std: rename from comp
All checks were successful
Test / Create distribution (push) Successful in 33s
Test / Sandbox (push) Successful in 2m12s
Test / Hakurei (push) Successful in 3m9s
Test / Hpkg (push) Successful in 3m59s
Test / Sandbox (race detector) (push) Successful in 4m10s
Test / Hakurei (race detector) (push) Successful in 5m4s
Test / Flake checks (push) Successful in 1m28s
All checks were successful
Test / Create distribution (push) Successful in 33s
Test / Sandbox (push) Successful in 2m12s
Test / Hakurei (push) Successful in 3m9s
Test / Hpkg (push) Successful in 3m59s
Test / Sandbox (race detector) (push) Successful in 4m10s
Test / Hakurei (race detector) (push) Successful in 5m4s
Test / Flake checks (push) Successful in 1m28s
Seccomp lookup tables are going to be relocated here, and PNR constants. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -6,7 +6,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"hakurei.app/container/check"
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/std"
|
||||
"hakurei.app/container/stub"
|
||||
"hakurei.app/message"
|
||||
)
|
||||
@@ -23,14 +23,14 @@ func TestAutoRootOp(t *testing.T) {
|
||||
checkOpBehaviour(t, []opBehaviourTestCase{
|
||||
{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, []stub.Call{
|
||||
call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
|
||||
}, stub.UniqueError(2), nil, nil},
|
||||
|
||||
{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, []stub.Call{
|
||||
call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
|
||||
"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
|
||||
@@ -39,7 +39,7 @@ func TestAutoRootOp(t *testing.T) {
|
||||
|
||||
{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, []stub.Call{
|
||||
call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
|
||||
"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
|
||||
@@ -60,7 +60,7 @@ func TestAutoRootOp(t *testing.T) {
|
||||
|
||||
{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, []stub.Call{
|
||||
call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
|
||||
"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
|
||||
@@ -127,10 +127,10 @@ func TestAutoRootOp(t *testing.T) {
|
||||
})
|
||||
|
||||
checkOpsBuilder(t, []opsBuilderTestCase{
|
||||
{"pd", new(Ops).Root(check.MustAbs("/"), comp.BindWritable), Ops{
|
||||
{"pd", new(Ops).Root(check.MustAbs("/"), std.BindWritable), Ops{
|
||||
&AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
},
|
||||
}},
|
||||
})
|
||||
@@ -140,42 +140,42 @@ func TestAutoRootOp(t *testing.T) {
|
||||
|
||||
{"internal ne", &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
resolved: []*BindMountOp{new(BindMountOp)},
|
||||
}, true},
|
||||
|
||||
{"flags differs", &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable | comp.BindDevice,
|
||||
Flags: std.BindWritable | std.BindDevice,
|
||||
}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, false},
|
||||
|
||||
{"host differs", &AutoRootOp{
|
||||
Host: check.MustAbs("/tmp/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, false},
|
||||
|
||||
{"equals", &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, true},
|
||||
})
|
||||
|
||||
checkOpMeta(t, []opMetaTestCase{
|
||||
{"root", &AutoRootOp{
|
||||
Host: check.MustAbs("/"),
|
||||
Flags: comp.BindWritable,
|
||||
Flags: std.BindWritable,
|
||||
}, "setting up", `auto root "/" flags 0x2`},
|
||||
})
|
||||
}
|
||||
|
||||
@@ -15,9 +15,9 @@ import (
|
||||
"time"
|
||||
|
||||
"hakurei.app/container/check"
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/fhs"
|
||||
"hakurei.app/container/seccomp"
|
||||
"hakurei.app/container/std"
|
||||
"hakurei.app/message"
|
||||
)
|
||||
|
||||
@@ -89,7 +89,7 @@ type (
|
||||
// Extra seccomp flags.
|
||||
SeccompFlags seccomp.ExportFlag
|
||||
// Seccomp presets. Has no effect unless SeccompRules is zero-length.
|
||||
SeccompPresets comp.FilterPreset
|
||||
SeccompPresets std.FilterPreset
|
||||
// Do not load seccomp program.
