test(chroot_jail): cover the chroot-jail subsystem (#29)

Author: markovejnovic

.github/workflows/ci.yml

@@ -229,16 +229,18 @@ jobs:
         with:
           tool: nextest
 
-      # The feature-gated E2E suites self-skip without root. Run ONLY these two as
-      # root (via sudo -E so the runner's cargo/rustup home and PATH are kept) so
-      # the root-only cases -- sys-test ok, fake-bin argv capture -- actually run.
-      # The rest of the suite (owner-axis tests assume a non-root uid) stays in the
-      # non-root `rust` job above.
-      - name: Gated E2E suites as root
+      # Root-gated cases are tagged by name: every test that needs root ends in
+      # `_as_root` and self-skips when run unprivileged. We select them by that
+      # suffix (via sudo -E so the runner's cargo/rustup home and PATH are kept)
+      # so the root-only paths -- sys-test ok, fake-bin argv capture, mknod/chown
+      # jail build -- actually run. A new root test is picked up automatically by
+      # following the naming convention; no test-binary enumeration to maintain.
+      # The rest of the suite (owner-axis tests assume a non-root uid) stays in
+      # the non-root `rust` job above.
+      - name: Gated tests as root
         run: |
           sudo -E env "PATH=$PATH" \
-            cargo nextest run --features insecure_test_seams \
-              --test e2e_config --test e2e_argv
+            cargo nextest run --features insecure_test_seams -E 'test(/_as_root$/)'
 
   # Uploads the triggering event payload so the workflow_run publisher
   # (test-results.yml) can map results back to the originating PR -- required

AGENTS.md

@@ -132,13 +132,25 @@ Coverage is a side effect of good tests, never the target.
 
 ## Other conventions
 
-- **Comments earn their place.** No section-divider banners (`# --- foo ---`),
-  no comment that just restates what the next line does. A comment explains a
-  non-obvious *why* a reader cannot recover from the code — a workaround, an
-  invariant, a deliberate trade-off. Prefer self-documenting code: a named
-  function, a `Unit.*` quantity instead of a bare `1024 * 1024`, a descriptive
-  variable — over a comment narrating the mechanics. If you reach for a comment
-  to explain *what*, rename the thing instead.
+- **NEVER write section-divider banners** — comments like `// --- foo ---`,
+  `# === bar ===`, `// ---- Tests ----`, or any comment whose job is to label a
+  region of a file. They are a code smell: reaching for one is a signal that
+  the file is doing too many things at once. When you feel the urge, do NOT
+  write the banner — make the underlying decision instead:
+    1. **Split it out.** If the regions are genuinely distinct
+       responsibilities, they belong in separate modules/files (or, for tests,
+       separate test files or submodules). Extract them.
+    2. **Or drop the comment entirely.** If the code is already cohesive, the
+       banner adds nothing a reader can't see from the names — delete it. A
+       blank line is sufficient separation.
+  There is no third option where the banner stays.
+- **Comments earn their place.** No comment that just restates what the next
+  line does. A comment explains a non-obvious *why* a reader cannot recover
+  from the code — a workaround, an invariant, a deliberate trade-off. Prefer
+  self-documenting code: a named function, a `Unit.*` quantity instead of a
+  bare `1024 * 1024`, a descriptive variable — over a comment narrating the
+  mechanics. If you reach for a comment to explain *what*, rename the thing
+  instead.
 - Don't hand-roll magic numbers for sizes/durations/bandwidth: use the
   `Unit.*` types (`Unit.Information.mib(8)`, not `8 * 1024 * 1024`) and
   `use Unit.Operators` for unit-aware arithmetic.

native/suidhelper/Cargo.toml

@@ -46,6 +46,14 @@ path = "tests/tools/dmsetup_parsers.rs"
 name = "util_confinement"
 path = "tests/util/confinement.rs"
 
+[[test]]
+name = "tools_chroot_jail_remove"
+path = "tests/tools/chroot_jail_remove.rs"
+
+[[test]]
+name = "util_chroot_jail"
+path = "tests/util/chroot_jail.rs"
+
 [[test]]
 name = "e2e_config"
 path = "tests/e2e/config.rs"
@@ -54,6 +62,10 @@ path = "tests/e2e/config.rs"
 name = "e2e_argv"
 path = "tests/e2e/argv.rs"
 
+[[test]]
+name = "e2e_chroot_jail"
+path = "tests/e2e/chroot_jail.rs"
+
 [dependencies]
 clap = { version = "4", features = ["derive"] }
 nix = { version = "0.29", features = ["user", "fs", "dir"] }

native/suidhelper/src/tools/chroot_jail/mod.rs

@@ -2,7 +2,7 @@
 //! `chroot-jail`: per-VM chroot/jail lifecycle.
 
