Merge pull request #1755 from giuseppe/add-more-tests

add new tests

Author: flouthoc

tests/init.c

@@ -251,9 +251,9 @@ cat (char *file)
 }
 
 static int
-open_only (char *file)
+open_only (char *file, int flags)
 {
-  int fd = open (file, O_RDONLY);
+  int fd = open (file, flags);
   if (fd >= 0)
     {
       close (fd);
@@ -541,7 +541,14 @@ main (int argc, char **argv)
     {
       if (argc < 3)
         error (EXIT_FAILURE, 0, "'open' requires an argument");
-      return open_only (argv[2]);
+      return open_only (argv[2], O_RDONLY);
+    }
+
+  if (strcmp (argv[1], "openwronly") == 0)
+    {
+      if (argc < 3)
+        error (EXIT_FAILURE, 0, "'openwronly' requires an argument");
+      return open_only (argv[2], O_WRONLY);
     }
 
   if (strcmp (argv[1], "access") == 0)
@@ -599,6 +606,45 @@ main (int argc, char **argv)
       return 0;
     }
 
+  if (strcmp (argv[1], "isfifo") == 0)
+    {
+      struct stat st;
+      if (argc < 3)
+        error (EXIT_FAILURE, 0, "'isfifo' requires a path argument");
+      if (stat (argv[2], &st) < 0)
+        error (EXIT_FAILURE, errno, "stat %s", argv[2]);
+      if (S_ISFIFO (st.st_mode))
+        exit (0);
+      else
+        exit (1);
+    }
+
+  if (strcmp (argv[1], "ischar") == 0)
+    {
+      struct stat st;
+      if (argc < 3)
+        error (EXIT_FAILURE, 0, "'ischar' requires a path argument");
+      if (stat (argv[2], &st) < 0)
+        error (EXIT_FAILURE, errno, "stat %s", argv[2]);
+      if (S_ISCHR (st.st_mode))
+        exit (0);
+      else
+        exit (1);
+    }
+
+  if (strcmp (argv[1], "isblock") == 0)
+    {
+      struct stat st;
+      if (argc < 3)
+        error (EXIT_FAILURE, 0, "'isblock' requires a path argument");
+      if (stat (argv[2], &st) < 0)
+        error (EXIT_FAILURE, errno, "stat %s", argv[2]);
+      if (S_ISBLK (st.st_mode))
+        exit (0);
+      else
+        exit (1);
+    }
+
   if (strcmp (argv[1], "owner") == 0)
     {
       struct stat st;
@@ -789,7 +835,11 @@ main (int argc, char **argv)
           while (ret < 0 && errno == EINTR);
           if (ret < 0)
             return ret;
-          return status;
+          if (WIFEXITED (status))
+            return WEXITSTATUS (status);
+          if (WIFSIGNALED (status))
+            return 128 + WTERMSIG (status);
+          return EXIT_FAILURE;
         }
       return ls (argv[2]);
     }

tests/test_devices.py

@@ -288,7 +288,98 @@ def test_net_devices():
 
     return 0
 
+def test_mknod_fifo_device():
+    if is_rootless():
+        return 77
+
+    conf = base_config()
+    add_all_namespaces(conf)
+    conf['process']['args'] = ['/init', 'isfifo', '/dev/testfifo']
+    conf['linux']['devices'] = [
+        {"path": "/dev/testfifo", "type": "p", "fileMode": 0o0660, "uid": 1, "gid": 2}
+    ]
+    try:
+        run_and_get_output(conf)
+    except Exception as e:
+        sys.stderr.write(f"test_mknod_fifo_device failed: %s\n" % e)
+        return -1
+    return 0
+
+def test_mknod_char_device():
+    if is_rootless():
+        return 77
+
+    conf = base_config()
+    add_all_namespaces(conf)
+    conf['process']['args'] = ['/init', 'ischar', '/dev/testchar']
+    conf['linux']['devices'] = [
+        {"path": "/dev/testchar", "type": "c", "major": 251, "minor": 1, "fileMode": 0o0640, "uid": 3, "gid": 4}
+    ]
+    try:
+        run_and_get_output(conf)
+    except Exception as e:
+        sys.stderr.write(f"test_mknod_char_device failed: {e}\n")
+        return -1
+    return 0
+
+def test_allow_device_read_only():
+    if is_rootless():
+        return 77
+
+    try:
+        # Best effort load
+        subprocess.run(["modprobe", "null_blk", "nr_devices=1"])
+    except:
+        pass
+    try:
+        st = os.stat("/dev/nullb0")
+        major, minor = os.major(st.st_rdev), os.minor(st.st_rdev)
+    except:
+        return 77
+
+    conf = base_config()
+    add_all_namespaces(conf)
+
+    conf['linux']['devices'] = [{
+        "path": "/dev/controlledchar",
+        "type": "b",
+        "major": major,
+        "minor": minor,
+        "fileMode": 0o0666
+    }]
+    conf['linux']['resources'] = {
+        "devices": [
+            {"allow": False, "access": "rwm"},
+            {"allow": True, "type": "b", "major": major, "minor": minor, "access": "r"},
+        ]
+    }
+
+    conf['process']['args'] = ['/init', 'open', '/dev/controlledchar']
+    try:
+        run_and_get_output(conf)
+    except Exception as e:
+        sys.stderr.write(f"test_allow_device_read_only failed: %s\n" % e)
+        return -1
+
+    conf['process']['args'] = ['/init', 'openwronly', '/dev/controlledchar']
+    try:
+        run_and_get_output(conf)
+        sys.stderr.write("test_allow_device_read_only: write access was unexpectedly allowed.\n")
+        return 1
+    except Exception as e:
+        output_str = getattr(e, 'output', b'').decode(errors='ignore')
+        if "Operation not permitted" in output_str or "Permission denied" in output_str:
+            return 0
+        else:
+            sys.stderr.write(f"test_allow_device_read_only (write attempt) failed with: %s, output: %s\n" % (e, output_str))
+            return 1
+
+    return 1
+
 all_tests = {
+    "mknod-fifo-device": test_mknod_fifo_device,
+    "mknod-char-device": test_mknod_char_device,
+    "allow-device-read-only": test_allow_device_read_only,
     "owner-device" : test_owner_device,
     "deny-devices" : test_deny_devices,
     "allow-device" : test_allow_device,

