Files
runc/tests/integration/mask.bats
T
Akihiro Suda 53179559a1 MaskPaths: support directory
For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
  - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information:
  - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-23 16:14:41 +00:00

57 lines
1.2 KiB
Bash

#!/usr/bin/env bats
load helpers
function setup() {
teardown_busybox
setup_busybox
}
function teardown() {
teardown_busybox
}
@test "MaskPaths(file)" {
# run busybox detached
runc run -d --console /dev/pts/ptmx test_busybox
[ "$status" -eq 0 ]
wait_for_container 15 1 test_busybox
runc exec test_busybox cat /proc/kcore
[ "$status" -eq 0 ]
[[ "${output}" == "" ]]
runc exec test_busybox rm -f /proc/kcore
[ "$status" -eq 1 ]
[[ "${output}" == *"Permission denied"* ]]
runc exec test_busybox umount /proc/kcore
[ "$status" -eq 1 ]
[[ "${output}" == *"Operation not permitted"* ]]
}
@test "MaskPaths(directory)" {
# run busybox detached
runc run -d --console /dev/pts/ptmx test_busybox
[ "$status" -eq 0 ]
wait_for_container 15 1 test_busybox
runc exec test_busybox ls /sys/firmware
[ "$status" -eq 0 ]
[[ "${output}" == "" ]]
runc exec test_busybox touch /sys/firmware/foo
[ "$status" -eq 1 ]
[[ "${output}" == *"Read-only file system"* ]]
runc exec test_busybox rm -rf /sys/firmware
[ "$status" -eq 1 ]
[[ "${output}" == *"Read-only file system"* ]]
runc exec test_busybox umount /sys/firmware
[ "$status" -eq 1 ]
[[ "${output}" == *"Operation not permitted"* ]]
}