1#!/usr/bin/env bats
2
3load helpers
4
# Per-test fixture: runs before each @test and delegates to the shared
# setup_busybox helper made available by `load helpers`.
setup() {
	setup_busybox
}
8
# Per-test cleanup: runs after each @test and delegates to the shared
# teardown_bundle helper made available by `load helpers`.
teardown() {
	teardown_bundle
}
12
13@test "runc run --no-pivot must not expose bare /proc" {
14 requires root
15
16 update_config ' .process.args |= ["unshare", "-mrpf", "sh", "-euxc", "mount -t proc none /proc && echo h > /proc/sysrq-trigger"]
17 | .process.capabilities.bounding += ["CAP_SETFCAP"]
18 | .process.capabilities.permitted += ["CAP_SETFCAP"]'
19
20 runc run --no-pivot test_no_pivot
21 [ "$status" -eq 1 ]
22 [[ "$output" == *"mount: permission denied"* ]]
23}