2019-10-22 21:36:22 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
Add support for parsing Linux Capabilities for older OCI specs
This was added to fix a regression with support for the default runc
shipped with CentOS 7.
The version of runc that is installed by default on CentOS 7 is
1.0.0-rc2 which uses OCI spec 1.0.0-rc2-dev.
This is a prerelease of the OCI spec, which defines the capabilities
section of a process configuration to be a flat list of capabilities
(e.g. SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc2/config.md#process-configuration
By the time the official 1.0.0 version of the OCI spec came out, the
capabilities section of a process configuration was expanded to include
embedded fields for effective, bounding, inheritable, permitted and
ambient (each of which can contain a flat list of capabilities of the
form SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#linux-process
Previously, we only inspected the capabilities section of a process
configuration assuming it was in the format of OCI spec 1.0.0.
This patch makes sure we can parse the capaibilites in either format.
Signed-off-by: Kevin Klues <kklues@nvidia.com>
2020-06-03 19:19:31 +00:00
|
|
|
"encoding/json"
|
2020-07-23 12:57:17 +00:00
|
|
|
"testing"
|
2021-06-07 11:31:41 +00:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2019-10-22 21:36:22 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestParseCudaVersionValid(t *testing.T) {
|
|
|
|
var tests = []struct {
|
|
|
|
version string
|
|
|
|
expected [3]uint32
|
|
|
|
}{
|
|
|
|
{"0", [3]uint32{0, 0, 0}},
|
|
|
|
{"8", [3]uint32{8, 0, 0}},
|
|
|
|
{"7.5", [3]uint32{7, 5, 0}},
|
|
|
|
{"9.0.116", [3]uint32{9, 0, 116}},
|
|
|
|
{"4294967295.4294967295.4294967295", [3]uint32{4294967295, 4294967295, 4294967295}},
|
|
|
|
}
|
2021-06-07 11:31:41 +00:00
|
|
|
for i, c := range tests {
|
2019-10-22 21:36:22 +00:00
|
|
|
vmaj, vmin, vpatch := parseCudaVersion(c.version)
|
|
|
|
|
2021-06-07 11:31:41 +00:00
|
|
|
version := [3]uint32{vmaj, vmin, vpatch}
|
2019-10-22 21:36:22 +00:00
|
|
|
|
2021-06-07 11:31:41 +00:00
|
|
|
require.Equal(t, c.expected, version, "%d: %v", i, c)
|
|
|
|
}
|
2019-10-22 21:36:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestParseCudaVersionInvalid(t *testing.T) {
|
|
|
|
var tests = []string{
|
|
|
|
"foo",
|
|
|
|
"foo.5.10",
|
|
|
|
"9.0.116.50",
|
|
|
|
"9.0.116foo",
|
|
|
|
"7.foo",
|
|
|
|
"9.0.bar",
|
|
|
|
"9.4294967296",
|
|
|
|
"9.0.116.",
|
|
|
|
"9..0",
|
|
|
|
"9.",
|
|
|
|
".5.10",
|
|
|
|
"-9",
|
|
|
|
"+9",
|
|
|
|
"-9.1.116",
|
|
|
|
"-9.-1.-116",
|
|
|
|
}
|
|
|
|
for _, c := range tests {
|
2021-06-07 11:31:41 +00:00
|
|
|
require.Panics(t, func() {
|
2019-10-22 21:36:22 +00:00
|
|
|
parseCudaVersion(c)
|
2021-06-07 11:31:41 +00:00
|
|
|
}, "parseCudaVersion(%v)", c)
|
2019-10-22 21:36:22 +00:00
|
|
|
}
|
|
|
|
}
|
Add support for parsing Linux Capabilities for older OCI specs
This was added to fix a regression with support for the default runc
shipped with CentOS 7.
The version of runc that is installed by default on CentOS 7 is
1.0.0-rc2 which uses OCI spec 1.0.0-rc2-dev.
This is a prerelease of the OCI spec, which defines the capabilities
section of a process configuration to be a flat list of capabilities
(e.g. SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc2/config.md#process-configuration
By the time the official 1.0.0 version of the OCI spec came out, the
capabilities section of a process configuration was expanded to include
embedded fields for effective, bounding, inheritable, permitted and
ambient (each of which can contain a flat list of capabilities of the
form SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#linux-process
Previously, we only inspected the capabilities section of a process
configuration assuming it was in the format of OCI spec 1.0.0.
