summaryrefslogtreecommitdiffhomepage
path: root/test/e2e
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2021-07-12 16:52:53 -0700
committergVisor bot <gvisor-bot@google.com>2021-07-12 16:55:40 -0700
commitf51e0486d4f3bd25371c9449de27a3d966b813e3 (patch)
treef80560cef9ddf213035fec07f710035fc6933fb0 /test/e2e
parent7132b9a07b55b1c2944f19bb938878d147785a72 (diff)
Fix stdios ownership
Set stdio ownership based on the container's user to ensure the user can open/read/write to/from stdios. 1. stdios in the host are changed to have the owner be the same uid/gid of the process running the sandbox. This ensures that the sandbox has full control over it. 2. stdios owner owner inside the sandbox is changed to match the container's user to give access inside the container and make it behave the same as runc. Fixes #6180 PiperOrigin-RevId: 384347009
Diffstat (limited to 'test/e2e')
-rw-r--r--test/e2e/integration_test.go113
1 files changed, 108 insertions, 5 deletions
diff --git a/test/e2e/integration_test.go b/test/e2e/integration_test.go
index 1accc3b3b..f53417cab 100644
--- a/test/e2e/integration_test.go
+++ b/test/e2e/integration_test.go
@@ -30,6 +30,7 @@ import (
"net/http"
"os"
"path/filepath"
+ "regexp"
"strconv"
"strings"
"testing"
@@ -426,10 +427,10 @@ func TestTmpMount(t *testing.T) {
// Test that it is allowed to mount a file on top of /dev files, e.g.
// /dev/random.
func TestMountOverDev(t *testing.T) {
- if usingVFS2, err := dockerutil.UsingVFS2(); !usingVFS2 {
- t.Skip("VFS1 doesn't allow /dev/random to be mounted.")
- } else if err != nil {
+ if vfs2, err := dockerutil.UsingVFS2(); err != nil {
t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
+ } else if !vfs2 {
+ t.Skip("VFS1 doesn't allow /dev/random to be mounted.")
}
random, err := ioutil.TempFile(testutil.TmpDir(), "random")
@@ -574,11 +575,12 @@ func runIntegrationTest(t *testing.T, capAdd []string, args ...string) {
d := dockerutil.MakeContainer(ctx, t)
defer d.CleanUp(ctx)
- if got, err := d.Run(ctx, dockerutil.RunOpts{
+ opts := dockerutil.RunOpts{
Image: "basic/integrationtest",
WorkDir: "/root",
CapAdd: capAdd,
- }, args...); err != nil {
+ }
+ if got, err := d.Run(ctx, opts, args...); err != nil {
t.Fatalf("docker run failed: %v", err)
} else if got != "" {
t.Errorf("test failed:\n%s", got)
@@ -609,6 +611,107 @@ func TestBindOverlay(t *testing.T) {
}
}
+func TestStdios(t *testing.T) {
+ if vfs2, err := dockerutil.UsingVFS2(); err != nil {
+ t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
+ } else if !vfs2 {
+ t.Skip("VFS1 doesn't adjust stdios user")
+ }
+
+ ctx := context.Background()
+ d := dockerutil.MakeContainer(ctx, t)
+ defer d.CleanUp(ctx)
+
+ testStdios(t, func(user string, args ...string) (string, error) {
+ defer d.CleanUp(ctx)
+ opts := dockerutil.RunOpts{
+ Image: "basic/alpine",
+ User: user,
+ }
+ return d.Run(ctx, opts, args...)
+ })
+}
+
+func TestStdiosExec(t *testing.T) {
+ if vfs2, err := dockerutil.UsingVFS2(); err != nil {
+ t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
+ } else if !vfs2 {
+ t.Skip("VFS1 doesn't adjust stdios user")
+ }
+
+ ctx := context.Background()
+ d := dockerutil.MakeContainer(ctx, t)
+ defer d.CleanUp(ctx)
+
+ runOpts := dockerutil.RunOpts{Image: "basic/alpine"}
+ if err := d.Spawn(ctx, runOpts, "sleep", "100"); err != nil {
+ t.Fatalf("docker run failed: %v", err)
+ }
+
+ testStdios(t, func(user string, args ...string) (string, error) {
+ opts := dockerutil.ExecOpts{User: user}
+ return d.Exec(ctx, opts, args...)
+ })
+}
+
+func testStdios(t *testing.T, run func(string, ...string) (string, error)) {
+ const cmd = "stat -L /proc/self/fd/0 /proc/self/fd/1 /proc/self/fd/2 | grep 'Uid:'"
+ got, err := run("123", "/bin/sh", "-c", cmd)
+ if err != nil {
+ t.Fatalf("docker exec failed: %v", err)
+ }
+ if len(got) == 0 {
+ t.Errorf("Unexpected empty output from %q", cmd)
+ }
+ re := regexp.MustCompile(`Uid: \(\s*(\w+)\/.*\)`)
+ for _, line := range strings.SplitN(got, "\n", 3) {
+ t.Logf("stat -L: %s", line)
+ matches := re.FindSubmatch([]byte(line))
+ if len(matches) != 2 {
+ t.Fatalf("wrong output format: %q: matches: %v", line, matches)
+ }
+ if want, got := "123", string(matches[1]); want != got {
+ t.Errorf("wrong user, want: %q, got: %q", want, got)
+ }
+ }
+
+ // Check that stdout and stderr can be open and written to. This checks
+ // that ownership and permissions are correct inside gVisor.
+ got, err = run("456", "/bin/sh", "-c", "echo foobar | tee /proc/self/fd/1 > /proc/self/fd/2")
+ if err != nil {
+ t.Fatalf("docker run failed: %v", err)
+ }
+ t.Logf("echo foobar: %q", got)
+ // Check it repeats twice, once for stdout and once for stderr.
+ if want := "foobar\nfoobar\n"; want != got {
+ t.Errorf("Wrong echo output, want: %q, got: %q", want, got)
+ }
+
+ // Check that timestamps can be changed. Setting timestamps require an extra
+ // write check _after_ the file was opened, and may fail if the underlying
+ // host file is not setup correctly.
+ if _, err := run("789", "touch", "/proc/self/fd/0", "/proc/self/fd/1", "/proc/self/fd/2"); err != nil {
+ t.Fatalf("docker run failed: %v", err)
+ }
+}
+
+func TestStdiosChown(t *testing.T) {
+ if vfs2, err := dockerutil.UsingVFS2(); err != nil {
+ t.Fatalf("Failed to read config for runtime %s: %v", dockerutil.Runtime(), err)
+ } else if !vfs2 {
+ t.Skip("VFS1 doesn't adjust stdios user")
+ }
+
+ ctx := context.Background()
+ d := dockerutil.MakeContainer(ctx, t)
+ defer d.CleanUp(ctx)
+
+ opts := dockerutil.RunOpts{Image: "basic/alpine"}
+ if _, err := d.Run(ctx, opts, "chown", "123", "/proc/self/fd/0", "/proc/self/fd/1", "/proc/self/fd/2"); err != nil {
+ t.Fatalf("docker run failed: %v", err)
+ }
+}
+
func TestMain(m *testing.M) {
dockerutil.EnsureSupportedDockerVersion()
flag.Parse()