Ophestra
2baa2d7063
All checks were successful
Test / Create distribution (push) Successful in 35s
Test / Sandbox (push) Successful in 2m12s
Test / Hakurei (push) Successful in 3m17s
Test / Hpkg (push) Successful in 4m13s
Test / Sandbox (race detector) (push) Successful in 4m33s
Test / Hakurei (race detector) (push) Successful in 5m8s
Test / Flake checks (push) Successful in 1m25s
This used to be entirely done via integration tests, with almost no hope of error injection and coverage profile. These tests significantly increase confidence of future work in this area. Signed-off-by: Ophestra <cat@gensokyo.uk>
2540 lines
141 KiB
Go
2540 lines
141 KiB
Go
package container
|
|
|
|
import (
|
|
"os"
|
|
"syscall"
|
|
"testing"
|
|
"time"
|
|
|
|
"hakurei.app/container/seccomp"
|
|
)
|
|
|
|
func TestInitEntrypoint(t *testing.T) {
|
|
assertPrefix := func(prefix string) {
|
|
if prefix != "init" {
|
|
t.Fatalf("prepareLogger: prefix = %q", prefix)
|
|
}
|
|
}
|
|
|
|
assertVerboseFalse := func(verbose bool) {
|
|
if verbose {
|
|
t.Fatal("setVerbose: verbose = true, want false")
|
|
}
|
|
}
|
|
assertVerboseTrue := func(verbose bool) {
|
|
if !verbose {
|
|
t.Fatal("setVerbose: verbose = false, want true")
|
|
}
|
|
}
|
|
|
|
checkSimple(t, "initEntrypoint", []simpleTestCase{
|
|
{"getpid", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1 << 10, nil},
|
|
{"fatal", expectArgs{[]any{"this process must run as pid 1"}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"receive bad fd", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, syscall.EBADF},
|
|
{"fatal", expectArgs{[]any{"invalid setup descriptor"}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"receive not set", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, ErrNotSet},
|
|
{"fatal", expectArgs{[]any{"HAKUREI_SETUP not set"}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"receive payload decode", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot decode init setup payload: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"receive invalid params", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"fatal", expectArgs{[]any{"invalid setup parameters"}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"setDumpable user", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot set SUID_DUMP_USER: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"writeFile uid_map", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"%v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"writeFile setgroups", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"%v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"writeFile gid_map", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"%v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"setDumpable disable", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot set SUID_DUMP_DISABLE: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"sethostname", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot set hostname: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"mount rslave root", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot make / rslave: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"nil op", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"fatalf", expectArgs{"invalid op at index %d", []any{0}}, nil, nil},
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"invalid op", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(nil, nil, BindDevice),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"fatalf", expectArgs{"invalid op at index %d", []any{0}}, nil, nil},
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"apply", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", errUnique},
|
|
{"printBaseErr", expectArgs{wrapErrSelf(errUnique), "cannot prepare op at index 0:"}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{1}, nil, nil},
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"mount ih", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot mount intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir ih", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot enter intermediate host path: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"mkdir sysroot", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"%v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"mount bind sysroot", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot bind sysroot: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"mkdir host", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"%v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"pivotRoot ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot pivot into intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot enter intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"apply", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, errUnique},
|
|
{"printBaseErr", expectArgs{wrapErrSuffix(errUnique, `cannot mount proc on "/proc/":`), "cannot apply op at index 1:"}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{1}, nil, nil},
|
|
/* end apply */
|
|
},
|
|
}, nil},
|
|
|
|
{"mount rprivate host", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot make host root rprivate: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"unmount host", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot unmount host root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"open ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, errUnique},
|
|
{"fatalf", expectArgs{"cannot open intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir sysroot", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot enter sysroot: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"pivotRoot sysroot", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot pivot into sysroot: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"fchdir ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot re-enter intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"unmount ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot unmount intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot enter root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"close ir", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot close intermediate root: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"capAmbientClearAll", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot clear the ambient capability set: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"capBoundingSetDrop", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot drop capability from bounding set: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"capAmbientRaise", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x8)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x9)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xa)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xb)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xc)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xd)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xe)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xf)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x10)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x11)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x12)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x13)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x14)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x16)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x17)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x18)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x19)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1a)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1b)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1c)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1d)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1e)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1f)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x20)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x21)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x22)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x23)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x24)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x25)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x26)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x27)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x28)}, nil, nil},
