#!/usr/bin/env bats
# tests/integration/cwd.bats
# (github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6)
#
# Integration tests for how runc handles process.cwd when the directory's
# permissions and the container user's identity disagree, i.e. whether the
# chdir into cwd succeeds both when only the container user may enter it
# and when only runc itself may.

load helpers

# Per-test fixture: unpack a fresh busybox bundle.
setup() {
	setup_busybox
}

# Per-test cleanup: remove the bundle created by setup.
teardown() {
	teardown_bundle
}

# Test case for https://github.com/opencontainers/runc/pull/2086
#
# The container's cwd (/root) is made accessible to uid 42 only
# (owner 42, mode 0700) and the container itself runs as uid 42.
# A later "runc exec --user 0" must still succeed.
@test "runc exec --user with no access to cwd" {
	requires root

	# Restrict /root inside the rootfs to uid 42.
	chown 42 rootfs/root
	chmod 700 rootfs/root

	local cfg_filter='
		.process.cwd = "/root"
		| .process.user.uid = 42
		| .process.args |= ["sleep", "1h"]'
	update_config "$cfg_filter"

	# Start detached so the container is still alive for the exec below.
	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
	[ "$status" -eq 0 ]

	# NOTE(review): presumably uid 0 inside the container cannot rely on
	# plain ownership to enter /root here; confirm against the PR above.
	runc exec --user 0 test_busybox true
	[ "$status" -eq 0 ]
}

# Verify a cwd owned by the container user can be chdir'd to,
# even if runc doesn't have the privilege to do so.
@test "runc create sets up user before chdir to cwd if needed" {
	requires rootless rootless_idmap

	# AUX_DIR and AUX_UID are expected to be prepared by rootless.sh.
	# Skip unless both variables are set and AUX_DIR is a directory...
	[[ -v AUX_UID && -v AUX_DIR && -d "$AUX_DIR" ]] || skip "bad/unset AUX_DIR/AUX_UID"

	# ... and unless the precondition actually holds: the user running
	# the tests must NOT be able to list AUX_DIR, otherwise the test
	# would pass without exercising the "set up user first" path.
	if ls -l "$AUX_DIR" 2>/dev/null; then
		skip "bad AUX_DIR permissions"
	fi

	# NOTE(review): AUX_DIR and AUX_UID are spliced directly into the jq
	# filter text. This assumes they come from trusted test setup; a value
	# containing a double quote or backslash would change the filter.
	local cfg_filter='
		.mounts += [{
			source: "'"$AUX_DIR"'",
			destination: "'"$AUX_DIR"'",
			options: ["bind"]
		}]
		| .process.user.uid = '"$AUX_UID"'
		| .process.cwd = "'"$AUX_DIR"'"
		| .process.args |= ["ls", "'"$AUX_DIR"'"]'
	update_config "$cfg_filter"

	# The container process lists its own cwd; success means the chdir
	# worked under the container user's identity.
	runc run test_busybox
	[ "$status" -eq 0 ]
}

# Verify a cwd not owned by the container user can be chdir'd to,
# if runc does have the privilege to do so.
62 @test "runc create can chdir if runc has access" { 63 requires root 64 65 mkdir -p rootfs/home/nonroot 66 chmod 700 rootfs/home/nonroot 67 68 update_config ' .process.cwd = "/root" 69 | .process.user.uid = 42 70 | .process.args |= ["ls", "/tmp"]' 71 72 runc run test_busybox 73 [ "$status" -eq 0 ] 74 }