Testing openat2 in systemd-nspawn /* openat2_test.c */
/* compile: gcc -O0 -g -static -o openat2_test openat2_test.c */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/openat2.h>
#include <syscall.h>
int main (int argc , char * argv []) {
int dirfd = 0 ;
int fd = 0 ;
struct open_how how = {
.flags = O_RDONLY ,
.mode = 0 ,
.resolve = RESOLVE_IN_ROOT
};
if ((dirfd = open ("/" , O_RDONLY )) < 0 ) {
perror ("open" );
goto cleanup;
}
if ((fd = syscall (__NR_openat2 , dirfd , "/etc/os-release" , & how , sizeof (how ))) < 0 ) {
perror ("openat2" );
goto cleanup;
}
dprintf (1 , "success\n" );
cleanup:
if (dirfd > 0 ) {
if (close (dirfd ) < 0 ) {
perror ("close" );
}
dirfd = 0 ;
}
if (fd > 0 ) {
if (close (fd ) < 0 ) {
perror ("close" );
}
fd = 0 ;
}
}$ sudo systemd-nspawn -M openat2 -D /home/mohan/Virt/containers/container0/ --capability=all /home/mohan/Downloads/openat2_test
Spawning container openat2 on /home/mohan/Virt/containers/container0.
Press ^] three times within 1s to kill container.
openat2: Operation not permitted
Container openat2 exited successfully.
$ systemd-nwpawn output (with --system-call-filter=openat2) $ sudo systemd-nspawn -M openat2 -D /home/mohan/Virt/containers/container0/ --capability=all --system-call-filter=openat2 /home/mohan/Downloads/openat2_test
Spawning container openat2 on /home/mohan/Virt/containers/container0.
Press ^] three times within 1s to kill container.
openat2: Operation not permitted
Container openat2 exited successfully.
$ $ ./openat2_test
success
$ 