[mirror_lxc.git] / src / tests / mount_injection.c

/* mount_injection
 *
 * Copyright © 2018 Elizaveta Tretiakova <elizabet.tretyakova@gmail.com>.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2, as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#include "config.h"

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <lxc/lxccontainer.h>
#include <lxc/list.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include "config.h"
#include "lxctest.h"
#include "utils.h"

#define NAME "mount_injection_test-"
#define TEMPLATE P_tmpdir"/mount_injection_XXXXXX"

struct mountinfo_data {
	const char *mount_root;
	const char *mount_point;
	const char *fstype;
	const char *mount_source;
	const char *message;
	bool should_be_present;
};

static int comp_field(char *line, const char *str, int nfields)
{
	char *p, *p2;
	int i, ret;

	if(!line)
		return -1;

	if (!str)
		return 0;

	for (p = line, i = 0; p && i < nfields; i++)
		p = strchr(p + 1, ' ');
	if (!p)
		return -1;
	p2 = strchr(p + 1, ' ');
	if (p2)
		*p2 = '\0';
	ret = strcmp(p + 1, str);
	if (p2)
		*p2 = ' ';
	return ret;
}

static int find_in_proc_mounts(void *data)
{
	char buf[LXC_LINELEN];
	FILE *f;
	struct mountinfo_data *mdata = (struct mountinfo_data *)data;

	fprintf(stderr, "%s", mdata->message);

	f = fopen("/proc/self/mountinfo", "r");
	if (!f)
		return 0;

	while (fgets(buf, LXC_LINELEN, f)) {
		char *buf2;

		/* checking mount_root is tricky since it will be prefixed with
		 * whatever path was the source of the mount in the original
		 * mount namespace. So only verify it when we know that root is
		 * in fact "/".
		 */
		if (mdata->mount_root && comp_field(buf, mdata->mount_root, 3) != 0)
			continue;

		if (comp_field(buf, mdata->mount_point, 4) != 0)
			continue;

		if (!mdata->fstype || !mdata->mount_source)
			goto on_success;

		buf2 = strchr(buf, '-');
		if (comp_field(buf2, mdata->fstype, 1) != 0 ||
		    comp_field(buf2, mdata->mount_source, 2) != 0)
			continue;

	on_success:
		fclose(f);
		fprintf(stderr, "PRESENT\n");
		if (mdata->should_be_present)
			_exit(EXIT_SUCCESS);

		_exit(EXIT_FAILURE);
	}

	fclose(f);
	fprintf(stderr, "MISSING\n");
	if (!mdata->should_be_present)
		_exit(EXIT_SUCCESS);

	_exit(EXIT_FAILURE);
}

static int check_containers_mountinfo(struct lxc_container *c, struct mountinfo_data *d)
{
	pid_t pid;
	int ret = -1;
	lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;

	ret = c->attach(c, find_in_proc_mounts, d, &attach_options, &pid);
	if (ret < 0) {
		fprintf(stderr, "Check of the container's mountinfo failed\n");
		return ret;
	}

	ret = wait_for_pid(pid);
	if (ret < 0)
		fprintf(stderr, "Attached function failed\n");

	return ret;
}

/* config_items: NULL-terminated array of config pairs */
static int perform_container_test(const char *name, const char *config_items[])
{
	int i;
	char *sret;
	char template_log[sizeof(TEMPLATE)], template_dir[sizeof(TEMPLATE)],
			device_message[4096],
			dir_message[4096],
			fs_message[4096];
	struct lxc_container *c;
	struct lxc_mount mnt;
	struct lxc_log log;
	int ret = -1, dev_msg_size = sizeof("Check urandom device injected into "" - ") - 1 + strlen(name) + 1,
			dir_msg_size = sizeof("Check dir "" injected into "" - ") - 1 + sizeof(TEMPLATE) - 1 + strlen(name) + 1,
			fs_msg_size = sizeof("Check devtmpfs injected into "" - ") - 1 + strlen(name) + 1;
	struct mountinfo_data device = {
		.mount_root = "/urandom",
		.mount_point = "/mnt/mount_injection_test_urandom",
		.fstype = NULL,
		.mount_source = "/dev/urandom",
		.message = "",
		.should_be_present = true
	}, dir = {
		.mount_root = NULL,
		.mount_point = template_dir,
		.fstype = NULL,
		.mount_source = NULL,
		.message = "",
		.should_be_present = true
	}, fs = {
		.mount_root = "/",
		.mount_point = "/mnt/mount_injection_test_devtmpfs",
		.fstype = "devtmpfs",
		.mount_source = NULL,
		.message = "",
		.should_be_present = true
	};

