// Source: gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/runsc/specutils/safemount_test/safemount_test.go

// Copyright 2021 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package safemount_test

import (
	"os"
	"os/exec"
	"syscall"
	"testing"

	"golang.org/x/sys/unix"
	"gvisor.dev/gvisor/pkg/test/testutil"
)

// TestSafeMount launches the safemount_runner helper binary in a child
// process and fails if that process exits with an error.
//
// The real assertions live in the runner: mount(2) needs CAP_SYS_ADMIN, so
// the child is started in fresh user and mount namespaces where it runs as
// ID 0. The test process itself is not given any extra privilege here.
func TestSafeMount(t *testing.T) {
	runnerPath, err := testutil.FindFile("runsc/specutils/safemount_test/safemount_runner")
	if err != nil {
		t.Fatalf("failed to find test runner binary: %v", err)
	}

	// The runner receives a per-test temporary directory as its only argument.
	cmd := exec.Command(runnerPath, t.TempDir())

	// Exactly one ID is mapped in each direction: namespace ID 0 corresponds
	// to the uid/gid of the user running the test, so "root" in the child is
	// only root inside its own namespaces.
	rootUID := []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}}
	rootGID := []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}}

	cmd.SysProcAttr = &unix.SysProcAttr{
		// New mount namespace: mounts made by the runner stay in the child.
		// New user namespace: provides the capabilities needed for mount(2).
		Cloneflags:  unix.CLONE_NEWNS | unix.CLONE_NEWUSER,
		UidMappings: rootUID,
		GidMappings: rootGID,
		// Kept explicit: setgroups(2) stays disabled in the child. The kernel
		// requires this before an unprivileged process may write a gid map.
		GidMappingsEnableSetgroups: false,
		Credential: &syscall.Credential{
			Uid: 0,
			Gid: 0,
		},
	}

	// Stdout and stderr are captured together so that a failure report
	// carries everything the runner printed.
	if output, err := cmd.CombinedOutput(); err != nil {
		t.Fatalf("failed running %s with error: %v\ntest output:\n%s", cmd, err, output)
	}
}