Merge pull request #4246 from sohankunkerkar/runc-fips

libcontainer: force apps to think fips is enabled/disabled for testing
opencontainers · Apr 12, 2024 · d0f803e · d0f803e
2 parents f2bd184 + cde1d09
commit d0f803e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -783,6 +783,7 @@ func checkProcMount(rootfs, dest string, m mountEntry) error {
  "/proc/slabinfo",
  "/proc/net/dev",
  "/proc/sys/kernel/ns_last_pid",
+ "/proc/sys/crypto/fips_enabled",
  }
  for _, valid := range validProcMounts {
  path, err := filepath.Rel(filepath.Join(rootfs, valid), dest)

diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
@@ -134,6 +134,21 @@ func TestCheckMountDestNsLastPid(t *testing.T) {
  }
 }
 
+func TestCheckCryptoFipsEnabled(t *testing.T) {
+ m := mountEntry{
+ Mount: &configs.Mount{
+ Destination: "/proc/sys/crypto/fips_enabled",
+ Source: "tmpfs",
+ Device: "tmpfs",
+ },
+ }
+ dest := "/rootfs/proc/sys/crypto/fips_enabled"
+ err := checkProcMount("/rootfs", dest, m)
+ if err != nil {
+ t.Fatalf("/proc/sys/crypto/fips_enabled should not return an error: %v", err)
+ }
+}
+
 func TestNeedsSetupDev(t *testing.T) {
  config := &configs.Config{
  Mounts: []*configs.Mount{