Mirrors/junest
1
0
Fork 0
mirror of https://github.com/fsquillace/junest.git synced 2026-01-23 02:34:30 +00:00
Code Issues Projects Releases Wiki Activity

Use proper proc,dev,sys binds for ns mode

Browse source
This commit is contained in:
Filippo Squillace 2021-01-10 13:12:11 +01:00
parent 8d4217492a
commit 6548e19eb5
3 changed files with 18 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -144,6 +144,9 @@ first:
```sh
pacman -Sy --ignore sudo base-devel
:: sudo is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
...
...
```
JuNest uses a modified version of `sudo`. That's why the original `sudo`

5
lib/core/namespace.sh
View file

@ -10,6 +10,7 @@
#
# vim: ft=sh
COMMON_BWRAP_OPTION="--bind "$JUNEST_HOME" / --bind "$HOME" "$HOME" --bind /tmp /tmp --bind /sys /sys --bind /proc /proc --dev-bind-try /dev /dev --unshare-user-try"
CONFIG_PROC_FILE="/proc/config.gz"
CONFIG_BOOT_FILE="/boot/config-$($UNAME -r)"
PROC_USERNS_CLONE_FILE="/proc/sys/kernel/unprivileged_userns_clone"
@ -94,7 +95,7 @@ function run_env_as_bwrap_fakeroot(){
local args=()
[[ "$1" != "" ]] && args=("-c" "$(insert_quotes_on_spaces "${@}")")
JUNEST_ENV=1 "$backend_command" --bind "$JUNEST_HOME" / --bind "$HOME" "$HOME" --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 $backend_args sudo "${DEFAULT_SH[@]}" "${args[@]}"
JUNEST_ENV=1 "$backend_command" $COMMON_BWRAP_OPTION --uid 0 --gid 0 $backend_args sudo "${DEFAULT_SH[@]}" "${args[@]}"
}
@ -141,7 +142,7 @@ function run_env_as_bwrap_user() {
local args=()
[[ "$1" != "" ]] && args=("-c" "$(insert_quotes_on_spaces "${@}")")
JUNEST_ENV=1 "$backend_command" --bind "$JUNEST_HOME" / --bind "$HOME" "$HOME" --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try $backend_args "${DEFAULT_SH[@]}" "${args[@]}"
JUNEST_ENV=1 "$backend_command" $COMMON_BWRAP_OPTION $backend_args "${DEFAULT_SH[@]}" "${args[@]}"
}

24
tests/unit-tests/test-namespace.sh
View file

@ -104,21 +104,21 @@ function test_is_user_namespace_enabled_with_userns_clone_file_enabled(){
function test_run_env_as_bwrap_fakeroot() {
assertCommandSuccess run_env_as_bwrap_fakeroot "" "" "false"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 sudo /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --uid 0 --gid 0 sudo /bin/sh --login" "$(cat $STDOUTF)"
_test_copy_common_files
}
function test_run_env_as_bwrap_fakeroot_with_backend_command() {
assertCommandSuccess run_env_as_bwrap_fakeroot "mybwrap" "" "false"
assertEquals "mybwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 sudo /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "mybwrap $COMMON_BWRAP_OPTION --uid 0 --gid 0 sudo /bin/sh --login" "$(cat $STDOUTF)"
_test_copy_common_files
}
function test_run_env_as_bwrap_user() {
assertCommandSuccess run_env_as_bwrap_user "" "" "false"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION /bin/sh --login" "$(cat $STDOUTF)"
_test_copy_common_files
_test_copy_remaining_files
@ -126,7 +126,7 @@ function test_run_env_as_bwrap_user() {
function test_run_env_as_bwrap_user_with_backend_command() {
assertCommandSuccess run_env_as_bwrap_user "mybwrap" "" "false"
assertEquals "mybwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "mybwrap $COMMON_BWRAP_OPTION /bin/sh --login" "$(cat $STDOUTF)"
_test_copy_common_files
_test_copy_remaining_files
@ -134,7 +134,7 @@ function test_run_env_as_bwrap_user_with_backend_command() {
function test_run_env_as_bwrap_fakeroot_no_copy() {
assertCommandSuccess run_env_as_bwrap_fakeroot "" "" "true" ""
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 sudo /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --uid 0 --gid 0 sudo /bin/sh --login" "$(cat $STDOUTF)"
[[ ! -e ${JUNEST_HOME}/etc/hosts ]]
assertEquals 0 $?
@ -160,7 +160,7 @@ function test_run_env_as_bwrap_fakeroot_no_copy() {
function test_run_env_as_bwrap_user_no_copy() {
assertCommandSuccess run_env_as_bwrap_user "" "" "true" ""
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION /bin/sh --login" "$(cat $STDOUTF)"
[[ ! -e ${JUNEST_HOME}/etc/hosts ]]
assertEquals 0 $?
@ -186,14 +186,14 @@ function test_run_env_as_bwrap_user_no_copy() {
function test_run_env_as_bwrap_fakeroot_with_backend_args() {
assertCommandSuccess run_env_as_bwrap_fakeroot "" "--bind /usr /usr" "false"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 --bind /usr /usr sudo /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --uid 0 --gid 0 --bind /usr /usr sudo /bin/sh --login" "$(cat $STDOUTF)"
_test_copy_common_files
}
function test_run_env_as_bwrap_user_with_backend_args() {
assertCommandSuccess run_env_as_bwrap_user "" "--bind /usr /usr" "false"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --bind /usr /usr /bin/sh --login" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --bind /usr /usr /bin/sh --login" "$(cat $STDOUTF)"
_test_copy_common_files
_test_copy_remaining_files
@ -201,14 +201,14 @@ function test_run_env_as_bwrap_user_with_backend_args() {
function test_run_env_as_bwrap_fakeroot_with_command() {
assertCommandSuccess run_env_as_bwrap_fakeroot "" "" "false" "ls -la"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 sudo /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --uid 0 --gid 0 sudo /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
_test_copy_common_files
}
function test_run_env_as_bwrap_user_with_command() {
assertCommandSuccess run_env_as_bwrap_user "" "" "false" "ls -la"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
_test_copy_common_files
_test_copy_remaining_files
@ -216,14 +216,14 @@ function test_run_env_as_bwrap_user_with_command() {
function test_run_env_as_bwrap_fakeroot_with_backend_args_and_command() {
assertCommandSuccess run_env_as_bwrap_fakeroot "" "--bind /usr /usr" "false" "ls -la"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --uid 0 --gid 0 --bind /usr /usr sudo /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --uid 0 --gid 0 --bind /usr /usr sudo /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
_test_copy_common_files
}
function test_run_env_as_bwrap_user_with_backend_args_and_command() {
assertCommandSuccess run_env_as_bwrap_user "" "--bind /usr /usr" "false" "ls -la"
assertEquals "bwrap --bind $JUNEST_HOME / --bind $HOME $HOME --bind /tmp /tmp --proc /proc --dev /dev --unshare-user-try --bind /usr /usr /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
assertEquals "bwrap $COMMON_BWRAP_OPTION --bind /usr /usr /bin/sh --login -c \"ls -la\"" "$(cat $STDOUTF)"
_test_copy_common_files
_test_copy_remaining_files