tests: add functional tests for seccomp

Test KILL and ERRNO actions. Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
opencontainers · Feb 4, 2021 · 0a202ef · 0a202ef
1 parent 089c9d4
commit 0a202ef
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
@@ -22,3 +22,71 @@ function teardown() {
 	runc run test_busybox
 	[ "$status" -eq 0 ]
 }
+
+# TODO:
+# - Test other actions like SCMP_ACT_TRAP, SCMP_ACT_TRACE, SCMP_ACT_LOG.
+# - Test args (index, value, valueTwo, etc).
+
+@test "runc run [seccomp] (SCMP_ACT_ERRNO default)" {
+	update_config '.process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] |
+		.process.noNewPrivileges = false |
+		.linux.seccomp = {
+			"defaultAction":"SCMP_ACT_ALLOW",
+			"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+			"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+		}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"Operation not permitted"* ]]
+}
+
+@test "runc run [seccomp] (SCMP_ACT_ERRNO explicit errno)" {
+	update_config '.process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] |
+		.process.noNewPrivileges = false |
+		.linux.seccomp = {
+			"defaultAction":"SCMP_ACT_ALLOW",
+			"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+			"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
+		}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"Network is down"* ]]
+}
+
+@test "runc run [seccomp] (SCMP_ACT_KILL)" {
+	update_config '.process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] |
+		.process.noNewPrivileges = false |
+		.linux.seccomp = {
+			"defaultAction":"SCMP_ACT_ALLOW",
+			"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+			"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
+		}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+}
+
+# check that a startContainer hook is run with the seccomp filters applied
+@test "runc run [seccomp] (startContainer hook)" {
+	update_config '.process.args = ["/bin/true"] |
+		.linux.seccomp = {
+			"defaultAction":"SCMP_ACT_ALLOW",
+			"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+			"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
+		} |
+		.hooks = {
+			"startContainer": [
+				{
+					"path": "/bin/sh",
+					"args": ["sh", "-c", "mkdir /dev/shm/foo"]
+				}
+			]
+		}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"error running hook"* ]]
+	[[ "$output" == *"bad system call"* ]]
+}