#!/usr/bin/env bats load helpers function teardown() { teardown_bundle } function setup() { requires root cgroups_v2 systemd setup_busybox # chown test temp dir to allow host user to read it chown 100000 "$ROOT" # chown rootfs to allow host user to mkdir mount points chown 100000 "$ROOT"/bundle/rootfs set_cgroups_path # configure a user namespace update_config ' .linux.namespaces += [{"type": "user"}] | .linux.uidMappings += [{"hostID": 100000, "containerID": 0, "size": 65536}] | .linux.gidMappings += [{"hostID": 100000, "containerID": 0, "size": 65536}] ' } @test "runc exec (cgroup v2, ro cgroupfs, new cgroupns) does not chown cgroup" { runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown [ "$status" -eq 0 ] runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" [ "$status" -eq 0 ] [ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user } @test "runc exec (cgroup v2, rw cgroupfs, inherit cgroupns) does not chown cgroup" { set_cgroup_mount_writable # inherit cgroup namespace (remove cgroup from namespaces list) update_config '.linux.namespaces |= map(select(.type != "cgroup"))' runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown [ "$status" -eq 0 ] runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" [ "$status" -eq 0 ] [ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user } @test "runc exec (cgroup v2, rw cgroupfs, new cgroupns) does chown cgroup" { set_cgroup_mount_writable runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown [ "$status" -eq 0 ] runc exec test_cgroup_chown sh -c "stat -c %U /sys/fs/cgroup" [ "$status" -eq 0 ] [ "$output" = "root" ] # /sys/fs/cgroup owned by root (of user namespace) }