e2e tests: Add test root readonly (#2976)

* add test root readonly true

Signed-off-by: sat0ken <[email protected]>

* fix test group name

Signed-off-by: sat0ken <[email protected]>

* fix format

Signed-off-by: sat0ken <[email protected]>

* remove blank line

Signed-off-by: sat0ken <[email protected]>

* remove unused import

Signed-off-by: sat0ken <[email protected]>

* fix format err

Signed-off-by: sat0ken <[email protected]>

* remove unnecessary return

Signed-off-by: sat0ken <[email protected]>

* separate test root readonly true and false

Signed-off-by: sat0ken <[email protected]>

* fix format err

Signed-off-by: sat0ken <[email protected]>

* change test_dir_write_access to pub fn to use test

Signed-off-by: sat0ken <[email protected]>

* check root readonly to use test_dir_write_access

Signed-off-by: sat0ken <[email protected]>

* fix format err

Signed-off-by: sat0ken <[email protected]>

* fix format err

Signed-off-by: sat0ken <[email protected]>

* remove blank line

Signed-off-by: sat0ken <[email protected]>

* separate two tests to root_readonly_true and root_readonly_false

Signed-off-by: sat0ken <[email protected]>

* change test_dir_read_access to pub fn to use test

Signed-off-by: sat0ken <[email protected]>

* fix debug message and add check read access

Signed-off-by: sat0ken <[email protected]>

* fix format err

Signed-off-by: sat0ken <[email protected]>

* add root_readonly test to main

Signed-off-by: sat0ken <[email protected]>

* add read access test when root readonly is false

Signed-off-by: sat0ken <[email protected]>

* fox type err

Signed-off-by: sat0ken <[email protected]>

* remove code err to raw os err

Signed-off-by: sat0ken <[email protected]>

* add CreateOptions

Signed-off-by: sat0ken <[email protected]>

---------

Signed-off-by: sat0ken <[email protected]>

tests/contest/contest/src/main.rs

@@ -26,6 +26,7 @@ use crate::tests::process_oom_score_adj::get_process_oom_score_adj_test;
 use crate::tests::process_rlimits::get_process_rlimits_test;
 use crate::tests::process_user::get_process_user_test;
 use crate::tests::readonly_paths::get_ro_paths_test;
+use crate::tests::root_readonly_true::get_root_readonly_test;
 use crate::tests::scheduler::get_scheduler_test;
 use crate::tests::seccomp::get_seccomp_test;
 use crate::tests::seccomp_notify::get_seccomp_notify_test;
@@ -118,6 +119,7 @@ fn main() -> Result<()> {
     let scheduler = get_scheduler_test();
     let io_priority_test = get_io_priority_test();
     let devices = get_devices_test();
+    let root_readonly = get_root_readonly_test();
     let process = get_process_test();
     let process_user = get_process_user_test();
     let process_rlimtis = get_process_rlimits_test();
@@ -146,6 +148,7 @@ fn main() -> Result<()> {
     tm.add_test_group(Box::new(sysctl));
     tm.add_test_group(Box::new(scheduler));
     tm.add_test_group(Box::new(devices));
+    tm.add_test_group(Box::new(root_readonly));
     tm.add_test_group(Box::new(process));
     tm.add_test_group(Box::new(process_user));
     tm.add_test_group(Box::new(process_rlimtis));

tests/contest/contest/src/tests/mod.rs

@@ -16,6 +16,7 @@ pub mod process_oom_score_adj;
 pub mod process_rlimits;
 pub mod process_user;
 pub mod readonly_paths;
+pub mod root_readonly_true;
 pub mod scheduler;
 pub mod seccomp;
 pub mod seccomp_notify;

tests/contest/contest/src/tests/root_readonly_true/mod.rs

@@ -0,0 +1,2 @@
+mod root_readonly_tests;
+pub use root_readonly_tests::get_root_readonly_test;

