1import grp
2import os
3import pwd
4
5import pytest
6
7from unit.applications.lang.go import TestApplicationGo
8from unit.feature.isolation import TestFeatureIsolation
9
10class TestGoIsolation(TestApplicationGo):
11 prerequisites = {'modules': {'go': 'any'}, 'features': ['isolation']}
12
13 isolation = TestFeatureIsolation()
14
15 @classmethod
16 def setup_class(cls, complete_check=True):
17 unit = super().setup_class(complete_check=False)
18
19 TestFeatureIsolation().check(cls.available, unit.temp_dir)
20
21 return unit if not complete_check else unit.complete()
22
23 def unpriv_creds(self):
24 nobody_uid = pwd.getpwnam('nobody').pw_uid
25
26 try:
27 nogroup_gid = grp.getgrnam('nogroup').gr_gid
28 nogroup = 'nogroup'
29 except:
30 nogroup_gid = grp.getgrnam('nobody').gr_gid
31 nogroup = 'nobody'
32
33 return (nobody_uid, nogroup_gid, nogroup)
34
35 def isolation_key(self, key):
36 return key in self.available['features']['isolation'].keys()
37
38 def test_isolation_values(self):
39 self.load('ns_inspect')
40
41 obj = self.getjson()['body']
42
43 for ns, ns_value in self.available['features']['isolation'].items():
44 if ns.upper() in obj['NS']:
45 assert obj['NS'][ns.upper()] == ns_value, '%s match' % ns
46
47 def test_isolation_unpriv_user(self, is_su):
48 if not self.isolation_key('unprivileged_userns_clone'):
49 pytest.skip('unprivileged clone is not available')
50
51 if is_su:


193 self.load(
194 'ns_inspect',
195 isolation={'namespaces': {'mount': True, 'credential': True}},
196 )
197
198 obj = self.getjson()['body']
199
200 # all but user and mnt
201 allns = list(self.available['features']['isolation'].keys())
202 allns.remove('user')
203 allns.remove('mnt')
204
205 for ns in allns:
206 if ns.upper() in obj['NS']:
207 assert (
208 obj['NS'][ns.upper()]
209 == self.available['features']['isolation'][ns]
210 ), ('%s match' % ns)
211
212 assert obj['NS']['MNT'] != self.isolation.getns('mnt'), 'mnt set'
213 assert obj['NS']['USER'] != self.isolation.getns('user'), 'user set'
214
215 def test_isolation_pid(self, is_su):
216 if not self.isolation_key('pid'):
217 pytest.skip('pid namespace is not supported')


225 )
226
227 obj = self.getjson()['body']
228
229 assert obj['PID'] == 1, 'pid of container is 1'
230
231 def test_isolation_namespace_false(self):
232 self.load('ns_inspect')
233 allns = list(self.available['features']['isolation'].keys())
234
235 remove_list = ['unprivileged_userns_clone', 'ipc', 'cgroup']
236 allns = [ns for ns in allns if ns not in remove_list]
237
238 namespaces = {}
239 for ns in allns:
240 if ns == 'user':
241 namespaces['credential'] = False


251 self.load('ns_inspect', isolation={'namespaces': namespaces})
252
253 obj = self.getjson()['body']
254
255 for ns in allns:
256 if ns.upper() in obj['NS']:
257 assert (
258 obj['NS'][ns.upper()]
259 == self.available['features']['isolation'][ns]
260 ), ('%s match' % ns)
261
262 def test_go_isolation_rootfs_container(self):
263 if not self.isolation_key('unprivileged_userns_clone'):
264 pytest.skip('unprivileged clone is not available')
265
266 if not self.isolation_key('mnt'):
267 pytest.skip('mnt namespace is not supported')
268
269 isolation = {
270 'namespaces': {'mount': True, 'credential': True},
271 'rootfs': self.temp_dir,
272 }
273
274 self.load('ns_inspect', isolation=isolation)
275
276 obj = self.getjson(url='/?file=/go/app')['body']
277
278 assert obj['FileExists'] == True, 'app relative to rootfs'
279
280 obj = self.getjson(url='/?file=/bin/sh')['body']
281 assert obj['FileExists'] == False, 'file should not exists'
282
283 def test_go_isolation_rootfs_container_priv(self, is_su):
284 if not is_su:
285 pytest.skip('requires root')
286
287 if not self.isolation_key('mnt'):
288 pytest.skip('mnt namespace is not supported')
289
290 isolation = {
291 'namespaces': {'mount': True},
292 'rootfs': self.temp_dir,
293 }
294
295 self.load('ns_inspect', isolation=isolation)
296
297 obj = self.getjson(url='/?file=/go/app')['body']
298
299 assert obj['FileExists'] == True, 'app relative to rootfs'
300
301 obj = self.getjson(url='/?file=/bin/sh')['body']
302 assert obj['FileExists'] == False, 'file should not exists'
303
304 def test_go_isolation_rootfs_default_tmpfs(self):
305 if not self.isolation_key('unprivileged_userns_clone'):
306 pytest.skip('unprivileged clone is not available')
307
308 if not self.isolation_key('mnt'):
309 pytest.skip('mnt namespace is not supported')
310
311 isolation = {
312 'namespaces': {'mount': True, 'credential': True},
313 'rootfs': self.temp_dir,
314 }
315
316 self.load('ns_inspect', isolation=isolation)
317
318 obj = self.getjson(url='/?file=/tmp')['body']
319
320 assert obj['FileExists'] == True, 'app has /tmp'