1import grp
2import os
3import pwd
4import shutil
5
6import pytest
7
8from conftest import option

--- 212 unchanged lines hidden (view full) ---

221
222 assert obj['NS']['MNT'] != self.isolation.getns('mnt'), 'mnt set'
223 assert obj['NS']['USER'] != self.isolation.getns('user'), 'user set'
224
225 def test_isolation_pid(self, is_su):
226 if not self.isolation_key('pid'):
227 pytest.skip('pid namespace is not supported')
228
229 if not (is_su or self.isolation_key('unprivileged_userns_clone')):
230 pytest.skip('requires root or unprivileged_userns_clone')
229 if not is_su:
230 if not self.isolation_key('unprivileged_userns_clone'):
231 pytest.skip('unprivileged clone is not available')
232
232 self.load(
233 'ns_inspect',
234 isolation={'namespaces': {'pid': True, 'credential': True}},
235 )
233 if not self.isolation_key('user'):
234 pytest.skip('user namespace is not supported')
235
236 if not self.isolation_key('mnt'):
237 pytest.skip('mnt namespace is not supported')
238
239 isolation = {'namespaces': {'pid': True}}
240
241 if not is_su:
242 isolation['namespaces']['mount'] = True
243 isolation['namespaces']['credential'] = True
244
245 self.load('ns_inspect', isolation=isolation)
246
247 obj = self.getjson()['body']
248
249 assert obj['PID'] == 1, 'pid of container is 1'
250
251 def test_isolation_namespace_false(self):
252 self.load('ns_inspect')
253 allns = list(option.available['features']['isolation'].keys())
254

--- 19 unchanged lines hidden (view full) ---

274
275 for ns in allns:
276 if ns.upper() in obj['NS']:
277 assert (
278 obj['NS'][ns.upper()]
279 == option.available['features']['isolation'][ns]
280 ), ('%s match' % ns)
281
272 def test_go_isolation_rootfs_container(self, temp_dir):
273 if not self.isolation_key('unprivileged_userns_clone'):
274 pytest.skip('unprivileged clone is not available')
282 def test_go_isolation_rootfs_container(self, is_su, temp_dir):
283 if not is_su:
284 if not self.isolation_key('unprivileged_userns_clone'):
285 pytest.skip('unprivileged clone is not available')
286
276 if not self.isolation_key('mnt'):
277 pytest.skip('mnt namespace is not supported')
287 if not self.isolation_key('user'):
288 pytest.skip('user namespace is not supported')
289
279 isolation = {
280 'namespaces': {'mount': True, 'credential': True},
281 'rootfs': temp_dir,
282 }
290 if not self.isolation_key('mnt'):
291 pytest.skip('mnt namespace is not supported')
292
293 if not self.isolation_key('pid'):
294 pytest.skip('pid namespace is not supported')
295
296 isolation = {'rootfs': temp_dir}
297
298 if not is_su:
299 isolation['namespaces'] = {
300 'mount': True,
301 'credential': True,
302 'pid': True
303 }
304
305 self.load('ns_inspect', isolation=isolation)
306
307 obj = self.getjson(url='/?file=/go/app')['body']
308
309 assert obj['FileExists'] == True, 'app relative to rootfs'
310
311 obj = self.getjson(url='/?file=/bin/sh')['body']
312 assert obj['FileExists'] == False, 'file should not exists'

--- 14 unchanged lines hidden (view full) ---

327
328 obj = self.getjson(url='/?file=/go/app')['body']
329
330 assert obj['FileExists'] == True, 'app relative to rootfs'
331
332 obj = self.getjson(url='/?file=/bin/sh')['body']
333 assert obj['FileExists'] == False, 'file should not exists'
334
314 def test_go_isolation_rootfs_default_tmpfs(self, temp_dir):
315 if not self.isolation_key('unprivileged_userns_clone'):
316 pytest.skip('unprivileged clone is not available')
335 def test_go_isolation_rootfs_default_tmpfs(self, is_su, temp_dir):
336 if not is_su:
337 if not self.isolation_key('unprivileged_userns_clone'):
338 pytest.skip('unprivileged clone is not available')
339
318 if not self.isolation_key('mnt'):
319 pytest.skip('mnt namespace is not supported')
340 if not self.isolation_key('user'):
341 pytest.skip('user namespace is not supported')
342
321 isolation = {
322 'namespaces': {'mount': True, 'credential': True},
323 'rootfs': temp_dir,
324 }
343 if not self.isolation_key('mnt'):
344 pytest.skip('mnt namespace is not supported')
345
346 if not self.isolation_key('pid'):
347 pytest.skip('pid namespace is not supported')
348
349 isolation = {'rootfs': temp_dir}
350
351 if not is_su:
352 isolation['namespaces'] = {
353 'mount': True,
354 'credential': True,
355 'pid': True
356 }
357
358 self.load('ns_inspect', isolation=isolation)
359
360 obj = self.getjson(url='/?file=/tmp')['body']
361
362 assert obj['FileExists'] == True, 'app has /tmp'