oci_test.go 5.0 KB

  1. package oci
  2. import (
  3. "testing"
  4. "github.com/opencontainers/runtime-spec/specs-go"
  5. "gotest.tools/v3/assert"
  6. )
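// TestAppendDevicePermissionsFromCgroupRules feeds one device cgroup rule at a
// time to AppendDevicePermissionsFromCgroupRules and checks either the exact
// error message or the single specs.LinuxDeviceCgroup entry that is appended.
//
// Every accepted rule in this table becomes an entry with Allow: true, i.e. it
// grants device access, so the rejection cases matter as much as the accepted
// ones: a rule that does not match "<type> <major>:<minor> <perms>" exactly
// must produce an error instead of being interpreted loosely.
func TestAppendDevicePermissionsFromCgroupRules(t *testing.T) {
	ptr := func(i int64) *int64 { return &i }

	tests := []struct {
		doc         string
		rule        string
		expected    specs.LinuxDeviceCgroup
		expectedErr string
	}{
		{
			doc:         "empty rule",
			rule:        "",
			expectedErr: `invalid device cgroup rule format: ''`,
		},
		// The next two cases need two consecutive spaces in the rule. With a
		// single space they are byte-identical to the valid "char (c) devices"
		// rule below and would contradict it, so keep the doubled space when
		// editing or reformatting this table.
		{
			doc:         "multiple spaces after first column",
			rule:        "c  1:1 rwm",
			expectedErr: `invalid device cgroup rule format: 'c  1:1 rwm'`,
		},
		{
			doc:         "multiple spaces after second column",
			rule:        "c 1:1  rwm",
			expectedErr: `invalid device cgroup rule format: 'c 1:1  rwm'`,
		},
		{
			doc:         "leading spaces",
			rule:        " c 1:1 rwm",
			expectedErr: `invalid device cgroup rule format: ' c 1:1 rwm'`,
		},
		{
			doc:         "trailing spaces",
			rule:        "c 1:1 rwm ",
			expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm '`,
		},
		{
			doc:         "unknown device type",
			rule:        "z 1:1 rwm",
			expectedErr: `invalid device cgroup rule format: 'z 1:1 rwm'`,
		},
		{
			doc:         "invalid device type",
			rule:        "zz 1:1 rwm",
			expectedErr: `invalid device cgroup rule format: 'zz 1:1 rwm'`,
		},
		{
			doc:         "missing colon",
			rule:        "c 11 rwm",
			expectedErr: `invalid device cgroup rule format: 'c 11 rwm'`,
		},
		{
			doc:         "invalid device major-minor",
			rule:        "c a:a rwm",
			expectedErr: `invalid device cgroup rule format: 'c a:a rwm'`,
		},
		// A literal negative number is rejected even though the wildcard "*"
		// is reported as -1 in the wildcard cases further down: -1 can only be
		// reached through "*", never by spelling it out.
		{
			doc:         "negative major device",
			rule:        "c -1:1 rwm",
			expectedErr: `invalid device cgroup rule format: 'c -1:1 rwm'`,
		},
		{
			doc:         "negative minor device",
			rule:        "c 1:-1 rwm",
			expectedErr: `invalid device cgroup rule format: 'c 1:-1 rwm'`,
		},
		{
			doc:         "missing permissions",
			rule:        "c 1:1",
			expectedErr: `invalid device cgroup rule format: 'c 1:1'`,
		},
		{
			doc:         "invalid permissions",
			rule:        "c 1:1 x",
			expectedErr: `invalid device cgroup rule format: 'c 1:1 x'`,
		},
		{
			doc:         "too many permissions",
			rule:        "c 1:1 rwmrwm",
			expectedErr: `invalid device cgroup rule format: 'c 1:1 rwmrwm'`,
		},
		// 18446744073709551616 is 2^64. These rules are well-formed but the
		// number cannot be represented, and the expected message differs from
		// the format errors above ("invalid major/minor value").
		{
			doc:         "major out of range",
			rule:        "c 18446744073709551616:1 rwm",
			expectedErr: `invalid major value in device cgroup rule format: 'c 18446744073709551616:1 rwm'`,
		},
		{
			doc:         "minor out of range",
			rule:        "c 1:18446744073709551616 rwm",
			expectedErr: `invalid minor value in device cgroup rule format: 'c 1:18446744073709551616 rwm'`,
		},
		{
			doc:      "all (a) devices",
			rule:     "a 1:1 rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "a", Major: ptr(1), Minor: ptr(1), Access: "rwm"},
		},
		{
			doc:      "char (c) devices",
			rule:     "c 1:1 rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "rwm"},
		},
		{
			doc:      "block (b) devices",
			rule:     "b 1:1 rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "b", Major: ptr(1), Minor: ptr(1), Access: "rwm"},
		},
		{
			doc:      "char device with rwm permissions",
			rule:     "c 7:128 rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(7), Minor: ptr(128), Access: "rwm"},
		},
		// A wildcard is expected to come back as -1 in the matching field.
		{
			doc:      "wildcard major",
			rule:     "c *:1 rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(-1), Minor: ptr(1), Access: "rwm"},
		},
		{
			doc:      "wildcard minor",
			rule:     "c 1:* rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(-1), Access: "rwm"},
		},
		{
			doc:      "wildcard major and minor",
			rule:     "c *:* rwm",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(-1), Minor: ptr(-1), Access: "rwm"},
		},
		{
			doc:      "read (r) permission",
			rule:     "c 1:1 r",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "r"},
		},
		{
			doc:      "write (w) permission",
			rule:     "c 1:1 w",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "w"},
		},
		{
			doc:      "mknod (m) permission",
			rule:     "c 1:1 m",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "m"},
		},
		// The access string is expected back exactly as written ("mr", not
		// reordered to "rm").
		{
			doc:      "mknod (m) and read (r) permission",
			rule:     "c 1:1 mr",
			expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "mr"},
		},
	}

	for _, tc := range tests {
		tc := tc // pin the loop variable for the closure (needed before Go 1.22)
		t.Run(tc.doc, func(t *testing.T) {
			out, err := AppendDevicePermissionsFromCgroupRules([]specs.LinuxDeviceCgroup{}, []string{tc.rule})
			if tc.expectedErr != "" {
				// assert.Error compares the whole message, so the rule must
				// be echoed back byte-for-byte inside the quotes.
				assert.Error(t, err, tc.expectedErr)
				return
			}
			assert.NilError(t, err)
			assert.DeepEqual(t, out, []specs.LinuxDeviceCgroup{tc.expected})
		})
	}
}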