	/* Temp paths and messages setup */
	strcpy(template_dir, TEMPLATE);
	sret = mkdtemp(template_dir);
	if (!sret) {
		lxc_error("Failed to create temporary src file for container %s\n", name);
		exit(EXIT_FAILURE);
	}

	ret = snprintf(device_message, dev_msg_size, "Check urandom device injected into %s - ", name);
	if (ret < 0 || ret >= dev_msg_size) {
		fprintf(stderr, "Failed to create message for dev\n");
		exit(EXIT_FAILURE);
	}
	device.message = &device_message[0];

	ret = snprintf(dir_message, dir_msg_size, "Check dir %s injected into %s - ", template_dir, name);
	if (ret < 0 || ret >= dir_msg_size) {
		fprintf(stderr, "Failed to create message for dir\n");
		exit(EXIT_FAILURE);
	}
	dir.message = &dir_message[0];

	ret = snprintf(fs_message, fs_msg_size, "Check devtmpfs injected into %s - ", name);
	if (ret < 0 || ret >= fs_msg_size) {
		fprintf(stderr, "Failed to create message for fs\n");
		exit(EXIT_FAILURE);
	}
	fs.message = &fs_message[0];

	/* Setup logging*/
	strcpy(template_log, TEMPLATE);
	i = lxc_make_tmpfile(template_log, false);
	if (i < 0) {
		lxc_error("Failed to create temporary log file for container %s\n", name);
		exit(EXIT_FAILURE);
	} else {
		lxc_debug("Using \"%s\" as temporary log file for container %s\n", template_log, name);
		close(i);
	}

	log.name = name;
	log.file = template_log;
	log.level = "TRACE";
	log.prefix = "mount-injection";
	log.quiet = false;
	log.lxcpath = NULL;
	if (lxc_log_init(&log))
		exit(EXIT_FAILURE);

	/* Container setup */
	c = lxc_container_new(name, NULL);
	if (!c) {
		fprintf(stderr, "Unable to instantiate container (%s)...\n", name);
		goto out;
	}

	if (c->is_defined(c)) {
		fprintf(stderr, "Container (%s) already exists\n", name);
		goto out;
	}

	for (i = 0; config_items[i]; i += 2) {
		if (!c->set_config_item(c, config_items[i], config_items[i + 1])) {
			fprintf(stderr, "Failed to set \"%s\" config option to \"%s\"\n", config_items[i], config_items[i + 1]);
			goto out;
		}
	}

	if (!c->create(c, "busybox", NULL, NULL, 1, NULL)) {
		fprintf(stderr, "Creating the container (%s) failed...\n", name);
		goto out;
	}

	c->want_daemonize(c, true);

	if (!c->start(c, false, NULL)) {
		fprintf(stderr, "Starting the container (%s) failed...\n", name);
		goto out;
	}

	mnt.version = LXC_MOUNT_API_V1;

	/* Check device mounted */
	ret = c->mount(c, "/dev/urandom", "/mnt/mount_injection_test_urandom", NULL, MS_BIND, NULL, &mnt);
	if (ret < 0) {
		fprintf(stderr, "Failed to mount \"/dev/urandom\"\n");
		goto out;
	}

	ret = check_containers_mountinfo(c, &device);
	if (ret < 0)
		goto out;

	/* Check device unmounted */
	/* TODO: what about other umount flags? */
	ret = c->umount(c, "/mnt/mount_injection_test_urandom", MNT_DETACH, &mnt);
	if (ret < 0) {
		fprintf(stderr, "Failed to umount2 \"/dev/urandom\"\n");
		goto out;
	}

	device.message = "Unmounted \"/mnt/mount_injection_test_urandom\" -- should be missing now: ";
	device.should_be_present = false;
	ret = check_containers_mountinfo(c, &device);
	if (ret < 0)
		goto out;

	/* Check dir mounted */
	ret = c->mount(c, template_dir, template_dir, NULL, MS_BIND, NULL, &mnt);
	if (ret < 0) {
		fprintf(stderr, "Failed to mount \"%s\"\n", template_dir);
		goto out;
	}

	ret = check_containers_mountinfo(c, &dir);
	if (ret < 0)
		goto out;

