Merge pull request opencontainers#3416 from kinvolk/rata/seccomp-misc
tests: Improve seccomp-notify test names and description
AkihiroSuda committed Mar 17, 2022
2 parents 51e607f + a99f82a commit 98b75be
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions tests/integration/seccomp-notify.bats
Expand Up @@ -42,20 +42,23 @@ function scmp_act_notify_template() {
# noNewPrivileges, for this reason many of the following cases are tested with
# both values.

# Test basic actions handled by the agent work fine. noNewPrivileges FALSE.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges false)" {
scmp_act_notify_template "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" false '"mkdir"'

runc run test_busybox
[ "$status" -eq 0 ]
}

# Test basic actions handled by the agent work fine. noNewPrivileges TRUE.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges true)" {
scmp_act_notify_template "mkdir /dev/shm/foo && stat /dev/shm/foo-bar" true '"mkdir"'

runc run test_busybox
[ "$status" -eq 0 ]
}

# Test actions not-handled by the agent work fine. noNewPrivileges FALSE.
@test "runc exec [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges false)" {
requires root

Expand All @@ -68,6 +71,7 @@ function scmp_act_notify_template() {
[ "$status" -eq 0 ]
}

# Test actions not-handled by the agent work fine. noNewPrivileges TRUE.
@test "runc exec [seccomp] (SCMP_ACT_NOTIFY noNewPrivileges true)" {
requires root

Expand All @@ -78,21 +82,24 @@ function scmp_act_notify_template() {
[ "$status" -eq 0 ]
}

# Test important syscalls (some might be executed by runc) work fine when handled by the agent. noNewPrivileges FALSE.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY important syscalls noNewPrivileges false)" {
scmp_act_notify_template "/bin/true" false '"execve","openat","open","read","close"'

runc run test_busybox
[ "$status" -eq 0 ]
}

# Test important syscalls (some might be executed by runc) work fine when handled by the agent. noNewPrivileges TRUE.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY important syscalls noNewPrivileges true)" {
scmp_act_notify_template "/bin/true" true '"execve","openat","open","read","close"'

runc run test_busybox
[ "$status" -eq 0 ]
}

@test "runc run [seccomp] (empty listener path)" {
# Ignore listenerPath if the profile doesn't use seccomp notify actions.
@test "runc run [seccomp] (ignore listener path if no notify act)" {
update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo && stat /dev/shm/foo"]
| .linux.seccomp = {
"defaultAction":"SCMP_ACT_ALLOW",
Expand All @@ -104,14 +111,16 @@ function scmp_act_notify_template() {
[ "$status" -eq 0 ]
}

@test "runc run [seccomp] (SCMP_ACT_NOTIFY empty listener path)" {
# Ensure listenerPath is present if the profile uses seccomp notify actions.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY empty listener path and notify act)" {
scmp_act_notify_template "/bin/true" false '"mkdir"'
update_config '.linux.seccomp.listenerPath = ""'

runc run test_busybox
[ "$status" -ne 0 ]
}

# Test using an invalid socket (none listening) as listenerPath fails.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY wrong listener path)" {
scmp_act_notify_template "/bin/true" false '"mkdir"'
update_config '.linux.seccomp.listenerPath = "/some-non-existing-listener-path.sock"'
Expand All @@ -120,7 +129,8 @@ function scmp_act_notify_template() {
[ "$status" -ne 0 ]
}

@test "runc run [seccomp] (SCMP_ACT_NOTIFY abstract listener path)" {
# Test using an invalid abstract socket as listenerPath fails.
@test "runc run [seccomp] (SCMP_ACT_NOTIFY wrong abstract listener path)" {
scmp_act_notify_template "/bin/true" false '"mkdir"'
update_config '.linux.seccomp.listenerPath = "@mysocketishere"'

