jail 0.3.1

FreeBSD jail library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

use crate::param;
use crate::process::Jailed;
use crate::running::RunningJail;
use crate::stopped::StoppedJail;
use std::os::unix::process::ExitStatusExt;
use std::process::Command;

#[cfg(feature = "serialize")]
#[test]
fn test_serializing_jail() {
    let rctl_enabled = rctl::State::check().is_enabled();

    let mut stopped = StoppedJail::new("/")
        .name("testjail_serializing")
        .ip("127.0.1.1".parse().expect("couldn't parse IP Addr"))
        .param(
            "osrelease",
            param::Value::String("FreeBSD 42.23".to_string()),
        );

    if rctl_enabled {
        // Skip setting limits if racct is disabled.
        stopped = stopped.limit(
            rctl::Resource::Wallclock,
            rctl::Limit::amount(1),
            rctl::Action::Signal(rctl::Signal::SIGKILL),
        );
    }

    let serialized = serde_json::to_string(&stopped).expect("could not serialize jail");

    let output: serde_json::Value =
        serde_json::from_str(&serialized).expect("could not parse serialized string");

    assert_eq!(output["name"], "testjail_serializing");
    assert_eq!(output["ips"][0], "127.0.1.1");
    assert_eq!(
        output["params"]["osrelease"]["String"]
            .as_str()
            .expect("could not read jails parameter value"),
        "FreeBSD 42.23"
    );

    if rctl_enabled {
        let limits = &output["limits"][0];
        assert_eq!(limits[0], "Wallclock");
        assert_eq!(limits[1]["amount"], 1);
        assert_eq!(limits[2]["Signal"], "SIGKILL")
    }
}

/// Test that rctl limits are actually effective, by limiting a process's Wallclock.
#[test]
fn test_rctl_limit() {
    if !rctl::State::check().is_enabled() {
        // If we don't have RCTL, let's just skip this test.
        return;
    }

    let running = StoppedJail::new("/")
        .name("testjail_rctl_limit")
        .limit(
            rctl::Resource::Wallclock,
            rctl::Limit::amount(1),
            rctl::Action::Signal(rctl::Signal::SIGKILL),
        )
        .start()
        .expect("Could not start Jail");

    // this should hang until killed by the limit
    let output = Command::new("/bin/sleep")
        .arg("10")
        .jail(&running)
        .output()
        .expect("Failed to start sleep command");

    assert!(output.status.code().is_none());
    assert!(output.status.signal() == Some(9));

    println!("{output:?}");

    running.stop().expect("Could not stop Jail");
}

#[test]
fn test_name_nonexistent_jail() {
    // Assume Jail 424242 is not running
    let r: RunningJail = RunningJail::from_jid_unchecked(424242);

    r.name()
        .expect_err("Could get name for jail 424242 which should not be running.");
}

#[test]
fn test_params_nonexistent_jail() {
    // Assume Jail 424242 is not running
    let r: RunningJail = RunningJail::from_jid_unchecked(424242);

    r.params()
        .expect_err("Could get name for jail 424242 which should not be running.");
}

#[test]
fn test_vnet_jail() {
    use sysctl::{Ctl, CtlValue::String, Sysctl};

    let ctl = Ctl::new("kern.osrelease")
        .expect("Failed to read kern.osrelease sysctl")
        .value()
        .expect("Failed to parse kern.osrelease sysctl");

    let version = match ctl {
        String(value) => value[0..2].parse::<u32>(),
        _ => Ok(0),
    }
    .unwrap_or(0);

    if version < 12 {
        // Earlier versions do not support vnet flag, skipping.
        return;
    }

    let running = StoppedJail::new("/")
        .name("vnet_jail")
        .param("vnet", param::Value::Int(1))
        .start()
        .expect("Could not start Jail");

    running.stop().expect("Could not stop Jail");
}