Merge pull request #1327 from elezar/add-nvidiascape-test

Add test when using LD_PRELOAD in a container

Author: elezar

tests/e2e/Makefile

@@ -36,7 +36,8 @@ test-preinstalled: test
 test-preinstalled: E2E_INSTALL_CTK = false
 test-preinstalled: E2E_SSH_HOST =
 
-
+GINKGO_VERSION = $(shell grep -Eo "github.com/onsi/ginkgo/v2.*$$" ./tests/go.mod | sed -e 's&github.com/onsi/ginkgo/v2[[:space:]]&&g')
+ginkgo: $(GINKGO_BIN)
 $(GINKGO_BIN):
 	mkdir -p $(CURDIR)/bin
-	GOBIN=$(CURDIR)/bin go install github.com/onsi/ginkgo/v2/ginkgo@latest
+	GOBIN=$(CURDIR)/bin go install github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION)

tests/e2e/nvidia-container-toolkit_test.go

@@ -444,4 +444,94 @@ EOF`)
 			Expect(stderr).To(ContainSubstring("nvidia-container-cli.real: mount error: path error:"))
 		})
 	})
+
+	When("Running a container with LD_PRELOAD", Ordered, func() {
+		BeforeAll(func(ctx context.Context) {
+			// Create the source for the poc.
+			_, _, err := runner.Run(`cat <<EOF > poc.c
+/**
+Code taken from https://youtu.be/56vcNIh35PA?si=gmh7Cx9P-lNTbl4L&t=328
+**/
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+__attribute__((constructor))
+void init() {
+// Ultra-minimal exploit just create a marker file
+int fd = open("/owned", O_CREAT | O_WRONLY, 0644);
+	if (fd >= 0) {
+		write(fd, "EXPLOITED\n", 10);
+		close(fd);
+	}
+}
+EOF`)
+			Expect(err).ToNot(HaveOccurred())
+
+			// Create the local Dockerfile
+			_, _, err = runner.Run(`cat <<EOF > Dockerfile.nvidiascape
+FROM ubuntu AS build
+RUN apt-get update && \
+	apt-get install -y gcc \
+	&& \
+	rm -rf /var/lib/apt/lists/*
+ADD poc.c .
+RUN gcc -shared -fPIC -o poc.so poc.c
+FROM ubuntu
+ENV LD_PRELOAD=/proc/self/cwd/poc.so
+COPY --from=build poc.so /
+EOF`)
+			Expect(err).ToNot(HaveOccurred())
+
+			// Build the test image.
+			_, _, err = runner.Run(`docker build -t nvidiascape-test -f Dockerfile.nvidiascape .`)
+			Expect(err).ToNot(HaveOccurred())
+
+			_, _, err = runner.Run("rm -f /owned")
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		AfterAll(func(ctx context.Context) {
+			_, _, err := runner.Run("rm -f poc.c")
+			Expect(err).ToNot(HaveOccurred())
+
+			_, _, err = runner.Run("rm -f Dockerfile.nvidiascape")
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		AfterEach(func(ctx context.Context) {
+			_, _, err := runner.Run("rm -f /owned")
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("should not escape when using CDI", func(ctx context.Context) {
+			_, _, err := runner.Run("docker run --rm --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=runtime.nvidia.com/gpu=all nvidiascape-test")
+			Expect(err).ToNot(HaveOccurred())
+
+			stdout, stderr, err := runner.Run(`cat /owned || echo "Unsuccessful"`)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(stderr).To(BeEmpty())
+			Expect(strings.TrimSpace(stdout)).To(Equal("Unsuccessful"))
+		})
+
+		It("should not escape when using the nvidia-container-runtime", func(ctx context.Context) {
+			_, _, err := runner.Run("docker run --rm --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=all -e NVIDIA_DRIVER_CAPABILITIES=all nvidiascape-test")
+			Expect(err).ToNot(HaveOccurred())
+
+			stdout, stderr, err := runner.Run(`cat /owned || echo "Unsuccessful"`)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(stderr).To(BeEmpty())
+			Expect(strings.TrimSpace(stdout)).To(Equal("Unsuccessful"))
+		})
+
+		It("should not escape when using the nvidia-container-runtime-hook", Label("legacy"), func(ctx context.Context) {
+			_, _, err := runner.Run("docker run --rm --runtime=runc --gpus=all nvidiascape-test")
+			Expect(err).ToNot(HaveOccurred())
+
+			stdout, stderr, err := runner.Run(`cat /owned || echo "Unsuccessful"`)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(stderr).To(BeEmpty())
+			Expect(strings.TrimSpace(stdout)).To(Equal("Unsuccessful"))
+		})
+	})
 })