func TestLinuxCapabilitiesSETFCAP() string {
linuxspec, linuxruntimespec := setCapability("CAP_SETFCAP")
linuxspec.Spec.Process.Args = []string{"/sbin/setcap", "CAP_SETFCAP=eip", "/containerend/linuxcapabilities"}
capability := linuxspec.Linux.Capabilities
configFile := "./config.json"
runtimeFile := "./runtime.json"
err := configconvert.LinuxSpecToConfig(configFile, &linuxspec)
err = configconvert.LinuxRuntimeToConfig(runtimeFile, &linuxruntimespec)
out, err := adaptor.StartRunc(configFile, runtimeFile)
var result string
var errout error
if err != nil {
result = manager.UNSPPORTED
errout = errors.New(string(out) + err.Error())
} else if strings.EqualFold(strings.TrimSpace(string(out)), "") {
result = manager.PASSED
errout = nil
} else {
result = manager.FAILED
errout = errors.New("test Capabilities CAP_SETFCAP NOT does''t work")
}
var testResult manager.TestResult
testResult.Set("TestMountTmpfs", capability, errout, result)
return testResult.Marshal()
}
func testCgroupspath(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec) (string, error) {
configFile := "./config.json"
runtimeFile := "./runtime.json"
// check whether the container mounts Cgroup filesystem and get the mount point
hasCgFs := false
var cgmnt string
for k, v := range linuxRuntimeSpec.RuntimeSpec.Mounts {
if strings.EqualFold(v.Type, "cgroup") {
hasCgFs = true
for _, u := range linuxSpec.Spec.Mounts {
if strings.EqualFold(u.Name, k) {
cgmnt = u.Path
}
}
}
}
if hasCgFs == false {
return manager.UNSPPORTED, errors.New("Container doesn't support cgroup")
}
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "find " + cgmnt + "/ -name " + linuxRuntimeSpec.Linux.CgroupsPath}
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
out, err := adaptor.StartRunc(configFile, runtimeFile)
if err != nil {
return manager.UNKNOWNERR, errors.New("StartRunc error :" + out + "," + err.Error())
} else if strings.Contains(out, linuxRuntimeSpec.Linux.CgroupsPath) {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("may be NOT SUPPORT setting cgrouppath")
}
}
// Convert specs obj to json file, and start runc to have a test, return testresult
func testVersion(linuxSpec *specs.LinuxSpec, linuxRuntime *specs.LinuxRuntimeSpec, value bool) (string, error) {
// Convert LinuxSpec to config.json
configFile := "./config.json"
linuxSpec.Spec.Process.Args[0] = "/bin/ls"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
if err != nil {
return manager.UNKNOWNERR, err
}
// Convert LinuxRuntimeSpec to runtime.json
runtimeFile := "./runtime.json"
err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntime)
if err != nil {
return manager.UNKNOWNERR, err
}
// Start runc to have a test
out, err := adaptor.StartRunc(configFile, runtimeFile)
if err != nil {
if value {
return manager.FAILED, errors.New(string(out) + err.Error())
} else {
return manager.PASSED, nil
}
} else {
if value {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("Give wrong value to Version but runc works!")
}
}
}
func testIDmappings(linuxSpec *specs.LinuxSpec, isUid bool, failinfo string) (string, error) {
//test whether the usernamespace works
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
}
outarray := strings.Fields(strings.TrimSpace(out))
outcuid, _ := strconv.ParseInt(outarray[0], 10, 0)
outhuid, _ := strconv.ParseInt(outarray[1], 10, 0)
outsize, _ := strconv.ParseInt(outarray[2], 10, 0)
var incuid, inhuid, insize int32
if isUid {
incuid = linuxSpec.Linux.UIDMappings[0].ContainerID
inhuid = linuxSpec.Linux.UIDMappings[0].HostID
insize = linuxSpec.Linux.UIDMappings[0].Size
} else {
incuid = linuxSpec.Linux.GIDMappings[0].ContainerID
inhuid = linuxSpec.Linux.GIDMappings[0].HostID
insize = linuxSpec.Linux.GIDMappings[0].Size
}
if (int32(outcuid) == incuid) && (int32(outhuid) == inhuid) && (int32(outsize) == insize) {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("test failed because" + failinfo)
}
}
func testRoot(linuxSpec *specs.LinuxSpec, linuxRuntime *specs.LinuxRuntimeSpec, readonlyValue bool, pathValue string) (string, error) {
configFile := "./config.json"
linuxSpec.Spec.Process.Args[0] = "/bin/mount"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
if err != nil {
return manager.UNKNOWNERR, err
}
runtimeFile := "./runtime.json"
err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntime)
if err != nil {
return manager.UNKNOWNERR, err
}
out, err := adaptor.StartRunc(configFile, runtimeFile)
if err != nil {
if pathValue == testPathError {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New(string(out) + err.Error())
}
}
if pathValue == testPathCorrect {
if readonlyValue == true && strings.Contains(out, "(ro,") {
return manager.PASSED, nil
} else if readonlyValue == false && strings.Contains(out, "(rw,") {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("Start runc successful, but get the wrong right of root.")
