
     1#!/usr/bin/env bats
     2
     3load helpers
     4
# Per-test fixture: prepare the busybox bundle every test below runs against.
setup() {
	setup_busybox
}

# Per-test cleanup: remove the bundle created by setup().
teardown() {
	teardown_bundle
}

    13@test "runc run [seccomp -ENOSYS handling]" {
    14	TEST_NAME="seccomp_syscall_test1"
    15
    16	# Compile the test binary and update the config to run it.
    17	gcc -static -o rootfs/seccomp_test "${TESTDATA}/${TEST_NAME}.c"
    18	update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
    19	update_config '.process.args = ["/seccomp_test"]'
    20
    21	runc run test_busybox
    22	[ "$status" -eq 0 ]
    23}
    24
    25@test "runc run [seccomp defaultErrnoRet=ENXIO]" {
    26	TEST_NAME="seccomp_syscall_test2"
    27
    28	# Compile the test binary and update the config to run it.
    29	gcc -static -o rootfs/seccomp_test2 "${TESTDATA}/${TEST_NAME}.c"
    30	update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
    31	update_config '.process.args = ["/seccomp_test2"]'
    32
    33	runc run test_busybox
    34	[ "$status" -eq 0 ]
    35}
    36
# TODO:
# - Test the other actions (SCMP_ACT_TRAP, SCMP_ACT_TRACE, SCMP_ACT_LOG).
# - Test argument matching (index, value, valueTwo, etc.).

    41@test "runc run [seccomp] (SCMP_ACT_ERRNO default)" {
    42	update_config '   .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
    43			| .process.noNewPrivileges = false
    44			| .linux.seccomp = {
    45				"defaultAction":"SCMP_ACT_ALLOW",
    46				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
    47				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
    48			}'
    49
    50	runc run test_busybox
    51	[ "$status" -ne 0 ]
    52	[[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
    53}
    54
    55@test "runc run [seccomp] (SCMP_ACT_ERRNO explicit errno)" {
    56	update_config '   .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
    57			| .process.noNewPrivileges = false
    58			| .linux.seccomp = {
    59				"defaultAction":"SCMP_ACT_ALLOW",
    60				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
    61				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
    62			}'
    63
    64	runc run test_busybox
    65	[ "$status" -ne 0 ]
    66	[[ "$output" == *"Network is down"* ]]
    67}
    68
    69@test "runc run [seccomp] (SCMP_ACT_KILL)" {
    70	update_config '  .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
    71			| .process.noNewPrivileges = false
    72			| .linux.seccomp = {
    73				"defaultAction":"SCMP_ACT_ALLOW",
    74				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
    75				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
    76			}'
    77
    78	runc run test_busybox
    79	[ "$status" -ne 0 ]
    80}
    81
# Check that a startContainer hook runs with the container's seccomp filter already applied.
    83@test "runc run [seccomp] (startContainer hook)" {
    84	update_config '   .process.args = ["/bin/true"]
    85			| .linux.seccomp = {
    86				"defaultAction":"SCMP_ACT_ALLOW",
    87				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
    88				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
    89			}
    90			| .hooks = {
    91				"startContainer": [ {
    92						"path": "/bin/sh",
    93						"args": ["sh", "-c", "mkdir /dev/shm/foo"]
    94				} ]
    95			}'
    96
    97	runc run test_busybox
    98	[ "$status" -ne 0 ]
    99	[[ "$output" == *"error running hook"* ]]
   100	[[ "$output" == *"bad system call"* ]]
   101}