	/* Check dir unmounted */
	/* TODO: what about other umount flags? */
	ret = c->umount(c, template_dir, MNT_DETACH, &mnt);
	if (ret < 0) {
		fprintf(stderr, "Failed to umount2 \"%s\"\n", template_dir);
		goto out;
	}

	dir.message = "Unmounted dir -- should be missing now: ";
	dir.should_be_present = false;
	ret = check_containers_mountinfo(c, &dir);
	if (ret < 0)
		goto out;

	/* Check fs mounted */
	ret = c->mount(c, NULL, "/mnt/mount_injection_test_devtmpfs", "devtmpfs", 0, NULL, &mnt);
	if (ret < 0) {
		fprintf(stderr, "Failed to mount devtmpfs\n");
		goto out;
	}

	ret = check_containers_mountinfo(c, &fs);
	if (ret < 0)
		goto out;

	/* Check fs unmounted */
	/* TODO: what about other umount flags? */
	ret = c->umount(c, "/mnt/mount_injection_test_devtmpfs", MNT_DETACH, &mnt);
	if (ret < 0) {
		fprintf(stderr, "Failed to umount2 devtmpfs\n");
		goto out;
	}

	fs.message = "Unmounted \"/mnt/mount_injection_test_devtmpfs\" -- should be missing now: ";
	fs.should_be_present = false;
	ret = check_containers_mountinfo(c, &fs);
	if (ret < 0)
		goto out;

	/* Finalize the container */
	if (!c->stop(c)) {
		fprintf(stderr, "Stopping the container (%s) failed...\n", name);
		goto out;
	}

	if (!c->destroy(c)) {
		fprintf(stderr, "Destroying the container (%s) failed...\n", name);
		goto out;
	}

	ret = 0;
out:
	lxc_container_put(c);

	if (ret != 0) {
		int fd;

		fd = open(template_log, O_RDONLY);
		if (fd >= 0) {
			char buf[4096];
			ssize_t buflen;
			while ((buflen = read(fd, buf, 1024)) > 0) {
				buflen = write(STDERR_FILENO, buf, buflen);
				if (buflen <= 0)
					break;
			}
			close(fd);
		}
	}

	unlink(template_log);
	unlink(template_dir);

	return ret;
}

static int do_priv_container_test(void)
{
	const char *config_items[] = {"lxc.mount.auto", "shmounts:/tmp/mount_injection_test", NULL};
	return perform_container_test(NAME"privileged", config_items);
}

static int do_unpriv_container_test(void)
{
	const char *config_items[] = {
		"lxc.mount.auto", "shmounts:/tmp/mount_injection_test",
		NULL
	};
	return perform_container_test(NAME"unprivileged", config_items);
}

static bool lxc_setup_shmount(const char *shmount_path)
{
	int ret;

	ret = mkdir_p(shmount_path, 0711);
	if (ret < 0 && errno != EEXIST) {
		fprintf(stderr, "Failed to create directory \"%s\"\n", shmount_path);
		return false;
	}

	/* Prepare host mountpoint */
	ret = mount("tmpfs", shmount_path, "tmpfs", 0, "size=100k,mode=0711");
	if (ret < 0) {
		fprintf(stderr, "Failed to mount \"%s\"\n", shmount_path);
		return false;
	}

	ret = mount(shmount_path, shmount_path, "none", MS_REC | MS_SHARED, "");
	if (ret < 0) {
		fprintf(stderr, "Failed to make shared \"%s\"\n", shmount_path);
		return false;
	}

	return true;
}

static void lxc_teardown_shmount(char *shmount_path)
{
	(void)umount2(shmount_path, MNT_DETACH);
	(void)lxc_rm_rf(shmount_path);
}

int main(int argc, char *argv[])
{
	if (!lxc_setup_shmount("/tmp/mount_injection_test"))
		exit(EXIT_FAILURE);

	if (do_priv_container_test()) {
		fprintf(stderr, "Privileged mount injection test failed\n");
		exit(EXIT_FAILURE);
	}

	if (do_unpriv_container_test()) {
		fprintf(stderr, "Unprivileged mount injection test failed\n");
		exit(EXIT_FAILURE);
	}

	lxc_teardown_shmount("/tmp/mount_injection_test");