|
||||
SeccompDisable bool
|
||||
|
||||
@@ -177,7 +177,7 @@ func (p *Container) Start() error {
|
||||
}
|
||||
|
||||
if !p.RetainSession {
|
||||
p.SeccompPresets |= comp.PresetDenyTTY
|
||||
p.SeccompPresets |= std.PresetDenyTTY
|
||||
}
|
||||
|
||||
if p.AdoptWaitDelay == 0 {
|
||||
|
||||
@@ -21,8 +21,8 @@ import (
|
||||
"hakurei.app/command"
|
||||
"hakurei.app/container"
|
||||
"hakurei.app/container/check"
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/seccomp"
|
||||
"hakurei.app/container/std"
|
||||
"hakurei.app/container/vfs"
|
||||
"hakurei.app/hst"
|
||||
"hakurei.app/ldd"
|
||||
@@ -206,20 +206,20 @@ var containerTestCases = []struct {
|
||||
|
||||
rules []seccomp.NativeRule
|
||||
flags seccomp.ExportFlag
|
||||
presets comp.FilterPreset
|
||||
presets std.FilterPreset
|
||||
}{
|
||||
{"minimal", true, false, false, true,
|
||||
emptyOps, emptyMnt,
|
||||
1000, 100, nil, 0, comp.PresetStrict},
|
||||
1000, 100, nil, 0, std.PresetStrict},
|
||||
{"allow", true, true, true, false,
|
||||
emptyOps, emptyMnt,
|
||||
1000, 100, nil, 0, comp.PresetExt | comp.PresetDenyDevel},
|
||||
1000, 100, nil, 0, std.PresetExt | std.PresetDenyDevel},
|
||||
{"no filter", false, true, true, true,
|
||||
emptyOps, emptyMnt,
|
||||
1000, 100, nil, 0, comp.PresetExt},
|
||||
1000, 100, nil, 0, std.PresetExt},
|
||||
{"custom rules", true, true, true, false,
|
||||
emptyOps, emptyMnt,
|
||||
1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, comp.PresetExt},
|
||||
1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
|
||||
|
||||
{"tmpfs", true, false, false, true,
|
||||
earlyOps(new(container.Ops).
|
||||
@@ -228,7 +228,7 @@ var containerTestCases = []struct {
|
||||
earlyMnt(
|
||||
ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
|
||||
),
|
||||
9, 9, nil, 0, comp.PresetStrict},
|
||||
9, 9, nil, 0, std.PresetStrict},
|
||||
|
||||
{"dev", true, true /* go test output is not a tty */, false, false,
|
||||
earlyOps(new(container.Ops).
|
||||
@@ -246,7 +246,7 @@ var containerTestCases = []struct {
|
||||
ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
|
||||
ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
|
||||
),
|
||||
1971, 100, nil, 0, comp.PresetStrict},
|
||||
1971, 100, nil, 0, std.PresetStrict},
|
||||
|
||||
{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
|
||||
earlyOps(new(container.Ops).
