All checks were successful
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 2m19s
Test / Hakurei (push) Successful in 3m9s
Test / Hpkg (push) Successful in 3m53s
Test / Sandbox (race detector) (push) Successful in 4m2s
Test / Hakurei (race detector) (push) Successful in 4m43s
Test / Flake checks (push) Successful in 1m23s
This package will also hold syscall lookup tables for seccomp. Signed-off-by: Ophestra <cat@gensokyo.uk>
2672 lines
164 KiB
Go
2672 lines
164 KiB
Go
package container
|
|
|
|
import (
|
|
"os"
|
|
"syscall"
|
|
"testing"
|
|
"time"
|
|
|
|
"hakurei.app/container/check"
|
|
"hakurei.app/container/comp"
|
|
"hakurei.app/container/seccomp"
|
|
"hakurei.app/container/stub"
|
|
)
|
|
|
|
func TestInitEntrypoint(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
checkSimple(t, "initEntrypoint", []simpleTestCase{
|
|
{"getpid", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1<<10, nil),
|
|
call("fatal", stub.ExpectArgs{[]any{"this process must run as pid 1"}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"receive bad fd", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, syscall.EBADF),
|
|
call("fatal", stub.ExpectArgs{[]any{"invalid setup descriptor"}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"receive not set", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, ErrReceiveEnv),
|
|
call("fatal", stub.ExpectArgs{[]any{"HAKUREI_SETUP not set"}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"receive payload decode", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, stub.UniqueError(80)),
|
|
call("fatalf", stub.ExpectArgs{"cannot decode init setup payload: %v", []any{stub.UniqueError(80)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"receive invalid params", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(79), nil),
|
|
call("fatal", stub.ExpectArgs{[]any{"invalid setup parameters"}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"setDumpable user", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(78), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, stub.UniqueError(77)),
|
|
call("fatalf", stub.ExpectArgs{"cannot set SUID_DUMP_USER: %v", []any{stub.UniqueError(77)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"writeFile uid_map", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(76), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, stub.UniqueError(75)),
|
|
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(75)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"writeFile setgroups", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(74), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, stub.UniqueError(73)),
|
|
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(73)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"writeFile gid_map", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(72), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, stub.UniqueError(71)),
|
|
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(71)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"setDumpable disable", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(70), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, stub.UniqueError(69)),
|
|
call("fatalf", stub.ExpectArgs{"cannot set SUID_DUMP_DISABLE: %v", []any{stub.UniqueError(69)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"sethostname", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(68), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, stub.UniqueError(67)),
|
|
call("fatalf", stub.ExpectArgs{"cannot set hostname: %v", []any{stub.UniqueError(67)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"mount rslave root", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(66), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, stub.UniqueError(65)),
|
|
call("fatalf", stub.ExpectArgs{"cannot make / rslave: %v", []any{stub.UniqueError(65)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"nil op", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(64), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"invalid op", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(nil, nil, comp.BindDevice),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(63), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"early unhandled error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(62), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", stub.UniqueError(61)),
|
|
call("fatalf", stub.ExpectArgs{"cannot prepare op at index %d: %v", []any{0, stub.UniqueError(61)}}, nil, nil),
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"early", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(60), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", &os.PathError{Op: "readlink", Path: "/", Err: stub.UniqueError(60)}),
|
|
call("fatal", stub.ExpectArgs{[]any{"cannot readlink /: unique error 60 injected by the test suite"}}, nil, nil),
|
|
/* end early */
|
|
},
|
|
}, nil},
|
|
|
|
{"mount ih", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(59), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, stub.UniqueError(58)),
|
|
call("fatalf", stub.ExpectArgs{"cannot mount intermediate root: %v", []any{stub.UniqueError(58)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir ih", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(57), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, stub.UniqueError(56)),
|
|
call("fatalf", stub.ExpectArgs{"cannot enter intermediate host path: %v", []any{stub.UniqueError(56)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"mkdir sysroot", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(55), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, stub.UniqueError(54)),
|
|
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(54)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"mount bind sysroot", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(53), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, stub.UniqueError(52)),
|
|
call("fatalf", stub.ExpectArgs{"cannot bind sysroot: %v", []any{stub.UniqueError(52)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"mkdir host", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(51), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, stub.UniqueError(50)),
|
|
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(50)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"pivotRoot ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(49), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, stub.UniqueError(48)),
|
|
call("fatalf", stub.ExpectArgs{"cannot pivot into intermediate root: %v", []any{stub.UniqueError(48)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(47), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, stub.UniqueError(46)),
|
|
call("fatalf", stub.ExpectArgs{"cannot enter intermediate root: %v", []any{stub.UniqueError(46)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"apply unhandled error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(45), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, stub.UniqueError(44)),
