (char **) readonly,
                             (char **) inaccessible,
                             tmp_dir,
@@ -62,6 +77,11 @@ int main(int argc, char *argv[]) {
                             0);
         if (r < 0) {
                 log_error_errno(r, "Failed to setup namespace: %m");
+
+                log_info("Usage:\n"
+                         "  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
+                         "  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");
+
                 return 1;
         }
author	Alban Crequy <alban@endocode.com>	2015-05-18 12:20:28 +0200
committer	Lennart Poettering <lennart@poettering.net>	2015-05-18 18:47:45 +0200
commit	ee818b89f4890b3a00e93772249fce810f60811e (patch)
tree	0bda24d838ca13d87f40eba0dc3f582731bf9396 /src/test
parent	a363680faa063dbcb624a6dfc4798cff0a4ba9d5 (diff)