}
} else {
return manager.UNKNOWNERR, nil
}
}
func testProcessEnv(linuxspec *specs.LinuxSpec, linuxruntime *specs.LinuxRuntimeSpec, supported bool) (string, error) {
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, linuxspec)
if err != nil {
return manager.UNKNOWNERR, errors.New("Got unexpected err when LinuxSpecConfig, plz report to OCT project with a issuse")
}
rFile := "runtime.json"
err = configconvert.LinuxRuntimeToConfig(rFile, linuxruntime)
if err != nil {
return manager.UNKNOWNERR, errors.New("Got unexpected err when LinuxRuntimeToConfig, plz report to OCT project with a issuse")
}
output, err := adaptor.StartRunc(configFile, rFile)
if err != nil {
if supported {
return manager.UNKNOWNERR, errors.New("Can not start runc, maybe runc is not support the specs with these input" + string(output) + "----" + err.Error())
} else {
return manager.PASSED, nil
}
}
value := linuxspec.Spec.Process.Env
res := checkOutEnv(output, value)
if res {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("Input is not compliant with the specs or not supported by runc" + "----" + string(output))
}
}
func testPlatform(linuxSpec *specs.LinuxSpec, linuxRuntime *specs.LinuxRuntimeSpec, osValue string, archValue string) (string, error) {
configFile := "./config.json"
linuxSpec.Spec.Process.Args[0] = "/bin/ls"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
if err != nil {
return manager.UNKNOWNERR, errors.New("Met unexpected LinuxSpecToConfig err, plz report to OCT project with a issuse")
}
rFile := "runtime.json"
err = configconvert.LinuxRuntimeToConfig(rFile, linuxRuntime)
if err != nil {
return manager.UNKNOWNERR, errors.New("Met unexpected LinuxRuntimeToConfig err, plz report to OCT project with a issuse")
}
out, err := adaptor.StartRunc(configFile, rFile)
if err != nil {
if osValue != runtime.GOOS || archValue != runtime.GOARCH {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New(string(out) + err.Error())
}
}
if osValue == runtime.GOOS && archValue == runtime.GOARCH {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("Err: Gived err value to platform, but runc ran well")
}
}
func testRootfsPropagationHost(linuxSpec *specs.LinuxSpec, guestfilename string) (string, error) {
//
configFile := "./config.json"
propagationmode := linuxSpec.Linux.RootfsPropagation
cmd := exec.Command("bash", "-c", "touch rootfs/fspropagationtest/fromhost.txt")
_, err := cmd.Output()
if err != nil {
log.Fatalf("[Specstest] linux rootfs propagation test : touch test file in host error, %v", err)
}
// set the config parameters relative to this case
result := os.Getenv("GOPATH")
if result == "" {
log.Fatalf("utils.setBind error GOPATH == nil")
}
resource := result + "/src/github.com/huawei-openlab/oct/tools/runtimeValidator/containerend"
utils.SetRight(resource, linuxSpec.Process.User.UID, linuxSpec.Process.User.GID)
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "/testtool/" + guestfilename}
testtoolfolder := specs.Mount{"bind", resource, "/testtool", "bind"}
linuxSpec.Spec.Mounts = append(linuxSpec.Spec.Mounts, testtoolfolder)
linuxSpec.Linux.Capabilities = []string{"AUDIT_WRITE", "KILL", "NET_BIND_SERVICE", "SYS_ADMIN"}
linuxSpec.Spec.Root.Readonly = false
err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out_container, err := adaptor.StartRunc(configFile)
cmd = exec.Command("/bin/bash", "-c", "ls rootfs/fspropagationtest")
out_host, err := cmd.Output()
if err != nil {
log.Fatalf("[Specstest] linux rootfs propagation test : read test file from container (in host) error, %v", err)
return manager.UNKNOWNERR, err
}
var flag_container, flag_host bool
if strings.Contains(strings.TrimSpace(out_container), "fromhost.txt") {
flag_container = true
} else {
flag_container = false
}
if strings.Contains(strings.TrimSpace(string(out_host)), "fromcontainer.txt") {
flag_host = true
} else {
flag_container = false
}
switch propagationmode {
case "slave":
if flag_container == true && flag_host == false {
return manager.PASSED, nil
}
case "private":
if flag_container == false && flag_host == false {
return manager.PASSED, nil
}
case "share":
if flag_container && flag_host {
return manager.PASSED, nil
}
}
return manager.FAILED, errors.New("RootfsPropagationmode:" + propagationmode + "failed")
}
