1#!/usr/bin/env bats
2
3load helpers
4
# Per-test fixture: prepare the busybox bundle that every `runc run` below uses
# (setup_busybox comes from the loaded helpers).
setup() {
	setup_busybox
}
8
# Per-test cleanup: discard the bundle created by setup
# (teardown_bundle comes from the loaded helpers).
teardown() {
	teardown_bundle
}
12
13# https://github.com/opencontainers/runc/issues/3991
14@test "runc run [tmpcopyup]" {
15 mkdir -p rootfs/dir1/dir2
16 chmod 777 rootfs/dir1/dir2
17 update_config ' .mounts += [{
18 source: "tmpfs",
19 destination: "/dir1",
20 type: "tmpfs",
21 options: ["tmpcopyup"]
22 }]
23 | .process.args |= ["ls", "-ld", "/dir1/dir2"]'
24
25 umask 022
26 runc run test_busybox
27 [ "$status" -eq 0 ]
28 [[ "${lines[0]}" == *'drwxrwxrwx'* ]]
29}
30
31@test "runc run [bind mount]" {
32 update_config ' .mounts += [{
33 source: ".",
34 destination: "/tmp/bind",
35 options: ["bind"]
36 }]
37 | .process.args |= ["ls", "/tmp/bind/config.json"]'
38
39 runc run test_busybox
40 [ "$status" -eq 0 ]
41 [[ "${lines[0]}" == *'/tmp/bind/config.json'* ]]
42}
43
44# https://github.com/opencontainers/runc/issues/2246
45@test "runc run [ro tmpfs mount]" {
46 update_config ' .mounts += [{
47 source: "tmpfs",
48 destination: "/mnt",
49 type: "tmpfs",
50 options: ["ro", "nodev", "nosuid", "mode=755"]
51 }]
52 | .process.args |= ["grep", "^tmpfs /mnt", "/proc/mounts"]'
53
54 runc run test_busybox
55 [ "$status" -eq 0 ]
56 [[ "${lines[0]}" == *'ro,'* ]]
57}
58
59# https://github.com/opencontainers/runc/issues/3248
60@test "runc run [ro /dev mount]" {
61 update_config ' .mounts |= map((select(.destination == "/dev") | .options += ["ro"]) // .)
62 | .process.args |= ["grep", "^tmpfs /dev", "/proc/mounts"]'
63
64 runc run test_busybox
65 [ "$status" -eq 0 ]
66 [[ "${lines[0]}" == *'ro,'* ]]
67}
68
69# https://github.com/opencontainers/runc/issues/2683
70@test "runc run [tmpfs mount with absolute symlink]" {
71 # in container, /conf -> /real/conf
72 mkdir -p rootfs/real/conf
73 ln -s /real/conf rootfs/conf
74 update_config ' .mounts += [{
75 type: "tmpfs",
76 source: "tmpfs",
77 destination: "/conf/stack",
78 options: ["ro", "nodev", "nosuid"]
79 }]
80 | .process.args |= ["true"]'
81 runc run test_busybox
82 [ "$status" -eq 0 ]
83}
84
85@test "runc run [ro /sys/fs/cgroup mounts]" {
86 # Without cgroup namespace.
87 update_config '.linux.namespaces -= [{"type": "cgroup"}]'
88 test_ro_cgroup_mount
89}
90
91# shellcheck disable=SC2030
92@test "runc run [ro /sys/fs/cgroup mounts + cgroupns]" {
93 requires cgroupns
94 # With cgroup namespace.
95 update_config '.linux.namespaces |= if index({"type": "cgroup"}) then . else . + [{"type": "cgroup"}] end'
96 test_ro_cgroup_mount
97}
98
99# https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
100# shellcheck disable=SC2031
function test_ro_cgroup_mount() {
	# Shared check for GHSA-m8cg-xc2p-r3fc: every /sys/fs/cgroup mount visible
	# inside the container must be read-only. Callers configure the namespace
	# set first, then invoke this.
	# Shadow bats' run-result variables so this helper does not clobber the
	# caller's copies (this is what the SC2031 directive above is about).
	local lines status
	# Inside the container: for each /sys/fs/cgroup mount point listed in
	# /proc/mounts (adjacent duplicates collapsed by uniq), print the last
	# /proc/mounts line for it, provided the path exists. The quoting is
	# deliberate: the string is a jq literal holding a sh -c script.
	# shellcheck disable=SC2016
	update_config '.process.args |= ["sh", "-euc", "for f in `grep /sys/fs/cgroup /proc/mounts | awk \"{print \\\\$2}\"| uniq`; do test -e $f && grep -w $f /proc/mounts | tail -n1; done"]'
	runc run test_busybox
	[ "$status" -eq 0 ]
	# Guard against a vacuous pass: at least one cgroup mount must be reported,
	# otherwise the loop below would check nothing.
	[ "${#lines[@]}" -ne 0 ]
	# Each reported mount line must carry "ro" in its comma-separated options.
	for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
}