Merge pull request #3206 from kinvolk/rata/notify

Add tests for seccomp agent example
2025-09-26 19:41:35 +08:00 · 2021-09-13 16:10:36 -07:00
parent cd7df39ac5 af641cd587
commit bcadc5bf3e
4 changed files with 65 additions and 203 deletions
--- a/contrib/cmd/seccompagent/README.md
+++ b/contrib/cmd/seccompagent/README.md
@@ -28,10 +28,9 @@ mkdir rootfs
 docker export $(docker create busybox) | tar -C rootfs -xvf -
 ```

-Copy the example `config.json` file from the directory where this README.md is
-to the container directory you prepared earlier (`container-seccomp-notify`).
-This is a config.json as generated by `runc spec` at time of writing, with only
-the `args` and `seccomp` sections modified.
+Then, generate a config.json by running the script gen-seccomp-example-cfg.sh
+from the directory where this README.md is in the container directory you
+prepared earlier (`container-seccomp-notify`).

 Then start the container:
 ```bash
@@ -45,10 +44,19 @@ The container will output something like this:
 + touch test-file
 + chmod 777 test-file
 chmod: changing permissions of 'test-file': No medium found
+ stat /dev/shm/test-dir-foo
+  File: /dev/shm/test-dir-foo
+  Size: 40        	Blocks: 0          IO Block: 4096   directory
+Device: 3eh/62d	Inode: 2           Links: 2
+Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
+Access: 2021-09-09 15:03:13.043716040 +0000
+Modify: 2021-09-09 15:03:13.043716040 +0000
+Change: 2021-09-09 15:03:13.043716040 +0000
+ Birth: -
 + ls -l /dev/shm
 total 0
-drwxr-xr-x 2 root root 40 Jul 21 14:09 test-dir-foo
-rw-r--r-- 1 root root  0 Jul 21 14:09 test-file
+drwxr-xr-x 2 root root 40 Sep  9 15:03 test-dir-foo
+-rw-r--r-- 1 root root  0 Sep  9 15:03 test-file
 + echo Note the agent added a suffix for the directory name and chmod fails
 Note the agent added a suffix for the directory name and chmod fails
 ```
--- a/contrib/cmd/seccompagent/config.json
+++ b/contrib/cmd/seccompagent/config.json
@@ -1,197 +0,0 @@
-{
-	"ociVersion": "1.0.2-dev",
-	"process": {
-		"terminal": true,
-		"user": {
-			"uid": 0,
-			"gid": 0
-		},
-		"args": [
-			"sh",
-			"-c",
-			"set -x; cd /dev/shm; mkdir test-dir; touch test-file; chmod 777 test-file; ls -l /dev/shm; echo \"Note the agent added a suffix for the directory name and chmod fails\" "
-		],
-		"env": [
-			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-			"TERM=xterm"
-		],
-		"cwd": "/",
-		"capabilities": {
-			"bounding": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE"
-			],
-			"effective": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE"
-			],
-			"inheritable": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE"
-			],
-			"permitted": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE"
-			],
-			"ambient": [
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE"
-			]
-		},
-		"rlimits": [
-			{
-				"type": "RLIMIT_NOFILE",
-				"hard": 1024,
-				"soft": 1024
-			}
-		],
-		"noNewPrivileges": true
-	},
-	"root": {
-		"path": "rootfs",
-		"readonly": true
-	},
-	"hostname": "runc",
-	"mounts": [
-		{
-			"destination": "/proc",
-			"type": "proc",
-			"source": "proc"
-		},
-		{
-			"destination": "/dev",
-			"type": "tmpfs",
-			"source": "tmpfs",
-			"options": [
-				"nosuid",
-				"strictatime",
-				"mode=755",
-				"size=65536k"
-			]
-		},
-		{
-			"destination": "/dev/pts",
-			"type": "devpts",
-			"source": "devpts",
-			"options": [
-				"nosuid",
-				"noexec",
-				"newinstance",
-				"ptmxmode=0666",
-				"mode=0620",
-				"gid=5"
-			]
-		},
-		{
-			"destination": "/dev/shm",
-			"type": "tmpfs",
-			"source": "shm",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev",
-				"mode=1777",
-				"size=65536k"
-			]
-		},
-		{
-			"destination": "/dev/mqueue",
-			"type": "mqueue",
-			"source": "mqueue",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev"
-			]
-		},
-		{
-			"destination": "/sys",
