github.com/moby/docker@v26.1.3+incompatible/oci/oci_test.go (about) 1 package oci 2 3 import ( 4 "testing" 5 6 "github.com/opencontainers/runtime-spec/specs-go" 7 "gotest.tools/v3/assert" 8 ) 9 10 func TestAppendDevicePermissionsFromCgroupRules(t *testing.T) { 11 ptr := func(i int64) *int64 { return &i } 12 13 tests := []struct { 14 doc string 15 rule string 16 expected specs.LinuxDeviceCgroup 17 expectedErr string 18 }{ 19 { 20 doc: "empty rule", 21 rule: "", 22 expectedErr: `invalid device cgroup rule format: ''`, 23 }, 24 { 25 doc: "multiple spaces after first column", 26 rule: "c 1:1 rwm", 27 expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm'`, 28 }, 29 { 30 doc: "multiple spaces after second column", 31 rule: "c 1:1 rwm", 32 expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm'`, 33 }, 34 { 35 doc: "leading spaces", 36 rule: " c 1:1 rwm", 37 expectedErr: `invalid device cgroup rule format: ' c 1:1 rwm'`, 38 }, 39 { 40 doc: "trailing spaces", 41 rule: "c 1:1 rwm ", 42 expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm '`, 43 }, 44 { 45 doc: "unknown device type", 46 rule: "z 1:1 rwm", 47 expectedErr: `invalid device cgroup rule format: 'z 1:1 rwm'`, 48 }, 49 { 50 doc: "invalid device type", 51 rule: "zz 1:1 rwm", 52 expectedErr: `invalid device cgroup rule format: 'zz 1:1 rwm'`, 53 }, 54 { 55 doc: "missing colon", 56 rule: "c 11 rwm", 57 expectedErr: `invalid device cgroup rule format: 'c 11 rwm'`, 58 }, 59 { 60 doc: "invalid device major-minor", 61 rule: "c a:a rwm", 62 expectedErr: `invalid device cgroup rule format: 'c a:a rwm'`, 63 }, 64 { 65 doc: "negative major device", 66 rule: "c -1:1 rwm", 67 expectedErr: `invalid device cgroup rule format: 'c -1:1 rwm'`, 68 }, 69 { 70 doc: "negative minor device", 71 rule: "c 1:-1 rwm", 72 expectedErr: `invalid device cgroup rule format: 'c 1:-1 rwm'`, 73 }, 74 { 75 doc: "missing permissions", 76 rule: "c 1:1", 77 expectedErr: `invalid device cgroup rule format: 'c 1:1'`, 78 }, 79 { 80 doc: "invalid permissions", 81 rule: "c 1:1 x", 82 expectedErr: `invalid device cgroup rule format: 'c 1:1 x'`, 83 }, 84 { 85 doc: "too many permissions", 86 rule: "c 1:1 rwmrwm", 87 expectedErr: `invalid device cgroup rule format: 'c 1:1 rwmrwm'`, 88 }, 89 { 90 doc: "major out of range", 91 rule: "c 18446744073709551616:1 rwm", 92 expectedErr: `invalid major value in device cgroup rule format: 'c 18446744073709551616:1 rwm'`, 93 }, 94 { 95 doc: "minor out of range", 96 rule: "c 1:18446744073709551616 rwm", 97 expectedErr: `invalid minor value in device cgroup rule format: 'c 1:18446744073709551616 rwm'`, 98 }, 99 { 100 doc: "all (a) devices", 101 rule: "a 1:1 rwm", 102 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "a", Major: ptr(1), Minor: ptr(1), Access: "rwm"}, 103 }, 104 { 105 doc: "char (c) devices", 106 rule: "c 1:1 rwm", 107 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "rwm"}, 108 }, 109 { 110 doc: "block (b) devices", 111 rule: "b 1:1 rwm", 112 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "b", Major: ptr(1), Minor: ptr(1), Access: "rwm"}, 113 }, 114 { 115 doc: "char device with rwm permissions", 116 rule: "c 7:128 rwm", 117 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(7), Minor: ptr(128), Access: "rwm"}, 118 }, 119 { 120 doc: "wildcard major", 121 rule: "c *:1 rwm", 122 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(-1), Minor: ptr(1), Access: "rwm"}, 123 }, 124 { 125 doc: "wildcard minor", 126 rule: "c 1:* rwm", 127 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(-1), Access: "rwm"}, 128 }, 129 { 130 doc: "wildcard major and minor", 131 rule: "c *:* rwm", 132 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(-1), Minor: ptr(-1), Access: "rwm"}, 133 }, 134 { 135 doc: "read (r) permission", 136 rule: "c 1:1 r", 137 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "r"}, 138 }, 139 { 140 doc: "write (w) permission", 141 rule: "c 1:1 w", 142 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "w"}, 143 }, 144 { 145 doc: "mknod (m) permission", 146 rule: "c 1:1 m", 147 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "m"}, 148 }, 149 { 150 doc: "mknod (m) and read (r) permission", 151 rule: "c 1:1 mr", 152 expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "mr"}, 153 }, 154 } 155 156 for _, tc := range tests { 157 tc := tc 158 t.Run(tc.doc, func(t *testing.T) { 159 out, err := AppendDevicePermissionsFromCgroupRules([]specs.LinuxDeviceCgroup{}, []string{tc.rule}) 160 if tc.expectedErr != "" { 161 assert.Error(t, err, tc.expectedErr) 162 return 163 } 164 assert.NilError(t, err) 165 assert.DeepEqual(t, out, []specs.LinuxDeviceCgroup{tc.expected}) 166 }) 167 } 168 }