From 3e4fa1e2022970dee003bea0932ea0c10f8744ba Mon Sep 17 00:00:00 2001 From: Andrei Zeliankou Date: Thu, 25 May 2023 14:26:12 +0100 Subject: Tests: removed unused variables. --- test/test_go_isolation.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/test_go_isolation.py') diff --git a/test/test_go_isolation.py b/test/test_go_isolation.py index f063f987..2f631692 100644 --- a/test/test_go_isolation.py +++ b/test/test_go_isolation.py @@ -12,7 +12,7 @@ class TestGoIsolation(TestApplicationGo): prerequisites = {'modules': {'go': 'any'}, 'features': ['isolation']} @pytest.fixture(autouse=True) - def setup_method_fixture(self, request, skip_alert): + def setup_method_fixture(self, skip_alert): skip_alert(r'\[unit\] close\(\d+\) failed: Bad file descriptor') def unpriv_creds(self): -- cgit From b034bf67034c4f0e966ebd207ba2f407f6f15fa8 Mon Sep 17 00:00:00 2001 From: Andrei Zeliankou Date: Thu, 25 May 2023 16:56:14 +0100 Subject: Tests: assertion related fixes. --- test/test_go_isolation.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'test/test_go_isolation.py') diff --git a/test/test_go_isolation.py b/test/test_go_isolation.py index 2f631692..8216a6fe 100644 --- a/test/test_go_isolation.py +++ b/test/test_go_isolation.py @@ -289,10 +289,10 @@ class TestGoIsolation(TestApplicationGo): obj = self.getjson(url='/?file=/go/app')['body'] - assert obj['FileExists'] == True, 'app relative to rootfs' + assert obj['FileExists'], 'app relative to rootfs' obj = self.getjson(url='/?file=/bin/sh')['body'] - assert obj['FileExists'] == False, 'file should not exists' + assert not obj['FileExists'], 'file should not exists' def test_go_isolation_rootfs_container_priv(self, is_su, temp_dir): if not is_su: 
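Review bot: The loosened negative check `assert not obj['FileExists'], 'file should not exists'` now passes for any falsy JSON value — `null`, `0`, an empty string — not only `false`, so if the ns_inspect app ever left the field unset the rootfs test would report `/bin/sh` as hidden when nothing was actually verified. Since this assertion is the one that proves the rootfs confinement, pin the type instead of dropping it: `assert obj['FileExists'] is True, 'app relative to rootfs'` and `assert obj['FileExists'] is False, 'file should not exist'`, which satisfies the `== True` lint the commit is addressing and fixes the "should not exists" wording. The `@@ -310` hunk in this commit has the same two assertions and should get the same treatment. The enclosing `test_go_isolation_rootfs_container` begins before this hunk.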
@@ -310,10 +310,10 @@ class TestGoIsolation(TestApplicationGo): obj = self.getjson(url='/?file=/go/app')['body'] - assert obj['FileExists'] == True, 'app relative to rootfs' + assert obj['FileExists'], 'app relative to rootfs' obj = self.getjson(url='/?file=/bin/sh')['body'] - assert obj['FileExists'] == False, 'file should not exists' + assert not obj['FileExists'], 'file should not exists' def test_go_isolation_rootfs_automount_tmpfs(self, is_su, temp_dir): try: -- cgit From ce2405ec3dd97e8bdf8f63312e3c6ce59ef562d4 Mon Sep 17 00:00:00 2001 From: Andrei Zeliankou Date: Mon, 12 Jun 2023 14:16:59 +0100 Subject: Tests: prerequisites checking reworked. Prerequisites check moved to the module level to simplify class structure. Discovery and prerequisites checks functions moved to the separate files. Introduced "require" fixture to provide per-test requirements check. --- test/test_go_isolation.py | 121 +++++++++++++++++++++++----------------------- 1 file changed, 60 insertions(+), 61 deletions(-) (limited to 'test/test_go_isolation.py') diff --git a/test/test_go_isolation.py b/test/test_go_isolation.py index 8216a6fe..ba997fd3 100644 --- a/test/test_go_isolation.py +++ b/test/test_go_isolation.py @@ -7,10 +7,10 @@ from unit.applications.lang.go import TestApplicationGo from unit.option import option from unit.utils import getns +prerequisites = {'modules': {'go': 'any'}, 'features': {'isolation': True}} -class TestGoIsolation(TestApplicationGo): - prerequisites = {'modules': {'go': 'any'}, 'features': ['isolation']} +class TestGoIsolation(TestApplicationGo): @pytest.fixture(autouse=True) def setup_method_fixture(self, skip_alert): skip_alert(r'\[unit\] close\(\d+\) failed: Bad file descriptor') @@ -27,9 +27,6 @@ class TestGoIsolation(TestApplicationGo): return (nobody_uid, nogroup_gid, nogroup) - def isolation_key(self, key): - return key in option.available['features']['isolation'].keys() - def test_isolation_values(self): self.load('ns_inspect') 
@@ -39,12 +36,13 @@ class TestGoIsolation(TestApplicationGo): if ns.upper() in obj['NS']: assert obj['NS'][ns.upper()] == ns_value, f'{ns} match' - def test_isolation_unpriv_user(self, is_su): - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') - - if is_su: - pytest.skip('privileged tests, skip this') + def test_isolation_unpriv_user(self, require): + require( + { + 'privileged_user': False, + 'features': {'isolation': ['unprivileged_userns_clone']}, + } + ) self.load('ns_inspect') obj = self.getjson()['body'] @@ -101,9 +99,8 @@ class TestGoIsolation(TestApplicationGo): assert obj['UID'] == 0, 'uid match uidmap' assert obj['GID'] == 0, 'gid match gidmap' - def test_isolation_priv_user(self, is_su): - if not is_su: - pytest.skip('unprivileged tests, skip this') + def test_isolation_priv_user(self, require): + require({'privileged_user': True}) self.load('ns_inspect') @@ -176,12 +173,12 @@ class TestGoIsolation(TestApplicationGo): assert obj['UID'] == nobody_uid, 'uid match uidmap user=nobody' assert obj['GID'] == nogroup_gid, 'gid match uidmap user=nobody' - def test_isolation_mnt(self): - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') - - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') + def test_isolation_mnt(self, require): + require( + { + 'features': {'isolation': ['unprivileged_userns_clone', 'mnt']}, + } + ) self.load( 'ns_inspect', 
@@ -205,19 +202,21 @@ class TestGoIsolation(TestApplicationGo): assert obj['NS']['MNT'] != getns('mnt'), 'mnt set' assert obj['NS']['USER'] != getns('user'), 'user set' - def test_isolation_pid(self, is_su): - if not self.isolation_key('pid'): - pytest.skip('pid namespace is not supported') + def test_isolation_pid(self, is_su, require): + require({'features': {'isolation': ['pid']}}) if not is_su: - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') - - if not self.isolation_key('user'): - pytest.skip('user namespace is not supported') - - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') + require( + { + 'features': { + 'isolation': [ + 'unprivileged_userns_clone', + 'user', + 'mnt', + ] + } + } + ) isolation = {'namespaces': {'pid': True}} @@ -262,19 +261,20 @@ class TestGoIsolation(TestApplicationGo): == option.available['features']['isolation'][ns] ), f'{ns} match' - def test_go_isolation_rootfs_container(self, is_su, temp_dir): + def test_go_isolation_rootfs_container(self, is_su, require, temp_dir): if not is_su: - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') - - if not self.isolation_key('user'): - pytest.skip('user namespace is not supported') - - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') - - if not self.isolation_key('pid'): - pytest.skip('pid namespace is not supported') + require( + { + 'features': { + 'isolation': [ + 'unprivileged_userns_clone', + 'user', + 'mnt', + 'pid', + ] + } + } + ) isolation = {'rootfs': temp_dir} 
@@ -294,12 +294,8 @@ class TestGoIsolation(TestApplicationGo): obj = self.getjson(url='/?file=/bin/sh')['body'] assert not obj['FileExists'], 'file should not exists' - def test_go_isolation_rootfs_container_priv(self, is_su, temp_dir): - if not is_su: - pytest.skip('requires root') - - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') + def test_go_isolation_rootfs_container_priv(self, require, temp_dir): + require({'privileged_user': True, 'features': {'isolation': ['mnt']}}) isolation = { 'namespaces': {'mount': True}, @@ -315,24 +311,27 @@ class TestGoIsolation(TestApplicationGo): obj = self.getjson(url='/?file=/bin/sh')['body'] assert not obj['FileExists'], 'file should not exists' - def test_go_isolation_rootfs_automount_tmpfs(self, is_su, temp_dir): + def test_go_isolation_rootfs_automount_tmpfs( + self, is_su, require, temp_dir + ): try: open("/proc/self/mountinfo") except: pytest.skip('The system lacks /proc/self/mountinfo file') if not is_su: - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') - - if not self.isolation_key('user'): - pytest.skip('user namespace is not supported') - - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') - - if not self.isolation_key('pid'): - pytest.skip('pid namespace is not supported') + require( + { + 'features': { + 'isolation': [ + 'unprivileged_userns_clone', + 'user', + 'mnt', + 'pid', + ] + } + } + ) isolation = {'rootfs': temp_dir} -- cgit From c6d05191a069ac150cc8eb2bece75cf79c0a465a Mon Sep 17 00:00:00 2001 From: Andrei Zeliankou Date: Mon, 12 Jun 2023 17:28:42 +0100 Subject: Tests: removed alert skip, unnecessary after 1a48ea61fec8. --- test/test_go_isolation.py | 4 ---- 1 file changed, 4 deletions(-) (limited to 'test/test_go_isolation.py') diff --git a/test/test_go_isolation.py b/test/test_go_isolation.py index ba997fd3..8d3a9025 100644 --- a/test/test_go_isolation.py 
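Review bot: The `/proc/self/mountinfo` probe at the top of `test_go_isolation_rootfs_automount_tmpfs` opens the file without ever closing the handle and guards it with a bare `except:`, which also swallows `KeyboardInterrupt`/`SystemExit` and turns them into a skip; the commit rewrites this function's signature and skip logic but leaves that probe untouched. Change `open("/proc/self/mountinfo")` to `open("/proc/self/mountinfo").close()` and `except:` to `except OSError:` so the skip still covers a missing or unreadable file while the handle is released and unrelated exceptions propagate. The function's body continues past the end of this hunk.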
+++ b/test/test_go_isolation.py @@ -11,10 +11,6 @@ prerequisites = {'modules': {'go': 'any'}, 'features': {'isolation': True}} class TestGoIsolation(TestApplicationGo): - @pytest.fixture(autouse=True) - def setup_method_fixture(self, skip_alert): - skip_alert(r'\[unit\] close\(\d+\) failed: Bad file descriptor') - def unpriv_creds(self): nobody_uid = pwd.getpwnam('nobody').pw_uid -- cgit From c183bd8749a19477390f8cb77efe5f6d223f0905 Mon Sep 17 00:00:00 2001 From: Andrei Zeliankou Date: Wed, 14 Jun 2023 18:20:09 +0100 Subject: Tests: get rid of classes in test files. Class usage came from the unittest framework and it was always redundant after migration to the pytest. This commit removes classes from files containing tests to make them more readable and understandable. --- test/test_go_isolation.py | 566 +++++++++++++++++++++++----------------------- 1 file changed, 287 insertions(+), 279 deletions(-) (limited to 'test/test_go_isolation.py') diff --git a/test/test_go_isolation.py b/test/test_go_isolation.py index 8d3a9025..ba3390ea 100644 --- a/test/test_go_isolation.py +++ b/test/test_go_isolation.py 
@@ -3,357 +3,365 @@ import os import pwd import pytest -from unit.applications.lang.go import TestApplicationGo +from unit.applications.lang.go import ApplicationGo from unit.option import option from unit.utils import getns prerequisites = {'modules': {'go': 'any'}, 'features': {'isolation': True}} +client = ApplicationGo() -class TestGoIsolation(TestApplicationGo): - def unpriv_creds(self): - nobody_uid = pwd.getpwnam('nobody').pw_uid - try: - nogroup_gid = grp.getgrnam('nogroup').gr_gid - nogroup = 'nogroup' - except KeyError: - nogroup_gid = grp.getgrnam('nobody').gr_gid - nogroup = 'nobody' +def unpriv_creds(): + nobody_uid = pwd.getpwnam('nobody').pw_uid - return (nobody_uid, nogroup_gid, nogroup) + try: + nogroup_gid = grp.getgrnam('nogroup').gr_gid + nogroup = 'nogroup' + except KeyError: + nogroup_gid = grp.getgrnam('nobody').gr_gid + nogroup = 'nobody' - def test_isolation_values(self): - self.load('ns_inspect') + return (nobody_uid, nogroup_gid, nogroup) - obj = self.getjson()['body'] - for ns, ns_value in option.available['features']['isolation'].items(): - if ns.upper() in obj['NS']: - assert obj['NS'][ns.upper()] == ns_value, f'{ns} match' +def test_isolation_values(): + client.load('ns_inspect') - def test_isolation_unpriv_user(self, require): - require( - { - 'privileged_user': False, - 'features': {'isolation': ['unprivileged_userns_clone']}, - } - ) + obj = client.getjson()['body'] - self.load('ns_inspect') - obj = self.getjson()['body'] + for ns, ns_value in option.available['features']['isolation'].items(): + if ns.upper() in obj['NS']: + assert obj['NS'][ns.upper()] == ns_value, f'{ns} match' - assert obj['UID'] == os.geteuid(), 'uid match' - assert obj['GID'] == os.getegid(), 'gid match' - self.load('ns_inspect', isolation={'namespaces': {'credential': True}}) +def test_isolation_unpriv_user(require): + require( + { + 'privileged_user': False, + 'features': {'isolation': ['unprivileged_userns_clone']}, + } + ) - obj = self.getjson()['body'] + 
client.load('ns_inspect') + obj = client.getjson()['body'] - nobody_uid, nogroup_gid, nogroup = self.unpriv_creds() + assert obj['UID'] == os.geteuid(), 'uid match' + assert obj['GID'] == os.getegid(), 'gid match' - # unprivileged unit map itself to nobody in the container by default - assert obj['UID'] == nobody_uid, 'uid of nobody' - assert obj['GID'] == nogroup_gid, f'gid of {nogroup}' + client.load('ns_inspect', isolation={'namespaces': {'credential': True}}) - self.load( - 'ns_inspect', - user='root', - isolation={'namespaces': {'credential': True}}, - ) + obj = client.getjson()['body'] - obj = self.getjson()['body'] + nobody_uid, nogroup_gid, nogroup = unpriv_creds() - assert obj['UID'] == 0, 'uid match user=root' - assert obj['GID'] == 0, 'gid match user=root' + # unprivileged unit map itself to nobody in the container by default + assert obj['UID'] == nobody_uid, 'uid of nobody' + assert obj['GID'] == nogroup_gid, f'gid of {nogroup}' - self.load( - 'ns_inspect', - user='root', - group=nogroup, - isolation={'namespaces': {'credential': True}}, - ) + client.load( + 'ns_inspect', + user='root', + isolation={'namespaces': {'credential': True}}, + ) - obj = self.getjson()['body'] + obj = client.getjson()['body'] - assert obj['UID'] == 0, 'uid match user=root group=nogroup' - assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup' + assert obj['UID'] == 0, 'uid match user=root' + assert obj['GID'] == 0, 'gid match user=root' - self.load( - 'ns_inspect', - user='root', - group='root', - isolation={ - 'namespaces': {'credential': True}, - 'uidmap': [{'container': 0, 'host': os.geteuid(), 'size': 1}], - 'gidmap': [{'container': 0, 'host': os.getegid(), 'size': 1}], - }, - ) + client.load( + 'ns_inspect', + user='root', + group=nogroup, + isolation={'namespaces': {'credential': True}}, + ) - obj = self.getjson()['body'] + obj = client.getjson()['body'] - assert obj['UID'] == 0, 'uid match uidmap' - assert obj['GID'] == 0, 'gid match gidmap' + assert 
obj['UID'] == 0, 'uid match user=root group=nogroup' + assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup' - def test_isolation_priv_user(self, require): - require({'privileged_user': True}) + client.load( + 'ns_inspect', + user='root', + group='root', + isolation={ + 'namespaces': {'credential': True}, + 'uidmap': [{'container': 0, 'host': os.geteuid(), 'size': 1}], + 'gidmap': [{'container': 0, 'host': os.getegid(), 'size': 1}], + }, + ) - self.load('ns_inspect') + obj = client.getjson()['body'] - nobody_uid, nogroup_gid, nogroup = self.unpriv_creds() + assert obj['UID'] == 0, 'uid match uidmap' + assert obj['GID'] == 0, 'gid match gidmap' - obj = self.getjson()['body'] - assert obj['UID'] == nobody_uid, 'uid match' - assert obj['GID'] == nogroup_gid, 'gid match' +def test_isolation_priv_user(require): + require({'privileged_user': True}) - self.load('ns_inspect', isolation={'namespaces': {'credential': True}}) + client.load('ns_inspect') - obj = self.getjson()['body'] + nobody_uid, nogroup_gid, nogroup = unpriv_creds() - # privileged unit map app creds in the container by default - assert obj['UID'] == nobody_uid, 'uid nobody' - assert obj['GID'] == nogroup_gid, 'gid nobody' + obj = client.getjson()['body'] - self.load( - 'ns_inspect', - user='root', - isolation={'namespaces': {'credential': True}}, - ) + assert obj['UID'] == nobody_uid, 'uid match' + assert obj['GID'] == nogroup_gid, 'gid match' - obj = self.getjson()['body'] + client.load('ns_inspect', isolation={'namespaces': {'credential': True}}) - assert obj['UID'] == 0, 'uid nobody user=root' - assert obj['GID'] == 0, 'gid nobody user=root' + obj = client.getjson()['body'] - self.load( - 'ns_inspect', - user='root', - group=nogroup, - isolation={'namespaces': {'credential': True}}, - ) + # privileged unit map app creds in the container by default + assert obj['UID'] == nobody_uid, 'uid nobody' + assert obj['GID'] == nogroup_gid, 'gid nobody' - obj = self.getjson()['body'] + client.load( 
+ 'ns_inspect', + user='root', + isolation={'namespaces': {'credential': True}}, + ) - assert obj['UID'] == 0, 'uid match user=root group=nogroup' - assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup' + obj = client.getjson()['body'] - self.load( - 'ns_inspect', - user='root', - group='root', - isolation={ - 'namespaces': {'credential': True}, - 'uidmap': [{'container': 0, 'host': 0, 'size': 1}], - 'gidmap': [{'container': 0, 'host': 0, 'size': 1}], - }, - ) + assert obj['UID'] == 0, 'uid nobody user=root' + assert obj['GID'] == 0, 'gid nobody user=root' - obj = self.getjson()['body'] + client.load( + 'ns_inspect', + user='root', + group=nogroup, + isolation={'namespaces': {'credential': True}}, + ) - assert obj['UID'] == 0, 'uid match uidmap user=root' - assert obj['GID'] == 0, 'gid match gidmap user=root' + obj = client.getjson()['body'] - # map 65535 uids - self.load( - 'ns_inspect', - user='nobody', - isolation={ - 'namespaces': {'credential': True}, - 'uidmap': [{'container': 0, 'host': 0, 'size': nobody_uid + 1}], - }, - ) + assert obj['UID'] == 0, 'uid match user=root group=nogroup' + assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup' + + client.load( + 'ns_inspect', + user='root', + group='root', + isolation={ + 'namespaces': {'credential': True}, + 'uidmap': [{'container': 0, 'host': 0, 'size': 1}], + 'gidmap': [{'container': 0, 'host': 0, 'size': 1}], + }, + ) + + obj = client.getjson()['body'] + + assert obj['UID'] == 0, 'uid match uidmap user=root' + assert obj['GID'] == 0, 'gid match gidmap user=root' + + # map 65535 uids + client.load( + 'ns_inspect', + user='nobody', + isolation={ + 'namespaces': {'credential': True}, + 'uidmap': [{'container': 0, 'host': 0, 'size': nobody_uid + 1}], + }, + ) - obj = self.getjson()['body'] + obj = client.getjson()['body'] - assert obj['UID'] == nobody_uid, 'uid match uidmap user=nobody' - assert obj['GID'] == nogroup_gid, 'gid match uidmap user=nobody' + assert obj['UID'] == 
nobody_uid, 'uid match uidmap user=nobody' + assert obj['GID'] == nogroup_gid, 'gid match uidmap user=nobody' - def test_isolation_mnt(self, require): + +def test_isolation_mnt(require): + require( + { + 'features': {'isolation': ['unprivileged_userns_clone', 'mnt']}, + } + ) + + client.load( + 'ns_inspect', + isolation={'namespaces': {'mount': True, 'credential': True}}, + ) + + obj = client.getjson()['body'] + + # all but user and mnt + allns = list(option.available['features']['isolation'].keys()) + allns.remove('user') + allns.remove('mnt') + + for ns in allns: + if ns.upper() in obj['NS']: + assert ( + obj['NS'][ns.upper()] + == option.available['features']['isolation'][ns] + ), f'{ns} match' + + assert obj['NS']['MNT'] != getns('mnt'), 'mnt set' + assert obj['NS']['USER'] != getns('user'), 'user set' + + +def test_isolation_pid(is_su, require): + require({'features': {'isolation': ['pid']}}) + + if not is_su: require( { - 'features': {'isolation': ['unprivileged_userns_clone', 'mnt']}, + 'features': { + 'isolation': [ + 'unprivileged_userns_clone', + 'user', + 'mnt', + ] + } } ) - self.load( - 'ns_inspect', - isolation={'namespaces': {'mount': True, 'credential': True}}, - ) + isolation = {'namespaces': {'pid': True}} - obj = self.getjson()['body'] - - # all but user and mnt - allns = list(option.available['features']['isolation'].keys()) - allns.remove('user') - allns.remove('mnt') - - for ns in allns: - if ns.upper() in obj['NS']: - assert ( - obj['NS'][ns.upper()] - == option.available['features']['isolation'][ns] - ), f'{ns} match' - - assert obj['NS']['MNT'] != getns('mnt'), 'mnt set' - assert obj['NS']['USER'] != getns('user'), 'user set' - - def test_isolation_pid(self, is_su, require): - require({'features': {'isolation': ['pid']}}) - - if not is_su: - require( - { - 'features': { - 'isolation': [ - 'unprivileged_userns_clone', - 'user', - 'mnt', - ] - } - } - ) - - isolation = {'namespaces': {'pid': True}} - - if not is_su: - 
isolation['namespaces']['mount'] = True - isolation['namespaces']['credential'] = True - - self.load('ns_inspect', isolation=isolation) - - obj = self.getjson()['body'] - - assert obj['PID'] == 2, 'pid of container is 2' - - def test_isolation_namespace_false(self): - self.load('ns_inspect') - allns = list(option.available['features']['isolation'].keys()) - - remove_list = ['unprivileged_userns_clone', 'ipc', 'cgroup'] - allns = [ns for ns in allns if ns not in remove_list] - - namespaces = {} - for ns in allns: - if ns == 'user': - namespaces['credential'] = False - elif ns == 'mnt': - namespaces['mount'] = False - elif ns == 'net': - namespaces['network'] = False - elif ns == 'uts': - namespaces['uname'] = False - else: - namespaces[ns] = False - - self.load('ns_inspect', isolation={'namespaces': namespaces}) - - obj = self.getjson()['body'] - - for ns in allns: - if ns.upper() in obj['NS']: - assert ( - obj['NS'][ns.upper()] - == option.available['features']['isolation'][ns] - ), f'{ns} match' - - def test_go_isolation_rootfs_container(self, is_su, require, temp_dir): - if not is_su: - require( - { - 'features': { - 'isolation': [ - 'unprivileged_userns_clone', - 'user', - 'mnt', - 'pid', - ] - } - } - ) + if not is_su: + isolation['namespaces']['mount'] = True + isolation['namespaces']['credential'] = True - isolation = {'rootfs': temp_dir} + client.load('ns_inspect', isolation=isolation) - if not is_su: - isolation['namespaces'] = { - 'mount': True, - 'credential': True, - 'pid': True, - } + obj = client.getjson()['body'] - self.load('ns_inspect', isolation=isolation) + assert obj['PID'] == 2, 'pid of container is 2' - obj = self.getjson(url='/?file=/go/app')['body'] - assert obj['FileExists'], 'app relative to rootfs' +def test_isolation_namespace_false(): + client.load('ns_inspect') + allns = list(option.available['features']['isolation'].keys()) - obj = self.getjson(url='/?file=/bin/sh')['body'] - assert not obj['FileExists'], 'file should not exists' + 
remove_list = ['unprivileged_userns_clone', 'ipc', 'cgroup'] + allns = [ns for ns in allns if ns not in remove_list] - def test_go_isolation_rootfs_container_priv(self, require, temp_dir): - require({'privileged_user': True, 'features': {'isolation': ['mnt']}}) + namespaces = {} + for ns in allns: + if ns == 'user': + namespaces['credential'] = False + elif ns == 'mnt': + namespaces['mount'] = False + elif ns == 'net': + namespaces['network'] = False + elif ns == 'uts': + namespaces['uname'] = False + else: + namespaces[ns] = False + + client.load('ns_inspect', isolation={'namespaces': namespaces}) + + obj = client.getjson()['body'] + + for ns in allns: + if ns.upper() in obj['NS']: + assert ( + obj['NS'][ns.upper()] + == option.available['features']['isolation'][ns] + ), f'{ns} match' - isolation = { - 'namespaces': {'mount': True}, - 'rootfs': temp_dir, - } - self.load('ns_inspect', isolation=isolation) - - obj = self.getjson(url='/?file=/go/app')['body'] - - assert obj['FileExists'], 'app relative to rootfs' - - obj = self.getjson(url='/?file=/bin/sh')['body'] - assert not obj['FileExists'], 'file should not exists' - - def test_go_isolation_rootfs_automount_tmpfs( - self, is_su, require, temp_dir - ): - try: - open("/proc/self/mountinfo") - except: - pytest.skip('The system lacks /proc/self/mountinfo file') - - if not is_su: - require( - { - 'features': { - 'isolation': [ - 'unprivileged_userns_clone', - 'user', - 'mnt', - 'pid', - ] - } +def test_go_isolation_rootfs_container(is_su, require, temp_dir): + if not is_su: + require( + { + 'features': { + 'isolation': [ + 'unprivileged_userns_clone', + 'user', + 'mnt', + 'pid', + ] } - ) + } + ) + + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True, + } + + client.load('ns_inspect', isolation=isolation) + + obj = client.getjson(url='/?file=/go/app')['body'] + + assert obj['FileExists'], 'app relative to rootfs' + + obj = 
client.getjson(url='/?file=/bin/sh')['body'] + assert not obj['FileExists'], 'file should not exists' - isolation = {'rootfs': temp_dir} - if not is_su: - isolation['namespaces'] = { - 'mount': True, - 'credential': True, - 'pid': True, +def test_go_isolation_rootfs_container_priv(require, temp_dir): + require({'privileged_user': True, 'features': {'isolation': ['mnt']}}) + + isolation = { + 'namespaces': {'mount': True}, + 'rootfs': temp_dir, + } + + client.load('ns_inspect', isolation=isolation) + + obj = client.getjson(url='/?file=/go/app')['body'] + + assert obj['FileExists'], 'app relative to rootfs' + + obj = client.getjson(url='/?file=/bin/sh')['body'] + assert not obj['FileExists'], 'file should not exists' + + +def test_go_isolation_rootfs_automount_tmpfs(is_su, require, temp_dir): + try: + open("/proc/self/mountinfo") + except: + pytest.skip('The system lacks /proc/self/mountinfo file') + + if not is_su: + require( + { + 'features': { + 'isolation': [ + 'unprivileged_userns_clone', + 'user', + 'mnt', + 'pid', + ] + } } + ) + + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True, + } - isolation['automount'] = {'tmpfs': False} + isolation['automount'] = {'tmpfs': False} - self.load('ns_inspect', isolation=isolation) + client.load('ns_inspect', isolation=isolation) - obj = self.getjson(url='/?mounts=true')['body'] + obj = client.getjson(url='/?mounts=true')['body'] - assert ( - "/ /tmp" not in obj['Mounts'] and "tmpfs" not in obj['Mounts'] - ), 'app has no /tmp mounted' + assert ( + "/ /tmp" not in obj['Mounts'] and "tmpfs" not in obj['Mounts'] + ), 'app has no /tmp mounted' - isolation['automount'] = {'tmpfs': True} + isolation['automount'] = {'tmpfs': True} - self.load('ns_inspect', isolation=isolation) + client.load('ns_inspect', isolation=isolation) - obj = self.getjson(url='/?mounts=true')['body'] + obj = client.getjson(url='/?mounts=true')['body'] - assert ( - "/ /tmp" 
in obj['Mounts'] and "tmpfs" in obj['Mounts'] - ), 'app has /tmp mounted on /' + assert ( + "/ /tmp" in obj['Mounts'] and "tmpfs" in obj['Mounts'] + ), 'app has /tmp mounted on /' -- cgit
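Review bot: `client = ApplicationGo()` is now a single instance created at import time and shared by every test in the module, so whatever state `load()` leaves on it (the class is not visible here) carries from one test to the next and makes the tests order-dependent in a way the per-test `self` of the old class did not; it presumably also means the constructor runs during collection even when the module-level `prerequisites` would skip the file. If `ApplicationGo` keeps per-test state, a function-scoped fixture — `@pytest.fixture` / `def client(): return ApplicationGo()` — restores the old isolation at the cost of adding `client` to each test's parameter list. The new module-level `unpriv_creds()` also lost the context its class gave it; a docstring such as `"""Return (uid, gid, group name) of the unprivileged account, using group 'nobody' when 'nogroup' does not exist."""` would explain why the KeyError fallback is there. The hunk ends at the last assertion of `test_go_isolation_rootfs_automount_tmpfs`; whether that is also the end of the file is not visible.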