#!/usr/bin/env bats load helpers function setup() { teardown_busybox setup_busybox # Create fake rootfs. mkdir rootfs/testdir echo "Forbidden information!" > rootfs/testfile # add extra masked paths sed -i 's;"maskedPaths": \[;"maskedPaths": \["/testdir","/testfile",;g' config.json } function teardown() { teardown_busybox } @test "mask paths [file]" { # run busybox detached runc run -d --console /dev/pts/ptmx test_busybox [ "$status" -eq 0 ] wait_for_container 15 1 test_busybox runc exec test_busybox cat /testfile [ "$status" -eq 0 ] [[ "${output}" == "" ]] runc exec test_busybox rm -f /testfile [ "$status" -eq 1 ] [[ "${output}" == *"Read-only file system"* ]] runc exec test_busybox umount /testfile [ "$status" -eq 1 ] [[ "${output}" == *"Operation not permitted"* ]] } @test "mask paths [directory]" { # run busybox detached runc run -d --console /dev/pts/ptmx test_busybox [ "$status" -eq 0 ] wait_for_container 15 1 test_busybox runc exec test_busybox ls /testdir [ "$status" -eq 0 ] [[ "${output}" == "" ]] runc exec test_busybox touch /testdir/foo [ "$status" -eq 1 ] [[ "${output}" == *"Read-only file system"* ]] runc exec test_busybox rm -rf /testdir [ "$status" -eq 1 ] [[ "${output}" == *"Read-only file system"* ]] runc exec test_busybox umount /testdir [ "$status" -eq 1 ] [[ "${output}" == *"Operation not permitted"* ]] }