|
|
{"capAmbientRaise", expectArgs{uintptr(0x15)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"capset", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x8)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x9)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xa)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xb)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xc)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xd)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xe)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xf)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x10)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x11)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x12)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x13)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x14)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x16)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x17)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x18)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x19)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1a)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1b)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1c)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1d)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1e)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1f)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x20)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x21)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x22)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x23)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x24)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x25)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x26)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x27)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x28)}, nil, nil},
|
|
{"capAmbientRaise", expectArgs{uintptr(0x15)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot capset: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"seccompLoad", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x8)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x9)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xa)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xb)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xc)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xd)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xe)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xf)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x10)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x11)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x12)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x13)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x14)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x16)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x17)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x18)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x19)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1a)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1b)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1c)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1d)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1e)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1f)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x20)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x21)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x22)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x23)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x24)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x25)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x26)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x27)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x28)}, nil, nil},
|
|
{"capAmbientRaise", expectArgs{uintptr(0x15)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil},
|
|
{"verbosef", expectArgs{"resolving presets %#x", []any{seccomp.FilterPreset(0xf)}}, nil, nil},
|
|
{"seccompLoad", expectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, errUnique},
|
|
{"fatalf", expectArgs{"cannot load syscall filter: %v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"start", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseFalse); return nil }, [][]kexpect{
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, 0, errUnique},
|
|
{"verbosef", expectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{errUnique}}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei/nonexistent"),
|
|
Path: MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x8)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x9)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xa)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xb)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xc)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xd)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xe)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xf)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x10)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x11)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x12)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x13)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x14)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x15)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x16)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x17)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x18)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x19)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1a)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1b)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1c)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1d)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1e)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1f)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x20)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x21)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x22)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x23)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x24)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x25)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x26)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x27)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x28)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"syscall filter not configured"}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil},
|
|
{"start", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, nil, errUnique},
|
|
{"fatalf", expectArgs{"%v", []any{errUnique}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled cancel forward error", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseFalse); return nil }, [][]kexpect{
|
|
/* entrypoint */
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, 0, errUnique},
|
|
{"verbosef", expectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{errUnique}}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei/nonexistent"),
|
|