func testResources(linuxSpec *specs.LinuxSpec) (string, error) {
fmt.Println("enter test source")
configFile := "./config.json"
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "sleep 10s"}
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
} else {
return manager.PASSED, nil
}
}
func testRootfsPropagationHost(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec, guestfilename string) (string, error) {
configFile := "./config.json"
runtimeFile := "./runtime.json"
propagationmode := linuxRuntimeSpec.Linux.RootfsPropagation
cmd := exec.Command("bash", "-c", "touch rootfs/fspropagationtest/fromhost.txt")
_, err := cmd.Output()
if err != nil {
log.Fatalf("[Specstest] linux rootfs propagation test : touch test file in host error, %v", err)
}
// set the config parameters relative to this case
utils.SetBind(linuxRuntimeSpec, linuxSpec)
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "/containerend/" + guestfilename}
linuxSpec.Linux.Capabilities = []string{"CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"}
linuxSpec.Spec.Root.Readonly = false
err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
out_container, err := adaptor.StartRunc(configFile, runtimeFile)
cmd = exec.Command("/bin/bash", "-c", "ls rootfs/fspropagationtest")
out_host, err := cmd.Output()
if err != nil {
log.Fatalf("[Specstest] linux rootfs propagation test : read test file from container (in host) error, %v", err)
return manager.UNKNOWNERR, err
}
var flag_container, flag_host bool
if strings.Contains(strings.TrimSpace(out_container), "fromhost.txt") {
flag_container = true
} else {
flag_container = false
}
if strings.Contains(strings.TrimSpace(string(out_host)), "fromcontainer.txt") {
flag_host = true
} else {
flag_container = false
}
switch propagationmode {
case "slave":
if flag_container == true && flag_host == false {
return manager.PASSED, nil
}
case "private":
if flag_container == false && flag_host == false {
return manager.PASSED, nil
}
case "share":
if flag_container && flag_host {
return manager.PASSED, nil
}
}
return manager.FAILED, errors.New("RootfsPropagationmode:" + propagationmode + "failed")
}
func testVersion(linuxSpec *specs.LinuxSpec) (string, error) {
configFile := "./config.json"
linuxSpec.Spec.Process.Args[0] = "/bin/ls"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.FAILED, errors.New(string(out) + err.Error())
} else {
return manager.PASSED, nil
}
}
func testResources(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec) (string, error) {
configFile := "./config.json"
runtimeFile := "./runtime.json"
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "sleep 0.5s"}
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
out, err := adaptor.StartRunc(configFile, runtimeFile)
if err != nil {
return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
} else {
return manager.PASSED, nil
}
}
func testSeccomp(linuxSpec *specs.LinuxSpec, failinfo string) (string, error) {
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNKNOWNERR, errors.New("StartRunc error :" + out + "," + err.Error())
} else if strings.EqualFold(strings.TrimSpace(out), "Operation not permitted") {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("test failed because" + failinfo)
}
}
func testMount(linuxSpec *specs.LinuxSpec, failinfo string) (string, error) {
configFile := "./config.json"
linuxSpec.Spec.Process.Args[0] = "/bin/mount"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New(string(out) + err.Error())
} else if strings.Contains(out, "/mountTest") {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("test failed because" + failinfo)
}
}
func testHooks(linuxSpec *specs.LinuxSpec, compare string, failinfo string) (string, error) {
configFile := "./config.json"
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "ls"}
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New(string(out) + err.Error())
} else {
if strings.Contains(strings.TrimSpace(string(out)), compare) {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("test failed because" + failinfo)
}
}
}
func testApparmorProfile(linuxSpec *specs.LinuxSpec, linuxRuntimeSpec *specs.LinuxRuntimeSpec) (string, error) {
out, err := pretest()
configFile := "./config.json"
runtimeFile := "./runtime.json"
err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
