1#!/usr/bin/env bats
2
# helpers.bash supplies the functions this file uses but does not define:
# setup_busybox, teardown_bundle, update_config, and (presumably) a `runc`
# wrapper around bats' `run` that fills in $status and $output.
load helpers
4
# bats per-test fixture: presumably prepares the busybox bundle that every
# `runc run test_busybox` below executes.
setup() {
	setup_busybox
}
8
# bats per-test cleanup: removes the bundle created in setup so no container
# state or modified config.json leaks into the next test.
teardown() {
	teardown_bundle
}
12
13@test "runc run [seccomp -ENOSYS handling]" {
14 TEST_NAME="seccomp_syscall_test1"
15
16 # Compile the test binary and update the config to run it.
17 gcc -static -o rootfs/seccomp_test "${TESTDATA}/${TEST_NAME}.c"
18 update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
19 update_config '.process.args = ["/seccomp_test"]'
20
21 runc run test_busybox
22 [ "$status" -eq 0 ]
23}
24
25@test "runc run [seccomp defaultErrnoRet=ENXIO]" {
26 TEST_NAME="seccomp_syscall_test2"
27
28 # Compile the test binary and update the config to run it.
29 gcc -static -o rootfs/seccomp_test2 "${TESTDATA}/${TEST_NAME}.c"
30 update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
31 update_config '.process.args = ["/seccomp_test2"]'
32
33 runc run test_busybox
34 [ "$status" -eq 0 ]
35}
36
37# TODO:
38# - Test other actions like SCMP_ACT_TRAP, SCMP_ACT_TRACE, SCMP_ACT_LOG.
39# - Test args (index, value, valueTwo, etc).
40
41@test "runc run [seccomp] (SCMP_ACT_ERRNO default)" {
42 update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
43 | .process.noNewPrivileges = false
44 | .linux.seccomp = {
45 "defaultAction":"SCMP_ACT_ALLOW",
46 "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
47 "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
48 }'
49
50 runc run test_busybox
51 [ "$status" -ne 0 ]
52 [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
53}
54
55@test "runc run [seccomp] (SCMP_ACT_ERRNO explicit errno)" {
56 update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
57 | .process.noNewPrivileges = false
58 | .linux.seccomp = {
59 "defaultAction":"SCMP_ACT_ALLOW",
60 "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
61 "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
62 }'
63
64 runc run test_busybox
65 [ "$status" -ne 0 ]
66 [[ "$output" == *"Network is down"* ]]
67}
68
69@test "runc run [seccomp] (SCMP_ACT_KILL)" {
70 update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
71 | .process.noNewPrivileges = false
72 | .linux.seccomp = {
73 "defaultAction":"SCMP_ACT_ALLOW",
74 "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
75 "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
76 }'
77
78 runc run test_busybox
79 [ "$status" -ne 0 ]
80}
81
82# check that a startContainer hook is run with the seccomp filters applied
83@test "runc run [seccomp] (startContainer hook)" {
84 update_config ' .process.args = ["/bin/true"]
85 | .linux.seccomp = {
86 "defaultAction":"SCMP_ACT_ALLOW",
87 "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
88 "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
89 }
90 | .hooks = {
91 "startContainer": [ {
92 "path": "/bin/sh",
93 "args": ["sh", "-c", "mkdir /dev/shm/foo"]
94 } ]
95 }'
96
97 runc run test_busybox
98 [ "$status" -ne 0 ]
99 [[ "$output" == *"error running hook"* ]]
100 [[ "$output" == *"bad system call"* ]]
101}