linux_mount_label integration test

Signed-off-by: Hiroyuki Moriya <[email protected]>
containers · Feb 25, 2024 · 1d77cf7 · 1d77cf7
1 parent 2681f9c
commit 1d77cf7
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 0 deletions.
diff --git a/tests/contest/contest/src/main.rs b/tests/contest/contest/src/main.rs
@@ -8,6 +8,7 @@ use crate::tests::hostname::get_hostname_test;
 use crate::tests::intel_rdt::get_intel_rdt_test;
 use crate::tests::io_priority::get_io_priority_test;
 use crate::tests::lifecycle::{ContainerCreate, ContainerLifecycle};
+use crate::tests::linux_mount_label::get_linux_mount_label_test;
 use crate::tests::linux_ns_itype::get_ns_itype_tests;
 use crate::tests::mounts_recursive::get_mounts_recursive_test;
 use crate::tests::pidfile::get_pidfile_test;
@@ -109,6 +110,7 @@ fn main() -> Result<()> {
     let sysctl = get_sysctl_test();
     let scheduler = get_scheduler_test();
     let io_priority_test = get_io_priority_test();
+    let linux_mount_label = get_linux_mount_label_test();
 
     tm.add_test_group(Box::new(cl));
     tm.add_test_group(Box::new(cc));
@@ -126,6 +128,7 @@ fn main() -> Result<()> {
     tm.add_test_group(Box::new(seccomp_notify));
     tm.add_test_group(Box::new(ro_paths));
     tm.add_test_group(Box::new(hostname));
+    tm.add_test_group(Box::new(linux_mount_label));
     tm.add_test_group(Box::new(mounts_recursive));
     tm.add_test_group(Box::new(domainname));
     tm.add_test_group(Box::new(intel_rdt));

diff --git a/tests/contest/contest/src/tests/linux_mount_label/linux_mount_label_test.rs b/tests/contest/contest/src/tests/linux_mount_label/linux_mount_label_test.rs
@@ -0,0 +1,44 @@
+use crate::utils::test_inside_container;
+use oci_spec::runtime::{LinuxBuilder, ProcessBuilder, Spec, SpecBuilder};
+use test_framework::{Test, TestGroup, TestResult};
+
+fn create_spec(linux_mount_label: String) -> Spec {
+    SpecBuilder::default()
+        .linux(
+            // Need to reset the read-only paths
+            LinuxBuilder::default()
+                .mount_label(linux_mount_label)
+                .masked_paths(vec![])
+                .build()
+                .expect("error in building linux config"),
+        )
+        .process(
+            ProcessBuilder::default()
+                .args(vec![
+                    "runtimetest".to_string(),
+                    "linux_mount_label".to_string(),
+                ])
+                .build()
+                .expect("error in creating process config"),
+        )
+        .build()
+        .unwrap()
+}
+
+// here we have to manually create and manage the container
+// as the test_inside container does not provide a way to set the pid file argument
+fn test_linux_mount_label() -> TestResult {
+    let spec = create_spec("system_u:object_r:svirt_sandbox_file_t:s0:c715,c811".to_string());
+    test_inside_container(spec, &|_| {
+        // As long as the container is created, we expect the mount label to be determined
+        // by the spec, so nothing to prepare prior.
+        Ok(())
+    })
+}
+
+pub fn get_linux_mount_label_test() -> TestGroup {
+    let linux_mount_label = Test::new("linux_mount_label", Box::new(test_linux_mount_label));
+    let mut tg = TestGroup::new("linux_mount_label");
+    tg.add(vec![Box::new(linux_mount_label)]);
+    tg
+}
diff --git a/tests/contest/contest/src/tests/linux_mount_label/mod.rs b/tests/contest/contest/src/tests/linux_mount_label/mod.rs
@@ -0,0 +1,2 @@
+mod linux_mount_label_test;
+pub use linux_mount_label_test::get_linux_mount_label_test;
diff --git a/tests/contest/contest/src/tests/mod.rs b/tests/contest/contest/src/tests/mod.rs
@@ -6,6 +6,7 @@ pub mod hostname;
 pub mod intel_rdt;
 pub mod io_priority;
 pub mod lifecycle;
+pub mod linux_mount_label;
 pub mod linux_ns_itype;
 pub mod mounts_recursive;
 pub mod pidfile;

diff --git a/tests/contest/runtimetest/src/main.rs b/tests/contest/runtimetest/src/main.rs
@@ -34,6 +34,7 @@ fn main() {
         "readonly_paths" => tests::validate_readonly_paths(&spec),
         "set_host_name" => tests::validate_hostname(&spec),
         "mounts_recursive" => tests::validate_mounts_recursive(&spec),
+        "linux_mount_label" => tests::validate_linux_mount_label(&spec),
         "domainname_test" => tests::validate_domainname(&spec),
         "seccomp" => tests::validate_seccomp(&spec),
         "sysctl" => tests::validate_sysctl(&spec),

diff --git a/tests/contest/runtimetest/src/tests.rs b/tests/contest/runtimetest/src/tests.rs
@@ -6,7 +6,9 @@ use oci_spec::runtime::{
     IOPriorityClass::{self, IoprioClassBe, IoprioClassIdle, IoprioClassRt},
     LinuxSchedulerPolicy, Spec,
 };
+use std::fs::File;
 use std::fs::{self, read_dir};
+use std::io::{self, BufRead};
 use std::mem;
 use std::path::Path;
 
@@ -332,6 +334,29 @@ pub fn validate_sysctl(spec: &Spec) {
     }
 }
 
+pub fn validate_linux_mount_label(spec: &Spec) {
+    let linux = spec.linux().as_ref().unwrap();
+    let target_mount_path = "Tmp/.tmp";
+    if let Some(_expected_mount_label) = linux.mount_label() {
+        let file = match File::open("/proc/self/mountinfo") {
+            Ok(file) => file,
+            Err(_e) => {
+                eprintln!("Error while opening mount file");
+                return;
+            }
+        };
+        let reader = io::BufReader::new(file);
+        for line in reader.lines().map_while(Result::ok) {
+            if line.contains(target_mount_path) {
+                // Because proc/self/mountinfo doesn't include mount_label, just checking target mount path only.
+                return;
+            }
+        }
+        return eprintln!("There are no directory including the path {target_mount_path}");
+    }
+    eprintln!("Failed to get expected_mount_label");
+}
+
 pub fn validate_scheduler_policy(spec: &Spec) {
     let proc = spec.process().as_ref().unwrap();
     let sc = proc.scheduler().as_ref().unwrap();