123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 |
- package oci
- import (
- "testing"
- "github.com/opencontainers/runtime-spec/specs-go"
- "gotest.tools/v3/assert"
- )
- func TestAppendDevicePermissionsFromCgroupRules(t *testing.T) {
- ptr := func(i int64) *int64 { return &i }
- tests := []struct {
- doc string
- rule string
- expected specs.LinuxDeviceCgroup
- expectedErr string
- }{
- {
- doc: "empty rule",
- rule: "",
- expectedErr: `invalid device cgroup rule format: ''`,
- },
- {
- doc: "multiple spaces after first column",
- rule: "c 1:1 rwm",
- expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm'`,
- },
- {
- doc: "multiple spaces after second column",
- rule: "c 1:1 rwm",
- expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm'`,
- },
- {
- doc: "leading spaces",
- rule: " c 1:1 rwm",
- expectedErr: `invalid device cgroup rule format: ' c 1:1 rwm'`,
- },
- {
- doc: "trailing spaces",
- rule: "c 1:1 rwm ",
- expectedErr: `invalid device cgroup rule format: 'c 1:1 rwm '`,
- },
- {
- doc: "unknown device type",
- rule: "z 1:1 rwm",
- expectedErr: `invalid device cgroup rule format: 'z 1:1 rwm'`,
- },
- {
- doc: "invalid device type",
- rule: "zz 1:1 rwm",
- expectedErr: `invalid device cgroup rule format: 'zz 1:1 rwm'`,
- },
- {
- doc: "missing colon",
- rule: "c 11 rwm",
- expectedErr: `invalid device cgroup rule format: 'c 11 rwm'`,
- },
- {
- doc: "invalid device major-minor",
- rule: "c a:a rwm",
- expectedErr: `invalid device cgroup rule format: 'c a:a rwm'`,
- },
- {
- doc: "negative major device",
- rule: "c -1:1 rwm",
- expectedErr: `invalid device cgroup rule format: 'c -1:1 rwm'`,
- },
- {
- doc: "negative minor device",
- rule: "c 1:-1 rwm",
- expectedErr: `invalid device cgroup rule format: 'c 1:-1 rwm'`,
- },
- {
- doc: "missing permissions",
- rule: "c 1:1",
- expectedErr: `invalid device cgroup rule format: 'c 1:1'`,
- },
- {
- doc: "invalid permissions",
- rule: "c 1:1 x",
- expectedErr: `invalid device cgroup rule format: 'c 1:1 x'`,
- },
- {
- doc: "too many permissions",
- rule: "c 1:1 rwmrwm",
- expectedErr: `invalid device cgroup rule format: 'c 1:1 rwmrwm'`,
- },
- {
- doc: "major out of range",
- rule: "c 18446744073709551616:1 rwm",
- expectedErr: `invalid major value in device cgroup rule format: 'c 18446744073709551616:1 rwm'`,
- },
- {
- doc: "minor out of range",
- rule: "c 1:18446744073709551616 rwm",
- expectedErr: `invalid minor value in device cgroup rule format: 'c 1:18446744073709551616 rwm'`,
- },
- {
- doc: "all (a) devices",
- rule: "a 1:1 rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "a", Major: ptr(1), Minor: ptr(1), Access: "rwm"},
- },
- {
- doc: "char (c) devices",
- rule: "c 1:1 rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "rwm"},
- },
- {
- doc: "block (b) devices",
- rule: "b 1:1 rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "b", Major: ptr(1), Minor: ptr(1), Access: "rwm"},
- },
- {
- doc: "char device with rwm permissions",
- rule: "c 7:128 rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(7), Minor: ptr(128), Access: "rwm"},
- },
- {
- doc: "wildcard major",
- rule: "c *:1 rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(-1), Minor: ptr(1), Access: "rwm"},
- },
- {
- doc: "wildcard minor",
- rule: "c 1:* rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(-1), Access: "rwm"},
- },
- {
- doc: "wildcard major and minor",
- rule: "c *:* rwm",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(-1), Minor: ptr(-1), Access: "rwm"},
- },
- {
- doc: "read (r) permission",
- rule: "c 1:1 r",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "r"},
- },
- {
- doc: "write (w) permission",
- rule: "c 1:1 w",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "w"},
- },
- {
- doc: "mknod (m) permission",
- rule: "c 1:1 m",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "m"},
- },
- {
- doc: "mknod (m) and read (r) permission",
- rule: "c 1:1 mr",
- expected: specs.LinuxDeviceCgroup{Allow: true, Type: "c", Major: ptr(1), Minor: ptr(1), Access: "mr"},
- },
- }
- for _, tc := range tests {
- tc := tc
- t.Run(tc.doc, func(t *testing.T) {
- out, err := AppendDevicePermissionsFromCgroupRules([]specs.LinuxDeviceCgroup{}, []string{tc.rule})
- if tc.expectedErr != "" {
- assert.Error(t, err, tc.expectedErr)
- return
- }
- assert.NilError(t, err)
- assert.DeepEqual(t, out, []specs.LinuxDeviceCgroup{tc.expected})
- })
- }
- }
|