|
||||
@@ -263,7 +263,7 @@ var containerTestCases = []struct {
|
||||
ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
|
||||
ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
|
||||
),
|
||||
1971, 100, nil, 0, comp.PresetStrict},
|
||||
1971, 100, nil, 0, std.PresetStrict},
|
||||
|
||||
{"overlay", true, false, false, true,
|
||||
func(t *testing.T) (*container.Ops, context.Context) {
|
||||
@@ -300,7 +300,7 @@ var containerTestCases = []struct {
|
||||
",redirect_dir=nofollow,uuid=on,userxattr"),
|
||||
}
|
||||
},
|
||||
1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
|
||||
1 << 3, 1 << 14, nil, 0, std.PresetStrict},
|
||||
|
||||
{"overlay ephemeral", true, false, false, true,
|
||||
func(t *testing.T) (*container.Ops, context.Context) {
|
||||
@@ -324,7 +324,7 @@ var containerTestCases = []struct {
|
||||
ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore),
|
||||
}
|
||||
},
|
||||
1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
|
||||
1 << 3, 1 << 14, nil, 0, std.PresetStrict},
|
||||
|
||||
{"overlay readonly", true, false, false, true,
|
||||
func(t *testing.T) (*container.Ops, context.Context) {
|
||||
@@ -352,7 +352,7 @@ var containerTestCases = []struct {
|
||||
",redirect_dir=nofollow,userxattr"),
|
||||
}
|
||||
},
|
||||
1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
|
||||
1 << 3, 1 << 14, nil, 0, std.PresetStrict},
|
||||
}
|
||||
|
||||
func TestContainer(t *testing.T) {
|
||||
@@ -560,9 +560,9 @@ func TestContainerString(t *testing.T) {
|
||||
c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
|
||||
c.SeccompFlags |= seccomp.AllowMultiarch
|
||||
c.SeccompRules = seccomp.Preset(
|
||||
comp.PresetExt|comp.PresetDenyNS|comp.PresetDenyTTY,
|
||||
std.PresetExt|std.PresetDenyNS|std.PresetDenyTTY,
|
||||
c.SeccompFlags)
|
||||
c.SeccompPresets = comp.PresetStrict
|
||||
c.SeccompPresets = std.PresetStrict
|
||||
want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf`
|
||||
if got := c.String(); got != want {
|
||||
t.Errorf("String: %s, want %s", got, want)
|
||||
|
||||
@@ -7,8 +7,8 @@ import (
|
||||
"time"
|
||||
|
||||
"hakurei.app/container/check"
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/seccomp"
|
||||
"hakurei.app/container/std"
|
||||
"hakurei.app/container/stub"
|
||||
)
|
||||
|
||||
@@ -70,7 +70,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(79), nil),
|
||||
@@ -95,7 +95,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(78), nil),
|
||||
@@ -123,7 +123,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(76), nil),
|
||||
@@ -152,7 +152,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(74), nil),
|
||||
@@ -182,7 +182,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(72), nil),
|
||||
@@ -213,7 +213,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(70), nil),
|
||||
@@ -245,7 +245,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(68), nil),
|
||||
@@ -279,7 +279,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(66), nil),
|
||||
@@ -315,7 +315,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Hostname: "hakurei-check",
|
||||
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(64), nil),
|
||||
@@ -351,9 +351,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(nil, nil, comp.BindDevice),
|
||||
Ops: new(Ops).Bind(nil, nil, std.BindDevice),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(63), nil),
|
||||
@@ -389,9 +389,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(62), nil),
|
||||
@@ -428,9 +428,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(60), nil),
|
||||
@@ -467,9 +467,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(59), nil),
|
||||
@@ -507,9 +507,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(57), nil),
|
||||
@@ -548,9 +548,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(55), nil),
|
||||
@@ -590,9 +590,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(53), nil),
|
||||
@@ -633,9 +633,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(51), nil),
|
||||
@@ -677,9 +677,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(49), nil),
|
||||
@@ -722,9 +722,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(47), nil),
|
||||
@@ -768,9 +768,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(45), nil),
|
||||
@@ -823,9 +823,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(43), nil),
|
||||
