test: add "runc run --no-pivot must not expose bare /proc"

For preventing regression like #2647 Signed-off-by: Akihiro Suda <[email protected]> Signed-off-by: Aleksa Sarai <[email protected]> Signed-off-by: Kir Kolyshkin <[email protected]>
opencontainers · Oct 22, 2020 · 918b7b8 · 918b7b8
1 parent 703b7b4
commit 918b7b8
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/tests/integration/no_pivot.bats b/tests/integration/no_pivot.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	teardown_busybox
+	setup_busybox
+}
+
+function teardown() {
+	teardown_busybox
+}
+
+@test "runc run --no-pivot must not expose bare /proc" {
+	requires root
+
+	update_config '.process.args |= ["unshare", "-mrpf", "sh", "-euxc", "mount -t proc none /proc && echo h > /proc/sysrq-trigger"]'
+
+	runc run --no-pivot test_no_pivot
+	[ "$status" -eq 1 ]
+	[[ "$output" == *"mount: permission denied"* ]]
+}