tests/test_pid.py

@@ -39,9 +39,35 @@ def test_pid_user():
         return 0
     return -1
 
+def test_pid_host_namespace():
+    if is_rootless():
+        return 77
+    conf = base_config()
+    conf['process']['args'] = ['/init', 'cat', '/proc/self/status']
+    # No PID namespace is added.  Expect PID to not be 1.
+    out, _ = run_and_get_output(conf)
+    pid = parse_proc_status(out)['Pid']
+    if pid != "1":
+        return 0
+    return -1
+
+def test_pid_ppid_is_zero():
+    conf = base_config()
+    conf['process']['args'] = ['/init', 'cat', '/proc/self/status']
+    add_all_namespaces(conf)
+    out, _ = run_and_get_output(conf)
+    status = parse_proc_status(out)
+    pid = status.get('Pid')
+    ppid = status.get('PPid')
+    if pid == "1" and ppid == "0":
+        return 0
+    return -1
+
 all_tests = {
     "pid" : test_pid,
     "pid-user" : test_pid_user,
+    "pid-host-namespace" : test_pid_host_namespace,
+    "pid-ppid-is-zero" : test_pid_ppid_is_zero,
 }
 
 if __name__ == "__main__":

tests/test_uid_gid.py

@@ -114,12 +114,68 @@ def test_keep_groups():
         return -1
     return 0
 
+def test_additional_gids():
+    if is_rootless():
+        return 77
+    conf = base_config()
+    conf['process']['args'] = ['/init', 'cat', '/proc/self/status']
+    add_all_namespaces(conf)
+    conf['process']['user']['uid'] = 1000
+    conf['process']['user']['gid'] = 1000
+    conf['process']['user']['additionalGids'] = [2000, 3000]
+    out, _ = run_and_get_output(conf)
+    proc_status = parse_proc_status(out)
+
+    gids_status = proc_status['Gid'].split()
+    for g_id in gids_status:
+        if g_id != "1000":
+            return -1
+
+    groups_str = proc_status.get('Groups', "")
+    actual_supplementary_groups = set()
+    if groups_str:
+        actual_supplementary_groups = set(groups_str.split())
+
+    expected_supplementary_groups = {"2000", "3000"}
+
+    if actual_supplementary_groups != expected_supplementary_groups:
+        return -2
+    return 0
+
+def test_umask():
+    if is_rootless():
+        pass
+
+    conf = base_config()
+    add_all_namespaces(conf)
+
+    test_umask_octal_str = "0027"
+    test_umask_int = 0o027
+
+    conf['process']['user']['umask'] = test_umask_int
+    conf['process']['args'] = ['/init', 'cat', '/proc/self/status']
+
+    out, _ = run_and_get_output(conf)
+    proc_status = parse_proc_status(out)
+
+    if 'Umask' not in proc_status:
+        return -1
+
+    umask_from_status = proc_status['Umask']
+
+    if umask_from_status != test_umask_octal_str:
+        return -2
+
+    return 0
+
 all_tests = {
     "uid" : test_uid,
     "gid" : test_gid,
     "userns-full-mapping" : test_userns_full_mapping,
     "no-groups" : test_no_groups,
     "keep-groups" : test_keep_groups,
+    "additional-gids": test_additional_gids,
+    "umask": test_umask,
 }
 
 if __name__ == "__main__":