
Text file src/github.com/opencontainers/runc/tests/integration/mask.bats

Documentation: github.com/opencontainers/runc/tests/integration

     1#!/usr/bin/env bats
     2
     3load helpers
     4
# Runs before every test: build a busybox bundle, plant content that must
# never be visible from inside the container, and mask it via the config.
function setup() {
	setup_busybox

	# Seed the rootfs with one directory and one file whose contents the
	# container must not be able to read once masked.
	mkdir rootfs/testdir
	printf '%s\n' "Forbidden information!" >rootfs/testfile

	# Append both paths to every maskedPaths array in config.json
	# (in practice the single linux.maskedPaths list).
	update_config '(.. | select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]'
}
    15
# Runs after every test: dispose of the bundle created by setup_busybox,
# including any container that is still running.
function teardown() { teardown_bundle; }
    19
    20@test "mask paths [file]" {
    21	# run busybox detached
    22	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
    23	[ "$status" -eq 0 ]
    24
    25	runc exec test_busybox cat /testfile
    26	[ "$status" -eq 0 ]
    27	[[ "${output}" == "" ]]
    28
    29	runc exec test_busybox rm -f /testfile
    30	[ "$status" -eq 1 ]
    31	[[ "${output}" == *"Read-only file system"* ]]
    32
    33	runc exec test_busybox umount /testfile
    34	[ "$status" -eq 1 ]
    35	[[ "${output}" == *"Operation not permitted"* ]]
    36}
    37
    38@test "mask paths [directory]" {
    39	# run busybox detached
    40	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
    41	[ "$status" -eq 0 ]
    42
    43	runc exec test_busybox ls /testdir
    44	[ "$status" -eq 0 ]
    45	[[ "${output}" == "" ]]
    46
    47	runc exec test_busybox touch /testdir/foo
    48	[ "$status" -eq 1 ]
    49	[[ "${output}" == *"Read-only file system"* ]]
    50
    51	runc exec test_busybox rm -rf /testdir
    52	[ "$status" -eq 1 ]
    53	[[ "${output}" == *"Read-only file system"* ]]
    54
    55	runc exec test_busybox umount /testdir
    56	[ "$status" -eq 1 ]
    57	[[ "${output}" == *"Operation not permitted"* ]]
    58}
    59
    60@test "mask paths [prohibit symlink /proc]" {
    61	ln -s /symlink rootfs/proc
    62	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
    63	[ "$status" -eq 1 ]
    64	[[ "${output}" == *"must be mounted on ordinary directory"* ]]
    65}
    66
    67@test "mask paths [prohibit symlink /sys]" {
    68	# In rootless containers, /sys is a bind mount not a real sysfs.
    69	requires root
    70
    71	ln -s /symlink rootfs/sys
    72	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
    73	[ "$status" -eq 1 ]
    74	# On cgroup v1, this may fail before checking if /sys is a symlink,
    75	# so we merely check that it fails, and do not check the exact error
    76	# message like for /proc above.
    77}
