1#!/usr/bin/env bats
2
3load helpers
4
5function setup() {
6 setup_busybox
7}
8
9function teardown() {
10 teardown_bundle
11}
12
13# Test case for https://github.com/opencontainers/runc/pull/2086
14@test "runc exec --user with no access to cwd" {
15 requires root
16
17 chown 42 rootfs/root
18 chmod 700 rootfs/root
19
20 update_config ' .process.cwd = "/root"
21 | .process.user.uid = 42
22 | .process.args |= ["sleep", "1h"]'
23
24 runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
25 [ "$status" -eq 0 ]
26
27 runc exec --user 0 test_busybox true
28 [ "$status" -eq 0 ]
29}
30
31# Verify a cwd owned by the container user can be chdir'd to,
32# even if runc doesn't have the privilege to do so.
33@test "runc create sets up user before chdir to cwd if needed" {
34 requires rootless rootless_idmap
35
36 # Some setup for this test (AUX_DIR and AUX_UID) is done
37 # by rootless.sh. Check that setup is done...
38 if [[ ! -d "$AUX_DIR" || -z "$AUX_UID" ]]; then
39 skip "bad/unset AUX_DIR/AUX_UID"
40 fi
41 # ... and is correct, i.e. the current user
42 # does not have permission to access AUX_DIR.
43 if ls -l "$AUX_DIR" 2>/dev/null; then
44 skip "bad AUX_DIR permissions"
45 fi
46
47 update_config ' .mounts += [{
48 source: "'"$AUX_DIR"'",
49 destination: "'"$AUX_DIR"'",
50 options: ["bind"]
51 }]
52 | .process.user.uid = '"$AUX_UID"'
53 | .process.cwd = "'"$AUX_DIR"'"
54 | .process.args |= ["ls", "'"$AUX_DIR"'"]'
55
56 runc run test_busybox
57 [ "$status" -eq 0 ]
58}
59
60# Verify a cwd not owned by the container user can be chdir'd to,
61# if runc does have the privilege to do so.
62@test "runc create can chdir if runc has access" {
63 requires root
64
65 mkdir -p rootfs/home/nonroot
66 chmod 700 rootfs/home/nonroot
67
68 update_config ' .process.cwd = "/root"
69 | .process.user.uid = 42
70 | .process.args |= ["ls", "/tmp"]'
71
72 runc run test_busybox
73 [ "$status" -eq 0 ]
74}
View as plain text