Add unit test for SetupLandlock

Signed-off-by: Kailun Qin <[email protected]>
opencontainers · Sep 3, 2021 · 14101a2 · 14101a2
1 parent 56fd371
commit 14101a2
Showing 1 changed file with 99 additions and 0 deletions.
diff --git a/libcontainer/specconv/spec_linux_test.go b/libcontainer/specconv/spec_linux_test.go
@@ -4,10 +4,12 @@ package specconv
 
 import (
  "os"
+ "reflect"
  "strings"
  "testing"
 
  dbus "github.com/godbus/dbus/v5"
+ ll "github.com/landlock-lsm/go-landlock/landlock"
  "github.com/opencontainers/runc/libcontainer/configs"
  "github.com/opencontainers/runc/libcontainer/configs/validate"
  "github.com/opencontainers/runc/libcontainer/devices"
@@ -141,6 +143,103 @@ func TestCreateHooks(t *testing.T) {
  }
 }
 
+func TestSetupLandlock(t *testing.T) {
+ conf := &specs.Landlock{
+ Ruleset: &specs.LandlockRuleset{
+ HandledAccessFS: []specs.LandlockFSAction{
+ specs.FSActExecute,
+ specs.FSActWriteFile,
+ specs.FSActReadFile,
+ specs.FSActReadDir,
+ specs.FSActRemoveDir,
+ specs.FSActRemoveFile,
+ specs.FSActMakeChar,
+ specs.FSActMakeDir,
+ specs.FSActMakeReg,
+ specs.FSActMakeSock,
+ specs.FSActMakeFifo,
+ specs.FSActMakeBlock,
+ specs.FSActMakeSym,
+ },
+ },
+ Rules: &specs.LandlockRules{
+ PathBeneath: []specs.LandlockRulePathBeneath{
+ {
+ AllowedAccess: []specs.LandlockFSAction{
+ specs.FSActExecute,
+ specs.FSActReadFile,
+ specs.FSActReadDir,
+ },
+ Paths: []string{
+ "/usr",
+ "/bin",
+ },
+ },
+ {
+ AllowedAccess: []specs.LandlockFSAction{
+ specs.FSActExecute,
+ specs.FSActWriteFile,
+ specs.FSActReadFile,
+ specs.FSActRemoveFile,
+ specs.FSActMakeChar,
+ specs.FSActMakeReg,
+ specs.FSActMakeSock,
+ specs.FSActMakeFifo,
+ specs.FSActMakeBlock,
+ specs.FSActMakeSym,
+ },
+ Paths: []string{
+ "/tmp",
+ },
+ },
+ },
+ },
+ DisableBestEffort: false,
+ }
+
+ landlock, err := SetupLandlock(conf)
+ if err != nil {
+ t.Errorf("Couldn't create Landlock config: %v", err)
+ }
+
+ // Execute | WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar |
+ // MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym
+ expectedRulesetAccess := ll.AccessFSSet(0x1FFF)
+ ruleset := landlock.Ruleset
+ if ruleset.HandledAccessFS != expectedRulesetAccess {
+ t.Errorf("Expected ruleset not found, expected %v, got: %v",
+ expectedRulesetAccess, ruleset.HandledAccessFS)
+ }
+
+ pathRules := landlock.Rules.PathBeneath
+
+ pathRulesLength := len(pathRules)
+ if pathRulesLength != 2 {
+ t.Errorf("Expected 2 path beneath rules, got :%d", pathRulesLength)
+ }
+
+ expectedPathRulesAccess := []configs.RulePathBeneath{
+ {
+ // Execute | ReadFile | ReadDir
+ AllowedAccess: 0xD,
+ Paths: []string{"/usr", "/bin"},
+ },
+ {
+ // Execute | WriteFile | ReadFile | RemoveFile | MakeChar | MakeReg | MakeSock | MakeFifo |
+ // MakeBlock | MakeSym
+ AllowedAccess: 0x1F67,
+ Paths: []string{"/tmp"},
+ },
+ }
+
+ for i, rule := range pathRules {
+ if !reflect.DeepEqual(*rule, expectedPathRulesAccess[i]) {
+ t.Errorf("Wrong rule conversion for the rule %d under test, expected %v, got: %v",
+ i, expectedPathRulesAccess[i], rule)
+ }
+ }
+}
+
 func TestSetupSeccomp(t *testing.T) {
  conf := &specs.LinuxSeccomp{
  DefaultAction: "SCMP_ACT_ERRNO",