tests: Add support for running tests with namespace isolation

Signed-off-by: Matej Hrica <[email protected]>

Author: mtjhrc

tests/guest-agent/src/main.rs

@@ -8,7 +8,7 @@ fn run_guest_agent(test_name: &str) -> anyhow::Result<()> {
         .into_iter()
         .find(|t| t.name() == test_name)
         .context("No such test!")?;
-    let TestCase { test, name: _ } = test_case;
+    let TestCase { test, name: _, requires_namespace: _ } = test_case;
     test.in_guest();
     Ok(())
 }

tests/runner/Cargo.toml

@@ -5,7 +5,7 @@ edition = "2021"
 [dependencies]
 test_cases = { path = "../test_cases", features = ["host"] }
 anyhow = "1.0.95"
-nix = { version = "0.29.0", features = ["resource", "fs"] }
+nix = { version = "0.29.0", features = ["resource", "fs", "sched", "user", "process"] }
 macros = { path = "../macros" }
 clap = { version = "4.5.27", features = ["derive"] }
 tempdir = "0.3.7"

tests/runner/src/main.rs

@@ -32,12 +32,75 @@ fn start_vm(test_setup: TestSetup) -> anyhow::Result<()> {
     setrlimit(Resource::RLIMIT_NOFILE, hard_limit, hard_limit)
         .context("setrlimit RLIMIT_NOFILE")?;
 
-    let test = get_test(&test_setup.test_case)?;
-    test.start_vm(test_setup.clone())
-        .with_context(|| format!("testcase: {test_setup:?}"))?;
+    // Check if this test requires a namespace
+    let test_cases = test_cases();
+    let requires_namespace = test_cases
+        .into_iter()
+        .find(|t| t.name == test_setup.test_case)
+        .map(|t| t.requires_namespace)
+        .unwrap_or(false);
+
+    if requires_namespace {
+        setup_namespace_and_run(test_setup)?;
+    } else {
+        let test = get_test(&test_setup.test_case)?;
+        test.start_vm(test_setup.clone())
+            .with_context(|| format!("testcase: {test_setup:?}"))?;
+    }
     Ok(())
 }
 
+fn setup_namespace_and_run(test_setup: TestSetup) -> anyhow::Result<()> {
+    use nix::sched::{unshare, CloneFlags};
+    use nix::unistd::{fork, Gid, Uid, ForkResult};
+    use std::fs;
+
+    // Get our current uid/gid before entering the namespace
+    let uid = Uid::current();
+    let gid = Gid::current();
+
+    // Create a new user namespace, mount namespace, and PID namespace (rootless)
+    unshare(CloneFlags::CLONE_NEWUSER | CloneFlags::CLONE_NEWNS | CloneFlags::CLONE_NEWPID)
+        .context("Failed to unshare user+mount+pid namespace")?;
+
+    // Set up uid_map to map our uid to root (0) in the namespace
+    let uid_map = format!("0 {} 1", uid);
+    fs::write("/proc/self/uid_map", uid_map)
+        .context("Failed to write uid_map")?;
+
+    // Disable setgroups (required before writing gid_map as non-root)
+    fs::write("/proc/self/setgroups", "deny")
+        .context("Failed to write setgroups")?;
+
+    // Set up gid_map to map our gid to root (0) in the namespace
+    let gid_map = format!("0 {} 1", gid);
+    fs::write("/proc/self/gid_map", gid_map)
+        .context("Failed to write gid_map")?;
+
+    // Fork so the child becomes PID 1 in the new PID namespace
+    // This is necessary to be able to mount procfs
+    match unsafe { fork() }.context("Failed to fork")? {
+        ForkResult::Parent { child } => {
+            // Parent waits for child and exits
+            use nix::sys::wait::waitpid;
+            let status = waitpid(child, None).context("Failed to wait for child")?;
+            // Exit with the child's exit code
+            use nix::sys::wait::WaitStatus;
+            match status {
+                WaitStatus::Exited(_, code) => std::process::exit(code),
+                _ => std::process::exit(1),
+            }
+        }
+        ForkResult::Child => {
+            // Child continues - we are now PID 1 in the PID namespace
+            let test = get_test(&test_setup.test_case)?;
+            test.start_vm(test_setup.clone())
+                .with_context(|| format!("testcase: {test_setup:?}"))?;
+            Ok(())
+        }
+    }
+}
+
 fn run_single_test(
     test_case: &str,
     base_dir: &Path,
@@ -162,7 +225,7 @@ fn run_tests(
         let all_tests = test_cases();
         let max_name_len = all_tests.iter().map(|t| t.name.len()).max().unwrap_or(0);
 
-        for TestCase { name, test: _ } in all_tests {
+        for TestCase { name, test: _, requires_namespace: _ } in all_tests {
             results.push(run_single_test(name, &base_dir, keep_all, max_name_len).context(name)?);
         }
     } else {

tests/test_cases/Cargo.toml

@@ -12,6 +12,6 @@ name = "test_cases"
 [dependencies]
 krun-sys = { path = "../../krun-sys", optional = true }
 macros = { path = "../macros" }
-nix = { version = "0.29.0", features = ["socket"] }
+nix = { version = "0.29.0", features = ["socket", "sched", "user", "mount"] }
 anyhow = "1.0.95"
 tempdir = "0.3.7"

tests/test_cases/src/common.rs

@@ -11,6 +11,9 @@ use std::ptr::null;
 use crate::{krun_call, TestSetup};
 use krun_sys::*;
 