	exit(EXIT_SUCCESS);
}
Commit	Line	Data
d81423f2 LT	1	/* mount_injection
	2	*
	3	* Copyright © 2018 Elizaveta Tretiakova <elizabet.tretyakova@gmail.com>.
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2, as
	7	* published by the Free Software Foundation.
	8	*
	9	* This program is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	* GNU General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License along
	15	* with this program; if not, write to the Free Software Foundation, Inc.,
	16	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	17	*/
	18
e49c56d6	19	#include "config.h"
d81423f2	20
d81423f2 LT	21	#include <fcntl.h>
	22	#include <stdio.h>
	23	#include <stdlib.h>
	24	#include <string.h>
	25	#include <lxc/lxccontainer.h>
	26	#include <lxc/list.h>
	27	#include <string.h>
	28	#include <sys/mount.h>
	29	#include <sys/stat.h>
	30	#include <sys/types.h>
	31	#include <unistd.h>
	32
f994bc87	33	#include "config.h"
d81423f2 LT	34	#include "lxctest.h"
	35	#include "utils.h"
	36
	37	#define NAME "mount_injection_test-"
	38	#define TEMPLATE P_tmpdir"/mount_injection_XXXXXX"
	39
c8c568c8	40	struct mountinfo_data {
d81423f2 LT	41	const char *mount_root;
	42	const char *mount_point;
	43	const char *fstype;
	44	const char *mount_source;
	45	const char *message;
c8c568c8	46	bool should_be_present;
d81423f2 LT	47	};
	48
	49	static int comp_field(char line, const char str, int nfields)
	50	{
	51	char p, p2;
	52	int i, ret;
	53
	54	if(!line)
	55	return -1;
	56
	57	if (!str)
	58	return 0;
	59
	60	for (p = line, i = 0; p && i < nfields; i++)
	61	p = strchr(p + 1, ' ');
	62	if (!p)
	63	return -1;
	64	p2 = strchr(p + 1, ' ');
	65	if (p2)
	66	*p2 = '\0';
	67	ret = strcmp(p + 1, str);
	68	if (p2)
	69	*p2 = ' ';
	70	return ret;
	71	}
	72
	73	static int find_in_proc_mounts(void *data)
	74	{
	75	char buf[LXC_LINELEN];
	76	FILE *f;
643bcac9	77	struct mountinfo_data mdata = (struct mountinfo_data )data;
d81423f2	78
c8c568c8	79	fprintf(stderr, "%s", mdata->message);
d81423f2 LT	80
	81	f = fopen("/proc/self/mountinfo", "r");
	82	if (!f)
	83	return 0;
643bcac9	84
d81423f2	85	while (fgets(buf, LXC_LINELEN, f)) {
643bcac9 CB	86	char *buf2;
	87
	88	/* checking mount_root is tricky since it will be prefixed with
	89	* whatever path was the source of the mount in the original
	90	* mount namespace. So only verify it when we know that root is
	91	* in fact "/".
	92	*/
	93	if (mdata->mount_root && comp_field(buf, mdata->mount_root, 3) != 0)
	94	continue;
	95
	96	if (comp_field(buf, mdata->mount_point, 4) != 0)
	97	continue;
	98
	99	if (!mdata->fstype \|\| !mdata->mount_source)
	100	goto on_success;
	101
	102	buf2 = strchr(buf, '-');
	103	if (comp_field(buf2, mdata->fstype, 1) != 0 \|\|
	104	comp_field(buf2, mdata->mount_source, 2) != 0)
	105	continue;
	106
	107	on_success:
	108	fclose(f);
	109	fprintf(stderr, "PRESENT\n");
	110	if (mdata->should_be_present)
	111	_exit(EXIT_SUCCESS);
	112
	113	_exit(EXIT_FAILURE);
d81423f2	114	}
643bcac9	115
d81423f2	116	fclose(f);
c8c568c8 LT	117	fprintf(stderr, "MISSING\n");
	118	if (!mdata->should_be_present)
	119	_exit(EXIT_SUCCESS);
643bcac9	120
d81423f2 LT	121	_exit(EXIT_FAILURE);
	122	}
	123
c8c568c8	124	static int check_containers_mountinfo(struct lxc_container c, struct mountinfo_data d)
d81423f2 LT	125	{
	126	pid_t pid;
