1#!/usr/bin/env bats
2
3load helpers
4
setup() {
	setup_busybox

	# Content the masks have to hide: a directory and a file whose text
	# would be readable from the container if maskedPaths were not applied.
	mkdir -- rootfs/testdir
	printf '%s\n' "Forbidden information!" >rootfs/testfile

	# Register both as additional masked paths in the bundle's config.
	update_config '(.. | select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]'
}
15
teardown() {
	# Remove the bundle created for this test (rootfs and config included).
	teardown_bundle
}
19
20@test "mask paths [file]" {
21 # run busybox detached
22 runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
23 [ "$status" -eq 0 ]
24
25 runc exec test_busybox cat /testfile
26 [ "$status" -eq 0 ]
27 [[ "${output}" == "" ]]
28
29 runc exec test_busybox rm -f /testfile
30 [ "$status" -eq 1 ]
31 [[ "${output}" == *"Read-only file system"* ]]
32
33 runc exec test_busybox umount /testfile
34 [ "$status" -eq 1 ]
35 [[ "${output}" == *"Operation not permitted"* ]]
36}
37
38@test "mask paths [directory]" {
39 # run busybox detached
40 runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
41 [ "$status" -eq 0 ]
42
43 runc exec test_busybox ls /testdir
44 [ "$status" -eq 0 ]
45 [[ "${output}" == "" ]]
46
47 runc exec test_busybox touch /testdir/foo
48 [ "$status" -eq 1 ]
49 [[ "${output}" == *"Read-only file system"* ]]
50
51 runc exec test_busybox rm -rf /testdir
52 [ "$status" -eq 1 ]
53 [[ "${output}" == *"Read-only file system"* ]]
54
55 runc exec test_busybox umount /testdir
56 [ "$status" -eq 1 ]
57 [[ "${output}" == *"Operation not permitted"* ]]
58}
59
60@test "mask paths [prohibit symlink /proc]" {
61 ln -s /symlink rootfs/proc
62 runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
63 [ "$status" -eq 1 ]
64 [[ "${output}" == *"must be mounted on ordinary directory"* ]]
65}
66
67@test "mask paths [prohibit symlink /sys]" {
68 # In rootless containers, /sys is a bind mount not a real sysfs.
69 requires root
70
71 ln -s /symlink rootfs/sys
72 runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
73 [ "$status" -eq 1 ]
74 # On cgroup v1, this may fail before checking if /sys is a symlink,
75 # so we merely check that it fails, and do not check the exact error
76 # message like for /proc above.
77}