
Commit 23f4d31

committed
tests: improve rootless_cg testing
This ensures that we don't hard-code the set of cgroups on the host, as well as making the permissions granted by rootless.sh much more restrictive (to improve the scope of testing). Signed-off-by: Aleksa Sarai <[email protected]>
1 parent ca4f427 commit 23f4d31


1 file changed

+25
-3
lines changed


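--- a/tests/rootless.sh
+++ b/tests/rootless.sh
@@ -59,15 +59,37 @@ function disable_idmap() {
 # resource limits on condition that cgroupsPath is set to a path the
 # rootless user has permissions on.
 
+# List of cgroups. We handle name= cgroups as well as combined
+# (comma-separated) cgroups and correctly split and/or strip them.
+ALL_CGROUPS=( $(cat /proc/self/cgroup | cut -d: -f2 | sed -E '{s/^name=//;s/,/\n/;/^$/D}') )
+CGROUP_MOUNT="/sys/fs/cgroup"
+CGROUP_PATH="/runc-cgroups-integration-test"
+
 function enable_cgroup() {
 # Set up cgroups for use in rootless containers.
-mkdir -p /sys/fs/cgroup/{blkio,cpu,cpuacct,cpuset,devices,freezer,hugetlb,memory,net_cls,net_prio,openrc,perf_event,pids,systemd}/runc-cgroups-integration-test
-chown rootless:rootless -R /sys/fs/cgroup/*/runc-cgroups-integration-test
+for cg in "${ALL_CGROUPS[@]}"
+do
+mkdir -p "$CGROUP_MOUNT/$cg$CGROUP_PATH"
+# We only need to allow write access to {cgroup.procs,tasks} and the
+# directory. Rather than changing the owner entirely, we just change
+# the group and then allow write access to the group (in order to
+# further limit the possible DAC permissions that runc could use).
+chown root:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/"{,cgroup.procs,tasks}
+chmod g+rwx "$CGROUP_MOUNT/$cg$CGROUP_PATH/"{,cgroup.procs,tasks}
+# Due to cpuset's semantics we need to give extra permissions to allow
+# for runc to set up the hierarchy. XXX: This really shouldn't be
+# necessary, and might actually be a bug in our impl of cgroup
+# handling.
+[[ "$cg" == "cpuset" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpuset."{cpus,mems}
+done
 }
 
 function disable_cgroup() {
 # Remove cgroups used in rootless containers.
-[ -d /sys/fs/cgroup/devices/runc-cgroups-integration-test ] && rmdir /sys/fs/cgroup/*/runc-cgroups-integration-test
+for cg in "${ALL_CGROUPS[@]}"
+do
+[ -d "$CGROUP_MOUNT/$cg$CGROUP_PATH" ] && rmdir "$CGROUP_MOUNT/$cg$CGROUP_PATH"
+done
 }
 
 # Create a powerset of $ALL_FEATURES (the set of all subsets of $ALL_FEATURES).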
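Review bot: The sed expression that fills `ALL_CGROUPS` uses `s/,/\n/` without the `g` flag, so a combined hierarchy listing three or more controllers leaves a comma-joined remainder as a single array element; `s/,/\n/g` splits them all. In `enable_cgroup`, `mkdir -p "$CGROUP_MOUNT/$cg$CGROUP_PATH"` also creates the parent when that name is not a mounted hierarchy under `$CGROUP_MOUNT` (for example a `name=` hierarchy mounted elsewhere), so the loop would likely leave a plain directory behind and the following `chown`/`chmod` would fail on the missing `cgroup.procs` without stopping the run; a guard such as `[[ -d "$CGROUP_MOUNT/$cg" ]] || continue` before the `mkdir` keeps the permission setup tied to real cgroup directories. Both loops also end on a `[[ … ]] && cmd` or `[ … ] && cmd` list, so each function returns non-zero whenever the last array entry fails the test, which matters if the caller runs under `set -e` (not visible in this hunk); an explicit `if` avoids that.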