 mod prepare;
-mod remove;
+pub mod remove;
 
 pub use prepare::PrepareArgs;
 pub use remove::RemoveArgs;

native/suidhelper/src/tools/chroot_jail/remove.rs

@@ -74,8 +74,8 @@ impl IsTool for Remove {
     type RunT = Result<(), Error>;
 
     fn run_privileged(&self) -> Self::RunT {
-        remove_chroot(&self.args.chroot)?;
-        remove_cgroup(&self.args.cgroup)?;
+        remove_chroot_under(&Config::get().jail_base(), &self.args.chroot)?;
+        remove_cgroup_under(Path::new(CGROUP_BASE), &self.args.cgroup)?;
         Ok(())
     }
 
@@ -85,18 +85,17 @@ impl IsTool for Remove {
     }
 }
 
-/// Recursively remove the per-VM chroot `<JAIL_BASE>/<exec>/<id>`, fd-relative
-/// after an `O_NOFOLLOW` walk from `JAIL_BASE`. Idempotent on a missing target.
-fn remove_chroot(chroot: &Path) -> Result<(), Error> {
-    let jail_base = Config::get().jail_base();
+/// Recursively remove the per-VM chroot `<jail_base>/<exec>/<id>`, fd-relative
+/// after an `O_NOFOLLOW` walk from `jail_base`. Idempotent on a missing target.
+/// `--chroot` must be exactly `<exec>/<id>` (one parent component, one leaf).
+pub fn remove_chroot_under(jail_base: &Path, chroot: &Path) -> Result<(), Error> {
     let path: LexicalPath = chroot.to_path_buf().try_into().map_err(Error::ChrootPath)?;
-    let (parents, leaf) = path.relative_to(&jail_base).map_err(Error::ChrootPath)?;
-    // Exactly <exec>/<id>: one parent component, one leaf.
+    let (parents, leaf) = path.relative_to(jail_base).map_err(Error::ChrootPath)?;
     if parents.len() != 1 {
         return Err(Error::ChrootDepth(chroot.to_path_buf()));
     }
 
-    let Some(parent) = walk(jail_base, &parents)? else {
+    let Some(parent) = walk(jail_base.to_path_buf(), &parents)? else {
         return Ok(()); // an ancestor is already gone
     };
     match parent.remove_dir_all(&leaf) {
@@ -107,17 +106,16 @@ fn remove_chroot(chroot: &Path) -> Result<(), Error> {
 }
 
 /// Remove the (empty) per-VM cgroup leaf, fd-relative after an `O_NOFOLLOW` walk
-/// from `/sys/fs/cgroup`. Idempotent on `ENOENT`/`ENOTEMPTY`.
-fn remove_cgroup(cgroup: &Path) -> Result<(), Error> {
-    let base = PathBuf::from(CGROUP_BASE);
+/// from `base`. `--cgroup` must be at least two components below `base` (one or
+/// more parents, plus the leaf). Idempotent on `ENOENT`/`ENOTEMPTY`.
+pub fn remove_cgroup_under(base: &Path, cgroup: &Path) -> Result<(), Error> {
     let path: LexicalPath = cgroup.to_path_buf().try_into().map_err(Error::CgroupPath)?;
-    let (parents, leaf) = path.relative_to(&base).map_err(Error::CgroupPath)?;
-    // At least two components below the base: one or more parents, plus the leaf.
+    let (parents, leaf) = path.relative_to(base).map_err(Error::CgroupPath)?;
     if parents.is_empty() {
         return Err(Error::CgroupDepth(cgroup.to_path_buf()));
     }
 
-    let Some(parent) = walk(base, &parents)? else {
+    let Some(parent) = walk(base.to_path_buf(), &parents)? else {
         return Ok(()); // an ancestor is already gone
     };
     match parent.rmdir(&leaf) {

native/suidhelper/src/tools/mod.rs

@@ -4,7 +4,7 @@
 //! privilege boundary.
 
 mod blockdev;
-mod chroot_jail;
+pub mod chroot_jail;
 mod dmsetup;
 mod losetup;
 

native/suidhelper/src/util/chroot_jail.rs

@@ -34,7 +34,7 @@ pub enum Error {
         source: io::Error,
     },
     #[error("kernel source must be under {}: {path}", .base.display())]
-    OutsideBase { base: &'static Path, path: PathBuf },
+    OutsideBase { base: PathBuf, path: PathBuf },
     #[error("open kernel source {path}: {source}")]
     OpenSrc {
         path: PathBuf,
@@ -103,41 +103,53 @@ impl<K> ChrootJail<K, Unset> {
 }
 
