Add unit test for SetupLandlock

kailun-qin · kailun-qin · commit 6a698a60ac1c · 2021-09-09T09:45:16.000-04:00
Signed-off-by: Kailun Qin &lt;kailun.qin@intel.com&gt;
diff --git a/libcontainer/specconv/spec_linux_test.go b/libcontainer/specconv/spec_linux_test.go
@@ -2,10 +2,12 @@ package specconv
 
 import (
 	"os"
+	"reflect"
 	"strings"
 	"testing"
 
 	dbus "github.com/godbus/dbus/v5"
+	ll "github.com/landlock-lsm/go-landlock/landlock"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/configs/validate"
 	"github.com/opencontainers/runc/libcontainer/devices"
@@ -185,6 +187,103 @@ func TestSetupSeccompWrongArchitecture(t *testing.T) {
 	}
 }
 
+func TestSetupLandlock(t *testing.T) {
+	conf := &specs.Landlock{
+		Ruleset: &specs.LandlockRuleset{
+			HandledAccessFS: []specs.LandlockFSAction{
+				specs.FSActExecute,
+				specs.FSActWriteFile,
+				specs.FSActReadFile,
+				specs.FSActReadDir,
+				specs.FSActRemoveDir,
+				specs.FSActRemoveFile,
+				specs.FSActMakeChar,
+				specs.FSActMakeDir,
+				specs.FSActMakeReg,
+				specs.FSActMakeSock,
+				specs.FSActMakeFifo,
+				specs.FSActMakeBlock,
+				specs.FSActMakeSym,
+			},
+		},
+		Rules: &specs.LandlockRules{
+			PathBeneath: []specs.LandlockRulePathBeneath{
+				{
+					AllowedAccess: []specs.LandlockFSAction{
+						specs.FSActExecute,
+						specs.FSActReadFile,
+						specs.FSActReadDir,
+					},
+					Paths: []string{
+						"/usr",
+						"/bin",
+					},
+				},
+				{
+					AllowedAccess: []specs.LandlockFSAction{
+						specs.FSActExecute,
+						specs.FSActWriteFile,
+						specs.FSActReadFile,
+						specs.FSActRemoveFile,
+						specs.FSActMakeChar,
+						specs.FSActMakeReg,
+						specs.FSActMakeSock,
+						specs.FSActMakeFifo,
+						specs.FSActMakeBlock,
+						specs.FSActMakeSym,
+					},
+					Paths: []string{
+						"/tmp",
+					},
+				},
+			},
+		},
+		DisableBestEffort: false,
+	}
+
+	landlock, err := SetupLandlock(conf)
+	if err != nil {
+		t.Errorf("Couldn't create Landlock config: %v", err)
+	}
+
+	// Execute | WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar |
+	// MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym
+	expectedRulesetAccess := ll.AccessFSSet(0x1FFF)
+	ruleset := landlock.Ruleset
+	if ruleset.HandledAccessFS != expectedRulesetAccess {
+		t.Errorf("Expected ruleset not found, expected %v, got: %v",
+			expectedRulesetAccess, ruleset.HandledAccessFS)
+	}
+
+	pathRules := landlock.Rules.PathBeneath
+
+	pathRulesLength := len(pathRules)
+	if pathRulesLength != 2 {
+		t.Errorf("Expected 2 path beneath rules, got :%d", pathRulesLength)
+	}
+
+	expectedPathRulesAccess := []configs.RulePathBeneath{
+		{
+			// Execute | ReadFile | ReadDir
+			AllowedAccess: 0xD,
+			Paths:         []string{"/usr", "/bin"},
+		},
+		{
+			// Execute | WriteFile | ReadFile | RemoveFile | MakeChar | MakeReg | MakeSock | MakeFifo |
+			// MakeBlock | MakeSym
+			AllowedAccess: 0x1F67,
+			Paths:         []string{"/tmp"},
+		},
+	}
+
+	for i, rule := range pathRules {
+		if !reflect.DeepEqual(*rule, expectedPathRulesAccess[i]) {
+			t.Errorf("Wrong rule conversion for the rule %d under test, expected %v, got: %v",
+				i, expectedPathRulesAccess[i], rule)
+		}
+	}
+}
+
 func TestSetupSeccomp(t *testing.T) {
 	errnoRet := uint(55)
 	conf := &specs.LinuxSeccomp{
