Isolate filesystems using mount namespaceHEAD master

Recursively bind and set to read-only all the host filesystems and bind-mount as read-write only the test dir. Provide new writable tmpfs under /tmp. Changelog: Make host filesystems read-only for the test process (except for test dir)
author: Roman Smrž <roman.smrz@seznam.cz> 2025-07-05 18:15:06 +0200
committer: Roman Smrž <roman.smrz@seznam.cz> 2025-07-06 13:03:19 +0200
commit: 28a93e24f6a33a8254c16c31961d523c71bdb1d2 (patch)
tree: dfd54319c67c031cadf3398dc93ac648dc7e90be /src/Sandbox.hs
parent: 8e4bacb750d6b3657e5e8c72a8f30f14455812e5 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/src/Sandbox.hs b/src/Sandbox.hs
new file mode 100644
index 0000000..a05a455
--- /dev/null
+++ b/src/Sandbox.hs
@@ -0,0 +1,16 @@
+module Sandbox (
+    isolateFilesystem,
+) where
+
+import Foreign.C.String
+import Foreign.C.Types
+
+import System.Directory
+
+
+isolateFilesystem :: FilePath -> IO Bool
+isolateFilesystem rwDir = do
+    absDir <- makeAbsolute rwDir
+    withCString absDir c_isolate_fs >>= return . (== 0)
+
+foreign import ccall unsafe "erebos_tester_isolate_fs" c_isolate_fs :: CString -> IO CInt
author	Roman Smrž <roman.smrz@seznam.cz>	2025-07-05 18:15:06 +0200
committer	Roman Smrž <roman.smrz@seznam.cz>	2025-07-06 13:03:19 +0200
commit	28a93e24f6a33a8254c16c31961d523c71bdb1d2 (patch)
tree	dfd54319c67c031cadf3398dc93ac648dc7e90be /src/Sandbox.hs
parent	8e4bacb750d6b3657e5e8c72a8f30f14455812e5 (diff)