diff --git a/tests/contest/contest/src/main.rs b/tests/contest/contest/src/main.rs index 10d60f85a..bb1019ca8 100644 --- a/tests/contest/contest/src/main.rs +++ b/tests/contest/contest/src/main.rs @@ -26,6 +26,7 @@ use crate::tests::process_oom_score_adj::get_process_oom_score_adj_test; use crate::tests::process_rlimits::get_process_rlimits_test; use crate::tests::process_user::get_process_user_test; use crate::tests::readonly_paths::get_ro_paths_test; +use crate::tests::root_readonly_true::get_root_readonly_test; use crate::tests::scheduler::get_scheduler_test; use crate::tests::seccomp::get_seccomp_test; use crate::tests::seccomp_notify::get_seccomp_notify_test; @@ -118,6 +119,7 @@ fn main() -> Result<()> { let scheduler = get_scheduler_test(); let io_priority_test = get_io_priority_test(); let devices = get_devices_test(); + let root_readonly = get_root_readonly_test(); let process = get_process_test(); let process_user = get_process_user_test(); let process_rlimtis = get_process_rlimits_test(); @@ -146,6 +148,7 @@ fn main() -> Result<()> { tm.add_test_group(Box::new(sysctl)); tm.add_test_group(Box::new(scheduler)); tm.add_test_group(Box::new(devices)); + tm.add_test_group(Box::new(root_readonly)); tm.add_test_group(Box::new(process)); tm.add_test_group(Box::new(process_user)); tm.add_test_group(Box::new(process_rlimtis)); diff --git a/tests/contest/contest/src/tests/mod.rs b/tests/contest/contest/src/tests/mod.rs index b3edce99a..6e8e39be8 100644 --- a/tests/contest/contest/src/tests/mod.rs +++ b/tests/contest/contest/src/tests/mod.rs @@ -16,6 +16,7 @@ pub mod process_oom_score_adj; pub mod process_rlimits; pub mod process_user; pub mod readonly_paths; +pub mod root_readonly_true; pub mod scheduler; pub mod seccomp; pub mod seccomp_notify; diff --git a/tests/contest/contest/src/tests/root_readonly_true/mod.rs b/tests/contest/contest/src/tests/root_readonly_true/mod.rs new file mode 100644 index 000000000..32bcfe81d --- /dev/null +++ b/tests/contest/contest/src/tests/root_readonly_true/mod.rs @@ -0,0 +1,2 @@ +mod root_readonly_tests; +pub use root_readonly_tests::get_root_readonly_test; diff --git a/tests/contest/contest/src/tests/root_readonly_true/root_readonly_tests.rs b/tests/contest/contest/src/tests/root_readonly_true/root_readonly_tests.rs new file mode 100644 index 000000000..c87b30adf --- /dev/null +++ b/tests/contest/contest/src/tests/root_readonly_true/root_readonly_tests.rs @@ -0,0 +1,44 @@ +use anyhow::{Context, Ok, Result}; +use oci_spec::runtime::{ProcessBuilder, RootBuilder, Spec, SpecBuilder}; +use test_framework::{test_result, Test, TestGroup, TestResult}; + +use crate::utils::test_inside_container; +use crate::utils::test_utils::CreateOptions; + +fn create_spec(readonly: bool) -> Result { + let spec = SpecBuilder::default() + .root(RootBuilder::default().readonly(readonly).build().unwrap()) + .process( + ProcessBuilder::default() + .args(vec!["runtimetest".to_string(), "root_readonly".to_string()]) + .build() + .expect("error in creating config"), + ) + .build() + .context("failed to build spec")?; + + Ok(spec) +} + +fn root_readonly_true_test() -> TestResult { + let spec_true = test_result!(create_spec(true)); + test_inside_container(spec_true, &CreateOptions::default(), &|_| Ok(())) +} + +fn root_readonly_false_test() -> TestResult { + let spec_false = test_result!