#!/usr/bin/env bats
load helpers
# Bats hook run after every test: tear down the bundle prepared in setup()
# (presumably the counterpart of setup_busybox).
teardown() {
	teardown_bundle
}
# Bats hook run before every test: build a busybox bundle that runs inside a
# user namespace whose root maps to host uid/gid 100000.
setup() {
	requires root cgroups_v2 systemd
	setup_busybox

	# The mapped host uid must be able to read the test temp dir and to create
	# mount points in the rootfs; both chowns are non-recursive.
	chown 100000 "$ROOT" "$ROOT"/bundle/rootfs

	set_cgroups_path

	# Add a user namespace and map container uid/gid 0..65535 onto host
	# 100000..165535 (the same id the directories above were handed to).
	update_config ' .linux.namespaces += [{"type": "user"}]
	| .linux.uidMappings += [{"hostID": 100000, "containerID": 0, "size": 65536}]
	| .linux.gidMappings += [{"hostID": 100000, "containerID": 0, "size": 65536}]
	'
}
@test "runc exec (cgroup v2, ro cgroupfs, new cgroupns) does not chown cgroup" {
	# Config as left by setup(): cgroupfs stays read-only and the container
	# gets its own cgroup namespace.
	local owner_cmd="stat -c %U /sys/fs/cgroup"

	runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
	[[ "$status" -eq 0 ]]

	# The mount must still belong to a uid outside the container's mapping,
	# i.e. runc must not have chowned it into the user namespace.
	runc exec test_cgroup_chown sh -c "$owner_cmd"
	[[ "$status" -eq 0 ]]
	[[ "$output" == "nobody" ]]
}
@test "runc exec (cgroup v2, rw cgroupfs, inherit cgroupns) does not chown cgroup" {
	local owner_cmd="stat -c %U /sys/fs/cgroup"

	set_cgroup_mount_writable
	# Drop the cgroup namespace from the config so the container inherits
	# the host's cgroup namespace instead of getting a new one.
	update_config '.linux.namespaces |= map(select(.type != "cgroup"))'

	runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
	[[ "$status" -eq 0 ]]

	# Even with a writable cgroupfs, an inherited cgroupns must not lead to the
	# mount being chowned into the container's user namespace.
	runc exec test_cgroup_chown sh -c "$owner_cmd"
	[[ "$status" -eq 0 ]]
	[[ "$output" == "nobody" ]]
}
@test "runc exec (cgroup v2, rw cgroupfs, new cgroupns) does chown cgroup" {
	local owner_cmd="stat -c %U /sys/fs/cgroup"

	# Writable cgroupfs plus the new cgroup namespace from setup(): the one
	# combination in this file where the cgroup is handed to the container.
	set_cgroup_mount_writable

	runc run -d --console-socket "$CONSOLE_SOCKET" test_cgroup_chown
	[[ "$status" -eq 0 ]]

	# Owner resolves to root as seen from inside the user namespace, i.e.
	# host uid 100000 per the mapping set up in setup().
	runc exec test_cgroup_chown sh -c "$owner_cmd"
	[[ "$status" -eq 0 ]]
	[[ "$output" == "root" ]]
}