From 28a93e24f6a33a8254c16c31961d523c71bdb1d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Smr=C5=BE?=
Date: Sat, 5 Jul 2025 18:15:06 +0200
Subject: Isolate filesystems using mount namespace
Recursively bind and set to read-only all the host filesystems and bind-mount as read-write only the test dir. Provide new writable tmpfs under /tmp.
Changelog: Make host filesystems read-only for the test process (except for test dir)
---
src/Sandbox.hs | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 src/Sandbox.hs
(limited to 'src/Sandbox.hs')
diff --git a/src/Sandbox.hs b/src/Sandbox.hs
new file mode 100644
index 0000000..a05a455
--- /dev/null
+++ b/src/Sandbox.hs
@@ -0,0 +1,16 @@
+module Sandbox (
+    isolateFilesystem,
+) where
+
+import Foreign.C.String
+import Foreign.C.Types
+
+import System.Directory
+
+
+isolateFilesystem :: FilePath -> IO Bool
+isolateFilesystem rwDir = do
+    absDir <- makeAbsolute rwDir
+    withCString absDir c_isolate_fs >>= return . (== 0)
+
+foreign import ccall unsafe "erebos_tester_isolate_fs" c_isolate_fs :: CString -> IO CInt
-- cgit v1.2.3
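Review bot: `isolateFilesystem` collapses the C result to `IO Bool` and discards the reason for failure, so a caller that forgets to check `False` (or cannot log why) will run the test with no filesystem isolation at all, and nothing in the hunk documents that the function must be checked or what "False" means. The C side is not in this diff, but if `erebos_tester_isolate_fs` sets errno on failure it would be more robust to surface it, e.g. `throwErrnoIfMinus1_ "erebos_tester_isolate_fs" (withCString absDir c_isolate_fs)` from `Foreign.C.Error`, or at least to document the `Bool` contract with a Haddock comment such as `-- | Confine the current process to a read-only view of the host filesystems, with @rwDir@ (made absolute) as the only writable path; returns 'False' if the C helper failed, in which case the process is NOT isolated and must not proceed.` Given the commit message says this is done with a mount namespace, and namespace changes made by `unshare`/`setns` apply to the calling OS thread only, the function presumably only works when invoked from a bound Haskell thread (main or `forkOS`) under the threaded RTS — please confirm and record that precondition next to the signature, since the `unsafe` FFI import gives no such guarantee by itself. Finally, `withCString` encodes the path with the current locale, so a non-encodable directory name would be silently mangled; `withFilePath` from the unix package is the usual choice for paths if that dependency is available.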