Test for expected capabilities specifically

hashicorp · May 24, 2019 · a1414bd · a1414bd
1 parent e855738
commit a1414bd
Showing 1 changed file with 62 additions and 24 deletions.
diff --git a/drivers/shared/executor/executor_linux_test.go b/drivers/shared/executor/executor_linux_test.go
@@ -44,6 +44,7 @@ func testExecutorCommandWithChroot(t *testing.T) *testExecCmd {
 		"/etc/ld.so.cache":  "/etc/ld.so.cache",
 		"/etc/ld.so.conf":   "/etc/ld.so.conf",
 		"/etc/ld.so.conf.d": "/etc/ld.so.conf.d",
+		"/etc/passwd":       "/etc/passwd",
 		"/lib":              "/lib",
 		"/lib64":            "/lib64",
 		"/usr/lib":          "/usr/lib",
@@ -241,38 +242,75 @@ func TestExecutor_EscapeContainer(t *testing.T) {
 
 func TestExecutor_Capabilities(t *testing.T) {
 	t.Parallel()
-	require := require.New(t)
 	testutil.ExecCompatible(t)
 
-	testExecCmd := testExecutorCommandWithChroot(t)
-	execCmd, allocDir := testExecCmd.command, testExecCmd.allocDir
-	defer allocDir.Destroy()
+	cases := []struct {
+		user string
+		caps string
+	}{
+		{
+			user: "nobody",
+			caps: `
+CapInh:	0000000000000000
+CapPrm:	0000000000000000
+CapEff:	0000000000000000
+CapBnd:	0000003fffffffff
+CapAmb:	0000000000000000`,
+		},
+		{
+			user: "root",
+			caps: `
+CapInh:	0000000000000000
+CapPrm:	0000003fffffffff
+CapEff:	0000003fffffffff
+CapBnd:	0000003fffffffff
+CapAmb:	0000000000000000`,
+		},
+	}
 
-	execCmd.ResourceLimits = true
-	execCmd.Cmd = "/bin/bash"
-	execCmd.Args = []string{"-c", "cat /proc/$$/cmdline"}
+	for _, c := range cases {
+		t.Run(c.user, func(t *testing.T) {
+			require := require.New(t)
 
-	executor := NewExecutorWithIsolation(testlog.HCLogger(t))
-	defer executor.Shutdown("SIGKILL", 0)
+			testExecCmd := testExecutorCommandWithChroot(t)
+			execCmd, allocDir := testExecCmd.command, testExecCmd.allocDir
+			defer allocDir.Destroy()
 
-	_, err := executor.Launch(execCmd)
-	require.NoError(err)
+			execCmd.User = c.user
+			execCmd.ResourceLimits = true
+			execCmd.Cmd = "/bin/bash"
+			execCmd.Args = []string{"-c", "cat /proc/$$/status"}
 
-	ch := make(chan interface{})
-	go func() {
-		executor.Wait(context.Background())
-		close(ch)
-	}()
+			executor := NewExecutorWithIsolation(testlog.HCLogger(t))
+			defer executor.Shutdown("SIGKILL", 0)
 
-	select {
-	case <-ch:
-		// all good
-	case <-time.After(5 * time.Second):
-		require.Fail("timeout waiting for exec to shutdown")
-	}
+			_, err := executor.Launch(execCmd)
+			require.NoError(err)
 
-	output := testExecCmd.stdout.String()
-	require.Empty(output)
+			ch := make(chan interface{})
+			go func() {
+				executor.Wait(context.Background())
+				close(ch)
+			}()
+
+			select {
+			case <-ch:
+				// all good
+			case <-time.After(5 * time.Second):
+				require.Fail("timeout waiting for exec to shutdown")
+			}
+
+			expected := strings.TrimSpace(c.caps)
+			tu.WaitForResult(func() (bool, error) {
+				output := testExecCmd.stdout.String()
+				act := strings.TrimSpace(string(output))
+				if strings.Contains(output, expected) {
+					return false, fmt.Errorf("capabilities didn't match: want\n%v\n; got:\n%v\n", expected, act)
+				}
+				return true, nil
+			}, func(err error) { require.NoError(err) })
+		})
+	}
 
 }