test:cri: Add guest AppArmor support

ManaSugi · ManaSugi · commit 45b1abaa68d4 · 2023-08-20T18:59:15.000+09:00
Add a test case which check whether AppArmor inside the guest works properly using containerd. The test creates a container configured to apply the `kata-default` profile, then it checks the container process is running with the profile enforced. Fixes: kata-containers#5748 Depends-on: github.com/kata-containers/kata-containers#7587 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
diff --git a/integration/containerd/cri/integration-tests.sh b/integration/containerd/cri/integration-tests.sh
@@ -431,6 +431,84 @@ EOF
 	create_containerd_config "${containerd_runtime_test}"
 }
 
+build_install_apparmor_image() {
+    info "Build AppArmor guest image"
+    local rootfs_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder"
+    pushd "$rootfs_builder_dir"
+    sudo -E APPARMOR=yes USE_DOCKER=yes ./rootfs.sh ubuntu
+    popd
+
+    info "Install AppArmor guest image"
+    local rootfs_dir="${rootfs_builder_dir}/rootfs"
+    local image_builder_dir="${katacontainers_repo_dir}/tools/osbuilder/image-builder"
+    pushd "${image_builder_dir}"
+    sudo -E USE_DOCKER=yes ./image_builder.sh "${rootfs_dir}"
+    popd
+    apparmor_image="/opt/kata/share/kata-containers/kata-containers-apparmor.img"
+    sudo install -o root -g root -m 0640 -D "${image_builder_dir}/kata-containers.img" "${apparmor_image}"
+}
+
+TestContainerGuestApparmor() {
+    info "Test container guest AppArmor"
+
+    build_install_apparmor_image
+
+    original_image=$(sudo sed -n 's/^image = \(.*\)/\1/p' ${kata_config})
+    sudo sed -i "/image =/c image = "\"${apparmor_image}\""" "${kata_config}"
+    sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' "${kata_config}"
+    sudo sed -i 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${kata_config}"
+
+    local container_yaml="${REPORT_DIR}/container.yaml"
+    local image="busybox:latest"
+    cat << EOF > "${container_yaml}"
+metadata:
+  name: busybox-apparmor
+image:
+  image: "$image"
+command:
+- top
+EOF
+
+    testContainerStart 1
+
+    info "check kata-runtime exec"
+    aa_status=$(expect -c "
+    spawn -noecho kata-runtime exec $podid
+    expect "root@localhost:/#"
+    send \"aa-status\n\"
+    expect "root@localhost:/#"
+    send \"exit\n\"
+    expect eof
+    ")
+    echo "aa-status results:"
+    echo "${aa_status}"
+    ret=$(echo "$aa_status" | grep "/pause.*kata-default" || true)
+    [ -n "$ret" ] || die "not found /pause  kata-default profile"
+    ret=$(echo "$aa_status" | grep "/bin/top.*kata-default" || true)
+    [ -n "$ret" ] || die "not found /bin/top kata-default profile"
+
+    info "check crictl  exec"
+    sudo -E crictl exec $cid sleep 10 &
+
+    aa_status=$(expect -c "
+    spawn -noecho kata-runtime exec $podid
+    expect "root@localhost:/#"
+    send \"aa-status\n\"
+    expect "root@localhost:/#"
+    send \"exit\n\"
+    expect eof
+    ")
+    echo "aa-status results:"
+    echo "${aa_status}"
+    ret=$(echo "$aa_status" | grep "/bin/sleep.*kata-default" || true)
+    [ -n "$ret" ] || die "not found /bin/sleep kata-default profile"
+
+    testContainerStop
+
+    sudo sed -i '/^disable_guest_apparmor/ s/false/true/g' "${kata_config}"
+    sudo sed -i "/image =/c image = "\"${original_image}\""" "$kata_config"
+}
+
 # k8s may restart docker which will impact on containerd stop
 stop_containerd() {
 	local tmp=$(pgrep kubelet || true)
@@ -509,6 +587,8 @@ main() {
 		TestContainerMemoryUpdate 0
 	fi
 
+	TestContainerGuestApparmor
+
 	TestKilledVmmCleanup
 
 	popd