|
|
call("fatalf", stub.ExpectArgs{"cannot apply op at index %d: %v", []any{1, stub.UniqueError(44)}}, nil, nil),
|
|
/* end apply */
|
|
},
|
|
}, nil},
|
|
|
|
{"apply", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(43), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, &MountError{"proc", "/sysroot/proc", "proc", uintptr(0xe), "", syscall.ENOTRECOVERABLE}),
|
|
call("fatal", stub.ExpectArgs{[]any{"cannot mount proc on /sysroot/proc: state not recoverable"}}, nil, nil),
|
|
/* end apply */
|
|
},
|
|
}, nil},
|
|
|
|
{"mount rprivate host", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(42), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, stub.UniqueError(41)),
|
|
call("fatalf", stub.ExpectArgs{"cannot make host root rprivate: %v", []any{stub.UniqueError(41)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"unmount host", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(40), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, stub.UniqueError(39)),
|
|
call("fatalf", stub.ExpectArgs{"cannot unmount host root: %v", []any{stub.UniqueError(39)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"open ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(38), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, stub.UniqueError(37)),
|
|
call("fatalf", stub.ExpectArgs{"cannot open intermediate root: %v", []any{stub.UniqueError(37)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir sysroot", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(36), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, stub.UniqueError(35)),
|
|
call("fatalf", stub.ExpectArgs{"cannot enter sysroot: %v", []any{stub.UniqueError(35)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"pivotRoot sysroot", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(34), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, stub.UniqueError(33)),
|
|
call("fatalf", stub.ExpectArgs{"cannot pivot into sysroot: %v", []any{stub.UniqueError(33)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"fchdir ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(32), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, stub.UniqueError(31)),
|
|
call("fatalf", stub.ExpectArgs{"cannot re-enter intermediate root: %v", []any{stub.UniqueError(31)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"unmount ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(30), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, stub.UniqueError(29)),
|
|
call("fatalf", stub.ExpectArgs{"cannot unmount intermediate root: %v", []any{stub.UniqueError(29)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"chdir ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(28), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, stub.UniqueError(27)),
|
|
call("fatalf", stub.ExpectArgs{"cannot enter root: %v", []any{stub.UniqueError(27)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"close ir", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(26), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, stub.UniqueError(25)),
|
|
call("fatalf", stub.ExpectArgs{"cannot close intermediate root: %v", []any{stub.UniqueError(25)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"capAmbientClearAll", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(24), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, stub.UniqueError(23)),
|
|
call("fatalf", stub.ExpectArgs{"cannot clear the ambient capability set: %v", []any{stub.UniqueError(23)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"capBoundingSetDrop", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(22), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, stub.UniqueError(21)),
|
|
call("fatalf", stub.ExpectArgs{"cannot drop capability from bounding set: %v", []any{stub.UniqueError(21)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"capAmbientRaise", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(20), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xc)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xd)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xe)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xf)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x10)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x11)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x12)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x13)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x14)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x16)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x17)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x18)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x19)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1a)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1b)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1c)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1d)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1e)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1f)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x20)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x21)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x22)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x23)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x24)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x25)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
|
call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, stub.UniqueError(19)),
|
|
call("fatalf", stub.ExpectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{stub.UniqueError(19)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"capset", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(18), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xc)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xd)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xe)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xf)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x10)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x11)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x12)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x13)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x14)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x16)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x17)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x18)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x19)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1a)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1b)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1c)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1d)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1e)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1f)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x20)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x21)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x22)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x23)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x24)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x25)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
