...

Text file src/github.com/opencontainers/runc/tests/integration/dev.bats

Documentation: github.com/opencontainers/runc/tests/integration

     1#!/usr/bin/env bats
     2
     3load helpers
     4
     # Per-test fixture hook: bats calls this before every @test in the file.
     # setup_busybox comes from the `load helpers` file (not shown here);
     # presumably it prepares the busybox bundle the tests run.
     setup() {
     	setup_busybox
     }
     8
     # Per-test cleanup hook: bats calls this after every @test, pass or fail.
     # teardown_bundle comes from the loaded helpers file (not shown here).
     teardown() {
     	teardown_bundle
     }
    12
    @test "runc run [redundant default /dev/tty]" {
    	# Explicitly list /dev/tty (char 5:0) in the config, then have the
    	# container print the node's numeric mode/owner/device numbers.
    	update_config ' .linux.devices += [{"path": "/dev/tty", "type": "c", "major": 5, "minor": 0}]
		      | .process.args |= ["ls", "-lLn", "/dev/tty"]'

    	runc run test_dev
    	[ "$status" -eq 0 ]

    	# Expected numeric uid/gid of the node: 0 normally, 65534 when rootless
    	# (presumably the overflow id shown for an owner that is not mapped
    	# into the user namespace).
    	local owner=0
    	if [[ "$ROOTLESS" -ne 0 ]]; then
    		owner=65534
    	fi

    	# The node must be a world-read/writable char device with numbers 5,0.
    	[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"$owner".+"$owner".+"5,".+"0".+"/dev/tty" ]]
    }
    26
    27@test "runc run [redundant default /dev/ptmx]" {
    28	update_config ' .linux.devices += [{"path": "/dev/ptmx", "type": "c", "major": 5, "minor": 2}]
    29		      | .process.args |= ["ls", "-lLn", "/dev/ptmx"]'
    30
    31	runc run test_dev
    32	[ "$status" -eq 0 ]
    33	[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"0".+"0".+"5,".+"2".+"/dev/ptmx" ]]
    34}
    35
    36@test "runc run/update [device cgroup deny]" {
    37	requires root
    38
    39	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"}]
    40			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
    41			| .process.capabilities.bounding += ["CAP_SYSLOG"]
    42			| .process.capabilities.effective += ["CAP_SYSLOG"]
    43			| .process.capabilities.inheritable += ["CAP_SYSLOG"]
    44			| .process.capabilities.permitted += ["CAP_SYSLOG"]
    45			| .process.args |= ["sh"]'
    46
    47	runc run -d --console-socket "$CONSOLE_SOCKET" test_deny
    48	[ "$status" -eq 0 ]
    49
    50	# test write
    51	runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
    52	[ "$status" -eq 1 ]
    53	[[ "${output}" == *'Operation not permitted'* ]]
    54
    55	# test read
    56	runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
    57	[ "$status" -eq 1 ]
    58	[[ "${output}" == *'Operation not permitted'* ]]
    59
    60	runc update test_deny --pids-limit 42
    61
    62	# test write
    63	runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
    64	[ "$status" -eq 1 ]
    65	[[ "${output}" == *'Operation not permitted'* ]]
    66
    67	# test read
    68	runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
    69	[ "$status" -eq 1 ]
    70	[[ "${output}" == *'Operation not permitted'* ]]
    71}
    72
    73@test "runc run [device cgroup allow rw char device]" {
    74	requires root
    75
    76	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "c", "major": 1, "minor": 11, "access": "rw"}]
    77			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
    78			| .process.args |= ["sh"]
    79			| .process.capabilities.bounding += ["CAP_SYSLOG"]
    80			| .process.capabilities.effective += ["CAP_SYSLOG"]
    81			| .process.capabilities.inheritable += ["CAP_SYSLOG"]
    82			| .process.capabilities.permitted += ["CAP_SYSLOG"]
    83			| .hostname = "myhostname"'
    84
    85	runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_char
    86	[ "$status" -eq 0 ]
    87
    88	# test write
    89	runc exec test_allow_char sh -c 'hostname | tee /dev/kmsg'
    90	[ "$status" -eq 0 ]
    91	[[ "${lines[0]}" == *'myhostname'* ]]
    92
    93	# test read
    94	runc exec test_allow_char sh -c 'head -n 1 /dev/kmsg'
    95	[ "$status" -eq 0 ]
    96
    97	# test access
    98	TEST_NAME="dev_access_test"
    99	gcc -static -o "rootfs/bin/${TEST_NAME}" "${TESTDATA}/${TEST_NAME}.c"
   100	runc exec test_allow_char sh -c "${TEST_NAME} /dev/kmsg"
   101	[ "$status" -eq 0 ]
   102}
   103
   104@test "runc run [device cgroup allow rm block device]" {
   105	requires root
   106
   107	# Get the first block device.
   108	IFS=$' \t:' read -r device major minor <<<"$(lsblk -nd -o NAME,MAJ:MIN)"
   109	# Could have used -o PATH but lsblk from CentOS 7 does not have it.
   110	device="/dev/$device"
   111
   112	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "b", "major": '"$major"', "minor": '"$minor"', "access": "rwm"}]
   113			| .linux.devices = [{"path": "'"$device"'", "type": "b", "major": '"$major"', "minor": '"$minor"'}]
   114			| .process.args |= ["sh"]
   115			| .process.capabilities.bounding += ["CAP_MKNOD"]
   116			| .process.capabilities.effective += ["CAP_MKNOD"]
   117			| .process.capabilities.inheritable += ["CAP_MKNOD"]
   118			| .process.capabilities.permitted += ["CAP_MKNOD"]'
   119
   120	runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_block
   121	[ "$status" -eq 0 ]
   122
   123	# test mknod
   124	runc exec test_allow_block sh -c 'mknod /dev/fooblock b '"$major"' '"$minor"''
   125	[ "$status" -eq 0 ]
   126
   127	# test read
   128	runc exec test_allow_block sh -c 'fdisk -l '"$device"''
   129	[ "$status" -eq 0 ]
   130}
   131
   132# https://github.com/opencontainers/runc/issues/3551
   133@test "runc exec vs systemctl daemon-reload" {
   134	requires systemd root
   135
   136	runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
   137	[ "$status" -eq 0 ]
   138
   139	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
   140	[ "$status" -eq 0 ]
   141
   142	systemctl daemon-reload
   143
   144	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
   145	[ "$status" -eq 0 ]
   146}