	127	int ret = -1;
	128	lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
	129
	130	ret = c->attach(c, find_in_proc_mounts, d, &attach_options, &pid);
	131	if (ret < 0) {
	132	fprintf(stderr, "Check of the container's mountinfo failed\n");
	133	return ret;
	134	}
	135
	136	ret = wait_for_pid(pid);
	137	if (ret < 0)
643bcac9	138	fprintf(stderr, "Attached function failed\n");
d81423f2 LT	139
	140	return ret;
	141	}
	142
	143	/* config_items: NULL-terminated array of config pairs */
	144	static int perform_container_test(const char name, const char config_items[])
	145	{
	146	int i;
	147	char *sret;
	148	char template_log[sizeof(TEMPLATE)], template_dir[sizeof(TEMPLATE)],
f994bc87 CB	149	device_message[4096],
	150	dir_message[4096],
	151	fs_message[4096];
d81423f2 LT	152	struct lxc_container *c;
	153	struct lxc_mount mnt;
	154	struct lxc_log log;
	155	int ret = -1, dev_msg_size = sizeof("Check urandom device injected into "" - ") - 1 + strlen(name) + 1,
117deb70 LT	156	dir_msg_size = sizeof("Check dir "" injected into "" - ") - 1 + sizeof(TEMPLATE) - 1 + strlen(name) + 1,
117deb70 LT	157	fs_msg_size = sizeof("Check devtmpfs injected into "" - ") - 1 + strlen(name) + 1;
c8c568c8	158	struct mountinfo_data device = {
117deb70	159	.mount_root = "/urandom",
d81423f2	160	.mount_point = "/mnt/mount_injection_test_urandom",
117deb70	161	.fstype = NULL,
d81423f2	162	.mount_source = "/dev/urandom",
c8c568c8 LT	163	.message = "",
c8c568c8 LT	164	.should_be_present = true
d81423f2	165	}, dir = {
643bcac9	166	.mount_root = NULL,
d81423f2	167	.mount_point = template_dir,
643bcac9	168	.fstype = NULL,
d81423f2	169	.mount_source = NULL,
c8c568c8 LT	170	.message = "",
c8c568c8 LT	171	.should_be_present = true
117deb70 LT	172	}, fs = {
	173	.mount_root = "/",
	174	.mount_point = "/mnt/mount_injection_test_devtmpfs",
	175	.fstype = "devtmpfs",
	176	.mount_source = NULL,
	177	.message = "",
	178	.should_be_present = true
d81423f2 LT	179	};
	180
	181	/* Temp paths and messages setup */
	182	strcpy(template_dir, TEMPLATE);
	183	sret = mkdtemp(template_dir);
	184	if (!sret) {
	185	lxc_error("Failed to create temporary src file for container %s\n", name);
	186	exit(EXIT_FAILURE);
	187	}
	188
	189	ret = snprintf(device_message, dev_msg_size, "Check urandom device injected into %s - ", name);
	190	if (ret < 0 \|\| ret >= dev_msg_size) {
	191	fprintf(stderr, "Failed to create message for dev\n");
	192	exit(EXIT_FAILURE);
	193	}
	194	device.message = &device_message[0];
	195
	196	ret = snprintf(dir_message, dir_msg_size, "Check dir %s injected into %s - ", template_dir, name);
	197	if (ret < 0 \|\| ret >= dir_msg_size) {
	198	fprintf(stderr, "Failed to create message for dir\n");
	199	exit(EXIT_FAILURE);
	200	}
	201	dir.message = &dir_message[0];
	202
117deb70 LT	203	ret = snprintf(fs_message, fs_msg_size, "Check devtmpfs injected into %s - ", name);
	204	if (ret < 0 \|\| ret >= fs_msg_size) {
	205	fprintf(stderr, "Failed to create message for fs\n");
	206	exit(EXIT_FAILURE);
	207	}
	208	fs.message = &fs_message[0];
	209
d81423f2 LT	210	/* Setup logging*/
	211	strcpy(template_log, TEMPLATE);
	212	i = lxc_make_tmpfile(template_log, false);
	213	if (i < 0) {
	214	lxc_error("Failed to create temporary log file for container %s\n", name);
	215	exit(EXIT_FAILURE);