|
call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
|
|
call("fatalf", stub.ExpectArgs{"cannot capset: %v", []any{stub.UniqueError(17)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"seccompLoad", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(16), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xc)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xd)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xe)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xf)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x10)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x11)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x12)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x13)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x14)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x16)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x17)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x18)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x19)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1a)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1b)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1c)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1d)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1e)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1f)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x20)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x21)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x22)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x23)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x24)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x25)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
|
call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil),
|
|
call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
|
|
call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"start", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, 0, stub.UniqueError(14)),
|
|
call("verbosef", stub.ExpectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{stub.UniqueError(14)}}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei/nonexistent"),
|
|
Path: check.MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(13), nil),
|
|
call("swapVerbose", stub.ExpectArgs{false}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xc)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xd)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xe)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xf)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x10)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x11)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x12)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x13)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x14)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x16)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x17)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x18)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x19)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1a)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1b)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1c)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1d)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1e)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1f)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x20)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x21)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x22)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x23)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x24)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x25)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"syscall filter not configured"}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, nil, stub.UniqueError(12)),
|
|
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(12)}}, nil, nil),
|
|
},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled cancel forward error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
/* entrypoint */
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, 0, stub.UniqueError(11)),
|
|
call("verbosef", stub.ExpectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{stub.UniqueError(11)}}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei/nonexistent"),
|
|
Path: check.MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Nanosecond,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(10), nil),
|
|
call("swapVerbose", stub.ExpectArgs{false}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"syscall filter not configured"}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
|
|
call("suspend", stub.ExpectArgs{}, true, nil),
|
|
call("printf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(10)}}, nil, nil),
|
|
call("New", stub.ExpectArgs{}, nil, nil),
|
|
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, true, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s after process start", []any{"terminated"}}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"forwarding context cancellation"}}, nil, nil),
|
|
// magicWait4Signal as ret causes wait4 stub to unblock
|
|
call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", os.Interrupt}, magicWait4Signal, stub.UniqueError(9)),
|
|
call("printf", stub.ExpectArgs{"cannot forward cancellation: %v", []any{stub.UniqueError(9)}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, false, nil),
|
|
call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
|
|
call("printf", stub.ExpectArgs{"timeout exceeded waiting for lingering processes", ([]any)(nil)}, nil, nil),
|
|
call("beforeExit", stub.ExpectArgs{}, nil, nil),
|
|
call("exit", stub.ExpectArgs{0xce}, nil, nil),
|
|
},
|
|
|
|
/* wait4 */
|
|
Tracks: []stub.Expect{{Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
|
|
// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
|
|
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
|
|
}}},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled cancel", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
/* entrypoint */
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, 0, stub.UniqueError(8)),
|
|
call("verbosef", stub.ExpectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{stub.UniqueError(8)}}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei/nonexistent"),
|
|
Path: check.MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Nanosecond,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil),
|
|