@@ -878,9 +878,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(42), nil),
|
||||
@@ -934,9 +934,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(40), nil),
|
||||
@@ -991,9 +991,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(38), nil),
|
||||
@@ -1050,9 +1050,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(36), nil),
|
||||
@@ -1110,9 +1110,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(34), nil),
|
||||
@@ -1171,9 +1171,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(32), nil),
|
||||
@@ -1233,9 +1233,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(30), nil),
|
||||
@@ -1296,9 +1296,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(28), nil),
|
||||
@@ -1360,9 +1360,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(26), nil),
|
||||
@@ -1425,9 +1425,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(24), nil),
|
||||
@@ -1491,9 +1491,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(22), nil),
|
||||
@@ -1565,9 +1565,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(20), nil),
|
||||
@@ -1672,9 +1672,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(18), nil),
|
||||
@@ -1780,9 +1780,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(16), nil),
|
||||
@@ -1869,7 +1869,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
||||
call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
||||
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
|
||||
call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil),
|
||||
call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
|
||||
call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
|
||||
call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
|
||||
},
|
||||
@@ -1890,7 +1890,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2004,7 +2004,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2102,7 +2102,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2200,7 +2200,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2291,7 +2291,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2384,7 +2384,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2484,7 +2484,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 24,
|
||||
Gid: 1 << 47,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompDisable: true,
|
||||
ParentPerm: 0750,
|
||||
@@ -2620,9 +2620,9 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
Uid: 1 << 32,
|
||||
Gid: 1 << 31,
|
||||
Hostname: "hakurei-check",
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
|
||||
SeccompRules: make([]seccomp.NativeRule, 0),
|
||||
SeccompPresets: comp.PresetStrict,
|
||||
SeccompPresets: std.PresetStrict,
|
||||
RetainSession: true,
|
||||
Privileged: true,
|
||||
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(0), nil),
|
||||
@@ -2709,7 +2709,7 @@ func TestInitEntrypoint(t *testing.T) {
|
||||
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
||||
call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
||||
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
|
||||
call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil),
|
||||
call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
|
||||
call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
|
||||
call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),
|
||||
call("newFile", stub.ExpectArgs{uintptr(10), "extra file 0"}, (*os.File)(nil), nil),
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"syscall"
|
||||
|
||||
"hakurei.app/container/check"
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/std"
|
||||
)
|
||||
|
||||
func init() { gob.Register(new(BindMountOp)) }
|
||||
@@ -29,18 +29,18 @@ type BindMountOp struct {
|
||||
func (b *BindMountOp) Valid() bool {
|
||||
return b != nil &&
|
||||
b.Source != nil && b.Target != nil &&
|
||||
b.Flags&(comp.BindOptional|comp.BindEnsure) != (comp.BindOptional|comp.BindEnsure)
|
||||
b.Flags&(std.BindOptional|std.BindEnsure) != (std.BindOptional|std.BindEnsure)
|
||||
}
|
||||
|
||||
func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
|
||||
if b.Flags&comp.BindEnsure != 0 {
|
||||
if b.Flags&std.BindEnsure != 0 {
|
||||
if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
|
||||
if os.IsNotExist(err) && b.Flags&comp.BindOptional != 0 {
|
||||
if os.IsNotExist(err) && b.Flags&std.BindOptional != 0 {
|
||||
// leave sourceFinal as nil
|
||||
return nil
|
||||
}
|
||||
@@ -53,7 +53,7 @@ func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
