unit tests to check privileged mode

This commit is contained in:
Brad Rydzewski
2020-08-17 22:54:55 -04:00
parent e2dada588c
commit 8a8164e2de
2 changed files with 51 additions and 0 deletions


@@ -6,6 +6,7 @@ package compiler
import ( import (
"context" "context"
"path/filepath"
"strings" "strings"
"github.com/drone-runners/drone-runner-docker/engine" "github.com/drone-runners/drone-runner-docker/engine"
@@ -462,6 +463,18 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
if len(step.Entrypoint) > 0 { if len(step.Entrypoint) > 0 {
return false return false
} }
for _, mount := range step.Volumes {
path, _ := filepath.Abs(mount.MountPath)
path = strings.ToLower(path)
switch {
case path == "/":
return false
case path == "/var":
return false
case strings.Contains(path, "/var/run"):
return false
}
}
// if the container image matches any image // if the container image matches any image
// in the whitelist, return true. // in the whitelist, return true.
for _, img := range c.Privileged { for _, img := range c.Privileged {
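Review bot: The error from `filepath.Abs` on the first added line is discarded, so when it fails the loop carries on with an empty or unexpected path, no case matches, and the mount silently passes the check; a guard such as `if err != nil { return false }` keeps it fail-closed. `filepath.Abs` is also the host-OS path package applied to a container-side mount path: it resolves a relative MountPath against the runner's working directory and produces backslash paths on a Windows host, where none of the forward-slash comparisons that follow can match, so `path.Clean` on the slash-separated container path is the right normalization (importing `path` instead of `path/filepath`, with the local variable `path` renamed to avoid shadowing the package). `/var/run` is typically a symlink to `/run` on current distributions, so a mount of `/run` or a path beneath it is not caught by the `/var/run` case and should be listed next to it. isPrivileged begins before this hunk; the whitelist loop that follows is cut off after its first line.
```go
	for _, mount := range step.Volumes {
		// Normalize the container-side path with the slash-only path
		// package: the host-side filepath package would resolve relative
		// paths against the runner's cwd and use backslashes on Windows.
		p := path.Clean("/" + strings.ToLower(mount.MountPath))
		switch {
		case p == "/", p == "/var", p == "/run":
			return false
		case strings.Contains(p, "/var/run"), strings.HasPrefix(p, "/run/"):
			return false
		}
	}
	// … unchanged: whitelist loop over c.Privileged …
```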


@@ -211,3 +211,41 @@ func dump(v interface{}) {
enc.SetIndent("", " ") enc.SetIndent("", " ")
enc.Encode(v) enc.Encode(v)
} }
// This test verifies that privileged whitelisting is disabled when
// certain attributes, such as the entrypoint, command or commands
// are configured.
func TestIsPrivileged(t *testing.T) {
c := new(Compiler)
c.Privileged = []string{"foo"}
if c.isPrivileged(&resource.Step{Image: "foo", Commands: []string{"echo hello", "echo world"}}) {
t.Errorf("Disable privileged mode if commands are specified")
}
if c.isPrivileged(&resource.Step{Image: "foo", Command: []string{"echo hello", "echo world"}}) {
t.Errorf("Disable privileged mode if the Docker command is specified")
}
if c.isPrivileged(&resource.Step{Image: "foo", Entrypoint: []string{"/bin/sh"}}) {
t.Errorf("Disable privileged mode if the Docker entrypoint is specified")
}
if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var/run/docker.sock"}}}) {
t.Errorf("Disable privileged mode if /var/run/docker.sock mounted")
}
if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var"}}}) {
t.Errorf("Disable privileged mode if /var mounted")
}
if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var/"}}}) {
t.Errorf("Disable privileged mode if /var mounted")
}
if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var//"}}}) {
t.Errorf("Disable privileged mode if /var mounted")
}
if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var/run"}}}) {
t.Errorf("Disable privileged mode if /var/run mounted")
}
if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/"}}}) {
t.Errorf("Disable privileged mode if / mounted")
}
if !c.isPrivileged(&resource.Step{Image: "foo"}) {
t.Errorf("Enable privileged mode for privileged image")
}
}
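Review bot: The new cases never exercise the normalization the implementation performs: there is no mixed-case path such as `/VAR/RUN` to confirm the lowercasing, no relative MountPath, and no path under `/run`, which `/var/run` typically resolves to on current systems, so a regression in any of those branches would still pass. The nine near-identical `if` blocks would read better as a table-driven test, `cases := []struct{ name string; step *resource.Step; want bool }{ ... }` ranged with `t.Run`, which also makes adding the missing cases a one-line change. The three `/var` spellings share one message, so a failure would not say which variant broke; include the mount path in the message, e.g. `t.Errorf("Disable privileged mode if %q mounted", mount)`.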