call("swapVerbose", stub.ExpectArgs{false}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"syscall filter not configured"}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
|
|
call("suspend", stub.ExpectArgs{}, true, nil),
|
|
call("printf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
|
|
call("New", stub.ExpectArgs{}, nil, nil),
|
|
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, false, nil),
|
|
call("verbosef", stub.ExpectArgs{"got %s", []any{"interrupt"}}, nil, nil),
|
|
call("beforeExit", stub.ExpectArgs{}, nil, nil),
|
|
call("exit", stub.ExpectArgs{0}, nil, nil),
|
|
},
|
|
|
|
/* wait4 */
|
|
Tracks: []stub.Expect{{Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
|
|
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
|
|
}}},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled timeout", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
/* entrypoint */
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, 0, stub.UniqueError(6)),
|
|
call("verbosef", stub.ExpectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{stub.UniqueError(6)}}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei/nonexistent"),
|
|
Path: check.MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Nanosecond,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(5), nil),
|
|
call("swapVerbose", stub.ExpectArgs{false}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"syscall filter not configured"}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
|
|
call("suspend", stub.ExpectArgs{}, true, nil),
|
|
call("printf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(5)}}, nil, nil),
|
|
call("New", stub.ExpectArgs{}, nil, nil),
|
|
call("notify", stub.ExpectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, true, nil),
|
|
call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
|
|
call("printf", stub.ExpectArgs{"timeout exceeded waiting for lingering processes", ([]any)(nil)}, nil, nil),
|
|
call("beforeExit", stub.ExpectArgs{}, nil, nil),
|
|
call("exit", stub.ExpectArgs{0xce}, nil, nil),
|
|
},
|
|
|
|
/* wait4 */
|
|
Tracks: []stub.Expect{{Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil),
|
|
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil, 0xdeadbeef}, 0, syscall.ECHILD),
|
|
}}},
|
|
}, nil},
|
|
|
|
{"lowlastcap signaled", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
/* entrypoint */
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, 0, stub.UniqueError(4)),
|
|
call("verbosef", stub.ExpectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{stub.UniqueError(4)}}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei/nonexistent"),
|
|
Path: check.MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(3), nil),
|
|
call("swapVerbose", stub.ExpectArgs{false}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"syscall filter not configured"}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
|
|
call("suspend", stub.ExpectArgs{}, true, nil),
|
|
call("printf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(3)}}, nil, nil),
|
|
call("New", stub.ExpectArgs{}, nil, nil),
|
|
call("notify", stub.ExpectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, true, nil),
|
|
call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
|
|
call("beforeExit", stub.ExpectArgs{}, nil, nil),
|
|
call("exit", stub.ExpectArgs{0xce}, nil, nil),
|
|
},
|
|
|
|
/* wait4 */
|
|
Tracks: []stub.Expect{{Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.ENOMEM),
|
|
call("printf", stub.ExpectArgs{"unexpected wait4 response: %v", []any{syscall.ENOMEM}}, nil, nil),
|
|
}}},
|
|
}, nil},
|
|
|
|
{"strangewait nopriv notty noseccomp yamafault", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
/* entrypoint */
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, 0, stub.UniqueError(2)),
|
|
call("verbosef", stub.ExpectArgs{"cannot enable ptrace protection via Yama LSM: %v", []any{stub.UniqueError(2)}}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei/nonexistent"),
|
|
Path: check.MustAbs("/run/current-system/sw/bin/bash"),
|
|
Args: []string{"bash", "-c", "false"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 24,
|
|
Gid: 1 << 47,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompDisable: true,
|
|
ParentPerm: 0750,
|
|
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(1), nil),
|
|
call("swapVerbose", stub.ExpectArgs{false}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("16777216 1971 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("140737488355328 127 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0750)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xc)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xd)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xe)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xf)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x10)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x11)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x12)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x13)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x14)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x16)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x17)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x18)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x19)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1a)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1b)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1c)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1d)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1e)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1f)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x20)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x21)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x22)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x23)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x24)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x25)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, new([2]capData)}, nil, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"syscall filter not configured"}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
|
|
call("suspend", stub.ExpectArgs{}, true, nil),
|
|
call("printf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(1)}}, nil, nil),
|
|
call("New", stub.ExpectArgs{}, nil, nil),
|
|
call("notify", stub.ExpectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, true, nil),
|
|
call("verbosef", stub.ExpectArgs{"initial process exited with code %d", []any{1}}, nil, nil),
|
|
call("beforeExit", stub.ExpectArgs{}, nil, nil),
|
|
call("exit", stub.ExpectArgs{1}, nil, nil),
|
|
},
|
|
|
|
/* wait4 */
|
|
Tracks: []stub.Expect{{Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade0100), 0, nil}, 0xbad, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.ENOMEM),
|
|
call("printf", stub.ExpectArgs{"unexpected wait4 response: %v", []any{syscall.ENOMEM}}, nil, nil),
