// Source: github.com/rkt/rkt@v1.30.1-0.20200224141603-171c416fac02/tests/rkt_no_new_privs_test.go

// Copyright 2016 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// +build host coreos src

package main

import (
	"fmt"
	"os"
	"testing"

	"github.com/rkt/rkt/tests/testutils"
)

// TestNoNewPrivileges checks that the os/linux/no-new-privileges isolator
// patched into the test image decides the no_new_privs value the app reports.
//
// no_new_privs is the Linux process attribute that stops execve from granting
// additional privileges (for example through setuid binaries or file
// capabilities). Each case patches the test ACI, runs /inspect with
// -print-no-new-privs and compares the output with the expected line.
//
// Expectations encoded by the table:
//   - isolator "true"  -> no_new_privs is 1, as root and as uid 1000 / gid 100;
//   - isolator "false" -> no_new_privs is 0;
//   - isolator given as "false" then "true" -> no_new_privs is 1;
//   - no isolator at all -> no_new_privs is 0, i.e. the hardening is opt-in
//     and an image that omits the isolator runs without it.
//
// NOTE(review): there is no case for the reverse order ("true" then "false"),
// so the table cannot tell "last value wins" apart from "true always wins".
// Because a regression in that direction would silently drop the hardening,
// a reverse-order case would be worth adding once the intended rule is known.
func TestNoNewPrivileges(t *testing.T) {
	type noNewPrivsCase struct {
		rktParams string   // extra flags placed before --exec on the rkt run line
		patch     []string // arguments handed to patchTestACI for the image
		expected  string   // line the /inspect output is checked against
	}

	const (
		isolatorOn      = "--isolators=os/linux/no-new-privileges,true"
		isolatorOff     = "--isolators=os/linux/no-new-privileges,false"
		isolatorOffOn   = "--isolators=os/linux/no-new-privileges,false:os/linux/no-new-privileges,true"
		nonRootIdentity = "--user=1000 --group=100"
		flagSet         = "no_new_privs: 1 err: errno 0"
		flagUnset       = "no_new_privs: 0 err: errno 0"
	)

	cases := []noNewPrivsCase{
		{patch: []string{isolatorOn}, expected: flagSet},
		{rktParams: nonRootIdentity, patch: []string{isolatorOn}, expected: flagSet},
		{patch: []string{isolatorOff}, expected: flagUnset},
		{
			rktParams: nonRootIdentity,
			// NOTE(review): the seccomp overrides are presumably needed so
			// that a seccomp filter for the non-root user does not force
			// no_new_privs on regardless of the isolator; confirm.
			patch:    []string{isolatorOff, "--seccomp-mode=retain", "--seccomp-set=@appc.io/all"},
			expected: flagUnset,
		},
		{patch: []string{isolatorOffOn}, expected: flagSet},
		{rktParams: nonRootIdentity, patch: []string{isolatorOffOn}, expected: flagSet},
		{patch: nil, expected: flagUnset},
	}

	// runCase is a closure so that the deferred cleanups fire after every
	// case instead of piling up until the whole test returns.
	runCase := func(tc noNewPrivsCase) {
		ctx := testutils.NewRktRunCtx()
		defer ctx.Cleanup()

		// Always hand patchTestACI a non-nil slice, even for the unpatched case.
		patches := append([]string{}, tc.patch...)

		image := patchTestACI("rkt-no-new-privs.aci", patches...)
		// Best-effort removal of the patched image; the error is ignored.
		defer os.Remove(image)

		appArgs := fmt.Sprintf("%s --exec=/inspect -- -print-no-new-privs", tc.rktParams)

		// --insecure-options=image,paths relaxes rkt's image verification and
		// path protections for the locally built test image. It belongs in
		// test invocations only and is not part of what this test verifies.
		cmd := fmt.Sprintf(
			"%s --debug --insecure-options=image,paths run %s %s",
			ctx.Cmd(),
			image,
			appArgs,
		)

		// NOTE(review): the trailing false presumably means the run is
		// expected to succeed; confirm against runRktAndCheckOutput.
		runRktAndCheckOutput(t, cmd, tc.expected, false)
	}

	for _, tc := range cases {
		runCase(tc)
	}
}