#!/usr/bin/env bats

# Everything this file uses but does not define (setup_busybox, teardown_bundle,
# update_config, requires, and the `runc` wrapper that presumably runs the
# command under bats' `run` so $status/$output/$lines are populated) comes
# from this shared helper library.
load helpers
4
# bats per-test hook: build the busybox-based bundle every test starts from.
setup() {
	setup_busybox
}
8
# bats per-test hook: remove the bundle (and whatever the test left in it).
teardown() {
	teardown_bundle
}
12
# /dev/tty is one of the device nodes runc creates by default. Listing it again
# explicitly in linux.devices must not make `runc run` fail, and the node must
# still come out with the expected type, mode and major:minor.
@test "runc run [redundant default /dev/tty]" {
	# `ls -lLn`: -L follows symlinks to the real node, -n prints numeric
	# uid/gid so the regexes below do not depend on the container's passwd.
	update_config ' .linux.devices += [{"path": "/dev/tty", "type": "c", "major": 5, "minor": 0}]
			| .process.args |= ["ls", "-lLn", "/dev/tty"]'

	runc run test_dev
	[ "$status" -eq 0 ]

	# Ownership differs by mode: in a rootless container the node, owned by
	# host root which is not mapped into the user namespace, shows up as the
	# overflow uid/gid 65534 instead of 0/0. Mode and 5,0 are the same in both.
	if [[ "$ROOTLESS" -ne 0 ]]; then
		[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"65534".+"65534".+"5,".+"0".+"/dev/tty" ]]
	else
		[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"0".+"0".+"5,".+"0".+"/dev/tty" ]]
	fi
}
26
# Same idea as the /dev/tty case: /dev/ptmx is a default device, and naming it
# again in linux.devices must neither fail the run nor change how the node is
# created. Unlike /dev/tty, owner 0/0 is expected here in both root and
# rootless mode, so there is no $ROOTLESS branch.
@test "runc run [redundant default /dev/ptmx]" {
	update_config ' .linux.devices += [{"path": "/dev/ptmx", "type": "c", "major": 5, "minor": 2}]
			| .process.args |= ["ls", "-lLn", "/dev/ptmx"]'

	runc run test_dev
	[ "$status" -eq 0 ]
	# -L follows the symlink, so this checks the node /dev/ptmx resolves to.
	[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"0".+"0".+"5,".+"2".+"/dev/ptmx" ]]
}
35
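# A blanket deny rule in linux.resources.devices must block both reading and
# writing /dev/kmsg, and that rule must survive a later `runc update` that
# changes an unrelated cgroup setting (the pids limit).
@test "runc run/update [device cgroup deny]" {
	requires root

	# CAP_SYSLOG is granted in every set so that access to /dev/kmsg cannot
	# fail for lack of a capability: the EPERM asserted below then has to come
	# from the device cgroup, which is what this test is about.
	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"}]
			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
			| .process.capabilities.bounding += ["CAP_SYSLOG"]
			| .process.capabilities.effective += ["CAP_SYSLOG"]
			| .process.capabilities.inheritable += ["CAP_SYSLOG"]
			| .process.capabilities.permitted += ["CAP_SYSLOG"]
			| .process.args |= ["sh"]'

	runc run -d --console-socket "$CONSOLE_SOCKET" test_deny
	[ "$status" -eq 0 ]

	# test write: denied by the cgroup
	runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
	[ "$status" -eq 1 ]
	[[ "${output}" == *'Operation not permitted'* ]]

	# test read: denied by the cgroup
	runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
	[ "$status" -eq 1 ]
	[[ "${output}" == *'Operation not permitted'* ]]

	# Change an unrelated resource. The update itself must succeed: if it
	# failed, the device rules would simply be untouched and the re-checks
	# below would pass without exercising the update path at all.
	runc update test_deny --pids-limit 42
	[ "$status" -eq 0 ]

	# test write: still denied after the update
	runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
	[ "$status" -eq 1 ]
	[[ "${output}" == *'Operation not permitted'* ]]

	# test read: still denied after the update
	runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
	[ "$status" -eq 1 ]
	[[ "${output}" == *'Operation not permitted'* ]]
}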
72
# Counterpart of the deny test: with a blanket deny followed by an allow rule
# for char device 1:11 with "rw" access, reading and writing /dev/kmsg from
# inside the container must succeed.
@test "runc run [device cgroup allow rw char device]" {
	requires root

	# CAP_SYSLOG is granted so that a failure could only come from the device
	# cgroup, not from a missing capability. The hostname is fixed so the
	# write test below can recognise its own output.
	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "c", "major": 1, "minor": 11, "access": "rw"}]
			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
			| .process.args |= ["sh"]
			| .process.capabilities.bounding += ["CAP_SYSLOG"]
			| .process.capabilities.effective += ["CAP_SYSLOG"]
			| .process.capabilities.inheritable += ["CAP_SYSLOG"]
			| .process.capabilities.permitted += ["CAP_SYSLOG"]
			| .hostname = "myhostname"'

	runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_char
	[ "$status" -eq 0 ]

	# test write: tee echoes what it wrote to stdout, so the configured
	# hostname appearing in the first output line shows the write went through.
	runc exec test_allow_char sh -c 'hostname | tee /dev/kmsg'
	[ "$status" -eq 0 ]
	[[ "${lines[0]}" == *'myhostname'* ]]

	# test read
	runc exec test_allow_char sh -c 'head -n 1 /dev/kmsg'
	[ "$status" -eq 0 ]

	# test access: a small static helper from the test data is compiled on the
	# host straight into the bundle's rootfs (static, so it needs nothing from
	# the busybox rootfs) and run inside the container against /dev/kmsg.
	# Presumably it exercises access(2) on the device; see the helper's source.
	TEST_NAME="dev_access_test"
	gcc -static -o "rootfs/bin/${TEST_NAME}" "${TESTDATA}/${TEST_NAME}.c"
	runc exec test_allow_char sh -c "${TEST_NAME} /dev/kmsg"
	[ "$status" -eq 0 ]
}
103
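# Allow rule for a block device: the host's first block device is exposed to
# the container with "rwm" access, and CAP_MKNOD lets the container create its
# own node for it; both creating the node and reading the device must work.
@test "runc run [device cgroup allow rm block device]" {
	requires root

	# Get the first block device.
	# Could have used -o PATH but lsblk from CentOS 7 does not have it.
	# $' \t:' makes "NAME MAJ:MIN" split into the three fields.
	IFS=$' \t:' read -r device major minor <<<"$(lsblk -nd -o NAME,MAJ:MIN)"
	# Without a device the config below would name "/dev/" with empty major
	# and minor and fail in a confusing way; a host with no block device simply
	# cannot run this test.
	[ -n "$device" ] || skip "lsblk found no block device to test with"
	device="/dev/$device"

	# $device, $major and $minor are spliced into the jq filter as shell
	# expansions; they come straight from lsblk, so major/minor are numeric.
	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "b", "major": '"$major"', "minor": '"$minor"', "access": "rwm"}]
			| .linux.devices = [{"path": "'"$device"'", "type": "b", "major": '"$major"', "minor": '"$minor"'}]
			| .process.args |= ["sh"]
			| .process.capabilities.bounding += ["CAP_MKNOD"]
			| .process.capabilities.effective += ["CAP_MKNOD"]
			| .process.capabilities.inheritable += ["CAP_MKNOD"]
			| .process.capabilities.permitted += ["CAP_MKNOD"]'

	runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_block
	[ "$status" -eq 0 ]

	# test mknod: the "m" part of the allow rule, plus CAP_MKNOD
	runc exec test_allow_block sh -c 'mknod /dev/fooblock b '"$major"' '"$minor"''
	[ "$status" -eq 0 ]

	# test read: listing the partition table only reads from the device
	runc exec test_allow_block sh -c 'fdisk -l '"$device"''
	[ "$status" -eq 0 ]
}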
131
# https://github.com/opencontainers/runc/issues/3551
# Regression test: a `runc exec -t` into a running container must keep working
# after `systemctl daemon-reload` on the host, under the systemd cgroup driver.
@test "runc exec vs systemctl daemon-reload" {
	requires systemd root

	runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
	[ "$status" -eq 0 ]

	# Baseline exec before the reload. `ls -l /proc/self/fd/0` is diagnostic
	# output showing what stdin of the exec'ed process is; only the exit
	# status is asserted.
	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
	[ "$status" -eq 0 ]

	# Not wrapped in the runc helper, so under bats a failing daemon-reload
	# fails the test here rather than being silently ignored.
	systemctl daemon-reload

	# The actual regression check: the same exec after the reload.
	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
	[ "$status" -eq 0 ]
}