-			"type": "sysfs",
-			"source": "sysfs",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev",
-				"ro"
-			]
-		},
-		{
-			"destination": "/sys/fs/cgroup",
-			"type": "cgroup",
-			"source": "cgroup",
-			"options": [
-				"nosuid",
-				"noexec",
-				"nodev",
-				"relatime",
-				"ro"
-			]
-		}
-	],
-	"linux": {
-		"seccomp": {
-			"defaultAction": "SCMP_ACT_ALLOW",
-			"listenerPath": "/run/seccomp-agent.socket",
-			"listenerMetadata": "foo",
-			"architectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ],
-			"syscalls": [
-				{
-					"names": [ "chmod", "fchmod", "fchmodat", "mkdir" ],
-					"action": "SCMP_ACT_NOTIFY"
-				}
-			]
-		},
-		"resources": {
-			"devices": [
-				{
-					"allow": false,
-					"access": "rwm"
-				}
-			]
-		},
-		"namespaces": [
-			{
-				"type": "pid"
-			},
-			{
-				"type": "network"
-			},
-			{
-				"type": "ipc"
-			},
-			{
-				"type": "uts"
-			},
-			{
-				"type": "mount"
-			},
-			{
-				"type": "cgroup"
-			}
-		],
-		"maskedPaths": [
-			"/proc/acpi",
-			"/proc/asound",
-			"/proc/kcore",
-			"/proc/keys",
-			"/proc/latency_stats",
-			"/proc/timer_list",
-			"/proc/timer_stats",
-			"/proc/sched_debug",
-			"/sys/firmware",
-			"/proc/scsi"
-		],
-		"readonlyPaths": [
-			"/proc/bus",
-			"/proc/fs",
-			"/proc/irq",
-			"/proc/sys",
-			"/proc/sysrq-trigger"
-		]
-	}
-}
--- a/contrib/cmd/seccompagent/gen-seccomp-example-cfg.sh
+++ b/contrib/cmd/seccompagent/gen-seccomp-example-cfg.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Detect if we are running inside bats (i.e. inside integration tests) or just
+# called by an end-user
+# bats-core v1.2.1 defines BATS_RUN_TMPDIR
+if [ -z "$BATS_RUN_TMPDIR" ]; then
+	# When not running in bats, we create the config.json
+	set -e
+	runc spec
+fi
+
+# We can't source $(dirname $0)/../../../tests/integration/helpers.bash as that
+# exits when not running inside bats. We can do hacks, but just to redefine
+# update_config() seems clearer. We don't even really need to keep them in sync.
+function update_config() {
+        jq "$1" "./config.json" | awk 'BEGIN{RS="";getline<"-";print>ARGV[1]}' "./config.json"
+}
+
+update_config '.linux.seccomp = {
+                        "defaultAction": "SCMP_ACT_ALLOW",
+                        "listenerPath": "/run/seccomp-agent.socket",
+                        "listenerMetadata": "foo",
+                        "architectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_X86_64" ],
+                        "syscalls": [
+                                {
+                                        "names": [ "chmod", "fchmod", "fchmodat", "mkdir" ],
+                                        "action": "SCMP_ACT_NOTIFY"
+                                }
+			]
+		}'
+
+update_config '.process.args = [
+				"sh",
+				"-c",
+				"set -x; cd /dev/shm; mkdir test-dir; touch test-file; chmod 777 test-file; stat /dev/shm/test-dir-foo && ls -l /dev/shm && echo \"Note the agent added a suffix for the directory name and chmod fails\" "
+				]'
--- a/tests/integration/seccomp-notify.bats
+++ b/tests/integration/seccomp-notify.bats
@@ -198,3 +198,19 @@ function scmp_act_notify_template() {
 	runc run test_busybox
 	[ "$status" -eq 0 ]
 }
+
+# Check that example config in the seccomp agent dir works.
+@test "runc run [seccomp] (SCMP_ACT_NOTIFY example config)" {
+	# Run the script used in the seccomp agent example.
+	# This takes a bare config.json and modifies it to run an example.
+	"${INTEGRATION_ROOT}/../../contrib/cmd/seccompagent/gen-seccomp-example-cfg.sh"
+
+	# The listenerPath the previous command uses is the default used by the
+	# seccomp agent. However, inside bats the socket is in a bats tmp dir.
+	update_config '.linux.seccomp.listenerPath = "'"$SECCCOMP_AGENT_SOCKET"'"'
+
+	runc run test_busybox
+
+	[ "$status" -eq 0 ]
+	[[ "$output" == *"chmod:"*"test-file"*"No medium found"* ]]
+}