Path: MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Nanosecond,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(4), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"syscall filter not configured"}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil},
|
|
{"start", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil},
|
|
{"suspend", expectArgs{}, nil, nil},
|
|
{"printf", expectArgs{"cannot close setup pipe: %v", []any{errUnique}}, nil, nil},
|
|
{"new", expectArgs{}, nil, nil},
|
|
{"notify", expectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil},
|
|
{"resume", expectArgs{}, true, nil},
|
|
{"verbosef", expectArgs{"%s after process start", []any{"terminated"}}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"forwarding context cancellation"}}, nil, nil},
|
|
{"signal", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", os.Interrupt}, nil, errUnique},
|
|
{"printf", expectArgs{"cannot forward cancellation: %v", []any{errUnique}}, nil, nil},
|
|
{"resume", expectArgs{}, false, nil},
|
|
{"verbosef", expectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil},
|
|
{"printf", expectArgs{"timeout exceeded waiting for lingering processes", ([]any)(nil)}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{0xce}, nil, nil},
|
|
},
|
|
|
|
/* wait4 */
|
|
{
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil},
|
|
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
|
|
{"wait4", expectArgs{-1, nil, 0, nil, 0xdeadbeef}, 0, syscall.ECHILD},
|
|
},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled cancel", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseFalse); return nil }, [][]kexpect{
|
|
/* entrypoint */
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, 0, errUnique},
|
|
{"verbosef", expectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{errUnique}}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei/nonexistent"),
|
|
Path: MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Nanosecond,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(4), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"syscall filter not configured"}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil},
|
|
{"start", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil},
|
|
{"suspend", expectArgs{}, nil, nil},
|
|
{"printf", expectArgs{"cannot close setup pipe: %v", []any{errUnique}}, nil, nil},
|
|
{"new", expectArgs{}, nil, nil},
|
|
{"notify", expectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil},
|
|
{"resume", expectArgs{}, false, nil},
|
|
{"verbosef", expectArgs{"got %s", []any{"interrupt"}}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{0}, nil, nil},
|
|
},
|
|
|
|
/* wait4 */
|
|
{
|
|
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
|
|
{"wait4", expectArgs{-1, nil, 0, nil, 0xdeadbeef}, 0, syscall.ECHILD},
|
|
},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled timeout", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseFalse); return nil }, [][]kexpect{
|
|
/* entrypoint */
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, 0, errUnique},
|
|
{"verbosef", expectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{errUnique}}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei/nonexistent"),
|
|
Path: MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Nanosecond,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(4), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"syscall filter not configured"}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil},
|
|
{"start", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil},
|
|
{"suspend", expectArgs{}, nil, nil},
|
|
{"printf", expectArgs{"cannot close setup pipe: %v", []any{errUnique}}, nil, nil},
|
|
{"new", expectArgs{}, nil, nil},
|
|
{"notify", expectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil},
|
|
{"resume", expectArgs{}, true, nil},
|
|
{"verbosef", expectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil},
|
|
{"printf", expectArgs{"timeout exceeded waiting for lingering processes", ([]any)(nil)}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{0xce}, nil, nil},
|
|
},
|
|
|
|
/* wait4 */
|
|
{
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil},
|
|
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
|
|
{"wait4", expectArgs{-1, nil, 0, nil, 0xdeadbeef}, 0, syscall.ECHILD},
|
|
},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseFalse); return nil }, [][]kexpect{
|
|
/* entrypoint */
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, 0, errUnique},
|
|
{"verbosef", expectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{errUnique}}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei/nonexistent"),
|
|
Path: MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(4), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"syscall filter not configured"}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil},
|
|
{"start", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil},
|
|
{"suspend", expectArgs{}, nil, nil},
|
|
{"printf", expectArgs{"cannot close setup pipe: %v", []any{errUnique}}, nil, nil},
|
|
{"new", expectArgs{}, nil, nil},
|
|
{"notify", expectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil},
|
|
{"resume", expectArgs{}, true, nil},
|
|
{"verbosef", expectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{0xce}, nil, nil},
|
|
},
|
|
|
|
/* wait4 */
|
|
{
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.ENOMEM},
|
|
{"printf", expectArgs{"unexpected wait4 response: %v", []any{syscall.ENOMEM}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"strangewait nopriv notty noseccomp yamafault", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseFalse); return nil }, [][]kexpect{
|
|
/* entrypoint */
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, 0, errUnique},
|
|
{"verbosef", expectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{errUnique}}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei/nonexistent"),
|
|
Path: MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x8)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x9)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xa)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xb)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xc)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xd)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xe)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xf)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x10)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x11)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x12)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x13)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x14)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x15)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x16)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x17)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x18)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x19)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1a)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1b)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1c)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1d)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1e)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1f)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x20)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x21)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x22)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x23)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x24)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x25)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x26)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x27)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x28)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil},
