runc/tests/integration/mask.bats

#!/usr/bin/env bats

load helpers

function setup() {
  teardown_busybox
  setup_busybox
}

function teardown() {
  teardown_busybox
}

@test "MaskPaths(file)" {
  # run busybox detached
  runc run -d --console /dev/pts/ptmx test_busybox
  [ "$status" -eq 0 ]

  wait_for_container 15 1 test_busybox

  runc exec test_busybox cat /proc/kcore
  [ "$status" -eq 0 ]
  [[ "${output}" == "" ]]

  runc exec test_busybox rm -f /proc/kcore
  [ "$status" -eq 1 ]
  [[ "${output}" == *"Permission denied"* ]]

  runc exec test_busybox umount /proc/kcore
  [ "$status" -eq 1 ]
  [[ "${output}" == *"Operation not permitted"* ]]
}

@test "MaskPaths(directory)" {
  # run busybox detached
  runc run -d --console /dev/pts/ptmx test_busybox
  [ "$status" -eq 0 ]

  wait_for_container 15 1 test_busybox

  runc exec test_busybox ls /sys/firmware
  [ "$status" -eq 0 ]
  [[ "${output}" == "" ]]

  runc exec test_busybox touch /sys/firmware/foo
  [ "$status" -eq 1 ]
  [[ "${output}" == *"Read-only file system"* ]]

  runc exec test_busybox rm -rf /sys/firmware
  [ "$status" -eq 1 ]
  [[ "${output}" == *"Read-only file system"* ]]

  runc exec test_busybox umount /sys/firmware
  [ "$status" -eq 1 ]
  [[ "${output}" == *"Operation not permitted"* ]]
}
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00			`#!/usr/bin/env bats`

			`load helpers`

			`function setup() {`
			`teardown_busybox`
			`setup_busybox`
			`}`

			`function teardown() {`
			`teardown_busybox`
			`}`

			`@test "MaskPaths(file)" {`
			`# run busybox detached`
			`runc run -d --console /dev/pts/ptmx test_busybox`
			`[ "$status" -eq 0 ]`

			`wait_for_container 15 1 test_busybox`

			`runc exec test_busybox cat /proc/kcore`
			`[ "$status" -eq 0 ]`
			`[[ "${output}" == "" ]]`

			`runc exec test_busybox rm -f /proc/kcore`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Permission denied" ]]`

			`runc exec test_busybox umount /proc/kcore`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Operation not permitted" ]]`
			`}`

			`@test "MaskPaths(directory)" {`
			`# run busybox detached`
			`runc run -d --console /dev/pts/ptmx test_busybox`
			`[ "$status" -eq 0 ]`

			`wait_for_container 15 1 test_busybox`

			`runc exec test_busybox ls /sys/firmware`
			`[ "$status" -eq 0 ]`
			`[[ "${output}" == "" ]]`

			`runc exec test_busybox touch /sys/firmware/foo`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Read-only file system" ]]`

			`runc exec test_busybox rm -rf /sys/firmware`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Read-only file system" ]]`

			`runc exec test_busybox umount /sys/firmware`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Operation not permitted" ]]`
			`}`