|
| 1 | +package main |
| 2 | + |
| 3 | +import ( |
| 4 | + "fmt" |
| 5 | + "os/exec" |
| 6 | + "runtime" |
| 7 | + "syscall" |
| 8 | + |
| 9 | + "github.com/mndrix/tap-go" |
| 10 | + rspec "github.com/opencontainers/runtime-spec/specs-go" |
| 11 | + "github.com/opencontainers/runtime-tools/specerror" |
| 12 | + "github.com/opencontainers/runtime-tools/validation/util" |
| 13 | +) |
| 14 | + |
| 15 | +func checkNSPathMatchType(t *tap.T, ns, wrongNs string) error { |
| 16 | + // Deliberately set ns path with a wrong namespace, to check if the runtime |
| 17 | + // returns error when running with the wrong namespace path. |
| 18 | + unshareNsPath := fmt.Sprintf("/proc/self/ns/%s", wrongNs) |
| 19 | + |
| 20 | + g, err := util.GetDefaultGenerator() |
| 21 | + if err != nil { |
| 22 | + return fmt.Errorf("cannot get default config from generator: %v", err) |
| 23 | + } |
| 24 | + |
| 25 | + rtns := util.GetRuntimeToolsNamespace(ns) |
| 26 | + g.AddOrReplaceLinuxNamespace(rtns, unshareNsPath) |
| 27 | + |
| 28 | + err = util.RuntimeOutsideValidate(g, nil) |
| 29 | + |
| 30 | + t.Ok(err != nil, fmt.Sprintf("got error when setting a wrong namespace path %q with type %s", unshareNsPath, rtns)) |
| 31 | + if err == nil { |
| 32 | + rfcError, errRfc := specerror.NewRFCError(specerror.NSPathMatchTypeError, |
| 33 | + fmt.Errorf("got no error when setting a wrong namespace path %q with type %s", unshareNsPath, rtns), |
| 34 | + rspec.Version) |
| 35 | + if errRfc != nil { |
| 36 | + return fmt.Errorf("cannot get new rfcError: %v", errRfc) |
| 37 | + } |
| 38 | + diagnostic := map[string]string{ |
| 39 | + "expected": fmt.Sprintf("err == %v", err), |
| 40 | + "actual": "err == nil", |
| 41 | + "namespace type": rtns, |
| 42 | + "level": rfcError.Level.String(), |
| 43 | + "reference": rfcError.Reference, |
| 44 | + } |
| 45 | + t.YAML(diagnostic) |
| 46 | + |
| 47 | + return fmt.Errorf("cannot validate path with wrong type") |
| 48 | + } |
| 49 | + |
| 50 | + return nil |
| 51 | +} |
| 52 | + |
| 53 | +func testNSPathMatchType(t *tap.T, ns, unshareOpt, wrongNs string) error { |
| 54 | + // Calling 'unshare' (part of util-linux) is easier than doing it from |
| 55 | + // Golang: mnt namespaces cannot be unshared from multithreaded |
| 56 | + // programs. |
| 57 | + cmd := exec.Command("unshare", unshareOpt, "--fork", "sleep", "10000") |
| 58 | + cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true} |
| 59 | + err := cmd.Start() |
| 60 | + if err != nil { |
| 61 | + return fmt.Errorf("cannot run unshare: %s", err) |
| 62 | + } |
| 63 | + defer func() { |
| 64 | + if cmd.Process != nil { |
| 65 | + cmd.Process.Kill() |
| 66 | + } |
| 67 | + cmd.Wait() |
| 68 | + syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL) |
| 69 | + }() |
| 70 | + if cmd.Process == nil { |
| 71 | + return fmt.Errorf("process failed to start") |
| 72 | + } |
| 73 | + |
| 74 | + return checkNSPathMatchType(t, ns, wrongNs) |
| 75 | +} |
| 76 | + |
| 77 | +func main() { |
| 78 | + t := tap.New() |
| 79 | + t.Header(0) |
| 80 | + |
| 81 | + cases := []struct { |
| 82 | + name string |
| 83 | + unshareOpt string |
| 84 | + wrongname string |
| 85 | + }{ |
| 86 | + {"cgroup", "--cgroup", "ipc"}, |
| 87 | + {"ipc", "--ipc", "mnt"}, |
| 88 | + {"mnt", "--mount", "net"}, |
| 89 | + {"net", "--net", "pid"}, |
| 90 | + {"pid", "--pid", "user"}, |
| 91 | + {"user", "--user", "uts"}, |
| 92 | + {"uts", "--uts", "cgroup"}, |
| 93 | + } |
| 94 | + |
| 95 | + for _, c := range cases { |
| 96 | + if "linux" != runtime.GOOS { |
| 97 | + t.Skip(1, fmt.Sprintf("linux-specific namespace test: %s", c)) |
| 98 | + } |
| 99 | + |
| 100 | + err := testNSPathMatchType(t, c.name, c.unshareOpt, c.wrongname) |
| 101 | + t.Ok(err == nil, fmt.Sprintf("namespace path matches with type %s", c.name)) |
| 102 | + } |
| 103 | + |
| 104 | + t.AutoPlan() |
| 105 | +} |
0 commit comments