|
|
{"verbose", expectArgs{[]any{"syscall filter not configured"}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil},
|
|
{"start", expectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil},
|
|
{"suspend", expectArgs{}, nil, nil},
|
|
{"printf", expectArgs{"cannot close setup pipe: %v", []any{errUnique}}, nil, nil},
|
|
{"new", expectArgs{}, nil, nil},
|
|
{"notify", expectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil},
|
|
{"resume", expectArgs{}, true, nil},
|
|
{"verbosef", expectArgs{"initial process exited with code %d", []any{1}}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{1}, nil, nil},
|
|
},
|
|
|
|
/* wait4 */
|
|
{
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xfade0100), 0, nil}, 0xbad, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.ENOMEM},
|
|
{"printf", expectArgs{"unexpected wait4 response: %v", []any{syscall.ENOMEM}}, nil, nil},
|
|
},
|
|
}, nil},
|
|
|
|
{"success", func(k syscallDispatcher) error { initEntrypoint(k, assertPrefix, assertVerboseTrue); return nil }, [][]kexpect{
|
|
/* entrypoint */
|
|
{
|
|
{"lockOSThread", expectArgs{}, nil, nil},
|
|
{"getpid", expectArgs{}, 1, nil},
|
|
{"setPtracer", expectArgs{uintptr(0)}, nil, nil},
|
|
{"receive", expectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(MustAbs("/"), MustAbs("/"), BindDevice).Proc(MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: seccomp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, errUnique, nil},
|
|
{"verbose", expectArgs{[]any{"received setup parameters"}}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(1)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil},
|
|
{"writeFile", expectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil},
|
|
{"setDumpable", expectArgs{uintptr(0)}, nil, nil},
|
|
{"umask", expectArgs{0}, 022, nil},
|
|
{"sethostname", expectArgs{[]byte("hakurei-check")}, nil, nil},
|
|
{"lastcap", expectArgs{}, uintptr(40), nil},
|
|
{"mount", expectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil},
|
|
/* begin early */
|
|
{"evalSymlinks", expectArgs{"/"}, "/", nil},
|
|
/* end early */
|
|
{"mount", expectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil},
|
|
{"chdir", expectArgs{"/proc/self/fd"}, nil, nil},
|
|
{"mkdir", expectArgs{"sysroot", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil},
|
|
{"mkdir", expectArgs{"host", os.FileMode(0755)}, nil, nil},
|
|
{"pivotRoot", expectArgs{"/proc/self/fd", "host"}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
/* begin apply */
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &BindMountOp{sourceFinal: MustAbs("/"), Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindDevice}}}, nil, nil},
|
|
{"stat", expectArgs{"/host"}, isDirFi(true), nil},
|
|
{"mkdirAll", expectArgs{"/sysroot", os.FileMode(0700)}, nil, nil},
|
|
{"bindMount", expectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil},
|
|
{"verbosef", expectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: MustAbs("/proc/")}}}, nil, nil},
|
|
{"mkdirAll", expectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil},
|
|
{"mount", expectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil},
|
|
/* end apply */
|
|
{"mount", expectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil},
|
|
{"unmount", expectArgs{"host", 2}, nil, nil},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, syscall.EINTR},
|
|
{"open", expectArgs{"/", 0x10000, uint32(0)}, 1 << 35, nil},
|
|
{"chdir", expectArgs{"/sysroot"}, nil, nil},
|
|
{"pivotRoot", expectArgs{".", "."}, nil, nil},
|
|
{"fchdir", expectArgs{1 << 35}, nil, nil},
|
|
{"unmount", expectArgs{".", 2}, nil, nil},
|
|
{"chdir", expectArgs{"/"}, nil, nil},
|
|
{"close", expectArgs{1 << 35}, nil, nil},
|
|
{"capAmbientClearAll", expectArgs{}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x0)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x2)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x3)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x4)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x5)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x6)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x7)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x8)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x9)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xa)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xb)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xc)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xd)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xe)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0xf)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x10)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x11)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x12)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x13)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x14)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x16)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x17)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x18)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x19)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1a)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1b)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1c)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1d)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1e)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x1f)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x20)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x21)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x22)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x23)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x24)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x25)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x26)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x27)}, nil, nil},
|
|
{"capBoundingSetDrop", expectArgs{uintptr(0x28)}, nil, nil},
|
|
{"capAmbientRaise", expectArgs{uintptr(0x15)}, nil, nil},
|
|
{"capset", expectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil},
|
|
{"verbosef", expectArgs{"resolving presets %#x", []any{seccomp.FilterPreset(0xf)}}, nil, nil},
|
|
{"seccompLoad", expectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil},
|
|
{"verbosef", expectArgs{"%d filter rules loaded", []any{73}}, nil, nil},
|
|
{"newFile", expectArgs{uintptr(10), "extra file 0"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(11), "extra file 1"}, (*os.File)(nil), nil},
|
|
{"newFile", expectArgs{uintptr(12), "extra file 2"}, (*os.File)(nil), nil},
|
|
{"umask", expectArgs{022}, 0, nil},
|
|
{"verbosef", expectArgs{"starting initial program %s", []any{MustAbs("/bin/zsh")}}, nil, nil},
|
|
{"start", expectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil},
|
|
{"suspend", expectArgs{}, nil, nil},
|
|
{"printf", expectArgs{"cannot close setup pipe: %v", []any{errUnique}}, nil, nil},
|
|
{"new", expectArgs{}, nil, nil},
|
|
{"notify", expectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil},
|
|
{"resume", expectArgs{}, true, nil},
|
|
{"verbosef", expectArgs{"initial process exited with status %#x", []any{syscall.WaitStatus(0xfade007f)}}, nil, nil},
|
|
{"beforeExit", expectArgs{}, nil, nil},
|
|
{"exit", expectArgs{0xff}, nil, nil},
|
|
},
|
|
|
|
/* wait4 */
|
|
{
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xfade007f), 0, nil}, 0xcafe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.EINTR},
|
|
{"wait4", expectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil},
|
|
{"wait4", expectArgs{-1, nil, 0, nil}, 0, syscall.ECHILD},
|
|
},
|
|
}, nil},
|
|
})
|
|
}
|
|
|
|
func TestOpsGrow(t *testing.T) {
|
|
ops := new(Ops)
|
|
ops.Grow(1 << 4)
|
|
if got := cap(*ops); got == 0 {
|
|
t.Error("Grow: cap did not increase")
|
|
}
|
|
}
|