github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/tests/integration/dev.bats (about)

     1  #!/usr/bin/env bats
     2  
     3  load helpers
     4  
# bats per-test hook: runs before every @test in this file.
# All preparation is delegated to setup_busybox, a helper pulled in by
# `load helpers` (its body is not part of this file).
setup() {
	setup_busybox
}
     8  
# bats per-test hook: runs after every @test in this file, pass or fail.
# Cleanup is delegated to teardown_bundle from the loaded helpers, so containers
# started by a failing test are presumably removed as well (helper body not
# shown here -- confirm).
teardown() {
	teardown_bundle
}
    12  
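@test "runc run [redundant default /dev/tty]" {
	# Declare /dev/tty (char 5:0) explicitly in linux.devices; the test title
	# calls this entry a redundant default. The container process only lists
	# the node: -L follows symlinks, -n prints numeric uid/gid.
	update_config ' .linux.devices += [{"path": "/dev/tty", "type": "c", "major": 5, "minor": 0}]
		      | .process.args |= ["ls", "-lLn", "/dev/tty"]'

	runc run test_dev
	[ "$status" -eq 0 ]

	# Numeric owner and group expected on the node inside the container:
	# 0 when the suite runs as root, 65534 otherwise.
	# NOTE(review): 65534 is presumably the overflow id shown for an owner that
	# has no mapping in a rootless user namespace -- confirm.
	local owner=0
	if [ "$EUID" -ne 0 ]; then
		owner=65534
	fi

	# The mode must stay crw-rw-rw- and the device number 5, 0. Quoted
	# fragments match literally; the unquoted .+ between them are regex.
	[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"$owner".+"$owner".+"5,".+"0".+"/dev/tty" ]]
}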
    26  
    27  @test "runc run [redundant default /dev/ptmx]" {
    28  	update_config ' .linux.devices += [{"path": "/dev/ptmx", "type": "c", "major": 5, "minor": 2}]
    29  		      | .process.args |= ["ls", "-lLn", "/dev/ptmx"]'
    30  
    31  	runc run test_dev
    32  	[ "$status" -eq 0 ]
    33  	[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"0".+"0".+"5,".+"2".+"/dev/ptmx" ]]
    34  }
    35  
    36  @test "runc run/update [device cgroup deny]" {
    37  	requires root
    38  
    39  	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"}]
    40  			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
    41  			| .process.capabilities.bounding += ["CAP_SYSLOG"]
    42  			| .process.capabilities.effective += ["CAP_SYSLOG"]
    43  			| .process.capabilities.permitted += ["CAP_SYSLOG"]
    44  			| .process.args |= ["sh"]'
    45  
    46  	runc run -d --console-socket "$CONSOLE_SOCKET" test_deny
    47  	[ "$status" -eq 0 ]
    48  
    49  	# test write
    50  	runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
    51  	[ "$status" -eq 1 ]
    52  	[[ "${output}" == *'Operation not permitted'* ]]
    53  
    54  	# test read
    55  	runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
    56  	[ "$status" -eq 1 ]
    57  	[[ "${output}" == *'Operation not permitted'* ]]
    58  
    59  	runc update test_deny --pids-limit 42
    60  
    61  	# test write
    62  	runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
    63  	[ "$status" -eq 1 ]
    64  	[[ "${output}" == *'Operation not permitted'* ]]
    65  
    66  	# test read
    67  	runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
    68  	[ "$status" -eq 1 ]
    69  	[[ "${output}" == *'Operation not permitted'* ]]
    70  }
    71  
    72  @test "runc run [device cgroup allow rw char device]" {
    73  	requires root
    74  
    75  	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "c", "major": 1, "minor": 11, "access": "rw"}]
    76  			| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
    77  			| .process.args |= ["sh"]
    78  			| .process.capabilities.bounding += ["CAP_SYSLOG"]
    79  			| .process.capabilities.effective += ["CAP_SYSLOG"]
    80  			| .process.capabilities.permitted += ["CAP_SYSLOG"]
    81  			| .hostname = "myhostname"'
    82  
    83  	runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_char
    84  	[ "$status" -eq 0 ]
    85  
    86  	# test write
    87  	runc exec test_allow_char sh -c 'hostname | tee /dev/kmsg'
    88  	[ "$status" -eq 0 ]
    89  	[[ "${lines[0]}" == *'myhostname'* ]]
    90  
    91  	# test read
    92  	runc exec test_allow_char sh -c 'head -n 1 /dev/kmsg'
    93  	[ "$status" -eq 0 ]
    94  
    95  	# test access
    96  	TEST_NAME="dev_access_test"
    97  	gcc -static -o "rootfs/bin/${TEST_NAME}" "${TESTDATA}/${TEST_NAME}.c"
    98  	runc exec test_allow_char sh -c "${TEST_NAME} /dev/kmsg"
    99  	[ "$status" -eq 0 ]
   100  }
   101  
   102  @test "runc run [device cgroup allow rm block device]" {
   103  	requires root
   104  
   105  	# Get the first block device.
   106  	IFS=$' \t:' read -r device major minor <<<"$(lsblk -nd -o NAME,MAJ:MIN)"
   107  	# Could have used -o PATH but lsblk from CentOS 7 does not have it.
   108  	device="/dev/$device"
   109  
   110  	update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "b", "major": '"$major"', "minor": '"$minor"', "access": "rwm"}]
   111  			| .linux.devices = [{"path": "'"$device"'", "type": "b", "major": '"$major"', "minor": '"$minor"'}]
   112  			| .process.args |= ["sh"]
   113  			| .process.capabilities.bounding += ["CAP_MKNOD"]
   114  			| .process.capabilities.effective += ["CAP_MKNOD"]
   115  			| .process.capabilities.permitted += ["CAP_MKNOD"]'
   116  
   117  	runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_block
   118  	[ "$status" -eq 0 ]
   119  
   120  	# test mknod
   121  	runc exec test_allow_block sh -c 'mknod /dev/fooblock b '"$major"' '"$minor"''
   122  	[ "$status" -eq 0 ]
   123  
   124  	# test read
   125  	runc exec test_allow_block sh -c 'fdisk -l '"$device"''
   126  	[ "$status" -eq 0 ]
   127  }
   128  
   129  # https://github.com/opencontainers/runc/issues/3551
   130  @test "runc exec vs systemctl daemon-reload" {
   131  	requires systemd root
   132  
   133  	runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
   134  	[ "$status" -eq 0 ]
   135  
   136  	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
   137  	[ "$status" -eq 0 ]
   138  
   139  	systemctl daemon-reload
   140  
   141  	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
   142  	[ "$status" -eq 0 ]
   143  }