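// Source: github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/libcontainer/cgroups/fs/paths_test.go

package fs

import (
	"path/filepath"
	"strings"
	"testing"

	"github.com/opencontainers/runc/libcontainer/cgroups"
	"github.com/opencontainers/runc/libcontainer/configs"
)

// TestInvalidCgroupPath feeds "../" traversal sequences, with and without a
// leading "/", through the Path, Name and Parent fields of configs.Cgroup.
// It checks that neither innerPath nor subsysPath yields a location outside
// the cgroup mountpoint.
//
// The test is skipped when the host runs in cgroup v2 unified mode.
func TestInvalidCgroupPath(t *testing.T) {
	if cgroups.IsCgroup2UnifiedMode() {
		t.Skip("cgroup v2 is not supported")
	}

	root, err := rootPath()
	if err != nil {
		t.Fatalf("couldn't get cgroup root: %v", err)
	}

	// Each case sets either Path alone, or a Name/Parent pair, so that every
	// field that contributes to the final cgroup location is exercised with
	// both a relative and an absolute traversal string.
	testCases := []struct {
		test               string
		path, name, parent string
	}{
		{
			test: "invalid cgroup path",
			path: "../../../../../../../../../../some/path",
		},
		{
			test: "invalid absolute cgroup path",
			path: "/../../../../../../../../../../some/path",
		},
		{
			test:   "invalid cgroup parent",
			parent: "../../../../../../../../../../some/path",
			name:   "name",
		},
		{
			test:   "invalid absolute cgroup parent",
			parent: "/../../../../../../../../../../some/path",
			name:   "name",
		},
		{
			test:   "invalid cgroup name",
			parent: "parent",
			name:   "../../../../../../../../../../some/path",
		},
		{
			test:   "invalid absolute cgroup name",
			parent: "parent",
			name:   "/../../../../../../../../../../some/path",
		},
		{
			test:   "invalid cgroup name and parent",
			parent: "../../../../../../../../../../some/path",
			name:   "../../../../../../../../../../some/path",
		},
		{
			test:   "invalid absolute cgroup name and parent",
			parent: "/../../../../../../../../../../some/path",
			name:   "/../../../../../../../../../../some/path",
		},
	}

	for _, tc := range testCases {
		t.Run(tc.test, func(t *testing.T) {
			config := &configs.Cgroup{Path: tc.path, Name: tc.name, Parent: tc.parent}

			inner, err := innerPath(config)
			if err != nil {
				t.Fatalf("couldn't get cgroup data: %v", err)
			}

			// Make sure the final inner path doesn't go outside the cgroup mountpoint.
			if strings.HasPrefix(inner, "..") {
				t.Errorf("SECURITY: cgroup innerPath is outside cgroup mountpoint!")
			}

			// Double-check, using an actual cgroup.
			deviceRoot := filepath.Join(root, "devices")
			devicePath, err := subsysPath(root, inner, "devices")
			if err != nil {
				t.Fatalf("couldn't get cgroup path: %v", err)
			}

			// Decide containment on a path-component boundary. A bare prefix
			// match would also accept a sibling directory whose name merely
			// starts with "devices", and would accept a path that still
			// carries unresolved ".." elements after the prefix. subsysPath is
			// not visible here, so the result is normalised defensively before
			// the comparison.
			cleaned := filepath.Clean(devicePath)
			inside := cleaned == deviceRoot ||
				strings.HasPrefix(cleaned, deviceRoot+string(filepath.Separator))
			if !inside {
				t.Errorf("SECURITY: cgroup path() is outside cgroup mountpoint!")
			}
		})
	}
}

// TestTryDefaultCgroupRoot checks that tryDefaultCgroupRoot returns
// defaultCgroupRoot on a cgroup v1 host and the empty string when the host is
// in cgroup v2 unified mode.
func TestTryDefaultCgroupRoot(t *testing.T) {
	res := tryDefaultCgroupRoot()
	exp := defaultCgroupRoot
	if cgroups.IsCgroup2UnifiedMode() {
		// checking that tryDefaultCgroupRoot does return ""
		// in case /sys/fs/cgroup is not cgroup v1 root dir.
		exp = ""
	}
	if res != exp {
		t.Errorf("tryDefaultCgroupRoot: want %q, got %q", exp, res)
	}
}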