tests/contest/contest/src/tests/root_readonly_true/root_readonly_tests.rs

@@ -0,0 +1,44 @@
+use anyhow::{Context, Ok, Result};
+use oci_spec::runtime::{ProcessBuilder, RootBuilder, Spec, SpecBuilder};
+use test_framework::{test_result, Test, TestGroup, TestResult};
+
+use crate::utils::test_inside_container;
+use crate::utils::test_utils::CreateOptions;
+
+fn create_spec(readonly: bool) -> Result<Spec> {
+    let spec = SpecBuilder::default()
+        .root(RootBuilder::default().readonly(readonly).build().unwrap())
+        .process(
+            ProcessBuilder::default()
+                .args(vec!["runtimetest".to_string(), "root_readonly".to_string()])
+                .build()
+                .expect("error in creating config"),
+        )
+        .build()
+        .context("failed to build spec")?;
+
+    Ok(spec)
+}
+
+fn root_readonly_true_test() -> TestResult {
+    let spec_true = test_result!(create_spec(true));
+    test_inside_container(spec_true, &CreateOptions::default(), &|_| Ok(()))
+}
+
+fn root_readonly_false_test() -> TestResult {
+    let spec_false = test_result!(create_spec(false));
+    test_inside_container(spec_false, &CreateOptions::default(), &|_| Ok(()))
+}
+
+pub fn get_root_readonly_test() -> TestGroup {
+    let mut root_readonly_test_group = TestGroup::new("root_readonly");
+
+    let test_true = Test::new("root_readonly_true_test", Box::new(root_readonly_true_test));
+    let test_false = Test::new(
+        "root_readonly_false_test",
+        Box::new(root_readonly_false_test),
+    );
+    root_readonly_test_group.add(vec![Box::new(test_true), Box::new(test_false)]);
+
+    root_readonly_test_group
+}

tests/contest/runtimetest/src/main.rs

@@ -44,6 +44,7 @@ fn main() {
         "io_priority_class_be" => tests::test_io_priority_class(&spec, IoprioClassBe),
         "io_priority_class_idle" => tests::test_io_priority_class(&spec, IoprioClassIdle),
         "devices" => tests::validate_devices(&spec),
+        "root_readonly" => tests::test_validate_root_readonly(&spec),
         "process" => tests::validate_process(&spec),
         "process_user" => tests::validate_process_user(&spec),
         "process_rlimits" => tests::validate_process_rlimits(&spec),

tests/contest/runtimetest/src/tests.rs

@@ -16,7 +16,9 @@ use oci_spec::runtime::{
     LinuxDevice, LinuxDeviceType, LinuxSchedulerPolicy, PosixRlimit, PosixRlimitType, Spec,
 };
 
-use crate::utils::{self, test_read_access, test_write_access};
+use crate::utils::{
+    self, test_dir_read_access, test_dir_write_access, test_read_access, test_write_access,
+};
 
 ////////// ANCHOR: example_hello_world
 pub fn hello_world(_spec: &Spec) {
@@ -551,6 +553,42 @@ pub fn test_io_priority_class(spec: &Spec, io_priority_class: IOPriorityClass) {
     }
 }
 
+pub fn test_validate_root_readonly(spec: &Spec) {
+    let root = spec.root().as_ref().unwrap();
+    if root.readonly().unwrap() {
+        if let Err(e) = test_dir_write_access("/") {
+            let errno = Errno::from_raw(e.raw_os_error().unwrap());
+            if errno == Errno::EROFS {
+                /* This is expected */
+            } else {
+                eprintln!(
+                    "readonly root filesystem, error in testing write access for path /, error: {}",
+                    errno
+                );
+            }
+        }
+        if let Err(e) = test_dir_read_access("/") {
+            eprintln!(
+                "readonly root filesystem, but error in testing read access for path /, error: {}",
+                e
+            );
+        }
+    } else {
+        if let Err(e) = test_dir_write_access("/") {
+            eprintln!(
+                "readonly root filesystem is false, but error in testing write access for path /, error: {}",
+                e
+            );
+        }
+        if let Err(e) = test_dir_read_access("/") {
+            eprintln!(
+                "readonly root filesystem is false, but error in testing read access for path /, error: {}",
+                e
+            );
+        }
+    }
+}
+
 pub fn validate_process(spec: &Spec) {
     let process = spec.process().as_ref().unwrap();
     let expected_cwd = process.cwd();

tests/contest/runtimetest/src/utils.rs

@@ -14,7 +14,7 @@ fn test_file_read_access(path: &str) -> Result<(), std::io::Error> {
     Ok(())
 }
 
-fn test_dir_read_access(path: &str) -> Result<(), std::io::Error> {
+pub fn test_dir_read_access(path: &str) -> Result<(), std::io::Error> {
     let _ = std::fs::read_dir(path)?;
     Ok(())
 }
@@ -51,7 +51,7 @@ fn test_file_write_access(path: &str) -> Result<(), std::io::Error> {
     Ok(())
 }
 
-fn test_dir_write_access(path: &str) -> Result<(), std::io::Error> {
+pub fn test_dir_write_access(path: &str) -> Result<(), std::io::Error> {
     let _ = std::fs::OpenOptions::new()
         .create(true)
         .truncate(true)