proc: add pure-resolver sanity tests

cyphar · cyphar · commit 1a81a8a64e07 · 2025-06-19T09:53:06.000+10:00
These are somewhat adapted from the sanity tests for the libpathrs
resolver, but somewhat less extensive (the libpathrs resolver needs
to handle one-shot O_* flags, which we don't support in
filepath-securejoin).

Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/procfs_lookup_linux_test.go b/procfs_lookup_linux_test.go
@@ -0,0 +1,73 @@
+//go:build linux
+
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestProcfsLookupInRoot(t *testing.T) {
+	withWithoutOpenat2(t, true, func(t *testing.T) {
+		// NOTE: We don't actually need root for unsafeHostProcRoot, but we
+		// can't test for that because Go doesn't let you compare function
+		// pointers...
+		requireRoot(t)
+
+		// The openat2 and non-openat2 backends return different error
+		// messages for the breakout case (".." and suspected magic-links).
+		// The main issue is that openat2 just returns -EXDEV and returning
+		// errUnsafeProcfs in all cases of the fallback resolver (for
+		// consistency) doesn't make much sense.
+		breakoutErr := errPossibleBreakout
+		if hasOpenat2() {
+			breakoutErr = errUnsafeProcfs
+		}
+
+		for _, test := range []struct {
+			name          string
+			root, subpath string
+			expectedPath  string
+			expectedErr   error
+		}{
+			{"nonproc-xdev", "/", "proc", "", errUnsafeProcfs},
+			{"proc-nonroot", "/proc/tty", ".", "", errUnsafeProcfs},
+			{"proc-emptypath", "/proc", "", "/proc", nil},
+			{"proc-root-dotdot", "/proc", "1/../..", "", breakoutErr},
+			{"proc-root-dotdot-top", "/proc", "..", "", breakoutErr},
+			{"proc-abs-slash", "/proc", "/", "", breakoutErr},
+			{"proc-abs-path", "/proc", "/etc/passwd", "", breakoutErr},
+			// {"dotdot", "1/..", breakoutErr}, // only errors out for fallback resolver
+			{"proc-uptime", "/proc", "uptime", "/proc/uptime", nil},
+			{"proc-sys-kernel-arch", "/proc", "sys/kernel/arch", "/proc/sys/kernel/arch", nil},
+			{"proc-symlink-nofollow", "/proc", "self", "/proc/self", nil},
+			{"proc-symlink-follow", "/proc", "self/.", fmt.Sprintf("/proc/%d", os.Getpid()), nil},
+			{"proc-self-attr", "/proc", "self/attr/apparmor/exec", fmt.Sprintf("/proc/%d/attr/apparmor/exec", os.Getpid()), nil},
+			{"proc-magiclink-nofollow", "/proc", "self/exe", fmt.Sprintf("/proc/%d/exe", os.Getpid()), nil},
+			{"proc-magiclink-follow", "/proc", "self/cwd/.", "", breakoutErr},
+		} {
+			test := test // copy iterator
+			t.Run(test.name, func(t *testing.T) {
+				root, err := os.Open(test.root)
+				require.NoError(t, err, "open procfs resolver root")
+
+				handle, err := procfsLookupInRoot(root, test.subpath)
+				assert.ErrorIsf(t, err, test.expectedErr, "procfsLookupInRoot(%q)", test.subpath) //nolint:testifylint // this is an isolated operation so we can continue despite an error
+				if handle != nil {
+					handlePath, err := ProcSelfFdReadlink(handle)
+					require.NoError(t, err, "ProcSelfFdReadlink handle")
+					assert.Equal(t, test.expectedPath, handlePath, "ProcSelfFdReadlink of handle")
+					_ = handle.Close()
+				}
+			})
+		}
+	})
+}
