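#!/bin/bash
#
# Confinement test for lxcfs. With pid 1 placed in the freezer cgroup "x1",
# root going through the lxcfs mount must not be able to create, remove, read
# or write cgroups outside pid 1's cgroup, but must still be able to manage
# cgroups below it.
#
# Two views of the freezer hierarchy are used:
#   $d   - the lxcfs mount under test (confined view)
#   $d2  - a direct cgroup mount (unconfined view), used to create fixtures
#          and to confirm that a refused operation really left no trace
#
# Must run as root.
# NOTE(review): the script moves pid 1 between freezer cgroups and never moves
# it back, so it looks intended for a disposable test host -- confirm before
# running it anywhere else.

set -ex

# Fail with a readable message instead of a bare non-zero test under set -e.
if [ "$(id -u)" -ne 0 ]; then
  echo "This test must be run as root" >&2
  exit 1
fi

UUID=$(uuidgen)

d=$(mktemp -t -d tmp.XXX)
d2=$(mktemp -t -d tmp.XXX)

pid=-1 # lxcfs daemon, once started
p=-1   # helper "sleep" process used as the task to move between cgroups

cleanup() {
  # Every step is best-effort: under set -e a single failing step would
  # otherwise abort the handler and leave mounts and temp dirs behind.
  if [ "$p" -ne -1 ]; then
    kill -9 "$p" 2>/dev/null || true
  fi
  # Remove the fixture cgroups created through the direct mount.
  rmdir "$d2/${UUID}_a1/${UUID}_a2" 2>/dev/null || true
  rmdir "$d2/${UUID}_a1" 2>/dev/null || true
  if [ "$pid" -ne -1 ]; then
    kill -9 "$pid" 2>/dev/null || true
  fi
  umount -l "$d" || true
  umount -l "$d2" || true
  rm -rf -- "${d:?}" "${d2:?}"
}

# Run a command that is expected to be refused; abort the test if it succeeds.
# Any failure counts as a refusal (the errno is not inspected), which is why
# the callers below re-check the outcome through the direct mount.
must_fail() {
  if "$@"; then
    echo "FAIL: command unexpectedly succeeded: $*" >&2
    exit 1
  fi
}

# Write pid $1 into the tasks file $2 (a function so must_fail can call it).
write_task() {
  echo "$1" > "$2"
}

cmdline=$(realpath "$0")
testdir=$(dirname "${cmdline}")
topdir=$(dirname "${testdir}")

# cleanup runs once, from the EXIT trap. Signals are turned into a normal exit
# so the script does not carry on after the handler returns.
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

"${topdir}/lxcfs" "$d" &
pid=$!

# lxcfs was started in the background; wait (bounded) for the mount to come
# up. Without this the "cannot ..." checks below could pass merely because the
# paths do not exist yet.
tries=0
until [ -d "$d/cgroup" ]; do
  tries=$((tries + 1))
  if [ "$tries" -gt 10 ]; then
    echo "lxcfs did not come up on $d" >&2
    exit 1
  fi
  sleep 1
done

# put ourselves into x1 (done by moving pid 1; the last section uses pid 1's
# cgroup as the subtree we are allowed to act on)
cgm movepidabs freezer / 1
cgm create freezer x1
cgm movepid freezer x1 1

mount -t cgroup -o freezer freezer "$d2"
# Leftovers from an earlier run; we are already root, so no sudo is needed.
rmdir "$d2/${UUID}_a1/${UUID}_a2" || true
rmdir "$d2/${UUID}_a1" || true

echo "Making sure root cannot mkdir"
must_fail mkdir "$d/cgroup/freezer/${UUID}_a1"
# Confirm through the direct mount that nothing was created.
[ ! -e "$d2/${UUID}_a1" ]

echo "Making sure root cannot rmdir"
mkdir "$d2/${UUID}_a1"
mkdir "$d2/${UUID}_a1/${UUID}_a2"
must_fail rmdir "$d/cgroup/freezer/${UUID}_a1"
[ -d "$d2/${UUID}_a1" ]
must_fail rmdir "$d/cgroup/freezer/${UUID}_a1/${UUID}_a2"
[ -d "$d2/${UUID}_a1/${UUID}_a2" ]

echo "Making sure root cannot read/write"
sleep 200 &
p=$!
must_fail write_task "$p" "$d/cgroup/freezer/${UUID}_a1/tasks"
must_fail cat "$d/cgroup/freezer/${UUID}_a1/tasks"
must_fail write_task "$p" "$d/cgroup/freezer/${UUID}_a1/${UUID}_a2/tasks"
must_fail cat "$d/cgroup/freezer/${UUID}_a1/${UUID}_a2/tasks"
# The refused writes must not have moved the task: look at the real files.
must_fail grep -qx -- "$p" \
  "$d2/${UUID}_a1/tasks" "$d2/${UUID}_a1/${UUID}_a2/tasks"

# make sure things like truncate and access don't leak info about
# the /${UUID}_a1 cgroup which we shouldn't be able to reach
echo "Testing other system calls"
"${testdir}/test_syscalls" "$d/cgroup/freezer/${UUID}_a1"
"${testdir}/test_syscalls" "$d/cgroup/freezer/${UUID}_a1/${UUID}_a2"

echo "Making sure root can act on descendents"
mycg=$(cgm getpidcgroupabs freezer 1)
newcg=${mycg}/${UUID}_a1
rmdir "$d2/$newcg" || true # cleanup previous run
mkdir "$d/cgroup/freezer/$newcg"
write_task "$p" "$d/cgroup/freezer/$newcg/tasks"
cat "$d/cgroup/freezer/$newcg/tasks"
kill -9 "$p"
p=-1 # already killed; keep cleanup from signalling a reused pid
# The cgroup cannot be removed until the killed task has left it.
while [ "$(wc -l < "$d/cgroup/freezer/$newcg/tasks")" -ne 0 ]; do
  sleep 1
done
rmdir "$d/cgroup/freezer/$newcg"

echo "All tests passed!"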