This patch makes sure we can parse the capaibilites in either format.
Signed-off-by: Kevin Klues <kklues@nvidia.com>
2020-06-03 19:19:31 +00:00
|
|
|
|
|
|
|
func TestIsPrivileged(t *testing.T) {
|
|
|
|
var tests = []struct {
|
|
|
|
spec string
|
|
|
|
expected bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
`
|
|
|
|
{
|
|
|
|
"ociVersion": "1.0.0",
|
|
|
|
"process": {
|
|
|
|
"capabilities": {
|
|
|
|
"bounding": [ "CAP_SYS_ADMIN" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`,
|
|
|
|
true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
`
|
|
|
|
{
|
|
|
|
"ociVersion": "1.0.0",
|
|
|
|
"process": {
|
|
|
|
"capabilities": {
|
|
|
|
"bounding": [ "CAP_SYS_OTHER" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`,
|
|
|
|
false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
`
|
|
|
|
{
|
|
|
|
"ociVersion": "1.0.0",
|
|
|
|
"process": {}
|
|
|
|
}
|
|
|
|
`,
|
|
|
|
false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
`
|
|
|
|
{
|
|
|
|
"ociVersion": "1.0.0-rc2-dev",
|
|
|
|
"process": {
|
|
|
|
"capabilities": [ "CAP_SYS_ADMIN" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`,
|
|
|
|
true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
`
|
|
|
|
{
|
|
|
|
"ociVersion": "1.0.0-rc2-dev",
|
|
|
|
"process": {
|
|
|
|
"capabilities": [ "CAP_SYS_OTHER" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`,
|
|
|
|
false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
`
|
|
|
|
{
|
|
|
|
"ociVersion": "1.0.0-rc2-dev",
|
|
|
|
"process": {}
|
|
|
|
}
|
|
|
|
`,
|
|
|
|
false,
|
|
|
|
},
|
|
|
|
}
|
2021-06-07 11:31:41 +00:00
|
|
|
for i, tc := range tests {
|
Add support for parsing Linux Capabilities for older OCI specs
This was added to fix a regression with support for the default runc
shipped with CentOS 7.
The version of runc that is installed by default on CentOS 7 is
1.0.0-rc2 which uses OCI spec 1.0.0-rc2-dev.
This is a prerelease of the OCI spec, which defines the capabilities
section of a process configuration to be a flat list of capabilities
(e.g. SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc2/config.md#process-configuration
By the time the official 1.0.0 version of the OCI spec came out, the
capabilities section of a process configuration was expanded to include
embedded fields for effective, bounding, inheritable, permitted and
ambient (each of which can contain a flat list of capabilities of the
form SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#linux-process
Previously, we only inspected the capabilities section of a process
configuration assuming it was in the format of OCI spec 1.0.0.
This patch makes sure we can parse the capaibilites in either format.
Signed-off-by: Kevin Klues <kklues@nvidia.com>
2020-06-03 19:19:31 +00:00
|
|
|
var spec Spec
|
|
|
|
_ = json.Unmarshal([]byte(tc.spec), &spec)
|
|
|
|
privileged := isPrivileged(&spec)
|
2021-06-07 11:31:41 +00:00
|
|
|
|
|
|
|
require.Equal(t, tc.expected, privileged, "%d: %v", i, tc)
|
Add support for parsing Linux Capabilities for older OCI specs
This was added to fix a regression with support for the default runc
shipped with CentOS 7.
The version of runc that is installed by default on CentOS 7 is
1.0.0-rc2 which uses OCI spec 1.0.0-rc2-dev.
This is a prerelease of the OCI spec, which defines the capabilities
section of a process configuration to be a flat list of capabilities
(e.g. SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc2/config.md#process-configuration
By the time the official 1.0.0 version of the OCI spec came out, the
capabilities section of a process configuration was expanded to include
embedded fields for effective, bounding, inheritable, permitted and
ambient (each of which can contain a flat list of capabilities of the
form SYS_ADMIN, SYS_PTRACE, SYS_RAWIO, etc.)
https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#linux-process
Previously, we only inspected the capabilities section of a process
configuration assuming it was in the format of OCI spec 1.0.0.
This patch makes sure we can parse the capaibilites in either format.
Signed-off-by: Kevin Klues <kklues@nvidia.com>
2020-06-03 19:19:31 +00:00
|
|
|
}
|
|
|
|
}
|