From 9aa75d4e2e4e431f11f001c81e706e30bade7662 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Mon, 13 Feb 2023 17:27:12 -0800
Subject: [PATCH] tests/int: test for CAP_DAC_OVERRIDE

This is a test case for issue reported as #3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Since the upstream golang is also broken (see [1]), let's skip this test
for Go 1.20 and 1.20.1 (as it's fixed in Go 1.20.2 as per [2]).

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 tests/integration/start_hello.bats | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/integration/start_hello.bats b/tests/integration/start_hello.bats
index 77398c951f2..64df54b309d 100644
--- a/tests/integration/start_hello.bats
+++ b/tests/integration/start_hello.bats
@@ -37,6 +37,36 @@ function teardown() {
 	[[ "${output}" == *"Hello"* ]]
 }
 
+# https://github.com/opencontainers/runc/issues/3715, https://go.dev/issue/58552
+@test "runc run as user with no exec bit but CAP_DAC_OVERRIDE set" {
+	requires root # Can't chown/chmod otherwise.
+	case "$(__runc --version | grep '^go:')" in
+	"go: go1.20" | "go: go1.20.1")
+		skip "go 1.20[.1] is broken; see https://go.dev/issue/58552"
+		;;
+	esac
+
+	# Remove exec perm for everyone but owner (root).
+	chown 0 rootfs/bin/echo
+	chmod go-x rootfs/bin/echo
+
+	# Replace "uid": 0 with "uid": 1000 and do a similar thing for gid.
+	update_config '	  (.. | select(.uid? == 0)) .uid |= 1000
+			| (.. | select(.gid? == 0)) .gid |= 100'
+
+	# Sanity check: make sure we can't run the container w/o CAP_DAC_OVERRIDE.
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+
+	# Enable CAP_DAC_OVERRIDE.
+	update_config '	  .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"]
+			| .process.capabilities.effective += ["CAP_DAC_OVERRIDE"]
+			| .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]'
+
+	runc run test_busybox
+	[ "$status" -eq 0 ]
+}
+
 @test "runc run with rootfs set to ." {
 	cp config.json rootfs/.
 	rm config.json