	216	} else {
	217	lxc_debug("Using \"%s\" as temporary log file for container %s\n", template_log, name);
	218	close(i);
	219	}
	220
	221	log.name = name;
	222	log.file = template_log;
	223	log.level = "TRACE";
	224	log.prefix = "mount-injection";
	225	log.quiet = false;
	226	log.lxcpath = NULL;
	227	if (lxc_log_init(&log))
	228	exit(EXIT_FAILURE);
	229
	230	/* Container setup */
	231	c = lxc_container_new(name, NULL);
	232	if (!c) {
	233	fprintf(stderr, "Unable to instantiate container (%s)...\n", name);
	234	goto out;
	235	}
	236
	237	if (c->is_defined(c)) {
	238	fprintf(stderr, "Container (%s) already exists\n", name);
	239	goto out;
	240	}
	241
	242	for (i = 0; config_items[i]; i += 2) {
	243	if (!c->set_config_item(c, config_items[i], config_items[i + 1])) {
	244	fprintf(stderr, "Failed to set \"%s\" config option to \"%s\"\n", config_items[i], config_items[i + 1]);
	245	goto out;
	246	}
	247	}
	248
	249	if (!c->create(c, "busybox", NULL, NULL, 1, NULL)) {
	250	fprintf(stderr, "Creating the container (%s) failed...\n", name);
	251	goto out;
	252	}
	253
	254	c->want_daemonize(c, true);
	255
	256	if (!c->start(c, false, NULL)) {
	257	fprintf(stderr, "Starting the container (%s) failed...\n", name);
	258	goto out;
	259	}
	260
	261	mnt.version = LXC_MOUNT_API_V1;
	262
	263	/* Check device mounted */
117deb70	264	ret = c->mount(c, "/dev/urandom", "/mnt/mount_injection_test_urandom", NULL, MS_BIND, NULL, &mnt);
d81423f2 LT	265	if (ret < 0) {
	266	fprintf(stderr, "Failed to mount \"/dev/urandom\"\n");
	267	goto out;
	268	}
	269
c8c568c8 LT	270	ret = check_containers_mountinfo(c, &device);
	271	if (ret < 0)
	272	goto out;
	273
	274	/* Check device unmounted */
	275	/* TODO: what about other umount flags? */
	276	ret = c->umount(c, "/mnt/mount_injection_test_urandom", MNT_DETACH, &mnt);
	277	if (ret < 0) {
	278	fprintf(stderr, "Failed to umount2 \"/dev/urandom\"\n");
	279	goto out;
	280	}
	281
	282	device.message = "Unmounted \"/mnt/mount_injection_test_urandom\" -- should be missing now: ";
	283	device.should_be_present = false;
d81423f2 LT	284	ret = check_containers_mountinfo(c, &device);
	285	if (ret < 0)
	286	goto out;
	287
	288	/* Check dir mounted */
643bcac9	289	ret = c->mount(c, template_dir, template_dir, NULL, MS_BIND, NULL, &mnt);
d81423f2 LT	290	if (ret < 0) {
	291	fprintf(stderr, "Failed to mount \"%s\"\n", template_dir);
	292	goto out;
	293	}
	294
	295	ret = check_containers_mountinfo(c, &dir);
	296	if (ret < 0)
	297	goto out;
	298
c8c568c8 LT	299	/* Check dir unmounted */
	300	/* TODO: what about other umount flags? */
	301	ret = c->umount(c, template_dir, MNT_DETACH, &mnt);
	302	if (ret < 0) {
	303	fprintf(stderr, "Failed to umount2 \"%s\"\n", template_dir);
	304	goto out;
	305	}
	306
	307	dir.message = "Unmounted dir -- should be missing now: ";
	308	dir.should_be_present = false;
	309	ret = check_containers_mountinfo(c, &dir);
	310	if (ret < 0)
	311	goto out;
	312
117deb70 LT	313	/* Check fs mounted */
	314	ret = c->mount(c, NULL, "/mnt/mount_injection_test_devtmpfs", "devtmpfs", 0, NULL, &mnt);
	315	if (ret < 0) {
	316	fprintf(stderr, "Failed to mount devtmpfs\n");
	317	goto out;
	318	}
	319
	320	ret = check_containers_mountinfo(c, &fs);
	321	if (ret < 0)
	322	goto out;
	323
	324	/* Check fs unmounted */
