From ee818b89f4890b3a00e93772249fce810f60811e Mon Sep 17 00:00:00 2001
From: Alban Crequy
Date: Mon, 18 May 2015 12:20:28 +0200
Subject: core: Private*/Protect* options with RootDirectory

When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.

The test-ns tool can test setup_namespace() with and without chroot:

$ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns
$ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
---
 src/test/test-ns.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
(limited to 'src/test')

diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index 76b131c284..3050be9e9d 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -38,10 +38,12 @@ int main(int argc, char *argv[]) {
                 NULL
         };
 
-        const char * const inaccessible[] = {
+        const char *inaccessible[] = {
                 "/home/lennart/projects",
                 NULL
         };
 
+        char *root_directory;
+        char *projects_directory;
         int r;
         char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
@@ -50,7 +52,20 @@ int main(int argc, char *argv[]) {
         assert_se(mkdtemp(tmp_dir));
         assert_se(mkdtemp(var_tmp_dir));
 
-        r = setup_namespace((char **) writable,
+        root_directory = getenv("TEST_NS_CHROOT");
+        projects_directory = getenv("TEST_NS_PROJECTS");
+
+        if (projects_directory)
+                inaccessible[0] = projects_directory;
+
+        log_info("Inaccessible directory: '%s'", inaccessible[0]);
+        if (root_directory)
+                log_info("Chroot: '%s'", root_directory);
+        else
+                log_info("Not chrooted");
+
+        r = setup_namespace(root_directory,
+                            (char **) writable,
                             (char **) readonly,
                             (char **) inaccessible,
                             tmp_dir,
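Review bot: An empty value for either variable is treated as set, because getenv() returns "" for `TEST_NS_CHROOT=` or `TEST_NS_PROJECTS=` and both checks in the @@ -50 hunk only test for NULL; `inaccessible[0]` would then become "" and an empty root directory would be handed to setup_namespace(). Normalizing at the read site covers both cases: `if (root_directory && !*root_directory) root_directory = NULL;` and `if (projects_directory && *projects_directory) inaccessible[0] = projects_directory;`. Both variables (declared in the @@ -38 hunk) hold getenv() results that the program must not modify, so `const char *` would be the more honest type, provided setup_namespace()'s root_directory parameter accepts it; that signature is outside this diff. main() continues past the hunk.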
@@ -62,6 +77,11 @@ int main(int argc, char *argv[]) { 0); if (r < 0) { log_error_errno(r, "Failed to setup namespace: %m"); + + log_info("Usage:\n" + " sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n" + " sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns"); + return 1; } -- cgit v1.2.3-54-g00ecf
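Review bot: The usage text added after the log_error_errno() call hard-codes one developer's home directories (`/home/alban/debian-tree`, `/home/lennart/projects`) as its examples, which reads as a copy of one machine's layout rather than as documentation of the two variables. Generic placeholders such as `" sudo TEST_NS_CHROOT=<chroot-dir> TEST_NS_PROJECTS=<chroot-dir>/<dir-to-hide> ./test-ns"` state the actual contract, that the projects path is expected to lie inside the chroot, without the personal paths. The hint is also only reachable once setup_namespace() has failed; since both variables are read near the top of main(), printing it before the call would make it discoverable without provoking a failure, though that is a matter of taste. main() continues past the hunk.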