#!/usr/bin/env bats load helpers function setup() { setup_busybox # Create fake rootfs. mkdir rootfs/testdir echo "Forbidden information!" >rootfs/testfile # add extra masked paths update_config '(.. | select(.maskedPaths? != null)) .maskedPaths += ["/testdir", "/testfile"]' } function teardown() { teardown_bundle } @test "mask paths [file]" { # run busybox detached runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox [ "$status" -eq 0 ] runc exec test_busybox cat /testfile [ "$status" -eq 0 ] [ -z "$output" ] runc exec test_busybox rm -f /testfile [ "$status" -eq 1 ] [[ "${output}" == *"Read-only file system"* ]] runc exec test_busybox umount /testfile [ "$status" -eq 1 ] [[ "${output}" == *"Operation not permitted"* ]] } @test "mask paths [directory]" { # run busybox detached runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox [ "$status" -eq 0 ] runc exec test_busybox ls /testdir [ "$status" -eq 0 ] [ -z "$output" ] runc exec test_busybox touch /testdir/foo [ "$status" -eq 1 ] [[ "${output}" == *"Read-only file system"* ]] runc exec test_busybox rm -rf /testdir [ "$status" -eq 1 ] [[ "${output}" == *"Read-only file system"* ]] runc exec test_busybox umount /testdir [ "$status" -eq 1 ] [[ "${output}" == *"Operation not permitted"* ]] }