Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add test for MaskedPaths and ReadonlyPaths. #487

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion hack/install-docker.sh
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ sudo add-apt-repository \
sudo apt-get update
# Docker is downgraded because exec process in 18.x doesn't inherit additional group id from the init process.
# See more details at https://github.com/moby/moby/issues/38865.
sudo apt-get -y --allow-downgrades install docker-ce=17.03.3~ce-0~ubuntu-xenial
sudo apt-get -y --allow-downgrades install docker-ce=5:18.09.5~3-0~ubuntu-xenial

# Restart docker daemon.
sudo service docker restart
58 changes: 58 additions & 0 deletions pkg/validate/security_context_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -476,6 +476,64 @@ var _ = framework.KubeDescribe("Security Context", func() {

checkNetworkManagement(rc, containerID, false)
})

It("runtime should support MaskedPaths", func() {
By("create pod")
podID, podConfig = framework.CreatePodSandboxForContainer(rc)

By("create container with MaskedPaths")
containerName := "container-with-maskedpaths" + framework.NewUUID()
containerConfig := &runtimeapi.ContainerConfig{
Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
Image: &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
Command: pauseCmd,
Linux: &runtimeapi.LinuxContainerConfig{
SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
MaskedPaths: []string{"/bin/ls"},
},
},
}

containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)
startContainer(rc, containerID)
Eventually(func() runtimeapi.ContainerState {
return getContainerStatus(rc, containerID).State
}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))

cmd := []string{"/bin/sh", "-c", "ls"}
_, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
Expect(err).To(HaveOccurred())
Expect(string(stderr)).To(Equal("/bin/sh: ls: Permission denied\n"))
})

It("runtime should support ReadonlyPaths", func() {
By("create pod")
podID, podConfig = framework.CreatePodSandboxForContainer(rc)

By("create container with ReadonlyPaths")
containerName := "container-with-readonlypaths" + framework.NewUUID()
containerConfig := &runtimeapi.ContainerConfig{
Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
Image: &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
Command: pauseCmd,
Linux: &runtimeapi.LinuxContainerConfig{
SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
ReadonlyPaths: []string{"/tmp"},
},
},
}

containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)
startContainer(rc, containerID)
Eventually(func() runtimeapi.ContainerState {
return getContainerStatus(rc, containerID).State
}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))

cmd := []string{"touch", "/tmp/test"}
_, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
Expect(err).To(HaveOccurred())
Expect(string(stderr)).To(Equal("touch: /tmp/test: Read-only file system\n"))
})
})

// TODO(random-liu): We should set apparmor to unconfined in seccomp test to prevent
Expand Down