From 0390cb3a61051dd93e206d50591aff5759cf42fc Mon Sep 17 00:00:00 2001 From: Tiago Natel de Moura Date: Thu, 29 Oct 2020 20:30:53 +0000 Subject: Isolation: mounting of procfs by default when using "rootfs". --- test/test_go_isolation.py | 80 +++++++++++++++++++++++++----------- test/test_php_isolation.py | 62 +++++++++++++++++----------- test/test_python_isolation.py | 52 ++++++++++++++--------- test/test_python_isolation_chroot.py | 2 +- test/test_ruby_isolation.py | 27 +++++++----- test/unit/applications/lang/php.py | 14 +++++++ 6 files changed, 158 insertions(+), 79 deletions(-) (limited to 'test') diff --git a/test/test_go_isolation.py b/test/test_go_isolation.py index 9a84aa25..c68925b9 100644 --- a/test/test_go_isolation.py +++ b/test/test_go_isolation.py @@ -226,13 +226,23 @@ class TestGoIsolation(TestApplicationGo): if not self.isolation_key('pid'): pytest.skip('pid namespace is not supported') - if not (is_su or self.isolation_key('unprivileged_userns_clone')): - pytest.skip('requires root or unprivileged_userns_clone') + if not is_su: + if not self.isolation_key('unprivileged_userns_clone'): + pytest.skip('unprivileged clone is not available') - self.load( - 'ns_inspect', - isolation={'namespaces': {'pid': True, 'credential': True}}, - ) + if not self.isolation_key('user'): + pytest.skip('user namespace is not supported') + + if not self.isolation_key('mnt'): + pytest.skip('mnt namespace is not supported') + + isolation = {'namespaces': {'pid': True}} + + if not is_su: + isolation['namespaces']['mount'] = True + isolation['namespaces']['credential'] = True + + self.load('ns_inspect', isolation=isolation) obj = self.getjson()['body'] @@ -269,17 +279,28 @@ class TestGoIsolation(TestApplicationGo): == option.available['features']['isolation'][ns] ), ('%s match' % ns) - def test_go_isolation_rootfs_container(self, temp_dir): - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') + def test_go_isolation_rootfs_container(self, is_su, temp_dir): + if not is_su: + if not self.isolation_key('unprivileged_userns_clone'): + pytest.skip('unprivileged clone is not available') - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') + if not self.isolation_key('user'): + pytest.skip('user namespace is not supported') - isolation = { - 'namespaces': {'mount': True, 'credential': True}, - 'rootfs': temp_dir, - } + if not self.isolation_key('mnt'): + pytest.skip('mnt namespace is not supported') + + if not self.isolation_key('pid'): + pytest.skip('pid namespace is not supported') + + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } self.load('ns_inspect', isolation=isolation) @@ -311,17 +332,28 @@ class TestGoIsolation(TestApplicationGo): obj = self.getjson(url='/?file=/bin/sh')['body'] assert obj['FileExists'] == False, 'file should not exists' - def test_go_isolation_rootfs_default_tmpfs(self, temp_dir): - if not self.isolation_key('unprivileged_userns_clone'): - pytest.skip('unprivileged clone is not available') + def test_go_isolation_rootfs_default_tmpfs(self, is_su, temp_dir): + if not is_su: + if not self.isolation_key('unprivileged_userns_clone'): + pytest.skip('unprivileged clone is not available') - if not self.isolation_key('mnt'): - pytest.skip('mnt namespace is not supported') + if not self.isolation_key('user'): + pytest.skip('user namespace is not supported') - isolation = { - 'namespaces': {'mount': True, 'credential': True}, - 'rootfs': temp_dir, - } + if not self.isolation_key('mnt'): + pytest.skip('mnt namespace is not supported') + + if not self.isolation_key('pid'): + pytest.skip('pid namespace is not supported') + + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } self.load('ns_inspect', isolation=isolation) diff --git a/test/test_php_isolation.py b/test/test_php_isolation.py index ac6942c6..cc660e04 100644 --- a/test/test_php_isolation.py +++ b/test/test_php_isolation.py @@ -26,57 +26,71 @@ class TestPHPIsolation(TestApplicationPHP): return check if not complete_check else check() - def test_php_isolation_rootfs(self, is_su): + def test_php_isolation_rootfs(self, is_su, temp_dir): isolation_features = option.available['features']['isolation'].keys() - if 'mnt' not in isolation_features: - pytest.skip('requires mnt ns') - if not is_su: - if 'user' not in isolation_features: - pytest.skip('requires unprivileged userns or root') - if not 'unprivileged_userns_clone' in isolation_features: pytest.skip('requires unprivileged userns or root') - isolation = { - 'namespaces': {'credential': not is_su, 'mount': True}, - 'rootfs': option.test_dir, - } + if 'user' not in isolation_features: + pytest.skip('user namespace is not supported') + + if 'mnt' not in isolation_features: + pytest.skip('mnt namespace is not supported') + + if 'pid' not in isolation_features: + pytest.skip('pid namespace is not supported') + + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } self.load('phpinfo', isolation=isolation) assert 'success' in self.conf( - '"/php/phpinfo"', 'applications/phpinfo/root' + '"/app/php/phpinfo"', 'applications/phpinfo/root' ) assert 'success' in self.conf( - '"/php/phpinfo"', 'applications/phpinfo/working_directory' + '"/app/php/phpinfo"', 'applications/phpinfo/working_directory' ) assert self.get()['status'] == 200, 'empty rootfs' - def test_php_isolation_rootfs_extensions(self, is_su): + def test_php_isolation_rootfs_extensions(self, is_su, temp_dir): isolation_features = option.available['features']['isolation'].keys() if not is_su: - if 'user' not in isolation_features: - pytest.skip('requires unprivileged userns or root') - if not 'unprivileged_userns_clone' in isolation_features: pytest.skip('requires unprivileged userns or root') + if 'user' not in isolation_features: + pytest.skip('user namespace is not supported') + if 'mnt' not in isolation_features: - pytest.skip('requires mnt ns') + pytest.skip('mnt namespace is not supported') + + if 'pid' not in isolation_features: + pytest.skip('pid namespace is not supported') - isolation = { - 'rootfs': option.test_dir, - 'namespaces': {'credential': not is_su, 'mount': not is_su}, - } + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } self.load('list-extensions', isolation=isolation) assert 'success' in self.conf( - '"/php/list-extensions"', 'applications/list-extensions/root' + '"/app/php/list-extensions"', 'applications/list-extensions/root' ) assert 'success' in self.conf( @@ -85,7 +99,7 @@ class TestPHPIsolation(TestApplicationPHP): ) assert 'success' in self.conf( - '"/php/list-extensions"', + '"/app/php/list-extensions"', 'applications/list-extensions/working_directory', ) diff --git a/test/test_python_isolation.py b/test/test_python_isolation.py index 34abd1df..1a157528 100644 --- a/test/test_python_isolation.py +++ b/test/test_python_isolation.py @@ -29,24 +29,27 @@ class TestPythonIsolation(TestApplicationPython): def test_python_isolation_rootfs(self, is_su, temp_dir): isolation_features = option.available['features']['isolation'].keys() - if 'mnt' not in isolation_features: - pytest.skip('requires mnt ns') - if not is_su: - if 'user' not in isolation_features: - pytest.skip('requires unprivileged userns or root') - if not 'unprivileged_userns_clone' in isolation_features: pytest.skip('requires unprivileged userns or root') - isolation = { - 'namespaces': {'credential': not is_su, 'mount': True}, - 'rootfs': temp_dir, - } + if 'user' not in isolation_features: + pytest.skip('user namespace is not supported') - self.load('empty', isolation=isolation) + if 'mnt' not in isolation_features: + pytest.skip('mnt namespace is not supported') - assert self.get()['status'] == 200, 'python rootfs' + if 'pid' not in isolation_features: + pytest.skip('pid namespace is not supported') + + isolation = {'rootfs': temp_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } self.load('ns_inspect', isolation=isolation) @@ -57,7 +60,7 @@ class TestPythonIsolation(TestApplicationPython): assert ( self.getjson(url='/?path=/proc/self')['body']['FileExists'] - == False + == True ), 'no /proc/self' assert ( @@ -78,22 +81,31 @@ class TestPythonIsolation(TestApplicationPython): def test_python_isolation_rootfs_no_language_deps(self, is_su, temp_dir): isolation_features = option.available['features']['isolation'].keys() - if 'mnt' not in isolation_features: - pytest.skip('requires mnt ns') - if not is_su: - if 'user' not in isolation_features: - pytest.skip('requires unprivileged userns or root') - if not 'unprivileged_userns_clone' in isolation_features: pytest.skip('requires unprivileged userns or root') + if 'user' not in isolation_features: + pytest.skip('user namespace is not supported') + + if 'mnt' not in isolation_features: + pytest.skip('mnt namespace is not supported') + + if 'pid' not in isolation_features: + pytest.skip('pid namespace is not supported') + isolation = { - 'namespaces': {'credential': not is_su, 'mount': True}, 'rootfs': temp_dir, 'automount': {'language_deps': False} } + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } + self.load('empty', isolation=isolation) assert (self.get()['status'] != 200), 'disabled language_deps' diff --git a/test/test_python_isolation_chroot.py b/test/test_python_isolation_chroot.py index 6d178b2e..134d2b8a 100644 --- a/test/test_python_isolation_chroot.py +++ b/test/test_python_isolation_chroot.py @@ -28,7 +28,7 @@ class TestPythonIsolation(TestApplicationPython): assert ( self.getjson(url='/?path=/proc/self')['body']['FileExists'] - == False + == True ), 'no /proc/self' assert ( diff --git a/test/test_ruby_isolation.py b/test/test_ruby_isolation.py index 79c94ba2..69e25de9 100644 --- a/test/test_ruby_isolation.py +++ b/test/test_ruby_isolation.py @@ -29,20 +29,27 @@ class TestRubyIsolation(TestApplicationRuby): def test_ruby_isolation_rootfs_mount_namespace(self, is_su): isolation_features = option.available['features']['isolation'].keys() - if 'mnt' not in isolation_features: - pytest.skip('requires mnt ns') - if not is_su: - if 'user' not in isolation_features: - pytest.skip('requires unprivileged userns or root') - if not 'unprivileged_userns_clone' in isolation_features: pytest.skip('requires unprivileged userns or root') - isolation = { - 'namespaces': {'credential': not is_su, 'mount': True}, - 'rootfs': option.test_dir, - } + if 'user' not in isolation_features: + pytest.skip('user namespace is not supported') + + if 'mnt' not in isolation_features: + pytest.skip('mnt namespace is not supported') + + if 'pid' not in isolation_features: + pytest.skip('pid namespace is not supported') + + isolation = {'rootfs': option.test_dir} + + if not is_su: + isolation['namespaces'] = { + 'mount': True, + 'credential': True, + 'pid': True + } self.load('status_int', isolation=isolation) diff --git a/test/unit/applications/lang/php.py b/test/unit/applications/lang/php.py index 619dfc93..3dbb32f5 100644 --- a/test/unit/applications/lang/php.py +++ b/test/unit/applications/lang/php.py @@ -1,4 +1,7 @@ from conftest import option +import os +import shutil + from unit.applications.proto import TestApplicationProto @@ -8,6 +11,17 @@ class TestApplicationPHP(TestApplicationProto): def load(self, script, index='index.php', **kwargs): script_path = option.test_dir + '/php/' + script + if kwargs.get('isolation') and kwargs['isolation'].get('rootfs'): + rootfs = kwargs['isolation']['rootfs'] + + if not os.path.exists(rootfs + '/app/php/'): + os.makedirs(rootfs + '/app/php/') + + if not os.path.exists(rootfs + '/app/php/' + script): + shutil.copytree(script_path, rootfs + '/app/php/' + script) + + script_path = '/app/php/' + script + self._load_conf( { "listeners": {"*:7080": {"pass": "applications/" + script}}, -- cgit