Add mounts Cloud Build test

This tests the allowed mount points for tmpfs mounts and /dev/shm size.
google · Jun 26, 2024 · 29195f6 · 29195f6
1 parent 3defcf1
commit 29195f6
Show file tree

Hide file tree

Showing 4 changed files with 126 additions and 4 deletions.
diff --git a/launcher/cloudbuild.yaml b/launcher/cloudbuild.yaml
@@ -244,6 +244,20 @@ steps:
     gcloud builds submit --config=test_oda_with_signed_container.yaml --region us-west1 \
       --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
     exit
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: MountTests
+  waitFor: ['HardenedImageBuild']
+  env:
+  - 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
+  - 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
+  - 'PROJECT_ID=$PROJECT_ID'
+  script: |
+    #!/usr/bin/env bash
+    cd launcher/image/test
+    echo "running memory monitoring tests on ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}"
+    gcloud builds submit --config=test_mounts.yaml --region us-west1 \
+      --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+    exit
 options:
   pool:
     name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc'
diff --git a/launcher/image/test/test_mounts.yaml b/launcher/image/test/test_mounts.yaml
@@ -0,0 +1,107 @@
+substitutions:
+  '_HARDENED_IMAGE_NAME': 'confidential-space-debug-0-presubmit-1ab0604'
+  '_IMAGE_PROJECT': 'confidential-space-images-dev'
+  '_CLEANUP': 'false'
+  '_VM_NAME_PREFIX': 'cs-mounts-test'
+  '_ZONE': 'us-central1-a'
+  '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/mounts_workload:latest'
+
+steps:
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMWithMountsAllowed
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', '^~^tee-image-reference=${_WORKLOAD_IMAGE}~tee-container-log-redirect=true~tee-mount=type=tmpfs,source=tmpfs,destination=/tmp/sized,size=222000~tee-dev-shm-size=128000',
+          '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-allowed',
+          '-z', '${_ZONE}',
+        ]
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMWithMountsDenied
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', '^~^tee-image-reference=${_WORKLOAD_IMAGE}~tee-container-log-redirect=true~tee-mount=type=tmpfs,source=tmpfs,destination=/disallowed',
+          '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-denied',
+          '-z', '${_ZONE}',
+        ]
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckMountsAllowed
+  env:
+  - '_VM_NAME_PREFIX=$_VM_NAME_PREFIX'
+  - 'BUILD_ID=$BUILD_ID'
+  - '_ZONE=$_ZONE'
+  script: |
+    #!/bin/bash
+    set -euo pipefail
+    source util/read_serial.sh
+
+    sleep 45
+    SERIAL_OUTPUT=$(read_serial ${_VM_NAME_PREFIX}-${BUILD_ID}-allowed ${_ZONE})
+    echo $SERIAL_OUTPUT
+    if echo $SERIAL_OUTPUT | grep -q "tmpfs.*220.*/tmp/sized"
+    then
+        echo "- Mount launch policy verified"
+    else
+        echo "FAILED: Mount launch policy verification for sized tmpfs"
+        echo 'TEST FAILED' > /workspace/status.txt
+        echo $SERIAL_OUTPUT
+    fi
+    if echo $SERIAL_OUTPUT | grep -q "shm.*128000.*/dev/shm"
+    then
+        echo "- Mount launch policy verified"
+    else
+        echo "FAILED: Mount launch policy verification /dev/shm size"
+        echo 'TEST FAILED' > /workspace/status.txt
+        echo $SERIAL_OUTPUT
+    fi
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckMountsDenied
+  env:
+  - '_VM_NAME_PREFIX=$_VM_NAME_PREFIX'
+  - 'BUILD_ID=$BUILD_ID'
+  - '_ZONE=$_ZONE'
+  script: |
+    #!/bin/bash
+    set -euo pipefail
+    source util/read_serial.sh
+
+    sleep 45
+    SERIAL_OUTPUT=$(read_serial ${_VM_NAME_PREFIX}-${BUILD_ID}-denied ${_ZONE})
+    if echo $SERIAL_OUTPUT | grep -q "policy only allows mounts in the following paths"
+    then
+        echo "- Mount launch policy verified"
+    else
+        echo "FAILED: Mount launch policy verification for disallowed mounts"
+        echo 'TEST FAILED' > /workspace/status.txt
+        echo $SERIAL_OUTPUT
+    fi
+
+  waitFor: ['CreateVMWithMountsDenied']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMWithMountsAllowed
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-allowed', '${_ZONE}']
+  waitFor: ['CheckMountsAllowed']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMWithMountsDenied
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-denied', '${_ZONE}']
+  waitFor: ['CheckMountsDenied']
+
+# Must come after cleanup.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckFailure
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['check_failure.sh']
diff --git a/launcher/image/testworkloads/mounts/Dockerfile b/launcher/image/testworkloads/mounts/Dockerfile
@@ -5,6 +5,7 @@ FROM alpine
 COPY print_mounts.sh /
 
 LABEL "tee.launch_policy.log_redirect"="always"
+LABEL "tee.launch_policy.allow_mount_destinations"="/run/tmp:/var/tmp:/tmp"
 
 ENTRYPOINT ["/print_mounts.sh"]
 
diff --git a/launcher/image/testworkloads/mounts/print_mounts.sh b/launcher/image/testworkloads/mounts/print_mounts.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
 
 df -h
+df
 
 ls -lathr /
-
-ls -lathr /my-new-disk
-
-mkdir /my-new-disk/sldifj
+ls -lathr /run/tmp
+ls -lathr /var/tmp
+ls -lathr /tmp