author | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:06:46 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:08:31 +0100 |
commit | 5116c1ceddf1966c852cbe2d81a2b2672dc3ba90 (patch) | |
tree | e906d805ab72e9de41328cfdd7089ee4c17c66a6 /test/filters/namespaces.c | |
parent | chroot: make search permission check explicit (diff) | |
testing
Diffstat (limited to 'test/filters/namespaces.c')
-rw-r--r-- | test/filters/namespaces.c | 96 |
1 files changed, 96 insertions, 0 deletions
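--- /dev/null
+++ b/test/filters/namespaces.c
@@ -0,0 +1,96 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#ifndef CLONE_NEWTIME
+#define CLONE_NEWTIME 0x00000080
+#endif
+
+#define STACK_SIZE 1024 * 1024
+
+static int usage() {
+fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+exit(1);
+}
+
+static void die(const char *msg) {
+fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno));
+exit(1);
+}
+
+static int ns_flags(const char *list) {
+int flags = 0;
+
+char *dup = strdup(list);
+if (!dup)
+die("cannot allocate memory");
+
+char *token = strtok(dup, ",");
+while (token) {
+if (strcmp(token, "cgroup") == 0)
+flags |= CLONE_NEWCGROUP;
+else if (strcmp(token, "ipc") == 0)
+flags |= CLONE_NEWIPC;
+else if (strcmp(token, "net") == 0)
+flags |= CLONE_NEWNET;
+else if (strcmp(token, "mnt") == 0)
+flags |= CLONE_NEWNS;
+else if (strcmp(token, "pid") == 0)
+flags |= CLONE_NEWPID;
+else if (strcmp(token, "time") == 0)
+flags |= CLONE_NEWTIME;
+else if (strcmp(token, "user") == 0)
+flags |= CLONE_NEWUSER;
+else if (strcmp(token, "uts") == 0)
+flags |= CLONE_NEWUTS;
+else
+usage();
+
+token = strtok(NULL, ",");
+}
+
+free(dup);
+return flags;
+}
+
+static int child(void *arg) {
+(void) arg;
+
+fprintf(stderr, "clone successful\n");
+return 0;
+}
+
+int main (int argc, char **argv) {
+if (argc != 3)
+usage();
+
+int flags = ns_flags(argv[2]);
+if (getuid() != 0)
+flags |= CLONE_NEWUSER;
+
+if (strcmp(argv[1], "clone") == 0) {
+void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+if (stack == MAP_FAILED)
+die("mmap");
+
+if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+die("clone");
+}
+else if (strcmp(argv[1], "unshare") == 0) {
+if (unshare(flags))
+die("unshare");
+
+fprintf(stderr, "unshare successful\n");
+}
+else
+usage();
+
+return 0;
+}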
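Review bot: After a successful clone() in the "clone" branch of main the parent neither waits for nor inspects the child, so the program exits 0 whatever happens to the child (including being killed by a filter before it prints), and the child's "clone successful" line can race with the parent's exit; presumably the test harness keys on that message or on the exit status, so either signal is unreliable as written. Keep the pid returned by clone(), waitpid() on it and fail on a non-zero child status, which needs `#include <sys/wait.h>` alongside the other includes. Two smaller points in the same file: `static int usage()` never returns a value, so it should be `static void usage(void)` (or be marked noreturn), and `#define STACK_SIZE 1024 * 1024` should be parenthesised as `#define STACK_SIZE (1024 * 1024)` so the macro cannot be mis-grouped inside a larger expression.
```c
/* … unchanged: mmap of the child stack … */
pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL);
if (pid < 0)
	die("clone");

int status;
if (waitpid(pid, &status, 0) < 0)
	die("waitpid");
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
	fprintf(stderr, "Error: child did not exit cleanly\n");
	exit(1);
}
```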