forked from adamlaska/runc
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdev.bats
More file actions
130 lines (102 loc) · 4.11 KB
/
dev.bats
File metadata and controls
130 lines (102 loc) · 4.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/usr/bin/env bats
load helpers
function setup() {
setup_busybox
}
function teardown() {
teardown_bundle
}
@test "runc run [redundant default /dev/tty]" {
update_config ' .linux.devices += [{"path": "/dev/tty", "type": "c", "major": 5, "minor": 0}]
| .process.args |= ["ls", "-lLn", "/dev/tty"]'
runc run test_dev
[ "$status" -eq 0 ]
if [[ "$ROOTLESS" -ne 0 ]]; then
[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"65534".+"65534".+"5,".+"0".+"/dev/tty" ]]
else
[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"0".+"0".+"5,".+"0".+"/dev/tty" ]]
fi
}
@test "runc run [redundant default /dev/ptmx]" {
update_config ' .linux.devices += [{"path": "/dev/ptmx", "type": "c", "major": 5, "minor": 2}]
| .process.args |= ["ls", "-lLn", "/dev/ptmx"]'
runc run test_dev
[ "$status" -eq 0 ]
[[ "${lines[0]}" =~ "crw-rw-rw".+"1".+"0".+"0".+"5,".+"2".+"/dev/ptmx" ]]
}
@test "runc run/update [device cgroup deny]" {
requires root
update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"}]
| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
| .process.capabilities.bounding += ["CAP_SYSLOG"]
| .process.capabilities.effective += ["CAP_SYSLOG"]
| .process.capabilities.inheritable += ["CAP_SYSLOG"]
| .process.capabilities.permitted += ["CAP_SYSLOG"]
| .process.args |= ["sh"]'
runc run -d --console-socket "$CONSOLE_SOCKET" test_deny
[ "$status" -eq 0 ]
# test write
runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
[ "$status" -eq 1 ]
[[ "${output}" == *'Operation not permitted'* ]]
# test read
runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
[ "$status" -eq 1 ]
[[ "${output}" == *'Operation not permitted'* ]]
runc update test_deny --pids-limit 42
# test write
runc exec test_deny sh -c 'hostname | tee /dev/kmsg'
[ "$status" -eq 1 ]
[[ "${output}" == *'Operation not permitted'* ]]
# test read
runc exec test_deny sh -c 'head -n 1 /dev/kmsg'
[ "$status" -eq 1 ]
[[ "${output}" == *'Operation not permitted'* ]]
}
@test "runc run [device cgroup allow rw char device]" {
requires root
update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "c", "major": 1, "minor": 11, "access": "rw"}]
| .linux.devices = [{"path": "/dev/kmsg", "type": "c", "major": 1, "minor": 11}]
| .process.args |= ["sh"]
| .process.capabilities.bounding += ["CAP_SYSLOG"]
| .process.capabilities.effective += ["CAP_SYSLOG"]
| .process.capabilities.inheritable += ["CAP_SYSLOG"]
| .process.capabilities.permitted += ["CAP_SYSLOG"]
| .hostname = "myhostname"'
runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_char
[ "$status" -eq 0 ]
# test write
runc exec test_allow_char sh -c 'hostname | tee /dev/kmsg'
[ "$status" -eq 0 ]
[[ "${lines[0]}" == *'myhostname'* ]]
# test read
runc exec test_allow_char sh -c 'head -n 1 /dev/kmsg'
[ "$status" -eq 0 ]
# test access
TEST_NAME="dev_access_test"
gcc -static -o "rootfs/bin/${TEST_NAME}" "${TESTDATA}/${TEST_NAME}.c"
runc exec test_allow_char sh -c "${TEST_NAME} /dev/kmsg"
[ "$status" -eq 0 ]
}
@test "runc run [device cgroup allow rm block device]" {
requires root
# Get the first block device.
IFS=$' \t:' read -r device major minor <<<"$(lsblk -nd -o NAME,MAJ:MIN)"
# Could have used -o PATH but lsblk from CentOS 7 does not have it.
device="/dev/$device"
update_config ' .linux.resources.devices = [{"allow": false, "access": "rwm"},{"allow": true, "type": "b", "major": '"$major"', "minor": '"$minor"', "access": "rwm"}]
| .linux.devices = [{"path": "'"$device"'", "type": "b", "major": '"$major"', "minor": '"$minor"'}]
| .process.args |= ["sh"]
| .process.capabilities.bounding += ["CAP_MKNOD"]
| .process.capabilities.effective += ["CAP_MKNOD"]
| .process.capabilities.inheritable += ["CAP_MKNOD"]
| .process.capabilities.permitted += ["CAP_MKNOD"]'
runc run -d --console-socket "$CONSOLE_SOCKET" test_allow_block
[ "$status" -eq 0 ]
# test mknod
runc exec test_allow_block sh -c 'mknod /dev/fooblock b '"$major"' '"$minor"''
[ "$status" -eq 0 ]
# test read
runc exec test_allow_block sh -c 'fdisk -l '"$device"''
[ "$status" -eq 0 ]
}