(create_spec(false)); + test_inside_container(spec_false, &CreateOptions::default(), &|_| Ok(())) +} + +pub fn get_root_readonly_test() -> TestGroup { + let mut root_readonly_test_group = TestGroup::new("root_readonly"); + + let test_true = Test::new("root_readonly_true_test", Box::new(root_readonly_true_test)); + let test_false = Test::new( + "root_readonly_false_test", + Box::new(root_readonly_false_test), + ); + root_readonly_test_group.add(vec![Box::new(test_true), Box::new(test_false)]); + + root_readonly_test_group +} diff --git a/tests/contest/runtimetest/src/main.rs b/tests/contest/runtimetest/src/main.rs index 07bdd0572..ef85a35cb 100644 --- a/tests/contest/runtimetest/src/main.rs +++ b/tests/contest/runtimetest/src/main.rs @@ -44,6 +44,7 @@ fn main() { "io_priority_class_be" => tests::test_io_priority_class(&spec, IoprioClassBe), "io_priority_class_idle" => tests::test_io_priority_class(&spec, IoprioClassIdle), "devices" => tests::validate_devices(&spec), + "root_readonly" => tests::test_validate_root_readonly(&spec), "process" => tests::validate_process(&spec), "process_user" => tests::validate_process_user(&spec), "process_rlimits" => tests::validate_process_rlimits(&spec), diff --git a/tests/contest/runtimetest/src/tests.rs b/tests/contest/runtimetest/src/tests.rs index 2a42d5bd6..721141aaf 100644 --- a/tests/contest/runtimetest/src/tests.rs +++ b/tests/contest/runtimetest/src/tests.rs @@ -16,7 +16,9 @@ use oci_spec::runtime::{ LinuxDevice, LinuxDeviceType, LinuxSchedulerPolicy, PosixRlimit, PosixRlimitType, Spec, }; -use crate::utils::{self, test_read_access, test_write_access}; +use crate::utils::{ + self, test_dir_read_access, test_dir_write_access, test_read_access, test_write_access, +}; ////////// ANCHOR: example_hello_world pub fn hello_world(_spec: &Spec) { @@ -551,6 +553,42 @@ pub fn test_io_priority_class(spec: &Spec, io_priority_class: IOPriorityClass) { } } +pub fn test_validate_root_readonly(spec: &Spec) { + let root = spec.root().as_ref().unwrap(); + if root.readonly().unwrap() { + if let Err(e) = test_dir_write_access("/") { + let errno = Errno::from_raw(e.raw_os_error().unwrap()); + if errno == Errno::EROFS { + /* This is expected */ + } else { + eprintln!( + "readonly root filesystem, error in testing write access for path /, error: {}", + errno + ); + } + } + if let Err(e) = test_dir_read_access("/") { + eprintln!( + "readonly root filesystem, but error in testing read access for path /, error: {}", + e + ); + } + } else { + if let Err(e) = test_dir_write_access("/") { + eprintln!( + "readonly root filesystem is false, but error in testing write access for path /, error: {}", + e + ); + } + if let Err(e) = test_dir_read_access("/") { + eprintln!( + "readonly root filesystem is false, but error in testing read access for path /, error: {}", + e + ); + } + } +} + pub fn validate_process(spec: &Spec) { let process = spec.process().as_ref().unwrap(); let expected_cwd = process.cwd(); diff --git a/tests/contest/runtimetest/src/utils.rs b/tests/contest/runtimetest/src/utils.rs index 4976fe5ae..fd1c1cbde 100644 --- a/tests/contest/runtimetest/src/utils.rs +++ b/tests/contest/runtimetest/src/utils.rs @@ -14,7 +14,7 @@ fn test_file_read_access(path: &str) -> Result<(), std::io::Error> { Ok(()) } -fn test_dir_read_access(path: &str) -> Result<(), std::io::Error> { +pub fn test_dir_read_access(path: &str) -> Result<(), std::io::Error> { let _ = std::fs::read_dir(path)?; Ok(()) } @@ -51,7 +51,7 @@ fn test_file_write_access(path: &str) -> Result<(), std::io::Error> { Ok(()) } -fn test_dir_write_access(path: &str) -> Result<(), std::io::Error> { +pub fn test_dir_write_access(path: &str) -> Result<(), std::io::Error> { let _ = std::fs::OpenOptions::new() .create(true) .truncate(true)