	325	/* TODO: what about other umount flags? */
	326	ret = c->umount(c, "/mnt/mount_injection_test_devtmpfs", MNT_DETACH, &mnt);
	327	if (ret < 0) {
	328	fprintf(stderr, "Failed to umount2 devtmpfs\n");
	329	goto out;
	330	}
	331
	332	fs.message = "Unmounted \"/mnt/mount_injection_test_devtmpfs\" -- should be missing now: ";
	333	fs.should_be_present = false;
	334	ret = check_containers_mountinfo(c, &fs);
	335	if (ret < 0)
	336	goto out;
	337
c8c568c8	338	/* Finalize the container */
d81423f2 LT	339	if (!c->stop(c)) {
	340	fprintf(stderr, "Stopping the container (%s) failed...\n", name);
	341	goto out;
	342	}
	343
	344	if (!c->destroy(c)) {
	345	fprintf(stderr, "Destroying the container (%s) failed...\n", name);
	346	goto out;
	347	}
	348
	349	ret = 0;
	350	out:
	351	lxc_container_put(c);
	352
	353	if (ret != 0) {
	354	int fd;
	355
	356	fd = open(template_log, O_RDONLY);
	357	if (fd >= 0) {
	358	char buf[4096];
	359	ssize_t buflen;
	360	while ((buflen = read(fd, buf, 1024)) > 0) {
	361	buflen = write(STDERR_FILENO, buf, buflen);
	362	if (buflen <= 0)
	363	break;
	364	}
	365	close(fd);
	366	}
	367	}
	368
	369	unlink(template_log);
	370	unlink(template_dir);
	371
	372	return ret;
	373	}
	374
39b72573	375	static int do_priv_container_test(void)
d81423f2 LT	376	{
	377	const char *config_items[] = {"lxc.mount.auto", "shmounts:/tmp/mount_injection_test", NULL};
	378	return perform_container_test(NAME"privileged", config_items);
	379	}
	380
39b72573	381	static int do_unpriv_container_test(void)
d81423f2 LT	382	{
	383	const char *config_items[] = {
	384	"lxc.mount.auto", "shmounts:/tmp/mount_injection_test",
d81423f2 LT	385	NULL
	386	};
	387	return perform_container_test(NAME"unprivileged", config_items);
	388	}
	389
6437f1c1 CB	390	static bool lxc_setup_shmount(const char *shmount_path)
	391	{
	392	int ret;
	393
	394	ret = mkdir_p(shmount_path, 0711);
	395	if (ret < 0 && errno != EEXIST) {
	396	fprintf(stderr, "Failed to create directory \"%s\"\n", shmount_path);
	397	return false;
	398	}
	399
	400	/* Prepare host mountpoint */
	401	ret = mount("tmpfs", shmount_path, "tmpfs", 0, "size=100k,mode=0711");
	402	if (ret < 0) {
	403	fprintf(stderr, "Failed to mount \"%s\"\n", shmount_path);
	404	return false;
	405	}
	406
	407	ret = mount(shmount_path, shmount_path, "none", MS_REC \| MS_SHARED, "");
	408	if (ret < 0) {
	409	fprintf(stderr, "Failed to make shared \"%s\"\n", shmount_path);
	410	return false;
	411	}
	412
	413	return true;
	414	}
	415
	416	static void lxc_teardown_shmount(char *shmount_path)
	417	{
	418	(void)umount2(shmount_path, MNT_DETACH);
8408a9cc	419	(void)lxc_rm_rf(shmount_path);
6437f1c1 CB	420	}
6437f1c1 CB	421
d81423f2 LT	422	int main(int argc, char *argv[])
d81423f2 LT	423	{
6437f1c1 CB	424	if (!lxc_setup_shmount("/tmp/mount_injection_test"))
	425	exit(EXIT_FAILURE);
	426
d81423f2 LT	427	if (do_priv_container_test()) {
d81423f2 LT	428	fprintf(stderr, "Privileged mount injection test failed\n");
6437f1c1	429	exit(EXIT_FAILURE);
d81423f2	430	}
117deb70	431
6437f1c1	432	if (do_unpriv_container_test()) {
d81423f2	433	fprintf(stderr, "Unprivileged mount injection test failed\n");
6437f1c1	434	exit(EXIT_FAILURE);
d81423f2	435	}
6437f1c1 CB	436
	437	lxc_teardown_shmount("/tmp/mount_injection_test");
	438
	439	exit(EXIT_SUCCESS);
d81423f2	440	}