tests/int: test for CAP_DAC_OVERRIDE
This is a test case for issue reported as opencontainers#3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Since the upstream golang is also broken (see [1]), let's skip this test
for Go 1.20 and 1.20.1 (as it's fixed in Go 1.20.2 as per [2]).

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin committed Mar 16, 2023
1 parent e927deb commit 9aa75d4
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions tests/integration/start_hello.bats
Expand Up @@ -37,6 +37,36 @@ function teardown() {
[[ "${output}" == *"Hello"* ]]
}

# https://github.com/opencontainers/runc/issues/3715, https://go.dev/issue/58552
@test "runc run as user with no exec bit but CAP_DAC_OVERRIDE set" {
requires root # Can't chown/chmod otherwise.
case "$(__runc --version | grep '^go:')" in
"go: go1.20" | "go: go1.20.1")
skip "go 1.20[.1] is broken; see https://go.dev/issue/58552"
;;
esac

# Remove exec perm for everyone but owner (root).
chown 0 rootfs/bin/echo
chmod go-x rootfs/bin/echo

# Replace "uid": 0 with "uid": 1000 and do a similar thing for gid.
update_config ' (.. | select(.uid? == 0)) .uid |= 1000
| (.. | select(.gid? == 0)) .gid |= 100'

# Sanity check: make sure we can't run the container w/o CAP_DAC_OVERRIDE.
runc run test_busybox
[ "$status" -ne 0 ]

# Enable CAP_DAC_OVERRIDE.
update_config ' .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"]
| .process.capabilities.effective += ["CAP_DAC_OVERRIDE"]
| .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]'

runc run test_busybox
[ "$status" -eq 0 ]
}

@test "runc run with rootfs set to ." {
cp config.json rootfs/.
rm config.json
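Review bot: the negative sanity check `[ "$status" -ne 0 ]` accepts any failure, so a malformed jq expression in the preceding `update_config` call or an unrelated runc error would make it pass for the wrong reason; consider also asserting on the error text, e.g. `[[ "${output}" == *"permission denied"* ]]`, so the check fails specifically because of the missing exec bit. A short comment would also help explain why CAP_DAC_OVERRIDE is added only to `bounding`, `effective` and `permitted` and not to `inheritable`/`ambient`: for a non-root uid the capability is dropped across execve, so the test exercises only the exec permission check performed by runc init, not the capability inside the container.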
