// Source: github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/libcontainer/rootfs_linux_test.go

package libcontainer

import (
	"testing"

	"github.com/opencontainers/runc/libcontainer/configs"

	"golang.org/x/sys/unix"
)

// The TestCheck* functions below pin which mount destinations checkProcMount
// accepts and which it rejects. Every case uses "/rootfs" as the container
// root and passes the already-joined destination path alongside the mount
// entry. Read together, they describe the allow/deny behaviour a reviewer
// should expect for mounts that land on or under /proc.

// TestCheckMountDestInProc verifies that a bind mount whose destination lies
// inside /proc (here /proc/sys) is rejected.
func TestCheckMountDestInProc(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc/sys",
			Source:      "/proc/sys",
			Device:      "bind",
			Flags:       unix.MS_BIND,
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/sys", entry); err == nil {
		t.Fatal("destination inside proc should return an error")
	}
}

// TestCheckProcMountOnProc verifies that mounting a filesystem of type "proc"
// directly on /proc is accepted. The Source value ("foo") is arbitrary.
func TestCheckProcMountOnProc(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc",
			Source:      "foo",
			Device:      "proc",
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/", entry); err != nil {
		t.Fatalf("procfs type mount on /proc should not return an error: %v", err)
	}
}

// TestCheckBindMountOnProc verifies that a bind mount sourced from /proc/self
// onto /proc is currently accepted.
//
// NOTE(review): the failure message says "for now", so this allowance looks
// provisional. Anyone tightening checkProcMount should expect to flip this
// expectation rather than treat it as a permanent guarantee.
func TestCheckBindMountOnProc(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc",
			Source:      "/proc/self",
			Device:      "bind",
			Flags:       unix.MS_BIND,
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/", entry); err != nil {
		t.Fatalf("bind-mount of procfs on top of /proc should not return an error (for now): %v", err)
	}
}

// TestCheckTrickyMountOnProc verifies that an overlay mount on /proc is
// rejected even though its Source is "/proc".
func TestCheckTrickyMountOnProc(t *testing.T) {
	// A non-bind mount dressed up to look a bit like a bind mount: the source
	// names /proc, but the device type is overlay and MS_BIND is not set.
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc",
			Source:      "/proc",
			Device:      "overlay",
			Data:        "lowerdir=/tmp/fakeproc,upperdir=/tmp/fakeproc2,workdir=/tmp/work",
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/", entry); err == nil {
		t.Fatalf("dodgy overlayfs mount on top of /proc should return an error")
	}
}

// TestCheckTrickyBindMountOnProc verifies that a bind mount of /sys onto
// /proc is rejected even though its Device field claims "proc".
func TestCheckTrickyBindMountOnProc(t *testing.T) {
	// A bind mount dressed up to look like a procfs mount: Device says "proc",
	// but MS_BIND is set and the source is /sys. Together with
	// TestCheckProcMountOnProc this shows the Device string alone must not be
	// enough to pass the check.
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc",
			Source:      "/sys",
			Device:      "proc",
			Flags:       unix.MS_BIND,
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/", entry); err == nil {
		t.Fatalf("dodgy bind-mount on top of /proc should return an error")
	}
}

// TestCheckMountDestInSys verifies that a tmpfs mount under /sys is accepted.
// The destination is passed with a doubled slash ("/rootfs//sys/fs/cgroup");
// presumably this also exercises handling of uncleaned paths. Confirm against
// checkProcMount.
func TestCheckMountDestInSys(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/sys/fs/cgroup",
			Source:      "tmpfs",
			Device:      "tmpfs",
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs//sys/fs/cgroup", entry); err != nil {
		t.Fatalf("destination inside /sys should not return an error: %v", err)
	}
}

