diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 3a850b4..2f8c037 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -15,9 +15,13 @@ jobs: if: github.event.pull_request.draft == false steps: + - name: Allow unprivileged user namespaces (for Ubuntu 24.04) + run: | + sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0 + - name: Install dependencies run: | - sudo apt-get install expect mergerfs attr pandoc + sudo apt-get install util-linux expect mergerfs attr pandoc - name: Checkout uses: actions/checkout@v4 @@ -50,6 +54,10 @@ jobs: if: github.event.pull_request.draft == false steps: + - name: Allow unprivileged user namespaces (for Ubuntu 24.04) + run: | + sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0 + - name: Install dependencies run: | sudo apt-get install expect mergerfs attr pandoc @@ -92,6 +100,10 @@ jobs: if: github.event.pull_request.draft == false steps: + - name: Allow unprivileged user namespaces (for Ubuntu 24.04) + run: | + sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0 + - name: Install dependencies run: | sudo apt-get install expect mergerfs attr pandoc diff --git a/test/stdstream.sh b/test/stdstream.sh new file mode 100755 index 0000000..e7a3e22 --- /dev/null +++ b/test/stdstream.sh 
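Review bot: The new first step in each job runs `sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0` unconditionally, which turns off the AppArmor restriction on unprivileged user namespaces for the whole runner; the same step is repeated in the hunks at -50 and -92. On an image whose kernel does not expose that key the call fails and takes the job with it, so a guard such as `[ ! -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] || sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0` keeps the step working across images. The `runs-on` lines are outside these hunks; if any of the jobs can land on a self-hosted or otherwise long-lived runner, the setting outlives the job and relaxes a host-wide hardening default. A step comment such as `# ephemeral hosted runners only: relaxes a host-wide hardening default` would make that explicit.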
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree 2>/dev/null || echo "${0%/*}")}"
+TRY="$TRY_TOP/try"
+
+cmdfile="$(mktemp)"
+
+cat > "$cmdfile" <<'EOF'
+read x < /dev/stdin
+echo $((x * 2)) > /dev/stdout
+echo $((x * 3)) > /dev/stderr
+
+EOF
+
+chmod +x "$cmdfile"
+
+try_stdout=$(mktemp)
+try_stderr=$(mktemp)
+sh_stdout=$(mktemp)
+sh_stderr=$(mktemp)
+
+# test stdout
+echo 5 | "$TRY" "$cmdfile" >"$try_stdout" 2>"$try_stderr"
+echo 5 | sh "$cmdfile" >"$sh_stdout" 2>"$sh_stderr"
+
+diff "$try_stdout" "$sh_stdout" || exit 1
+
+# using grep because there's try errors printed
+grep -q 15 "$try_stderr"
+grep -q 15 "$sh_stderr"
+
+rm "$try_stdout" "$try_stderr" "$sh_stdout" "$sh_stderr"
+
+cat > "$cmdfile" <<'EOF'
+read x <&0
+echo $((x * 2)) >&1
+echo $((x * 3)) >&2
+
+EOF
+
+# test stdout
+echo 5 | "$TRY" "$cmdfile" >"$try_stdout" 2>"$try_stderr"
+echo 5 | sh "$cmdfile" >"$sh_stdout" 2>"$sh_stderr"
+
+diff "$try_stdout" "$sh_stdout" || exit 1
+
+# using grep because there's try errors printed
+grep -q 15 "$try_stderr"
+grep -q 15 "$sh_stderr"
+
+rm "$try_stdout" "$try_stderr" "$sh_stdout" "$sh_stderr"
diff --git a/test/tempfiles.sh b/test/tempfiles.sh
new file mode 100755
index 0000000..25e6adb
--- /dev/null
+++ b/test/tempfiles.sh
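Review bot: The four `grep -q 15 ...` lines in test/stdstream.sh never affect the result, because the script has no `set -e` and nothing tests their status, so a missing or wrong stderr value still ends with the exit code of the final `rm`. Each check should fail the test explicitly, e.g. `grep -q 15 "$try_stderr" || exit 2`. `$cmdfile` is never removed and the other four temp files survive an early `exit 1`; `trap 'rm -f -- "$cmdfile" "$try_stdout" "$try_stderr" "$sh_stdout" "$sh_stderr"' EXIT` placed after the `mktemp` calls covers every path. Both sections are labelled `# test stdout` although they also check stderr.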
@@ -0,0 +1,30 @@ +#!/bin/sh +# shellcheck disable=SC2010,SC2126,SC2181 + +TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree 2>/dev/null || echo "${0%/*}")}" +TRY="$TRY_TOP/try" + +workdir="$(mktemp -d)" +cd "$workdir" || exit 1 + +initial_count="$(ls "${TMPDIR-/tmp}" | grep -e "^.*\.try-[0-9]*$" | wc -l)" + +sandbox=$($TRY -n "touch $HOME/foo") +[ $? -eq 0 ] || exit 2 + +post_count="$(ls "${TMPDIR-/tmp}" | grep -e "^.*\.try-[0-9]*$" | wc -l)" + +# just one new tempfile +[ "$((initial_count + 1))" -eq "$post_count" ] || exit 3 +[ -f "$sandbox/upperdir$HOME/foo" ] || exit 4 + +# deliberately not the pattern of try sandboxes +sandbox=local +mkdir "$sandbox" || exit 5 +$TRY -D "$sandbox" "touch $HOME/bar" || exit 6 + +final_count="$(ls "${TMPDIR-/tmp}" | grep -e "^.*\.try-[0-9]*$" | wc -l)" + +# no new tempfiles! +[ "$post_count" -eq "$final_count" ] || exit 7 +[ -f "$sandbox/upperdir$HOME/bar" ] || exit 8 diff --git a/try b/try index 09e8c08..3f8e059 100755 --- a/try +++ b/try @@ -9,6 +9,8 @@ TRY_VERSION="0.2.0" TRY_COMMAND="${0##*/}" +EXECID="$(date +%s%3N)" +export EXECID export TRY_COMMAND # exit status invariants @@ -32,10 +34,15 @@ try() { if [ "$SANDBOX_DIR" ] then ## If the name of a sandbox is given then we need to exit prematurely if its directory doesn't exist - ! [ -d "$SANDBOX_DIR" ] && { error "could not find sandbox directory $SANDBOX_DIR" 2; } + [ -d "$SANDBOX_DIR" ] || error "could not find sandbox directory $SANDBOX_DIR" 2 + # Force absolute path + SANDBOX_DIR="$(cd "$SANDBOX_DIR" && pwd)" + + # shellcheck disable=SC2181 + [ "$?" -eq 0 ] || error "could not find sandbox directory $SANDBOX_DIR (could not cd in)" 2 else ## Create a new sandbox if one was not given - SANDBOX_DIR=$(mktemp -d) + SANDBOX_DIR="$(mktemp -d --suffix ".try-$EXECID")" fi ## If the sandbox is not valid we exit early 
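Review bot: The three counts in test/tempfiles.sh come from `ls "${TMPDIR-/tmp}" | grep ... | wc -l` over the shared temp directory, so any other `try` run or parallel test that creates or removes an entry ending in `.try-<digits>` between samples makes `exit 3` or `exit 7` fire spuriously. Pointing the test at a private directory before the first count, `TMPDIR="$workdir/tmp"; mkdir "$TMPDIR"; export TMPDIR`, makes the counts depend only on this test. `$TRY` is expanded unquoted on the `-n` and `-D` lines, unlike `"$TRY"` in test/stdstream.sh, so a checkout path containing spaces breaks the test. Neither `$workdir` nor the sandbox printed by `try -n` is removed at the end.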
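Review bot: `export EXECID` in the -9 hunk of `try` puts a generically named variable into the environment of everything the script starts, and the `unset` lines visible in the -262 hunk do not list it, so the sandboxed command would see an `EXECID` that a normal run does not have. In the visible hunks the value is only expanded by `mktemp --suffix` in the same shell, so the export looks unnecessary; if it is needed, a `TRY_`-prefixed name plus an entry in that `unset` list keeps the sandboxed environment faithful. `date +%s%3N` and `mktemp --suffix` are GNU extensions, which deserves a comment such as `# requires GNU date and GNU mktemp` if other userlands are meant to work.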
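Review bot: In the -32 hunk, when the `cd` inside `SANDBOX_DIR="$(cd "$SANDBOX_DIR" && pwd)"` fails, the assignment has already replaced `SANDBOX_DIR` with an empty string, so the `error` message that follows prints no path. Resolving into a scratch variable keeps the message useful and removes the need for the SC2181 suppression: `abs_dir="$(cd "$SANDBOX_DIR" && pwd)" || error "could not find sandbox directory $SANDBOX_DIR (could not cd in)" 2` followed by `SANDBOX_DIR="$abs_dir"`. With `CDPATH` set and a relative `-D` argument, `cd` can print the directory itself and the captured value then contains it twice; `CDPATH= cd -- "$SANDBOX_DIR"` avoids that and also copes with names beginning with `-`. The `if` block belongs to `try()`, whose body continues outside the hunk.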
@@ -48,7 +55,11 @@ try() { ## because we have already checked if it valid. export SANDBOX_DIR - try_mount_log="$(mktemp)" + # We created "$IGNORE_FILE" up front, but now we can stash it in the sandbox. + mv "$IGNORE_FILE" "$SANDBOX_DIR"/ignore + IGNORE_FILE="$SANDBOX_DIR"/ignore + + try_mount_log="$SANDBOX_DIR"/mount.log export try_mount_log # If we're in a docker container, we want to mount tmpfs on sandbox_dir, #136 @@ -64,14 +75,14 @@ try() { mkdir -p "$SANDBOX_DIR/upperdir" "$SANDBOX_DIR/workdir" "$SANDBOX_DIR/temproot" ## Find all the directories and mounts that need to be mounted - DIRS_AND_MOUNTS="$(mktemp)" + DIRS_AND_MOUNTS="$SANDBOX_DIR"/mounts export DIRS_AND_MOUNTS find / -maxdepth 1 >"$DIRS_AND_MOUNTS" findmnt --real -r -o target -n >>"$DIRS_AND_MOUNTS" sort -u -o "$DIRS_AND_MOUNTS" "$DIRS_AND_MOUNTS" # Calculate UPDATED_DIRS_AND_MOUNTS that contains the merge arguments in LOWER_DIRS - UPDATED_DIRS_AND_MOUNTS="$(mktemp)" + UPDATED_DIRS_AND_MOUNTS="$SANDBOX_DIR"/mounts.updated export UPDATED_DIRS_AND_MOUNTS while IFS="" read -r mountpoint do @@ -122,9 +133,9 @@ try() { chmod "$(stat -c %a /)" "$SANDBOX_DIR/temproot" - mount_and_execute="$(mktemp)" - chroot_executable="$(mktemp)" - script_to_execute="$(mktemp)" + mount_and_execute="$SANDBOX_DIR"/mount_and_execute.sh + chroot_executable="$SANDBOX_DIR"/chroot_executable.sh + script_to_execute="$SANDBOX_DIR"/script_to_execute.sh export chroot_executable export script_to_execute @@ -225,7 +236,8 @@ do ## We can ignore this mountpoint, if the user program tries to use it, it will crash, but if not we can run normally printf "%s: Warning: Failed mounting $mountpoint as an overlay and mergerfs or unionfs not set and could not be found, see \"$try_mount_log\"\n" "$TRY_COMMAND" >&2 else - merger_dir=$(mktemp -d) + merger_dir="$SANDBOX_DIR"/mergerdir."$(echo "$pure_mountpoint" | tr '/' '.')" + mkdir "$merger_dir" ## Create a union directory "$UNION_HELPER" $mountpoint $merger_dir 2>>"$try_mount_log" || 
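Review bot: The `mktemp` files are replaced by fixed names under `$SANDBOX_DIR` (`ignore` and `mount.log` in this -48 hunk, `mounts` and `mounts.updated` in the -64 hunk, and the three `*.sh` scripts in the -122 hunk), which is safe for the directory `mktemp -d` creates but not obviously so for one supplied with `-D`. If that directory is writable by another user, an entry already present under one of these names is followed or reused when the file is written, and `chroot_executable.sh` is later run by `/bin/sh` (visible in the -249 hunk header). The validation that follows the -32 hunk is outside the visible lines; unless it already checks ownership, a guard such as `[ "$(stat -c %u "$SANDBOX_DIR")" = "$(id -u)" ] || error "sandbox directory $SANDBOX_DIR is not owned by the current user" 2` before the `mv` would close this. The result of `mv "$IGNORE_FILE" "$SANDBOX_DIR"/ignore` is also unchecked, so a failed move leaves `IGNORE_FILE` pointing at a file that does not exist.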
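Review bot: In the -225 hunk `mkdir "$merger_dir"` is unchecked and the name is built by mapping `/` to `.`, so it reports an error when a sandbox is reused via `-D` (the directory already exists) and two mountpoints such as `/a/b` and `/a.b` map to the same directory. `mkdir -p "$merger_dir"` tolerates reuse; the collision case deserves at least a comment, e.g. `# NOTE: '/a/b' and '/a.b' map to the same merger dir`. `printf '%s\n' "$pure_mountpoint" | tr '/' '.'` is safer than `echo` for paths that contain backslashes. The surrounding loop starts and ends outside the hunk.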
@@ -249,6 +261,10 @@ unshare --root="$SANDBOX_DIR/temproot" /bin/sh "$chroot_executable" exitcode="$?" # unmount the devices +rm "$sandbox_dir/temproot/dev/stdin" +rm "$sandbox_dir/temproot/dev/stdout" +rm "$sandbox_dir/temproot/dev/stderr" + unmount_devices "$SANDBOX_DIR" exit $exitcode @@ -262,6 +278,9 @@ unset START_DIR SANDBOX_DIR UNION_HELPER DIRS_AND_MOUNTS TRY_EXIT_STATUS unset script_to_execute chroot_executable try_mount_log mount -t proc proc /proc && +ln -s /proc/self/fd/0 /dev/stdin && +ln -s /proc/self/fd/1 /dev/stdout && +ln -s /proc/self/fd/2 /dev/stderr && cd "$START_DIR" && . "$script_to_execute" EOF @@ -603,7 +622,10 @@ EOF NO_COMMIT="interactive" # Includes all patterns given using the `-i` flag; will be used with `grep -f` -IGNORE_FILE="$(mktemp)" +# +# We have to create this temporary up front. +# We move it to $SANDBOX_DIR/ignore in `try()`, but delete it when we don't move it. +IGNORE_FILE="$(mktemp --suffix ".try-$EXECID")" while getopts ":yvnhxi:D:U:L:" opt do @@ -648,9 +670,13 @@ fi TRY_EXIT_STATUS=1 case "$1" in (summary) : "${SANDBOX_DIR=$2}" - summary;; + summary + rm "$IGNORE_FILE" # we didn't move it to the sandbox, so clean up + ;; (commit) : "${SANDBOX_DIR=$2}" - commit;; + commit + rm "$IGNORE_FILE" # we didn't move it to the sandbox, so clean up + ;; (explore) : "${SANDBOX_DIR=$2}" try "$SHELL";; (--) shift
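Review bot: The three added `rm` lines in the -249 hunk expand `$sandbox_dir` in lower case, while the `unshare` call above them and `unmount_devices "$SANDBOX_DIR"` below use `$SANDBOX_DIR`; nothing in the visible hunks assigns `sandbox_dir`, so unless a helper outside the hunk sets it as a side effect these resolve to `/temproot/dev/stdin` and so on. Using the exported name, `rm -f "$SANDBOX_DIR/temproot/dev/stdin" "$SANDBOX_DIR/temproot/dev/stdout" "$SANDBOX_DIR/temproot/dev/stderr"`, removes that dependency. If the links are left behind, the `ln -s ... &&` chain added in the -262 hunk fails on the next run in the same sandbox and the user's script is never sourced; `ln -sf` there would tolerate leftovers. The comment `# unmount the devices` now sits above the `rm` lines rather than the `unmount_devices` call.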
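Review bot: `IGNORE_FILE` is created before `getopts` runs (the -603 hunk) but removed only in the `summary` and `commit` arms of the -648 hunk, so any other exit that happens before `try()` moves it, for instance the failed `-D` directory check in the -32 hunk, leaves a `.try-$EXECID` file behind. Recording the original path and cleaning it from a trap covers all of them: `ignore_tmp="$IGNORE_FILE"` followed by `trap 'rm -f -- "$ignore_tmp"' EXIT`, which is a no-op once the file has been moved; this assumes no EXIT trap is installed elsewhere in the script. The added `rm "$IGNORE_FILE"` also becomes the last command of each arm, so any code after `esac` that reads `$?` would now see the status of `rm` rather than that of `summary` or `commit`. The rest of the `case` statement is outside the hunk.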