tests: Add rego cri-integration tests for plan9 mount policy.
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl committed Feb 10, 2023
1 parent 2eda10d commit 487bc46
Showing 1 changed file with 72 additions and 1 deletion.
73 changes: 72 additions & 1 deletion test/cri-containerd/policy_test.go
Expand Up @@ -86,7 +86,7 @@ func alpineSecurityPolicy(t *testing.T, policyType string, allowEnvironmentVaria
}
}

containers := append(helpers.DefaultContainerConfigs(), alpineContainer)
containers := []securitypolicy.ContainerConfig{alpineContainer}
return policyFromOpts(
t,
policyType,
Expand Down Expand Up @@ -1333,3 +1333,74 @@ func Test_RunPodSandbox_Concurrently(t *testing.T) {
t.Fatalf("failed to run multiple pods concurrently: %s", err)
}
}

func Test_Plan9Mount_WithPolicy(t *testing.T) {
requireFeatures(t, featureLCOWIntegrity)

client := newTestRuntimeClient(t)
ctx, cancel := context.WithCancel(context.Background())
defer cancel()

p9MountConfigs := []securitypolicy.MountConfig{
{
HostPath: "plan9://",
ContainerPath: "/mounts/p9",
Readonly: false,
},
}

for _, allowed := range []bool{true, false} {
t.Run(fmt.Sprintf("Plan9Mount_Allowed_%t", allowed), func(t *testing.T) {
var opts []securitypolicy.ContainerConfigOpt
if allowed {
opts = append(opts, securitypolicy.WithMountConstraints(p9MountConfigs))
}
alpinePolicy := alpineSecurityPolicy(
t,
"rego",
false,
opts...,
)
sandboxRequest := sandboxRequestWithPolicy(t, alpinePolicy)
sandboxRequest.Config.Annotations[annotations.SecurityPolicyEnforcer] = "rego"

podID := runPodSandbox(t, client, ctx, sandboxRequest)
defer removePodSandbox(t, client, ctx, podID)
defer stopPodSandbox(t, client, ctx, podID)

containerRequest := getCreateContainerRequest(
podID,
"alpine-plan9",
imageLcowAlpine,
validPolicyAlpineCommand,
sandboxRequest.Config,
)
containerRequest.Config.Mounts = append(containerRequest.Config.Mounts, &runtime.Mount{
HostPath: t.TempDir(),
ContainerPath: "/mounts/p9",
Readonly: false,
})

containerID := createContainer(t, client, ctx, containerRequest)
defer removeContainer(t, client, ctx, containerID)

_, err := client.StartContainer(ctx, &runtime.StartContainerRequest{
ContainerId: containerID,
})
if err == nil {
defer stopContainer(t, client, ctx, containerID)
if !allowed {
t.Fatal("container start should have failed")
}
} else {
if allowed {
t.Fatalf("container creation should have succeeded: %s", err)
}
expectedErrStr := "invalid mount list: /mounts/p9"
if !strings.Contains(err.Error(), expectedErrStr) {
t.Fatalf("expected '%s' policy error, got: %s", expectedErrStr, err)
}
}
})
}
}
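Review bot: The denied subtest in Test_Plan9Mount_WithPolicy only exercises a policy with no plan9 mount constraint at all (the `!allowed` branch leaves `opts` empty), so an enforcer that accepted any plan9 mount once one is listed — ignoring ContainerPath or Readonly — would pass both cases unnoticed. Since the policy entry in `p9MountConfigs` and the request's `runtime.Mount` both spell out ContainerPath and Readonly, the `[]bool{true, false}` loop can become a small case table that also covers a container-path mismatch and a read-write request against a read-only policy entry, both expected to be rejected. I am assuming the enforcer's message interpolates the requested container path the way it does for `/mounts/p9` in `expectedErrStr`; confirm that before pinning the other expected strings. The allowed case would also be worth extending to check that the mount is actually visible inside the container, which a successful StartContainer alone does not establish.
```go
p9ReadonlyConfigs := []securitypolicy.MountConfig{{HostPath: "plan9://", ContainerPath: "/mounts/p9", Readonly: true}}

cases := []struct {
	name         string
	policyMounts []securitypolicy.MountConfig // nil: policy lists no plan9 mount
	reqPath      string
	reqReadonly  bool
	wantErr      string // "": start must succeed
}{
	{"Allowed", p9MountConfigs, "/mounts/p9", false, ""},
	{"Denied_NoConstraint", nil, "/mounts/p9", false, "invalid mount list: /mounts/p9"},
	{"Denied_PathMismatch", p9MountConfigs, "/mounts/other", false, "invalid mount list: /mounts/other"}, // TODO confirm message format
	{"Denied_ReadonlyMismatch", p9ReadonlyConfigs, "/mounts/p9", false, "invalid mount list: /mounts/p9"},
}
for _, tc := range cases {
	t.Run("Plan9Mount_"+tc.name, func(t *testing.T) {
		var opts []securitypolicy.ContainerConfigOpt
		if tc.policyMounts != nil {
			opts = append(opts, securitypolicy.WithMountConstraints(tc.policyMounts))
		}
		// … unchanged: alpineSecurityPolicy, sandbox request, runPodSandbox, getCreateContainerRequest …
		containerRequest.Config.Mounts = append(containerRequest.Config.Mounts, &runtime.Mount{
			HostPath:      t.TempDir(),
			ContainerPath: tc.reqPath,
			Readonly:      tc.reqReadonly,
		})
		// … unchanged: createContainer, StartContainer …
		if tc.wantErr == "" {
			if err != nil {
				t.Fatalf("container start should have succeeded: %s", err)
			}
			defer stopContainer(t, client, ctx, containerID)
			return
		}
		if err == nil {
			defer stopContainer(t, client, ctx, containerID)
			t.Fatal("container start should have failed")
		}
		if !strings.Contains(err.Error(), tc.wantErr) {
			t.Fatalf("expected %q policy error, got: %s", tc.wantErr, err)
		}
	})
}
```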
