[PATCH 3/4] Azure: Add loop devices and CAP_SYS_ADMIN for sandbox test.py tests

Fri Jun 4 21:02:05 CEST 2021

The filesystem test setup needs to prepare disk images for its tests,
with either guestmount or loop mounts. The former requires access to the
host fuse device (added in a previous patch), the latter requires access
to host loop devices. Both mounts also need additional privileges since
docker's default configuration prevents the containers from mounting
filesystems (for host security).

Add any available loop devices to the container and try to add as few
privileges as possible to run these tests, which narrow down to adding
SYS_ADMIN capability and disabling apparmor confinement. However, this
much still seems to be insecure enough to let malicious container
processes escape as root on the host system [1].

[1] https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

Since the mentioned tests are marked to run only on the sandbox board,
add these additional devices and privileges only when testing with that.

An alternative to using mounts is modifying the filesystem tests to use
virt-make-fs (like some EFI tests do), but it fails to generate a
partitionless FAT filesystem image on Debian systems. Other more
feasible alternatives are using guestfish or directly using libguestfs
Python bindings to create and populate the images, but switching the
test setups to these is nontrivial and is left as future work.

Signed-off-by: Alper Nebi Yasak <alpernebiyasak at gmail.com>
---

 .azure-pipelines.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index a4d796c41895..3ec396ae8905 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -318,13 +318,23 @@ jobs:
           # as sandbox testing need create files like spi flash images, etc.
           # (TODO: clean up this in the future)
           chmod 777 .
-          # Some EFI tests need extra docker args to run
+          # Filesystem tests and some EFI tests need extra docker args to run
           set --
           if [[ "${TEST_PY_BD}" == "sandbox" ]]; then
-              # virt-make-fs needs the fuse device
+              # virt-make-fs, guestmount, etc. need the fuse device
               if modprobe fuse; then
                   set -- "$@" --device /dev/fuse:/dev/fuse
               fi
+              # mount -o loop needs the loop devices
+              if modprobe loop; then
+                  for d in $(find /dev -maxdepth 1 -name 'loop*'); do
+                      set -- "$@" --device $d:$d
+                  done
+              fi
+              # Needed for mount syscall (for guestmount as well)
+              set -- "$@" --cap-add SYS_ADMIN
+              # Default apparmor profile denies mounts
+              set -- "$@" --security-opt apparmor=unconfined
           fi
           docker run "$@" -v $PWD:$(work_dir) $(ci_runner_image) /bin/bash $(work_dir)/test.sh
 
-- 
2.32.0.rc2