|
||||
|
||||
func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
|
||||
if b.sourceFinal == nil {
|
||||
if b.Flags&comp.BindOptional == 0 {
|
||||
if b.Flags&std.BindOptional == 0 {
|
||||
// unreachable
|
||||
return OpStateError("bind")
|
||||
}
|
||||
@@ -76,10 +76,10 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
|
||||
}
|
||||
|
||||
var flags uintptr = syscall.MS_REC
|
||||
if b.Flags&comp.BindWritable == 0 {
|
||||
if b.Flags&std.BindWritable == 0 {
|
||||
flags |= syscall.MS_RDONLY
|
||||
}
|
||||
if b.Flags&comp.BindDevice == 0 {
|
||||
if b.Flags&std.BindDevice == 0 {
|
||||
flags |= syscall.MS_NODEV
|
||||
}
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"hakurei.app/container/check"
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/std"
|
||||
"hakurei.app/container/stub"
|
||||
)
|
||||
|
||||
@@ -25,7 +25,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"skip optional", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/bin/"),
|
||||
Target: check.MustAbs("/bin/"),
|
||||
Flags: comp.BindOptional,
|
||||
Flags: std.BindOptional,
|
||||
}, []stub.Call{
|
||||
call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
|
||||
}, nil, nil, nil},
|
||||
@@ -33,7 +33,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"success optional", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/bin/"),
|
||||
Target: check.MustAbs("/bin/"),
|
||||
Flags: comp.BindOptional,
|
||||
Flags: std.BindOptional,
|
||||
}, []stub.Call{
|
||||
call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
|
||||
}, nil, []stub.Call{
|
||||
@@ -46,7 +46,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"ensureFile device", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/dev/null"),
|
||||
Target: check.MustAbs("/dev/null"),
|
||||
Flags: comp.BindWritable | comp.BindDevice,
|
||||
Flags: std.BindWritable | std.BindDevice,
|
||||
}, []stub.Call{
|
||||
call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
|
||||
}, nil, []stub.Call{
|
||||
@@ -57,7 +57,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"mkdirAll ensure", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/bin/"),
|
||||
Target: check.MustAbs("/bin/"),
|
||||
Flags: comp.BindEnsure,
|
||||
Flags: std.BindEnsure,
|
||||
}, []stub.Call{
|
||||
call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
|
||||
}, stub.UniqueError(4), nil, nil},
|
||||
@@ -65,7 +65,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"success ensure", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/bin/"),
|
||||
Target: check.MustAbs("/usr/bin/"),
|
||||
Flags: comp.BindEnsure,
|
||||
Flags: std.BindEnsure,
|
||||
}, []stub.Call{
|
||||
call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
|
||||
call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
|
||||
@@ -79,7 +79,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"success device ro", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/dev/null"),
|
||||
Target: check.MustAbs("/dev/null"),
|
||||
Flags: comp.BindDevice,
|
||||
Flags: std.BindDevice,
|
||||
}, []stub.Call{
|
||||
call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
|
||||
}, nil, []stub.Call{
|
||||
@@ -92,7 +92,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"success device", new(Params), &BindMountOp{
|
||||
Source: check.MustAbs("/dev/null"),
|
||||
Target: check.MustAbs("/dev/null"),
|
||||
Flags: comp.BindWritable | comp.BindDevice,
|
||||
Flags: std.BindWritable | std.BindDevice,
|
||||
}, []stub.Call{
|
||||
call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
|
||||
}, nil, []stub.Call{
|
||||
@@ -182,7 +182,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"zero", new(BindMountOp), false},
|
||||
{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
|
||||
{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
|
||||
{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: comp.BindOptional | comp.BindEnsure}, false},
|
||||
{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: std.BindOptional | std.BindEnsure}, false},
|
||||
{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
|
||||
})
|
||||
|
||||
@@ -217,7 +217,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
}, &BindMountOp{
|
||||
Source: check.MustAbs("/etc/"),
|
||||
Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
|
||||
Flags: comp.BindOptional,
|
||||
Flags: std.BindOptional,