// TestCheckMountDestFalsePositive verifies that a destination outside /proc
// (/sysfiles/fs/cgroup) is accepted. The test name suggests it guards against
// over-eager path matching; which comparison it targets is not visible here.
func TestCheckMountDestFalsePositive(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/sysfiles/fs/cgroup",
			Source:      "tmpfs",
			Device:      "tmpfs",
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/sysfiles/fs/cgroup", entry); err != nil {
		t.Fatal(err)
	}
}

// TestCheckMountDestNsLastPid verifies that /proc/sys/kernel/ns_last_pid is
// accepted as a mount destination, which makes it an exception to the
// "nothing inside /proc" rule pinned by TestCheckMountDestInProc.
func TestCheckMountDestNsLastPid(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc/sys/kernel/ns_last_pid",
			Source:      "lxcfs",
			Device:      "fuse.lxcfs",
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/sys/kernel/ns_last_pid", entry); err != nil {
		t.Fatalf("/proc/sys/kernel/ns_last_pid should not return an error: %v", err)
	}
}

// TestCheckCryptoFipsEnabled verifies that /proc/sys/crypto/fips_enabled is
// accepted as a mount destination, another exception inside /proc.
//
// NOTE(review): each permitted path under /proc lets a container config
// replace what processes read from that path, so additions to the exception
// list deserve explicit review.
func TestCheckCryptoFipsEnabled(t *testing.T) {
	entry := mountEntry{
		Mount: &configs.Mount{
			Destination: "/proc/sys/crypto/fips_enabled",
			Source:      "tmpfs",
			Device:      "tmpfs",
		},
	}
	if err := checkProcMount("/rootfs", "/rootfs/proc/sys/crypto/fips_enabled", entry); err != nil {
		t.Fatalf("/proc/sys/crypto/fips_enabled should not return an error: %v", err)
	}
}

// The TestNeedsSetupDev* functions pin needsSetupDev for a config holding a
// single bind mount. In these four cases the result follows the Destination
// field: "/dev" yields false and "/devx" yields true, whatever the Source is.
// What the caller does with the result is not visible in this file.

// TestNeedsSetupDev verifies that a bind mount of /dev onto /dev makes
// needsSetupDev report false.
func TestNeedsSetupDev(t *testing.T) {
	cfg := &configs.Config{
		Mounts: []*configs.Mount{
			{
				Device:      "bind",
				Source:      "/dev",
				Destination: "/dev",
			},
		},
	}
	if got := needsSetupDev(cfg); got {
		t.Fatal("expected needsSetupDev to be false, got true")
	}
}

// TestNeedsSetupDevStrangeSource verifies that a bind mount onto /dev from an
// unrelated source (/devx) still makes needsSetupDev report false.
func TestNeedsSetupDevStrangeSource(t *testing.T) {
	cfg := &configs.Config{
		Mounts: []*configs.Mount{
			{
				Device:      "bind",
				Source:      "/devx",
				Destination: "/dev",
			},
		},
	}
	if got := needsSetupDev(cfg); got {
		t.Fatal("expected needsSetupDev to be false, got true")
	}
}

// TestNeedsSetupDevStrangeDest verifies that a bind mount of /dev onto a
// destination other than /dev (/devx) makes needsSetupDev report true.
func TestNeedsSetupDevStrangeDest(t *testing.T) {
	cfg := &configs.Config{
		Mounts: []*configs.Mount{
			{
				Device:      "bind",
				Source:      "/dev",
				Destination: "/devx",
			},
		},
	}
	if got := needsSetupDev(cfg); !got {
		t.Fatal("expected needsSetupDev to be true, got false")
	}
}

// TestNeedsSetupDevStrangeSourceDest verifies that a bind mount where neither
// source nor destination is /dev makes needsSetupDev report true.
func TestNeedsSetupDevStrangeSourceDest(t *testing.T) {
	cfg := &configs.Config{
		Mounts: []*configs.Mount{
			{
				Device:      "bind",
				Source:      "/devx",
				Destination: "/devx",
			},
		},
	}
	if got := needsSetupDev(cfg); !got {
		t.Fatal("expected needsSetupDev to be true, got false")
	}
}