github.com/rkt/rkt@v1.30.1-0.20200224141603-171c416fac02/tests/rkt_no_new_privs_test.go (about)

     1  // Copyright 2016 The rkt Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // +build host coreos src
    16  
    17  package main
    18  
    19  import (
    20  	"fmt"
    21  	"os"
    22  	"testing"
    23  
    24  	"github.com/rkt/rkt/tests/testutils"
    25  )
    26  
// noNewPrivsCase is one row of the TestNoNewPrivileges table.
type noNewPrivsCase struct {
	rktParams string   // extra "rkt run" flags, e.g. an unprivileged --user/--group
	patch     []string // manifest patch flags handed to patchTestACI for the test image
	expected  string   // line the in-pod inspect binary must print for the no_new_privs query
}

// runNoNewPrivsCase builds a patched test image for a single table row, runs it
// with "inspect -print-no-new-privs" and checks the run's output against
// tc.expected. Keeping this in its own function makes each case's deferred
// cleanup (run context and image file) fire when that case ends, not when the
// whole test returns.
func runNoNewPrivsCase(t *testing.T, tc noNewPrivsCase) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()

	// Copy into a fresh, non-nil slice so a nil patch list is still passed
	// to patchTestACI as an empty one.
	patches := append([]string{}, tc.patch...)
	image := patchTestACI("rkt-no-new-privs.aci", patches...)
	defer os.Remove(image)

	// The app is the inspect helper asked to report the no_new_privs bit
	// (presumably read via prctl(PR_GET_NO_NEW_PRIVS) inside the pod).
	appArgs := tc.rktParams + " --exec=/inspect -- -print-no-new-privs"
	cmd := fmt.Sprintf(
		"%s --debug --insecure-options=image,paths run %s %s",
		ctx.Cmd(),
		image,
		appArgs,
	)

	// Last argument is false here: the run is expected to succeed
	// (NOTE(review): assumed to be the expect-failure flag — confirm in the helper).
	runRktAndCheckOutput(t, cmd, tc.expected, false)
}

// TestNoNewPrivileges checks that the os/linux/no-new-privileges isolator is
// reflected in the no_new_privs bit seen by the app, for root and for an
// unprivileged --user/--group, and that the bit stays off when the isolator
// is false or absent.
func TestNoNewPrivileges(t *testing.T) {
	cases := []noNewPrivsCase{
		// Isolator set to true: bit is on.
		{
			patch:    []string{"--isolators=os/linux/no-new-privileges,true"},
			expected: "no_new_privs: 1 err: errno 0",
		},
		// Same, but running as an unprivileged user.
		{
			rktParams: "--user=1000 --group=100",
			patch:     []string{"--isolators=os/linux/no-new-privileges,true"},
			expected:  "no_new_privs: 1 err: errno 0",
		},
		// Isolator explicitly false: bit is off.
		{
			patch:    []string{"--isolators=os/linux/no-new-privileges,false"},
			expected: "no_new_privs: 0 err: errno 0",
		},
		// Isolator false with the full seccomp set retained, unprivileged user:
		// the expectation pins that the seccomp flags alone do not turn the bit on.
		{
			rktParams: "--user=1000 --group=100",
			patch:     []string{"--isolators=os/linux/no-new-privileges,false", "--seccomp-mode=retain", "--seccomp-set=@appc.io/all"},
			expected:  "no_new_privs: 0 err: errno 0",
		},
		// Isolator given twice (false, then true): the expected output shows
		// the later value wins.
		{
			patch:    []string{`--isolators=os/linux/no-new-privileges,false:os/linux/no-new-privileges,true`},
			expected: "no_new_privs: 1 err: errno 0",
		},
		// Same duplicate-isolator case as an unprivileged user.
		{
			rktParams: "--user=1000 --group=100",
			patch:     []string{`--isolators=os/linux/no-new-privileges,false:os/linux/no-new-privileges,true`},
			expected:  "no_new_privs: 1 err: errno 0",
		},
		// No isolator at all: default is off.
		{
			patch:    nil,
			expected: "no_new_privs: 0 err: errno 0",
		},
	}

	for _, tc := range cases {
		runNoNewPrivsCase(t, tc)
	}
}