err = configconvert.LinuxRuntimeToConfig(runtimeFile, linuxRuntimeSpec)
go adaptor.StartRunc(configFile, runtimeFile)
time.Sleep(time.Second * 1)
out, err = checkapparmorfilefromhost()
if err != nil {
return manager.UNKNOWNERR, errors.New(out + err.Error())
}
return out, err
}
func testPlatform(linuxSpec *specs.LinuxSpec, osValue string, archValue string) (string, error) {
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
linuxSpec.Spec.Process.Args[0] = "/bin/ls"
out, err := adaptor.StartRunc(configFile)
if err != nil {
if osValue == runtime.GOOS && archValue == runtime.GOARCH {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New(string(out) + err.Error())
}
}
if osValue == runtime.GOOS && archValue == runtime.GOARCH {
return manager.PASSED, nil
} else {
return manager.UNKNOWNERR, nil
}
}
func testProcessUser(linuxspec *specs.LinuxSpec, supported bool) (string, error) {
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, linuxspec)
output, err := adaptor.StartRunc(configFile)
if err != nil {
if supported {
return manager.UNKNOWNERR, errors.New("Can not start runc, maybe runc is not support the specs with this config.json" + err.Error())
} else {
return manager.PASSED, nil
}
}
res, errMsg := checkOutUser(output)
if res {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New(errMsg + " in runtime is not compliant with the specs")
}
}
func testProcessEnv(linuxspec *specs.LinuxSpec, supported bool) (string, error) {
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, linuxspec)
output, err := adaptor.StartRunc(configFile)
if err != nil {
if supported {
return manager.UNKNOWNERR, errors.New("Can not start runc, maybe runc is not support the specs with this config.json----" + string(output) + "----" + err.Error())
} else {
return manager.PASSED, nil
}
}
value := linuxSpec.Spec.Process.Env
res := checkOutEnv(output, value)
if res {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("Env in runtime is not compliant with the specs" + "----" + string(output))
}
}
func testSysctls(linuxSpec *specs.LinuxSpec, failinfo string) (string, error) {
configFile := "./config.json"
var key, value string
for k, v := range linuxSpec.Linux.Sysctl {
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "sysctl " + k}
key = k
value = v
}
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New(string(out) + err.Error())
} else {
if strings.EqualFold(strings.TrimSpace(out), key+" = "+value) {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("test failed because" + failinfo)
}
}
}
func testRlimits(linuxSpec *specs.LinuxSpec, rlimitItem string, value string, isSoftLimit bool) (string, error) {
configFile := "./config.json"
if isSoftLimit {
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "ulimit " + rlimitItem + " -S"}
} else {
linuxSpec.Spec.Process.Args = []string{"/bin/bash", "-c", "ulimit " + rlimitItem + " -H"}
}
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New(string(out) + err.Error())
} else {
if strings.EqualFold(strings.TrimSpace(string(out)), value) {
return manager.PASSED, nil
} else {
return manager.FAILED, nil
}
}
}
func TestSuiteLinuxDevicesFull() string {
// copy the testbin into container
var device specs.Device = specs.Device{
Type: 99,
Path: "/dev/full",
Major: 1,
Minor: 7,
Permissions: "rwm",
FileMode: 438,
UID: 0,
GID: 0,
}
linuxSpec = setDevices(device)
gopath := os.Getenv("GOPATH")
if gopath == "" {
log.Fatalf("utils.setBind error GOPATH == nil")
}
resource := gopath + "/src/github.com/huawei-openlab/oct/tools/runtimeValidator/containerend"
utils.SetRight(resource, linuxSpec.Process.User.UID, linuxSpec.Process.User.GID)
testtoolfolder := specs.Mount{"bind", resource, "/testtool", "bind"}
linuxSpec.Spec.Mounts = append(linuxSpec.Spec.Mounts, testtoolfolder)
linuxSpec.Spec.Process.Args[0] = "/testtool/linuxdevicesfull"
configFile := "./config.json"
err := configconvert.LinuxSpecToConfig(configFile, &linuxSpec)
out, err := adaptor.StartRunc(configFile)
var result string
var errout error
if err != nil {
result = manager.UNSPPORTED
errout = errors.New("StartRunc error :" + out + ", " + err.Error())
} else if strings.Contains(strings.TrimSpace(out), "echo: write error: No space left on device") {
result = manager.PASSED
errout = nil
} else {