|
|
}}},
|
|
}, nil},
|
|
|
|
{"success", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
|
|
/* entrypoint */
|
|
Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
call("getpid", stub.ExpectArgs{}, 1, nil),
|
|
call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr), &initParams{Params{
|
|
Dir: check.MustAbs("/.hakurei"),
|
|
Env: []string{"DISPLAY=:0"},
|
|
Path: check.MustAbs("/bin/zsh"),
|
|
Args: []string{"zsh", "-c", "exec vim"},
|
|
ForwardCancel: true,
|
|
AdoptWaitDelay: 5 * time.Second,
|
|
Uid: 1 << 32,
|
|
Gid: 1 << 31,
|
|
Hostname: "hakurei-check",
|
|
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
|
|
SeccompRules: make([]seccomp.NativeRule, 0),
|
|
SeccompPresets: comp.PresetStrict,
|
|
RetainSession: true,
|
|
Privileged: true,
|
|
}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(0), nil),
|
|
call("swapVerbose", stub.ExpectArgs{true}, false, nil),
|
|
call("verbose", stub.ExpectArgs{[]any{"received setup parameters"}}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(1)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/uid_map", []byte("4294967296 1000 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/setgroups", []byte("deny\n"), os.FileMode(0)}, nil, nil),
|
|
call("writeFile", stub.ExpectArgs{"/proc/self/gid_map", []byte("2147483648 100 1\n"), os.FileMode(0)}, nil, nil),
|
|
call("setDumpable", stub.ExpectArgs{uintptr(0)}, nil, nil),
|
|
call("umask", stub.ExpectArgs{0}, 022, nil),
|
|
call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
|
|
call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
|
|
call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
|
|
/* begin early */
|
|
call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
|
|
/* end early */
|
|
call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
|
|
call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{"/proc/self/fd", "host"}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
/* begin apply */
|
|
call("stat", stub.ExpectArgs{"/host"}, isDirFi(true), nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0700)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot", uintptr(0x4001)}}, nil, nil),
|
|
call("bindMount", stub.ExpectArgs{"/host", "/sysroot", uintptr(0x4001), false}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%s %s", []any{"mounting", &MountProcOp{Target: check.MustAbs("/proc/")}}}, nil, nil),
|
|
call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, nil),
|
|
call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
|
|
/* end apply */
|
|
call("mount", stub.ExpectArgs{"host", "host", "", uintptr(0x4c000), ""}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{"host", 2}, nil, nil),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, syscall.EINTR),
|
|
call("open", stub.ExpectArgs{"/", syscall.O_DIRECTORY | syscall.O_RDONLY, uint32(0)}, 1<<35, nil),
|
|
call("chdir", stub.ExpectArgs{"/sysroot"}, nil, nil),
|
|
call("pivotRoot", stub.ExpectArgs{".", "."}, nil, nil),
|
|
call("fchdir", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("unmount", stub.ExpectArgs{".", 2}, nil, nil),
|
|
call("chdir", stub.ExpectArgs{"/"}, nil, nil),
|
|
call("close", stub.ExpectArgs{1 << 35}, nil, nil),
|
|
call("capAmbientClearAll", stub.ExpectArgs{}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x0)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x2)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x3)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x4)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xc)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xd)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xe)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xf)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x10)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x11)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x12)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x13)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x14)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x16)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x17)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x18)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x19)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1a)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1b)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1c)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1d)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1e)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x1f)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x20)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x21)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x22)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x23)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x24)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x25)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
|
|
call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
|
|
call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
|
|
call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil),
|
|
call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
|
|
call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(10), "extra file 0"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(11), "extra file 1"}, (*os.File)(nil), nil),
|
|
call("newFile", stub.ExpectArgs{uintptr(12), "extra file 2"}, (*os.File)(nil), nil),
|
|
call("umask", stub.ExpectArgs{022}, 0, nil),
|
|
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/bin/zsh")}}, nil, nil),
|
|
call("start", stub.ExpectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil),
|
|
call("suspend", stub.ExpectArgs{}, true, nil),
|
|
call("printf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(0)}}, nil, nil),
|
|
call("New", stub.ExpectArgs{}, nil, nil),
|
|
call("notify", stub.ExpectArgs{nil, []os.Signal{syscall.SIGINT, syscall.SIGTERM}}, nil, nil),
|
|
call("resume", stub.ExpectArgs{}, true, nil),
|
|
call("verbosef", stub.ExpectArgs{"initial process exited with status %#x", []any{syscall.WaitStatus(0xfade007f)}}, nil, nil),
|
|
call("beforeExit", stub.ExpectArgs{}, nil, nil),
|
|
call("exit", stub.ExpectArgs{0xff}, nil, nil),
|
|
},
|
|
|
|
/* wait4 */
|
|
Tracks: []stub.Expect{{Calls: []stub.Call{
|
|
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
|
|
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade007f), 0, nil}, 0xcafe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
|
|
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xdeaf), 0, nil}, 0xbabe, nil),
|
|
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.ECHILD),
|
|
}}},
|
|
}, nil},
|
|
})
|
|
}
|
|
|
|
func TestOpsGrow(t *testing.T) {
|
|
t.Parallel()
|
|
ops := new(Ops)
|
|
ops.Grow(1 << 4)
|
|
if got := cap(*ops); got == 0 {
|
|
t.Error("Grow: cap did not increase")
|
|
}
|
|
}
|