1#!/usr/bin/env bats
2
# Pull in the shared bats helpers used below (runc, requires, setup_busybox,
# update_config, set_cgroup_mount_writable, ...) — presumably helpers.bash next
# to this file; verify against the test tree.
load helpers
4
# Bats hook run after every test: discard the bundle created by setup().
teardown() { teardown_bundle; }
8
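# Bats hook run before every test: build a busybox bundle that runs inside a
# user namespace, with the bundle made reachable by the mapped host uid.
#
# Requires root, cgroup v2 and systemd on the host (skipped otherwise).
function setup() {
	requires root cgroups_v2 systemd

	setup_busybox

	# Host uid/gid that container root (id 0 inside the user namespace) maps to.
	# One variable keeps the chowns and the uid/gid mappings below in sync.
	local host_id=100000

	# chown test temp dir so the mapped host user can read it
	chown "$host_id" "$ROOT"

	# chown rootfs so the mapped host user can mkdir mount points
	chown "$host_id" "$ROOT"/bundle/rootfs

	set_cgroups_path

	# configure a user namespace: container ids 0..65535 map onto host ids
	# host_id..host_id+65535 for both uids and gids
	update_config '  .linux.namespaces += [{"type": "user"}]
		| .linux.uidMappings += [{"hostID": '"$host_id"', "containerID": 0, "size": 65536}]
		| .linux.gidMappings += [{"hostID": '"$host_id"', "containerID": 0, "size": 65536}]
		'
}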
28
29@test "runc exec (cgroup v2, ro cgroupfs, new cgroupns) does not chown cgroup" {
30 runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
31 [ "$status" -eq 0 ]
32
33 runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup"
34 [ "$status" -eq 0 ]
35 [ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user
36}
37
38@test "runc exec (cgroup v2, rw cgroupfs, inherit cgroupns) does not chown cgroup" {
39 set_cgroup_mount_writable
40
41 # inherit cgroup namespace (remove cgroup from namespaces list)
42 update_config '.linux.namespaces |= map(select(.type != "cgroup"))'
43
44 runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
45 [ "$status" -eq 0 ]
46
47 runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup"
48 [ "$status" -eq 0 ]
49 [ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user
50}
51
52@test "runc exec (cgroup v2, rw cgroupfs, new cgroupns) does chown cgroup" {
53 set_cgroup_mount_writable
54
55 runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
56 [ "$status" -eq 0 ]
57
58 runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup"
59 [ "$status" -eq 0 ]
60 [ "$output" = "root" ] # /sys/fs/cgroup owned by root (of user namespace)
61}