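#!/usr/bin/env bats
# Integration tests for how `runc run` applies process capabilities and
# noNewPrivileges. Every test runs `cat /proc/self/status` inside the
# container and inspects the Cap*/NoNewPrivs lines of that output.

load helpers

function setup() {
	setup_busybox
	# Print the capability sets of the container's init process.
	update_config '.process.args = ["/bin/cat", "/proc/self/status"]'
}

function teardown() {
	teardown_bundle
}

# Assert that the inheritable and ambient sets of the container process are
# empty. Reads $output from the preceding `runc run`.
function assert_inh_amb_empty() {
	[[ "${output}" == *"CapInh: 0000000000000000"* ]]
	[[ "${output}" == *"CapAmb: 0000000000000000"* ]]
}

@test "runc run no capability" {
	runc run test_no_caps
	[ "$status" -eq 0 ]

	assert_inh_amb_empty
	# noNewPrivileges is on by default in the test config.
	[[ "${output}" == *"NoNewPrivs: 1"* ]]
}

@test "runc run with unknown capability" {
	# Unknown capability names must not make the run fail; the container
	# still starts with empty inheritable/ambient sets.
	update_config '.process.capabilities.bounding = ["CAP_UNKNOWN", "UNKNOWN_CAP"]'
	runc run test_unknown_caps
	[ "$status" -eq 0 ]

	assert_inh_amb_empty
	[[ "${output}" == *"NoNewPrivs: 1"* ]]
}

@test "runc run with new privileges" {
	# Disabling noNewPrivileges must be reflected in the process status,
	# while the capability sets stay unchanged.
	update_config '.process.noNewPrivileges = false'
	runc run test_new_privileges
	[ "$status" -eq 0 ]

	assert_inh_amb_empty
	[[ "${output}" == *"NoNewPrivs: 0"* ]]
}

@test "runc run with some capabilities" {
	update_config '.process.user = {"uid":0}'
	# Bounding set restricted to CAP_SYS_ADMIN; the extra permitted names
	# are outside the bounding set and must not survive, so the final sets
	# contain only CAP_SYS_ADMIN (bit 21 == 0x200000).
	update_config '.process.capabilities.bounding = ["CAP_SYS_ADMIN"]'
	update_config '.process.capabilities.permitted = ["CAP_SYS_ADMIN", "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]'
	runc run test_some_caps
	[ "$status" -eq 0 ]

	# Ambient can only hold caps that are also inheritable; with an empty
	# inheritable set it must be empty too, as in the other tests.
	assert_inh_amb_empty
	[[ "${output}" == *"CapBnd: 0000000000200000"* ]]
	[[ "${output}" == *"CapEff: 0000000000200000"* ]]
	[[ "${output}" == *"CapPrm: 0000000000200000"* ]]
	[[ "${output}" == *"NoNewPrivs: 1"* ]]
}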