 impl ChrootJail<Kernel, Rootfs> {
-    /// Realize the jail on disk: confined walk to the chroot dir, then stage the
-    /// kernel and create the rootfs node relative to that fd.
+    /// Realize the jail on disk under the configured `JAIL_BASE`/`HYPER_BASE`.
     pub fn build(self) -> Result<(), Error> {
-        let chroot = open_chroot(&self.chroot)?;
-        stage_kernel(&chroot, &self.kernel.0, self.uid, self.gid)?;
+        let cfg = Config::get();
+        self.build_under(&cfg.jail_base(), cfg.hyper_base())
+    }
+
+    /// Realize the jail relative to explicit base directories: confined walk to
+    /// the chroot dir, then stage the kernel and create the rootfs node relative
+    /// to that fd. The public [`build`](Self::build) wires `Config` into this.
+    pub fn build_under(self, jail_base: &Path, hyper_base: &Path) -> Result<(), Error> {
+        let chroot = open_chroot_under(jail_base, &self.chroot)?;
+        stage_kernel_under(&chroot, &self.kernel.0, hyper_base, self.uid, self.gid)?;
         make_rootfs(&chroot, &self.rootfs.0, self.uid, self.gid)?;
         Ok(())
     }
 }
 
-/// Open the chroot directory by walking it from `JAIL_BASE` with `O_NOFOLLOW`, so
+/// Open the chroot directory by walking it from `jail_base` with `O_NOFOLLOW`, so
 /// a symlinked component cannot redirect outside the jail.
-fn open_chroot(chroot: &Path) -> Result<SafeDir, Error> {
-    let jail_base = Config::get().jail_base();
+pub fn open_chroot_under(jail_base: &Path, chroot: &Path) -> Result<SafeDir, Error> {
     let path: SafePath<IsAbsolute, StrictComponents> = chroot.to_path_buf().try_into()?;
-    let (parents, leaf) = path.relative_to(&jail_base)?;
-    let anchor: SafePath<IsAbsolute, StrictComponents> = jail_base.try_into()?;
+    let (parents, leaf) = path.relative_to(jail_base)?;
+    let anchor: SafePath<IsAbsolute, StrictComponents> = jail_base.to_path_buf().try_into()?;
 
     let mut components = parents;
     components.push(leaf);
     Ok(SafeDir::open(&anchor)?.descend(&components)?)
 }
 
 /// Stage host file `src` into `chroot` as `vmlinux`: confine the source under
-/// `HYPER_BASE`, hard-link it (copy across filesystems), then chown to `uid:gid`.
-fn stage_kernel(chroot: &SafeDir, src: &Path, uid: u32, gid: u32) -> Result<(), Error> {
+/// `hyper_base` (after canonicalization), hard-link it (copy across filesystems),
+/// then chown to `uid:gid`.
+pub fn stage_kernel_under(
+    chroot: &SafeDir,
+    src: &Path,
+    hyper_base: &Path,
+    uid: u32,
+    gid: u32,
+) -> Result<(), Error> {
     let kernel = Path::new(KERNEL_NAME);
     let src_canon = std::fs::canonicalize(src).map_err(|source| Error::Source {
         path: src.to_path_buf(),
         source,
     })?;
-    let base = Config::get().hyper_base();
-    if !src_canon.starts_with(base) {
+    if !src_canon.starts_with(hyper_base) {
         return Err(Error::OutsideBase {
-            base,
+            base: hyper_base.to_path_buf(),
             path: src_canon,
         });
     }

native/suidhelper/tests/e2e/argv.rs

@@ -54,7 +54,7 @@ fn recorded_argv(record: &Path) -> Vec<String> {
 }
 
 #[test]
-fn dmsetup_create_snapshot_reconstructs_canonical_table() {
+fn dmsetup_create_snapshot_reconstructs_canonical_table_as_root() {
     if !is_root() {
         eprintln!("SKIP dmsetup_create: needs root to acquire + own the fake bin");
         return;
@@ -100,7 +100,7 @@ fn dmsetup_create_snapshot_reconstructs_canonical_table() {
 }
 
 #[test]
-fn dmsetup_remove_retry_toggle() {
+fn dmsetup_remove_retry_toggle_as_root() {
     if !is_root() {
         eprintln!("SKIP dmsetup_remove: needs root");
         return;
@@ -126,7 +126,7 @@ fn dmsetup_remove_retry_toggle() {
 }
 
 #[test]
-fn dmsetup_message_create_thin() {
+fn dmsetup_message_create_thin_as_root() {
     if !is_root() {
         eprintln!("SKIP dmsetup_message: needs root");
         return;
@@ -157,7 +157,7 @@ fn dmsetup_message_create_thin() {
 }
 
 #[test]
-fn blockdev_getsz_argv_and_parse() {
+fn blockdev_getsz_argv_and_parse_as_root() {
     if !is_root() {
         eprintln!("SKIP blockdev: needs root");
         return;