runc/tests/integration/mask.bats

#!/usr/bin/env bats

load helpers

function setup() {
	teardown_busybox
	setup_busybox

	# Create fake rootfs.
	mkdir rootfs/testdir
	echo "Forbidden information!" > rootfs/testfile

	# add extra masked paths
	update_config '(.. | select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]' 
}

function teardown() {
	teardown_busybox
}

@test "mask paths [file]" {
	# run busybox detached
	runc run -d --console-socket $CONSOLE_SOCKET test_busybox
	[ "$status" -eq 0 ]

	runc exec test_busybox cat /testfile
	[ "$status" -eq 0 ]
	[[ "${output}" == "" ]]

	runc exec test_busybox rm -f /testfile
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Read-only file system"* ]]

	runc exec test_busybox umount /testfile
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Operation not permitted"* ]]
}

@test "mask paths [directory]" {
	# run busybox detached
	runc run -d --console-socket $CONSOLE_SOCKET test_busybox
	[ "$status" -eq 0 ]

	runc exec test_busybox ls /testdir
	[ "$status" -eq 0 ]
	[[ "${output}" == "" ]]

	runc exec test_busybox touch /testdir/foo
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Read-only file system"* ]]

	runc exec test_busybox rm -rf /testdir
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Read-only file system"* ]]

	runc exec test_busybox umount /testdir
	[ "$status" -eq 1 ]
	[[ "${output}" == *"Operation not permitted"* ]]
}
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00			`#!/usr/bin/env bats`

			`load helpers`

			`function setup() {`
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`teardown_busybox`
			`setup_busybox`

			`# Create fake rootfs.`
			`mkdir rootfs/testdir`
			`echo "Forbidden information!" > rootfs/testfile`

			`# add extra masked paths`
Replace sed with jq for more readable json manipulation in tests Signed-off-by: John Hwang <John.F.Hwang@gmail.com> 2020-05-25 08:54:13 +08:00			`update_config '(.. \| select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]'`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00			`}`

			`function teardown() {`
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`teardown_busybox`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00			`}`

tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`@test "mask paths [file]" {`
			`# run busybox detached`
tests: fix all the things This fixes all of the tests that were broken as part of the console rewrite. This includes fixing the integration tests that used TTY handling inside libcontainer, as well as the bats integration tests that needed to be rewritten to use recvtty (as they rely on detached containers that are running). This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-09-06 20:40:01 +08:00			`runc run -d --console-socket $CONSOLE_SOCKET test_busybox`
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`[ "$status" -eq 0 ]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox cat /testfile`
			`[ "$status" -eq 0 ]`
			`[[ "${output}" == "" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox rm -f /testfile`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Read-only file system" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox umount /testfile`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Operation not permitted" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00			`}`

tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`@test "mask paths [directory]" {`
			`# run busybox detached`
tests: fix all the things This fixes all of the tests that were broken as part of the console rewrite. This includes fixing the integration tests that used TTY handling inside libcontainer, as well as the bats integration tests that needed to be rewritten to use recvtty (as they rely on detached containers that are running). This patch is part of the console rewrite patchset. Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-09-06 20:40:01 +08:00			`runc run -d --console-socket $CONSOLE_SOCKET test_busybox`
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`[ "$status" -eq 0 ]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox ls /testdir`
			`[ "$status" -eq 0 ]`
			`[[ "${output}" == "" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox touch /testdir/foo`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Read-only file system" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox rm -rf /testdir`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Read-only file system" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00
tests: mask: use test paths rather than /sys In certain circumstances (such as the rootless containers patchset), it is not possible to test things using /sys/firmware. In addition, we should be testing our own functionality rather than testing protection against /sys attacks (for which the system might already have extra protections). Instead, just make some fake paths in the rootfs that we then mask. Oddly I noticed that one of the errors changed when doing this (because before we tested removing a file from /sys/firmware which is -EPERM). So the old test was broken. Fixes: 53179559a15f5 ("MaskPaths: support directory") Fixes: #1068 Signed-off-by: Aleksa Sarai <asarai@suse.de> 2016-10-17 21:52:48 +08:00			`runc exec test_busybox umount /testdir`
			`[ "$status" -eq 1 ]`
			`[[ "${output}" == "Operation not permitted" ]]`
MaskPaths: support directory For example, the /sys/firmware directory should be masked because it can contain some sensitive files: - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information: - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-09-23 15:02:10 +08:00			`}`