// Listing: github.com/rkt/rkt@v1.30.1-0.20200224141603-171c416fac02/tests/rkt_devices_test.go

// Copyright 2016 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// +build host coreos src

package main

import (
	"fmt"
	"testing"

	"github.com/rkt/rkt/tests/testutils"
)

// TestDevices runs the inspect image under several rkt configurations and
// checks which device nodes the app can create with mknod, or read through a
// host volume.
//
// The expectations in the table pin down three properties:
//   - By default, mknod succeeds for the null device (c 1:3) but fails for
//     the legacy ptmx node (c 5:2) and for loop-control (c 10:237).
//   - With "paths" added to --insecure-options, mknod succeeds for
//     loop-control and, in the last case, for the legacy ptmx node as well.
//     The option is therefore not scoped to a single device.
//   - A kind=host volume whose source is /dev/loop-control can be opened
//     without "paths": the read fails with "invalid argument" rather than
//     "operation not permitted". The volume itself acts as the grant.
//
// Every case passes --insecure-options=image, so that flag is constant and is
// not what the cases vary (presumably it lets the locally built inspect image
// run without a signature; confirm against the test harness).
//
// NOTE(review): the mechanism that denies mknod is not visible in this file.
func TestDevices(t *testing.T) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()

	image := getInspectImagePath()

	// deviceCase describes one rkt invocation and the result it must produce.
	type deviceCase struct {
		rktArgs        string // options placed between "run" and the image
		rktAppArgs     string // per-app options placed after the image
		execArgs       string // arguments handed to /inspect after "--"
		expectedOutput string // text passed to runRktAndCheckOutput
		expectErr      bool   // whether the rkt command is expected to fail
	}

	cases := []deviceCase{
		// The null device (c 1:3) must stay creatable: no restriction applies.
		{
			rktArgs:        "--insecure-options=image",
			execArgs:       "--check-mknod=c:1:3:/null",
			expectedOutput: "mknod /null: succeed",
		},

		// Legacy ptmx node from before the devpts filesystem existed. It must
		// be blocked; containers are expected to use the ptmx provided by
		// devpts instead. The node is created with "mknod name c 5 2", see:
		// https://github.com/torvalds/linux/blob/master/Documentation/filesystems/devpts.txt
		{
			rktArgs:        "--insecure-options=image",
			execArgs:       "--check-mknod=c:5:2:/ptmx",
			expectedOutput: "mknod /ptmx: fail",
			expectErr:      true,
		},

		// /dev/loop-control is major:minor 10:237, see:
		// https://github.com/torvalds/linux/blob/master/Documentation/devices.txt#L424
		// Creating it must fail under the default restrictions.
		{
			rktArgs:        "--insecure-options=image",
			execArgs:       "--check-mknod=c:10:237:/loop-control",
			expectedOutput: "mknod /loop-control: fail",
			expectErr:      true,
		},

		// Same mknod as above, now with the "paths" insecure option: the
		// restriction is lifted and the node can be created.
		{
			rktArgs:        "--insecure-options=image,paths",
			execArgs:       "--check-mknod=c:10:237:/loop-control",
			expectedOutput: "mknod /loop-control: succeed",
		},

		// Host /dev/loop-control mounted as a volume, without "paths". The
		// device must be accessible, so the read is expected to fail with
		// "invalid argument" and not with "operation not permitted". This
		// distinguishes "reached the device" from "access denied".
		{
			rktArgs:        "--insecure-options=image --volume loopcontrol,kind=host,source=/dev/loop-control --set-env=FILE=/tmp/loop-control",
			rktAppArgs:     "--mount volume=loopcontrol,target=/tmp/loop-control",
			execArgs:       "--read-file",
			expectedOutput: `Cannot read file "/tmp/loop-control": read /tmp/loop-control: invalid argument`,
			expectErr:      true,
		},

		// Same volume, now with "paths": mknod of an unrelated device (the
		// legacy ptmx node again) must succeed, showing that "paths" is not
		// limited to the device that was mounted.
		{
			rktArgs:        "--insecure-options=image,paths --volume loopcontrol,kind=host,source=/dev/loop-control --set-env=FILE=/tmp/loop-control",
			rktAppArgs:     "--mount volume=loopcontrol,target=/tmp/loop-control",
			execArgs:       "--check-mknod=c:5:2:/ptmx",
			expectedOutput: "mknod /ptmx: succeed",
		},
	}

	for _, tc := range cases {
		// Layout: <rkt> --debug run <rkt options> <image> <app options> --exec=/inspect -- <inspect args>
		cmdline := fmt.Sprintf(
			"%s --debug run %s %s %s --exec=/inspect -- %s",
			ctx.Cmd(), tc.rktArgs, image, tc.rktAppArgs, tc.execArgs)
		t.Logf("Running %s", cmdline)

		runRktAndCheckOutput(t, cmdline, tc.expectedOutput, tc.expectErr)
	}
}