// Copyright 2023 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4*bb4ee6a4SAndroid Build Coastguard Worker 
5*bb4ee6a4SAndroid Build Coastguard Worker use std::path::PathBuf;
6*bb4ee6a4SAndroid Build Coastguard Worker 
7*bb4ee6a4SAndroid Build Coastguard Worker use serde::Deserialize;
8*bb4ee6a4SAndroid Build Coastguard Worker use serde::Serialize;
9*bb4ee6a4SAndroid Build Coastguard Worker use serde_keyvalue::FromKeyValues;
10*bb4ee6a4SAndroid Build Coastguard Worker 
/// Returns the pivot-root directory used when the configuration does not name one.
///
/// `option_env!` is expanded by the compiler, so `DEFAULT_PIVOT_ROOT` is taken from the build
/// environment and baked into the binary; the process environment at run time has no effect on
/// this value. Builds that do not set the variable fall back to `/var/empty`.
fn jail_config_default_pivot_root() -> PathBuf {
    let dir: &'static str = match option_env!("DEFAULT_PIVOT_ROOT") {
        Some(configured) => configured,
        None => "/var/empty",
    };
    PathBuf::from(dir)
}
14*bb4ee6a4SAndroid Build Coastguard Worker 
/// Jail settings, deserializable through serde and, via `FromKeyValues`, from a comma-separated
/// `key=value` option string.
///
/// Keys are the kebab-case field names (`pivot-root`, `seccomp-policy-dir`,
/// `seccomp-log-failures`). `deny_unknown_fields` makes deserialization fail on any key that is
/// not a field of this struct, so a misspelled option is reported as an error instead of being
/// silently dropped.
#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq, FromKeyValues)]
#[serde(deny_unknown_fields, rename_all = "kebab-case")]
pub struct JailConfig {
    /// Pivot-root directory. When the key is absent the value comes from
    /// `jail_config_default_pivot_root()`.
    // NOTE(review): presumably the directory the jailed process is pivoted into. This type
    // stores the path as given and performs no validation of it (existence, emptiness,
    // ownership) — confirm where the consumer checks it.
    #[serde(default = "jail_config_default_pivot_root")]
    pub pivot_root: PathBuf,
    /// Optional seccomp policy directory; `None` when the key is absent. The field exists only
    /// on Android and Linux builds.
    // NOTE(review): what the jail does when this is `None` is not visible in this file —
    // confirm against the code that loads the policies.
    #[cfg(any(target_os = "android", target_os = "linux"))]
    #[serde(default)]
    pub seccomp_policy_dir: Option<PathBuf>,
    /// Defaults to `false`. A bare `seccomp-log-failures` key parses as `true`.
    // NOTE(review): the name suggests seccomp violations are logged; whether logging replaces
    // enforcement of the filter is not visible here — confirm before enabling it outside of
    // debugging.
    #[serde(default)]
    pub seccomp_log_failures: bool,
}
26*bb4ee6a4SAndroid Build Coastguard Worker 
impl Default for JailConfig {
    /// Builds the configuration used when no option is supplied: the default pivot root, no
    /// seccomp policy directory (Android/Linux only), and seccomp failure logging off.
    ///
    /// These values mirror the per-field `#[serde(default)]` attributes on the struct, so an
    /// empty option string deserializes to the same value.
    fn default() -> Self {
        let pivot_root = jail_config_default_pivot_root();
        Self {
            pivot_root,
            #[cfg(any(target_os = "android", target_os = "linux"))]
            seccomp_policy_dir: None,
            seccomp_log_failures: false,
        }
    }
}
37*bb4ee6a4SAndroid Build Coastguard Worker 
#[cfg(test)]
mod tests {
    use serde_keyvalue::from_key_values;

    use super::*;

    /// Exercises `JailConfig` parsing from key-value option strings: the defaults, each key on
    /// its own, a combination of keys, and rejection of an unknown key.
    #[test]
    fn parse_jailconfig() {
        // `Default` must produce exactly these field values.
        let defaults = JailConfig::default();
        let spelled_out = JailConfig {
            pivot_root: jail_config_default_pivot_root(),
            #[cfg(any(target_os = "android", target_os = "linux"))]
            seccomp_policy_dir: None,
            seccomp_log_failures: false,
        };
        assert_eq!(defaults, spelled_out);

        // An empty option string deserializes to the defaults.
        let parsed = from_key_values::<JailConfig>("").unwrap();
        assert_eq!(parsed, JailConfig::default());

        // Only the pivot root is overridden.
        let parsed = from_key_values::<JailConfig>("pivot-root=/path/to/pivot/root").unwrap();
        let expected = JailConfig {
            pivot_root: "/path/to/pivot/root".into(),
            ..Default::default()
        };
        assert_eq!(parsed, expected);

        // The policy directory key only exists where the field does.
        cfg_if::cfg_if! {
            if #[cfg(any(target_os = "android", target_os = "linux"))] {
                let parsed =
                    from_key_values::<JailConfig>("seccomp-policy-dir=/path/to/seccomp/dir")
                        .unwrap();
                let expected = JailConfig {
                    seccomp_policy_dir: Some("/path/to/seccomp/dir".into()),
                    ..Default::default()
                };
                assert_eq!(parsed, expected);
            }
        }

        // A bare boolean key means `true`.
        let parsed = from_key_values::<JailConfig>("seccomp-log-failures").unwrap();
        let expected = JailConfig {
            seccomp_log_failures: true,
            ..Default::default()
        };
        assert_eq!(parsed, expected);

        // An explicit `false` is accepted as well.
        let parsed = from_key_values::<JailConfig>("seccomp-log-failures=false").unwrap();
        let expected = JailConfig {
            seccomp_log_failures: false,
            ..Default::default()
        };
        assert_eq!(parsed, expected);

        // Several keys in one string.
        let parsed = from_key_values::<JailConfig>(
            "pivot-root=/path/to/pivot/root,seccomp-log-failures=true",
        )
        .unwrap();
        // On targets without `seccomp_policy_dir` every field is already listed, which would
        // otherwise trip the lint.
        #[allow(clippy::needless_update)]
        let expected = JailConfig {
            pivot_root: "/path/to/pivot/root".into(),
            seccomp_log_failures: true,
            ..Default::default()
        };
        assert_eq!(parsed, expected);

        // `deny_unknown_fields`: an unrecognised key fails the whole parse, even next to a
        // valid one.
        let rejected = from_key_values::<JailConfig>("seccomp-log-failures,invalid-arg=value");
        assert!(rejected.is_err());
    }
}