
Commit f7493d7

c3dfidencio
authored andcommitted
annotations: Correct unit tests to validate new protections
Add the verification of some basic protections, namely that:
- EnableAnnotations is honored
- Dangerous paths cannot be modified if there is no match
- Errors are returned when expected

Fixes: #3004

Signed-off-by: Christophe de Dinechin <[email protected]>
1 parent e3efe73 commit f7493d7


1 file changed

+82
-3
lines changed


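--- a/virtcontainers/pkg/oci/utils_test.go
+++ b/virtcontainers/pkg/oci/utils_test.go
@@ -703,7 +703,20 @@ func TestAddAssetAnnotations(t *testing.T) {
 Console: consolePath,
 }
 
-addAnnotations(ocispec, &config, runtimeConfig)
+// Try annotations without enabling them first
+err := addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+assert.Exactly(map[string]string{}, config.Annotations)
+
+// Check if annotation not enabled correctly
+runtimeConfig.HypervisorConfig.EnableAnnotations = []string{"nonexistent"}
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+
+// Check that it works if all annotation are enabled
+runtimeConfig.HypervisorConfig.EnableAnnotations = []string{".*"}
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.NoError(err)
 assert.Exactly(expectedAnnotations, config.Annotations)
 }
 
@@ -802,6 +815,9 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 ShimType: vc.KataShimType,
 Console: consolePath,
 }
+runtimeConfig.HypervisorConfig.EnableAnnotations = []string{".*"}
+runtimeConfig.HypervisorConfig.FileBackedMemRootList = []string{"/dev/shm*"}
+runtimeConfig.HypervisorConfig.VirtioFSDaemonList = []string{"/bin/*ls*"}
 
 ocispec.Annotations[vcAnnotations.KernelParams] = "vsyscall=emulate iommu=on"
 addHypervisorConfigOverrides(ocispec, &config, runtimeConfig)
@@ -824,7 +840,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 ocispec.Annotations[vcAnnotations.BlockDeviceCacheDirect] = "true"
 ocispec.Annotations[vcAnnotations.BlockDeviceCacheNoflush] = "true"
 ocispec.Annotations[vcAnnotations.SharedFS] = "virtio-fs"
-ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/home/virtiofsd"
+ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/bin/false"
 ocispec.Annotations[vcAnnotations.VirtioFSCache] = "/home/cache"
 ocispec.Annotations[vcAnnotations.Msize9p] = "512"
 ocispec.Annotations[vcAnnotations.MachineType] = "q35"
@@ -855,7 +871,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 assert.Equal(config.HypervisorConfig.BlockDeviceCacheDirect, true)
 assert.Equal(config.HypervisorConfig.BlockDeviceCacheNoflush, true)
 assert.Equal(config.HypervisorConfig.SharedFS, "virtio-fs")
-assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/home/virtiofsd")
+assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/bin/false")
 assert.Equal(config.HypervisorConfig.VirtioFSCache, "/home/cache")
 assert.Equal(config.HypervisorConfig.Msize9p, uint32(512))
 assert.Equal(config.HypervisorConfig.HypervisorMachineType, "q35")
@@ -886,6 +902,69 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 assert.Error(err)
 }
 
+func TestAddProtectedHypervisorAnnotations(t *testing.T) {
+assert := assert.New(t)
+
+config := vc.SandboxConfig{
+Annotations: make(map[string]string),
+}
+
+ocispec := specs.Spec{
+Annotations: make(map[string]string),
+}
+
+runtimeConfig := RuntimeConfig{
+HypervisorType: vc.QemuHypervisor,
+AgentType: vc.KataContainersAgent,
+ProxyType: vc.KataProxyType,
+ShimType: vc.KataShimType,
+Console: consolePath,
+}
+ocispec.Annotations[vcAnnotations.KernelParams] = "vsyscall=emulate iommu=on"
+err := addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+assert.Exactly(vc.HypervisorConfig{}, config.HypervisorConfig)
+
+// Enable annotations
+runtimeConfig.HypervisorConfig.EnableAnnotations = []string{".*"}
+
+ocispec.Annotations[vcAnnotations.FileBackedMemRootDir] = "/dev/shm"
+ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/bin/false"
+
+config.HypervisorConfig.FileBackedMemRootDir = "do-not-touch"
+config.HypervisorConfig.VirtioFSDaemon = "dangerous-daemon"
+
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+assert.Equal(config.HypervisorConfig.FileBackedMemRootDir, "do-not-touch")
+assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "dangerous-daemon")
+
+// Now enable them and check again
+runtimeConfig.HypervisorConfig.FileBackedMemRootList = []string{"/dev/*m"}
+runtimeConfig.HypervisorConfig.VirtioFSDaemonList = []string{"/bin/*ls*"}
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.NoError(err)
+assert.Equal(config.HypervisorConfig.FileBackedMemRootDir, "/dev/shm")
+assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/bin/false")
+
+// In case an absurd large value is provided, the config value if not over-ridden
+ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "655536"
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+
+ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "-1"
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+
+ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "1"
+ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "-1"
+err = addAnnotations(ocispec, &config, runtimeConfig)
+assert.Error(err)
+
+ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "1"
+assert.Error(err)
+}
+
 func TestAddRuntimeAnnotations(t *testing.T) {
 assert := assert.New(t)
 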
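Review bot: The last check in TestAddProtectedHypervisorAnnotations asserts on a stale error: after `ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "1"` there is no new call to addAnnotations, so `assert.Error(err)` only re-checks the preceding DefaultMaxVCPUs="-1" case and the DefaultVCPUs=1/DefaultMaxVCPUs=1 combination is never exercised. Presumably that final pair is meant to be the accepted one, in which case the lines should read `err = addAnnotations(ocispec, &config, runtimeConfig)` followed by `assert.NoError(err)`; if it is meant to be rejected, the call is still missing. The comment on the "655536" case says the config value is not over-ridden, but none of the vCPU error paths assert on `config.HypervisorConfig.DefaultVCPUs` or `DefaultMaxVCPUs` afterwards, so the protection the commit message describes is not actually verified there — an `assert.Equal` on those fields after each `assert.Error(err)` would close that gap (and the comment's "if not over-ridden" should read "is not overridden"). The same stale-error pattern does not occur in the earlier hunks of this file.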