result = manager.FAILED
errout = errors.New("device /dev/full is NOT effective")
}
var testResult manager.TestResult
testResult.Set("TestSuiteLinuxDevicesFull", device, errout, result)
return testResult.Marshal()
}
func testSElinuxLabel(linuxSpec *specs.LinuxSpec) (string, error) {
selinuxlable := linuxSpec.Linux.SelinuxProcessLabel
//test whether the host supports the selinux
cmdout, err := exec.Command("/bin/bash", "-c", "getenforce").Output()
if err != nil || strings.EqualFold(strings.TrimSpace(string(cmdout)), "Permissive") {
return manager.UNSPPORTED, errors.New("Host Machine doesn't support SElinux")
}
configFile := "./config.json"
linuxSpec.Process.Args = []string{"/bin/bash", "-c", "ps xZ|awk '{print $1}' |sed -n '2p' "}
err = configconvert.LinuxSpecToConfig(configFile, linuxSpec)
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNSPPORTED, errors.New("StartRunc error :" + out + "," + err.Error())
} else {
if strings.EqualFold(strings.TrimSpace(string(out)), label) {
return manager.PASSED, nil
} else {
return manager.FAILED, errors.New("test failed because selinux label is not effective")
}
}
}
func TestLinuxDevicesFull() string {
var device specs.Device = specs.Device{
Type: 99,
Path: "/dev/full",
Major: 1,
Minor: 7,
Permissions: "rwm",
FileMode: 438,
UID: 0,
GID: 0,
}
linuxspec, linuxruntimespec := setDevices(device)
utils.SetBind(&linuxruntimespec, &linuxspec)
linuxspec.Spec.Process.Args[0] = "/containerend/linuxdevicesfull"
configFile := "./config.json"
runtimeFile := "./runtime.json"
err := configconvert.LinuxSpecToConfig(configFile, &linuxspec)
err = configconvert.LinuxRuntimeToConfig(runtimeFile, &linuxruntimespec)
out, err := adaptor.StartRunc(configFile, runtimeFile)
var result string
var errout error
if err != nil {
result = manager.UNSPPORTED
errout = errors.New("StartRunc error :" + out + ", " + err.Error())
} else if strings.Contains(strings.TrimSpace(out), "echo: write error: No space left on device") {
result = manager.PASSED
errout = nil
} else {
result = manager.FAILED
errout = errors.New("device /dev/full is NOT effective")
}
var testResult manager.TestResult
testResult.Set("TestSuiteLinuxDevicesFull", device, errout, result)
return testResult.Marshal()
}
func testApparmorProfile(linuxSpec *specs.LinuxSpec) (string, error) {
configFile := "./config.json"
inputprofilename := linuxSpec.Linux.ApparmorProfile
err := configconvert.LinuxSpecToConfig(configFile, linuxSpec)
cmd := exec.Command("bash", "-c", "cp cases/linuxapparmorprofile/"+inputprofilename+" /etc/apparmor.d")
_, err = cmd.Output()
if err != nil {
log.Fatalf("[runtimeValidator] linux apparmor profile test : copy the apparmor file error, %v", err)
}
out, err := adaptor.StartRunc(configFile)
if err != nil {
return manager.UNKNOWNERR, errors.New(out + err.Error())
}
cmd = exec.Command("bash", "-c", " apparmor_status")
cmdout, err := cmd.Output()
if err != nil {
return manager.UNSPPORTED, errors.New("HOST Machine NOT Support Apparmor")
} else if strings.Contains(strings.TrimSpace(string(cmdout)), inputprofilename) {
return manager.PASSED, nil
} else {
return manager.FAILED, nil
}
}
/**
*container unreused namespace of host
*/
func TestPathEmpty(linuxSpec *specs.LinuxSpec, hostNamespacePath string) (string, error) {
//1. output json file for runc
configfile := "./config.json"
err := configconvert.LinuxSpecToConfig(configfile, linuxSpec)
if err != nil {
log.Fatalf("write config error, %v", err)
}
//2. get container's pid namespace after executing runc
out, err := adaptor.StartRunc(configfile)
if err != nil {
return manager.UNSPPORTED, errors.New(string(out) + err.Error())
//log.Fatalf("write config error, %v\n", errors.New(string(out)+err.Error()))
}
containerNs := strings.TrimSuffix(string(out), "\n")
containerNs = strings.TrimSpace(containerNs)
if containerNs == "" {
log.Fatalf("can not find namespace in container.")
}
//3. get host's all pid namespace
cmd := "readlink " + hostNamespacePath + "|sort -u"
hostNs, err := getHostNs(cmd)
if err != nil {
log.Fatalf("get host namespace error,%v\n", err)
}
//4. juge if the container's pid namespace is not in host namespaces
var result string
if strings.Contains(hostNs, containerNs) {
result = manager.FAILED
} else {
result = manager.PASSED
}
return result, nil
}