Add testcase

Signed-off-by: Ruediger Pluem <[email protected]>
opencontainers · Apr 3, 2023 · e6c1d00 · e6c1d00
1 parent 17922e3
commit e6c1d00
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -134,6 +134,8 @@ task:
     cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
     cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
     chown -R rootless.rootless /home/rootless
+    # Allow rootless users to set allow_other as mount option on sshfs mounts
+    echo "user_allow_other" >> /etc/fuse.conf
     # set PATH
     echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
     # Setup ssh localhost for terminal emulation (script -e did not work)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -88,6 +88,8 @@ jobs:
         sudo cp $HOME/rootless.key /home/rootless/.ssh/id_ecdsa
         sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys
         sudo chown -R rootless.rootless /home/rootless
+        # Allow rootless users to set allow_other as mount option on sshfs mounts
+        sudo sh -c "echo user_allow_other >> /etc/fuse.conf"
 
     - name: integration test (fs driver)
       run: sudo -E PATH="$PATH" script -e -c 'make local${{ matrix.rootless }}integration'

diff --git a/Vagrantfile.fedora b/Vagrantfile.fedora
@@ -42,6 +42,9 @@ EOF
     cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
     chown -R rootless.rootless /home/rootless
 
+    # Allow rootless users to set allow_other as mount option on sshfs mounts
+    echo "user_allow_other" >> /etc/fuse.conf
+
     # Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
     mkdir -p /etc/systemd/system/[email protected]
     cat > /etc/systemd/system/[email protected]/delegate.conf << EOF

diff --git a/tests/integration/mounts_sshfs.bats b/tests/integration/mounts_sshfs.bats
@@ -7,16 +7,18 @@ function setup() {
 	local sshfs="sshfs
 		-o UserKnownHostsFile=/dev/null
 		-o StrictHostKeyChecking=no
-		-o PasswordAuthentication=no"
+		-o PasswordAuthentication=no
+		-o allow_other"
 
 	DIR="$BATS_RUN_TMPDIR/fuse-sshfs"
 	mkdir -p "$DIR"
 
-	if ! $sshfs -o ro rootless@localhost: "$DIR"; then
+	if ! $sshfs -o ro,nodev,nosuid,noexec rootless@localhost: "$DIR"; then
 		skip "test requires working sshfs mounts"
 	fi
 
 	setup_busybox
+	mkdir -p rootfs/{proc,sys,tmp,mnt}
 	update_config '.process.args = ["/bin/echo", "Hello World"]'
 }
 
@@ -28,13 +30,21 @@ function teardown() {
 	teardown_bundle
 }
 
-@test "runc run [rw bind mount of a ro fuse sshfs mount]" {
+@test "runc run [rw,dev,exec,suid bind mount of a ro,nodev,nosuid,noexec fuse sshfs mount]" {
+	# The "sync" option is used to trigger a remount with the below options.
+	# It serves no further purpose. Otherwise only a bind mount without
+	# applying the below options will be done.
 	update_config '	  .mounts += [{
 					type: "bind",
 					source: "'"$DIR"'",
 					destination: "/mnt",
-					options: ["rw", "rprivate", "nosuid", "nodev", "rbind"]
+					options: ["rw", "dev", "suid", "exec", "rprivate", "rbind", "sync"]
 				}]'
+	if [ $EUID -eq 0 ]; then
+		update_config '.linux.namespaces += [{type: "user"}]
+				| .linux.uidMappings += [{"hostID": 100000, "containerID": 0, "size": 65534}]
+				| .linux.gidMappings += [{"hostID": 100000, "containerID": 0, "size": 65534}]'
+	fi
 
 	runc run test_busybox
 	[ "$status" -eq 0 ]