
     1  // Copyright (c) 2018, Sylabs Inc. All rights reserved.
     2  // This software is licensed under a 3-clause BSD license. Please consult the
     3  // LICENSE.md file distributed with the sources of this project regarding your
     4  // rights to use or distribute this software.
     5  
     6  // +build seccomp
     7  
     8  package seccomp
     9  
    10  import (
    11  	"io/ioutil"
    12  	"os"
    13  	"syscall"
    14  	"testing"
    15  
    16  	specs "github.com/opencontainers/runtime-spec/specs-go"
    17  	"github.com/opencontainers/runtime-tools/generate"
    18  	"github.com/sylabs/singularity/internal/pkg/test"
    19  )
    20  
// defaultProfile builds the seccomp profile the tests in this file install:
// every syscall is allowed (DefaultAction ActAllow) except fchmod when its mode
// argument (argument index 1) is exactly 0777, which is denied with an errno.
func defaultProfile() *specs.LinuxSeccomp {
	denyFchmod0777 := specs.LinuxSyscall{
		Names:  []string{"fchmod"},
		Action: specs.ActErrno,
		Args: []specs.LinuxSeccompArg{
			{Index: 1, Value: 0777, Op: specs.OpEqualTo},
		},
	}

	profile := &specs.LinuxSeccomp{DefaultAction: specs.ActAllow}
	profile.Syscalls = append(profile.Syscalls, denyFchmod0777)
	return profile
}
    40  
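// testFchmod verifies that the seccomp filter loaded by the caller is actually
// enforced on this process. It creates a temporary file and issues fchmod on it:
//
//   - when the kernel supports argument conditions (hasConditionSupport), only
//     mode 0777 must be refused and any other mode (0755 here) must succeed;
//   - otherwise the rule matches every fchmod, so even 0755 must be refused.
//
// A refused call must fail with EPERM ("operation not permitted"), which is the
// errno the profile's ActErrno rule is expected to surface. The actual error is
// checked and reported, so a filter that refuses with some other errno (or a
// fchmod that fails for an unrelated reason) is not mistaken for a pass.
func testFchmod(t *testing.T) {
	t.Helper()

	tmpfile, err := ioutil.TempFile("", "chmod_file")
	if err != nil {
		t.Fatal(err)
	}
	file := tmpfile.Name()

	// Defers run LIFO: the descriptor is closed before the file is unlinked.
	defer os.Remove(file)
	defer tmpfile.Close()

	fd := int(tmpfile.Fd())

	// expectDenied asserts that fchmod(fd, mode) is refused by the filter with EPERM.
	expectDenied := func(mode uint32) {
		t.Helper()
		err := syscall.Fchmod(fd, mode)
		switch {
		case err == nil:
			t.Errorf("fchmod(%#o) succeeded, expected operation not permitted", mode)
		case err != syscall.EPERM:
			t.Errorf("fchmod(%#o) failed with %v, expected operation not permitted (EPERM)", mode, err)
		}
	}

	if hasConditionSupport() {
		// all modes except 0777 are permitted
		if err := syscall.Fchmod(fd, 0755); err != nil {
			t.Errorf("fchmod syscall failed: %s", err)
		}
		expectDenied(0777)
		return
	}

	// Without argument-condition support the rule applies to every fchmod.
	expectDenied(0755)
}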
    65  
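// TestLoadSeccompConfig checks that LoadSeccompConfig rejects a nil profile and
// accepts the default test profile, then confirms through testFchmod that the
// installed filter is enforced on this process.
//
// NOTE(review): a seccomp filter is not removable once installed, so this
// process (and every test that runs after this one in the same binary) stays
// under the filter.
func TestLoadSeccompConfig(t *testing.T) {
	test.DropPrivilege(t)
	defer test.ResetPrivilege(t)

	if err := LoadSeccompConfig(nil, false); err == nil {
		t.Errorf("should have failed with an empty config")
	}
	// Fatal rather than Errorf: if the filter was not installed, running
	// testFchmod would only add misleading "not denied" failures.
	if err := LoadSeccompConfig(defaultProfile(), true); err != nil {
		t.Fatalf("loading default profile: %s", err)
	}

	testFchmod(t)
}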
    79  
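// TestLoadProfileFromFile checks that LoadProfileFromFile rejects a missing
// profile path, parses test_profile/test.json into the generator's spec, and
// that the resulting seccomp configuration can be installed and is enforced
// (testFchmod).
//
// Profile-loading failures are fatal: the original Errorf let the test continue
// to gen.Config.Linux.Seccomp, which dereferences a nil Linux spec when the
// load did not populate it.
func TestLoadProfileFromFile(t *testing.T) {
	test.DropPrivilege(t)
	defer test.ResetPrivilege(t)

	gen := &generate.Generator{Config: &specs.Spec{}}

	if err := LoadProfileFromFile("test_profile/fake.json", gen); err == nil {
		t.Errorf("should have failed with inexistent file")
	}

	if err := LoadProfileFromFile("test_profile/test.json", gen); err != nil {
		t.Fatal(err)
	}
	// Guard the dereference explicitly so a profile that parsed but carried no
	// seccomp section fails with a clear message instead of a nil-pointer panic.
	if gen.Config.Linux == nil || gen.Config.Linux.Seccomp == nil {
		t.Fatal("test_profile/test.json did not populate a seccomp profile")
	}

	// Fatal rather than Errorf: testFchmod is meaningless without the filter.
	if err := LoadSeccompConfig(gen.Config.Linux.Seccomp, true); err != nil {
		t.Fatalf("loading profile from test.json: %s", err)
	}

	testFchmod(t)
}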