#!/usr/bin/env bats
# Integration tests for the bundle's maskedPaths list: a masked path must
# read back as empty and must be neither writable nor unmountable from
# inside the container, and /proc and /sys in the rootfs must be real
# directories rather than symlinks.

load helpers

function setup() {
	setup_busybox

	# Create fake rootfs.
	# One empty directory and one file with recognisable content, so the tests
	# can tell a masked view apart from the underlying rootfs: a masked read
	# must never return the string written here.
	mkdir rootfs/testdir
	echo "Forbidden information!" >rootfs/testfile

	# add extra masked paths
	# The expression appends both paths to every maskedPaths list present in
	# the config (presumably a yq-style path query; see update_config in helpers).
	update_config '(.. | select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]'
}

function teardown() {
	teardown_bundle
}

@test "mask paths [file]" {
	# run busybox detached
	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
	[ "$status" -eq 0 ]

	# Reading the masked file succeeds but yields no data: the
	# "Forbidden information!" written by setup() must not be visible.
	runc exec test_busybox cat /testfile
	[ "$status" -eq 0 ]
	[ -z "$output" ]

	# The mask must not be removable from inside the container (EROFS).
	runc exec test_busybox rm -f /testfile
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Read-only file system"* ]]

	# Unmounting the mask must be refused (EPERM) so the underlying file
	# cannot be exposed by simply unmounting the masking mount.
	runc exec test_busybox umount /testfile
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Operation not permitted"* ]]
}

@test "mask paths [directory]" {
	# run busybox detached
	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
	[ "$status" -eq 0 ]

	# Listing the masked directory succeeds but shows no entries.
	runc exec test_busybox ls /testdir
	[ "$status" -eq 0 ]
	[ -z "$output" ]

	# Neither creating entries inside the mask nor deleting the mask itself
	# may succeed; both must fail with EROFS.
	runc exec test_busybox touch /testdir/foo
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Read-only file system"* ]]

	runc exec test_busybox rm -rf /testdir
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Read-only file system"* ]]

	# Unmounting the mask must be refused (EPERM), as for the file case.
	runc exec test_busybox umount /testdir
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Operation not permitted"* ]]
}

@test "mask paths [prohibit symlink /proc]" {
	# Replace rootfs/proc with a (dangling) symlink; the link target does not
	# need to exist. runc must refuse to start the container rather than
	# follow the link, and must say so explicitly.
	ln -s /symlink rootfs/proc
	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
	[ "$status" -eq 1 ]
	[[ "${output}" == *"must be mounted on ordinary directory"* ]]
}

@test "mask paths [prohibit symlink /sys]" {
	# In rootless containers, /sys is a bind mount not a real sysfs.
	requires root

	# Same shape as the /proc case above: a symlinked /sys must make
	# `runc run` fail.
	ln -s /symlink rootfs/sys
	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
	[ "$status" -eq 1 ]
	# On cgroup v1, this may fail before checking if /sys is a symlink,
	# so we merely check that it fails, and do not check the exact error
	# message like for /proc above.
}