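// +build linux

package fs

import (
	"path/filepath"
	"strings"
	"testing"

	"github.com/opencontainers/runc/libcontainer/configs"
)

// checkCgroupPathConfined builds cgroup data for config and reports a test
// failure if the resulting paths point outside the cgroup mountpoint.
//
// Setup failures (no cgroup root, no cgroup data, no devices path) abort the
// test with Fatalf. Continuing after them would either dereference a value
// that was never populated or emit a "SECURITY" failure that is really a
// setup problem, which makes a regression harder to triage.
func checkCgroupPathConfined(t *testing.T, config *configs.Cgroup) {
	t.Helper()

	root, err := getCgroupRoot()
	if err != nil {
		t.Fatalf("couldn't get cgroup root: %v", err)
	}

	data, err := getCgroupData(config, 0)
	if err != nil {
		t.Fatalf("couldn't get cgroup data: %v", err)
	}

	// Make sure the final innerPath doesn't go outside the cgroup mountpoint.
	// This only detects a leading ".." component; the path() check below is
	// the one that looks at the fully joined path.
	if strings.HasPrefix(data.innerPath, "..") {
		t.Errorf("SECURITY: cgroup innerPath is outside cgroup mountpoint!")
	}

	// Double-check, using an actual cgroup.
	deviceRoot := filepath.Join(root, "devices")
	devicePath, err := data.path("devices")
	if err != nil {
		t.Fatalf("couldn't get cgroup path: %v", err)
	}
	// NOTE(review): this is a string-prefix comparison, not a path-component
	// comparison, so a sibling directory whose name merely starts with
	// "devices" would also satisfy it. Tightening it to a separator-aware
	// check depends on how path() names co-mounted hierarchies, which is not
	// visible from this file; confirm before changing.
	if !strings.HasPrefix(devicePath, deviceRoot) {
		t.Errorf("SECURITY: cgroup path() is outside cgroup mountpoint!")
	}
}

// TestInvalidCgroupPath checks that a relative Path made of ".." components
// cannot place the cgroup outside the cgroup mountpoint.
func TestInvalidCgroupPath(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Path: "../../../../../../../../../../some/path",
	})
}

// TestInvalidAbsoluteCgroupPath checks the same traversal input as
// TestInvalidCgroupPath, but with a leading slash on Path.
func TestInvalidAbsoluteCgroupPath(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Path: "/../../../../../../../../../../some/path",
	})
}

// TestInvalidCgroupParent checks that a relative Parent made of ".."
// components cannot place the cgroup outside the cgroup mountpoint.
//
// XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent.
func TestInvalidCgroupParent(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Parent: "../../../../../../../../../../some/path",
		Name:   "name",
	})
}

// TestInvalidAbsoluteCgroupParent checks the same traversal input as
// TestInvalidCgroupParent, but with a leading slash on Parent.
//
// XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent.
func TestInvalidAbsoluteCgroupParent(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Parent: "/../../../../../../../../../../some/path",
		Name:   "name",
	})
}

// TestInvalidCgroupName checks that a relative Name made of ".." components
// cannot place the cgroup outside the cgroup mountpoint.
//
// XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent.
func TestInvalidCgroupName(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Parent: "parent",
		Name:   "../../../../../../../../../../some/path",
	})
}

// TestInvalidAbsoluteCgroupName checks the same traversal input as
// TestInvalidCgroupName, but with a leading slash on Name.
//
// XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent.
func TestInvalidAbsoluteCgroupName(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Parent: "parent",
		Name:   "/../../../../../../../../../../some/path",
	})
}

// TestInvalidCgroupNameAndParent checks that relative traversal sequences in
// both Parent and Name cannot place the cgroup outside the cgroup mountpoint.
//
// XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent.
func TestInvalidCgroupNameAndParent(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Parent: "../../../../../../../../../../some/path",
		Name:   "../../../../../../../../../../some/path",
	})
}

// TestInvalidAbsoluteCgroupNameAndParent checks the same traversal input as
// TestInvalidCgroupNameAndParent, but with a leading slash on both fields.
//
// XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent.
func TestInvalidAbsoluteCgroupNameAndParent(t *testing.T) {
	checkCgroupPathConfined(t, &configs.Cgroup{
		Parent: "/../../../../../../../../../../some/path",
		Name:   "/../../../../../../../../../../some/path",
	})
}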