author | smitsohu <smitsohu@gmail.com> | 2023-03-02 17:34:07 +0100 |
committer | smitsohu <smitsohu@gmail.com> | 2023-03-02 17:34:07 +0100 |
commit | eb8dfc1284f29afa76697f1f3e87b6374d1706fa (patch) | |
tree | 7f0761dc76179d733c8fe2058e1ba16063c4d809 /test/filters/namespaces.c | |
parent | network testing; merges (diff) | |
restrict-namespaces testing
Diffstat (limited to 'test/filters/namespaces.c')
-rw-r--r-- | test/filters/namespaces.c | 38 |
1 files changed, 33 insertions, 5 deletions
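--- a/test/filters/namespaces.c
+++ b/test/filters/namespaces.c
@@ -1,21 +1,29 @@
 #define _GNU_SOURCE
 #include <errno.h>
-#include <sched.h>
+#include <linux/sched.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
+#include <sys/wait.h>
 #include <unistd.h>
 
+#include <sched.h>
 #ifndef CLONE_NEWTIME
 #define CLONE_NEWTIME 0x00000080
 #endif
 
+#include <sys/syscall.h>
+#ifndef __NR_clone3
+#define __NR_clone3 435
+#endif
+
 #define STACK_SIZE 1024 * 1024
 
+
 static int usage() {
-fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+fprintf(stderr, "Usage: namespaces <system call>[clone,clone3,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
 exit(1);
 }
 
@@ -71,8 +79,11 @@ int main (int argc, char **argv) {
 usage();
 
 int flags = ns_flags(argv[2]);
-if (getuid() != 0)
-flags |= CLONE_NEWUSER;
+
+if (getuid() != 0 && (flags & CLONE_NEWUSER) != CLONE_NEWUSER) {
+fprintf(stderr, "Error: add \"user\" to namespaces list\n");
+exit(1);
+}
 
 if (strcmp(argv[1], "clone") == 0) {
 void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
@@ -80,8 +91,25 @@ int main (int argc, char **argv) {
 if (stack == MAP_FAILED)
 die("mmap");
 
-if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL);
+if (pid < 0)
 die("clone");
+waitpid(pid, NULL, 0);
+}
+else if (strcmp(argv[1], "clone3") == 0) {
+struct clone_args args = {
+.flags = flags,
+.exit_signal = SIGCHLD,
+};
+
+pid_t pid = syscall(__NR_clone3, &args, sizeof(struct clone_args));
+if (pid < 0)
+die("clone3");
+if (pid == 0) {
+fprintf(stderr, "clone3 successful\n");
+exit(0);
+}
+waitpid(pid, NULL, 0);
 }
 else if (strcmp(argv[1], "unshare") == 0) {
 if (unshare(flags))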
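Review bot: The two new `waitpid(pid, NULL, 0)` calls (new lines 97 and 112) discard both the return value and the child's status, so a child that is killed or exits non-zero leaves the parent's outcome unchanged and the test cannot tell a blocked namespace from a successful one in the child; collect the status and fail when the child did not exit cleanly, as in the excerpt below (the same applies to the clone branch). The clone3 error path also treats every negative return alike: on a kernel or sandbox where the syscall is simply absent it fails with ENOSYS, which is presumably not the condition this test is meant to report, so checking `errno == ENOSYS` before `die("clone3")` would keep that case distinguishable. Unlike `__NR_clone3`, which gets a fallback define, `struct clone_args` has no equivalent guard, so the file will not build against a `<linux/sched.h>` that predates it. main() begins and ends outside these hunks.
```c
	/* … unchanged: clone3 syscall, die() on failure, child prints and exits … */
	int status;
	if (waitpid(pid, &status, 0) < 0)
		die("waitpid");
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		exit(1);
}
```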