Merge pull request #4257 from sohankunkerkar/release-1.1

[1.1] libcontainer: force apps to think fips is enabled/disabled for testing
opencontainers · Apr 26, 2024 · e8bb71e · e8bb71e
2 parents 5bfff6a + 6379b58
commit e8bb71e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -602,6 +602,7 @@ func checkProcMount(rootfs, dest, source string) error {
 		"/proc/slabinfo",
 		"/proc/net/dev",
 		"/proc/sys/kernel/ns_last_pid",
+		"/proc/sys/crypto/fips_enabled",
 	}
 	for _, valid := range validProcMounts {
 		path, err := filepath.Rel(filepath.Join(rootfs, valid), dest)

diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
@@ -46,6 +46,14 @@ func TestCheckMountDestNsLastPid(t *testing.T) {
 	}
 }
 
+func TestCheckCryptoFipsEnabled(t *testing.T) {
+	dest := "/rootfs/proc/sys/crypto/fips_enabled"
+	err := checkProcMount("/rootfs", dest, "/proc")
+	if err != nil {
+		t.Fatalf("/proc/sys/crypto/fips_enabled should not return an error: %v", err)
+	}
+}
+
 func TestNeedsSetupDev(t *testing.T) {
 	config := &configs.Config{
 		Mounts: []*configs.Mount{