|
||||
}, false},
|
||||
|
||||
{"source differs", &BindMountOp{
|
||||
@@ -256,7 +256,7 @@ func TestBindMountOp(t *testing.T) {
|
||||
{"hostdev", &BindMountOp{
|
||||
Source: check.MustAbs("/dev/"),
|
||||
Target: check.MustAbs("/dev/"),
|
||||
Flags: comp.BindWritable | comp.BindDevice,
|
||||
Flags: std.BindWritable | std.BindDevice,
|
||||
}, "mounting", `"/dev/" flags 0x6`},
|
||||
})
|
||||
}
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
package seccomp_test
|
||||
|
||||
import (
|
||||
. "hakurei.app/container/comp"
|
||||
. "hakurei.app/container/seccomp"
|
||||
. "hakurei.app/container/std"
|
||||
)
|
||||
|
||||
var bpfExpected = bpfLookup{
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
package seccomp_test
|
||||
|
||||
import (
|
||||
. "hakurei.app/container/comp"
|
||||
. "hakurei.app/container/seccomp"
|
||||
. "hakurei.app/container/std"
|
||||
)
|
||||
|
||||
var bpfExpected = bpfLookup{
|
||||
|
||||
@@ -4,14 +4,14 @@ import (
|
||||
"crypto/sha512"
|
||||
"encoding/hex"
|
||||
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/seccomp"
|
||||
"hakurei.app/container/std"
|
||||
)
|
||||
|
||||
type (
|
||||
bpfPreset = struct {
|
||||
seccomp.ExportFlag
|
||||
comp.FilterPreset
|
||||
std.FilterPreset
|
||||
}
|
||||
bpfLookup map[bpfPreset][sha512.Size]byte
|
||||
)
|
||||
|
||||
@@ -6,8 +6,8 @@ import (
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
. "hakurei.app/container/comp"
|
||||
. "hakurei.app/container/seccomp"
|
||||
. "hakurei.app/container/std"
|
||||
)
|
||||
|
||||
func TestLibraryError(t *testing.T) {
|
||||
|
||||
@@ -5,32 +5,32 @@ package seccomp
|
||||
import (
|
||||
. "syscall"
|
||||
|
||||
"hakurei.app/container/comp"
|
||||
"hakurei.app/container/std"
|
||||
)
|
||||
|
||||
func Preset(presets comp.FilterPreset, flags ExportFlag) (rules []NativeRule) {
|
||||
func Preset(presets std.FilterPreset, flags ExportFlag) (rules []NativeRule) {
|
||||
allowedPersonality := PersonaLinux
|
||||
if presets&comp.PresetLinux32 != 0 {
|
||||
if presets&std.PresetLinux32 != 0 {
|
||||
allowedPersonality = PersonaLinux32
|
||||
}
|
||||
presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))
|
||||
|
||||
l := len(presetCommon)
|
||||
if presets&comp.PresetDenyNS != 0 {
|
||||
if presets&std.PresetDenyNS != 0 {
|
||||
l += len(presetNamespace)
|
||||
}
|
||||
if presets&comp.PresetDenyTTY != 0 {
|
||||
if presets&std.PresetDenyTTY != 0 {
|
||||
l += len(presetTTY)
|
||||
}
|
||||
if presets&comp.PresetDenyDevel != 0 {
|
||||
if presets&std.PresetDenyDevel != 0 {
|
||||
l += len(presetDevelFinal)
|
||||
}
|
||||
if flags&AllowMultiarch == 0 {
|
||||
l += len(presetEmu)
|
||||
}
|
||||
if presets&comp.PresetExt != 0 {
|
||||
if presets&std.PresetExt != 0 {
|
||||
l += len(presetCommonExt)
|
||||
if presets&comp.PresetDenyNS != 0 {
|
||||
if presets&std.PresetDenyNS != 0 {
|
||||
l += len(presetNamespaceExt)
|
||||
}
|
||||
if flags&AllowMultiarch == 0 {
|
||||
@@ -40,21 +40,21 @@ func Preset(presets comp.FilterPreset, flags ExportFlag) (rules []NativeRule) {
|
||||
|
||||
rules = make([]NativeRule, 0, l)
|
||||
rules = append(rules, presetCommon...)
|
||||
if presets&comp.PresetDenyNS != 0 {
|
||||
if presets&std.PresetDenyNS != 0 {
|
||||
rules = append(rules, presetNamespace...)
|
||||
}
|
||||
if presets&comp.PresetDenyTTY != 0 {
|
||||
if presets&std.PresetDenyTTY != 0 {
|
||||
rules = append(rules, presetTTY...)
|
||||
}
|
||||
if presets&comp.PresetDenyDevel != 0 {
|
||||
if presets&std.PresetDenyDevel != 0 {
|
||||
rules = append(rules, presetDevelFinal...)
|
||||
}
|
||||
if flags&AllowMultiarch == 0 {
|
||||
rules = append(rules, presetEmu...)
|
||||
}
|
||||
if presets&comp.PresetExt != 0 {
|
||||
if presets&std.PresetExt != 0 {
|
||||
rules = append(rules, presetCommonExt...)
|
||||
if presets&comp.PresetDenyNS != 0 {
|
||||
if presets&std.PresetDenyNS != 0 {
|
||||
rules = append(rules, presetNamespaceExt...)
|
||||
}
|
||||
if flags&AllowMultiarch == 0 {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
// Package comp contains constants from container packages without depending on cgo.
|
||||
package comp
|
||||
// Package std contains constants from container packages without depending on cgo.
|
||||
package std
|
||||
|
||||
const (
|
||||
// BindOptional skips nonexistent host paths.
|
||||
Reference in New Issue
Block a user