Add test for MaskedPaths and ReadonlyPaths.

hack/install-docker.sh

@@ -38,7 +38,7 @@ sudo add-apt-repository \
 sudo apt-get update
 # Docker is downgraded because exec process in 18.x doesn't inherit additional group id from the init process.
 # See more details at https://github.com/moby/moby/issues/38865.
-sudo apt-get -y --allow-downgrades install docker-ce=17.03.3~ce-0~ubuntu-xenial
+sudo apt-get -y --allow-downgrades install docker-ce=5:18.09.5~3-0~ubuntu-xenial
 
 # Restart docker daemon.
 sudo service docker restart

pkg/validate/security_context_linux.go

@@ -476,6 +476,64 @@ var _ = framework.KubeDescribe("Security Context", func() {
 
 			checkNetworkManagement(rc, containerID, false)
 		})
+
+		It("runtime should support MaskedPaths", func() {
+			By("create pod")
+			podID, podConfig = framework.CreatePodSandboxForContainer(rc)
+
+			By("create container with MaskedPaths")
+			containerName := "container-with-maskedpaths" + framework.NewUUID()
+			containerConfig := &runtimeapi.ContainerConfig{
+				Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
+				Image:    &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
+				Command:  pauseCmd,
+				Linux: &runtimeapi.LinuxContainerConfig{
+					SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
+						MaskedPaths: []string{"/bin/ls"},
+					},
+				},
+			}
+
+			containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)
+			startContainer(rc, containerID)
+			Eventually(func() runtimeapi.ContainerState {
+				return getContainerStatus(rc, containerID).State
+			}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
+
+			cmd := []string{"/bin/sh", "-c", "ls"}
+			_, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+			Expect(err).To(HaveOccurred())
+			Expect(string(stderr)).To(Equal("/bin/sh: ls: Permission denied\n"))
+		})
+
+		It("runtime should support ReadonlyPaths", func() {
+			By("create pod")
+			podID, podConfig = framework.CreatePodSandboxForContainer(rc)
+
+			By("create container with ReadonlyPaths")
+			containerName := "container-with-readonlypaths" + framework.NewUUID()
+			containerConfig := &runtimeapi.ContainerConfig{
+				Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
+				Image:    &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
+				Command:  pauseCmd,
+				Linux: &runtimeapi.LinuxContainerConfig{
+					SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
+						ReadonlyPaths: []string{"/tmp"},
+					},
+				},
+			}
+
+			containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)
+			startContainer(rc, containerID)
+			Eventually(func() runtimeapi.ContainerState {
+				return getContainerStatus(rc, containerID).State
+			}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
+
+			cmd := []string{"touch", "/tmp/test"}
+			_, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+			Expect(err).To(HaveOccurred())
+			Expect(string(stderr)).To(Equal("touch: /tmp/test: Read-only file system\n"))
+		})
 	})
 
 	// TODO(random-liu): We should set apparmor to unconfined in seccomp test to prevent