From c9c2bb6bfbe2060bdc6af53ca0d752572b21594d Mon Sep 17 00:00:00 2001
From: chengzrz
Date: Fri, 29 Jul 2022 14:45:20 +0800
Subject: [PATCH 05/15] add a CI test case, checking seccomp option
Signed-off-by: chengzrz
---
CI/test_cases/container_cases/seccomp.sh | 76 +++++++++++++++++++
.../seccomp_profile_without_archmap.json | 11 +++
2 files changed, 87 insertions(+)
create mode 100755 CI/test_cases/container_cases/seccomp.sh
create mode 100644 CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
diff --git a/CI/test_cases/container_cases/seccomp.sh b/CI/test_cases/container_cases/seccomp.sh
new file mode 100755
index 00000000..9e886d10
--- /dev/null
+++ b/CI/test_cases/container_cases/seccomp.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# attributes: isulad seccomp run
+# concurrent: NO
+# spend time: 4
+
+#######################################################################
+##- Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# - iSulad licensed under the Mulan PSL v2.
+# - You can use this software according to the terms and conditions of the Mulan PSL v2.
+# - You may obtain a copy of Mulan PSL v2 at:
+# - http://license.coscl.org.cn/MulanPSL2
+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# - PURPOSE.
+# - See the Mulan PSL v2 for more details.
+##- @Description:CI
+##- @Author: chengzeruizhi
+##- @Create: 2022-07-29
+#######################################################################
+
+curr_path=$(dirname $(readlink -f "$0"))
+test_data_path=$(realpath $curr_path/test_data)
+source ../helpers.sh
+
+function do_pre() {
+ local ret=0
+
+ isula rm -f $(isula ps -qa)
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+
+ return $ret
+}
+
+function do_test() {
+ local ret=0
+
+ msg_info "this is $0 do_test"
+
+ cid1=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with the default seccomp profile" && ((ret++))
+
+ cid2=$(isula run -tid --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with a customized seccomp profile" && ((ret++))
+
+ cid3=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json \
+ --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with multiple seccomp profiles" && ((ret++))
+
+ isula stop "${cid1}" "${cid2}" "${cid3}"
+
+ isula rm -f $(isula ps -qa)
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function do_post() {
+ check_valgrind_log
+ start_isulad_with_valgrind
+}
+
+declare -i ans=0
+
+do_pre || ((ans++))
+
+do_test || ((ans++))
+
+do_post
+
+show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
new file mode 100644
index 00000000..1fade163
--- /dev/null
+++ b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
@@ -0,0 +1,11 @@
+{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "names": ["getcwd"],
+ "action": "SCMP_ACT_ERRNO",
+ "args": null
+ }
+ ]
+
+}
-- 2.25.1
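Review bot: Nothing in do_test of seccomp.sh checks that a seccomp profile is actually enforced: each of the three `isula run` calls is only tested for a zero exit status, so a regression in which `--security-opt seccomp=` is accepted but no filter is installed would still pass. Since seccomp_profile_without_archmap.json returns an error for `getcwd`, the test could probe that from inside cid2 and expect failure, for example `isula exec "${cid2}" /bin/pwd && msg_err "${FUNCNAME[0]}:${LINENO} - getcwd was not blocked by the custom profile" && ((ret++))` (this assumes the busybox `pwd` applet reaches getcwd; confirm on the CI image), and run the same probe in cid1 expecting success. For cid3 the test should also assert which of the two profiles takes effect, because the hunk does not state the intended behaviour when the option is given twice. Separately, `isula rm -f $(isula ps -qa)` in do_pre and do_test removes every container on the host rather than only cid1, cid2 and cid3, and it is invoked with no arguments when no containers exist.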