+use nix::unistd::{chroot, chdir};
+use std::path::PathBuf;
+
 fn copy_guest_agent(dir: &Path) -> anyhow::Result<()> {
     let path = std::env::var_os("KRUN_TEST_GUEST_AGENT_PATH")
         .context("KRUN_TEST_GUEST_AGENT_PATH env variable not set")?;
@@ -50,3 +53,94 @@ pub fn setup_fs_and_enter(ctx: u32, test_setup: TestSetup) -> anyhow::Result<()>
     }
     unreachable!()
 }
+
+/// Like setup_fs_and_enter, but changes the host process's root to the guest's root
+/// before entering the VM. This is needed for Unix domain socket TSI tests where the
+/// host process needs to access socket paths in the guest filesystem.
+///
+/// This function:
+/// 1. Creates a new user namespace and mount namespace (unshare CLONE_NEWUSER | CLONE_NEWNS)
+/// 2. Sets up uid/gid mappings to become root in the namespace
+/// 3. Changes root to the guest's root directory (chroot)
+/// 4. Then calls krun_start_enter
+///
+/// The before_enter callback is called after chroot but before krun_start_enter, allowing
+/// setup of host-side resources (like Unix domain socket servers) that need to be accessible
+/// at the same paths as the guest will use.
+///
+/// Note: This uses rootless namespaces (user namespaces) so it doesn't require root.
+pub fn setup_fs_and_enter_with_namespace<F>(
+    ctx: u32,
+    test_setup: TestSetup,
+    before_enter: F,
+) -> anyhow::Result<()>
+where
+    F: FnOnce() -> anyhow::Result<()>,
+{
+    let root_dir = test_setup.tmp_dir.join("root");
+    create_dir(&root_dir).context("Failed to create root directory")?;
+
+    // Create necessary directories in the guest root
+    create_dir(root_dir.join("tmp")).context("Failed to create tmp directory")?;
+    create_dir(root_dir.join("dev")).context("Failed to create dev directory")?;
+    create_dir(root_dir.join("proc")).context("Failed to create proc directory")?;
+    create_dir(root_dir.join("sys")).context("Failed to create sys directory")?;
+
+    copy_guest_agent(&root_dir)?;
+
+    // The runner has already set up the namespace for us (user+mount+pid)
+    // We are now root in the user namespace and PID 1 in the PID namespace
+    // Make our mounts private so they don't affect the parent namespace
+    use nix::mount::{mount, MsFlags};
+    mount(
+        None::<&str>,
+        "/",
+        None::<&str>,
+        MsFlags::MS_REC | MsFlags::MS_PRIVATE,
+        None::<&str>,
+    ).context("Failed to make / private")?;
+
+    // Bind mount /dev into the guest root so /dev/kvm is accessible
+    // (we're root in the namespace now)
+    mount(
+        Some("/dev"),
+        root_dir.join("dev").as_path(),
+        None::<&str>,
+        MsFlags::MS_BIND | MsFlags::MS_REC,
+        None::<&str>,
+    ).context("Failed to bind mount /dev")?;
+
+    // Now we can chroot
+    let root_path = PathBuf::from(&root_dir);
+    chroot(&root_path).context("Failed to chroot to guest root")?;
+    chdir("/").context("Failed to chdir to /")?;
+
+    // Mount procfs after chroot with standard proc mount flags
+    mount(
+        Some("proc"),
+        "/proc",
+        Some("proc"),
+        MsFlags::MS_NOSUID | MsFlags::MS_NODEV | MsFlags::MS_NOEXEC,
+        None::<&str>,
+    ).context("Failed to mount procfs")?;
+
+    // Call the before_enter callback to set up host-side resources
+    before_enter().context("before_enter callback failed")?;
+
+    let path_str = CString::new("/").context("CString::new")?;
+    unsafe {
+        krun_call!(krun_set_root(ctx, path_str.as_ptr()))?;
+        krun_call!(krun_set_workdir(ctx, c"/".as_ptr()))?;
+        let test_case_cstr = CString::new(test_setup.test_case).context("CString::new")?;
+        let argv = [test_case_cstr.as_ptr(), null()];
+        let envp = [null()];
+        krun_call!(krun_set_exec(
+            ctx,
+            c"/guest-agent".as_ptr(),
+            argv.as_ptr(),
+            envp.as_ptr(),
+        ))?;
+        krun_call!(krun_start_enter(ctx))?;
+    }
+    unreachable!()
+}

tests/test_cases/src/lib.rs

@@ -91,13 +91,18 @@ pub trait Test {
 pub struct TestCase {
     pub name: &'static str,
     pub test: Box<dyn Test>,
+    pub requires_namespace: bool,
 }
 
 impl TestCase {
     // Your test can be parametrized, so you can add the same test multiple times constructed with
     // different parameters with and specify a different name here.
     pub fn new(name: &'static str, test: Box<dyn Test>) -> Self {
-        Self { name, test }
+        Self { name, test, requires_namespace: false }
+    }
+
+    pub fn new_with_namespace(name: &'static str, test: Box<dyn Test>) -> Self {
+        Self { name, test, requires_namespace: true }
     }
 
     #[allow(dead_code)]