diff --git a/launcher/cloudbuild.yaml b/launcher/cloudbuild.yaml
index 2f3ae3e5..5daed2d3 100644
--- a/launcher/cloudbuild.yaml
+++ b/launcher/cloudbuild.yaml
@@ -244,6 +244,20 @@ steps:
 gcloud builds submit --config=test_oda_with_signed_container.yaml --region us-west1 \
 --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
 exit
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: MountTests
+ waitFor: ['HardenedImageBuild']
+ env:
+ - 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
+ - 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
+ - 'PROJECT_ID=$PROJECT_ID'
+ script: |
+ #!/usr/bin/env bash
+ cd launcher/image/test
+ echo "running memory monitoring tests on ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}"
+ gcloud builds submit --config=test_mounts.yaml --region us-west1 \
+ --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+ exit
 options:
 pool:
 name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc'
diff --git a/launcher/image/test/test_mounts.yaml b/launcher/image/test/test_mounts.yaml
new file mode 100644
index 00000000..d60da282
--- /dev/null
+++ b/launcher/image/test/test_mounts.yaml
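Review bot: The log line in the new MountTests step says "running memory monitoring tests" although the step submits test_mounts.yaml, which looks like a copy from a sibling step and makes the build log misleading when searching by test name; change it to `echo "running mount tests on ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}"`. The step otherwise mirrors the preceding signed-container step, including the trailing bare `exit`, which returns the status of the `gcloud builds submit` that precedes it, so a failing child build still fails this step. A one-line comment above `script:` saying that the child build's exit status is what fails this step would make that intent explicit.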
@@ -0,0 +1,107 @@
+substitutions:
+ '_IMAGE_NAME': ''
+ '_IMAGE_PROJECT': ''
+ '_CLEANUP': 'true'
+ '_VM_NAME_PREFIX': 'cs-mounts-test'
+ '_ZONE': 'us-central1-a'
+ '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/mounts_workload:latest'
+
+steps:
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMWithMountsAllowed
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', '^~^tee-image-reference=${_WORKLOAD_IMAGE}~tee-container-log-redirect=true~tee-mount=type=tmpfs,source=tmpfs,destination=/tmp/sized,size=222000~tee-dev-shm-size=128000',
+ '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-allowed',
+ '-z', '${_ZONE}',
+ ]
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMWithMountsDenied
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', '^~^tee-image-reference=${_WORKLOAD_IMAGE}~tee-container-log-redirect=true~tee-mount=type=tmpfs,source=tmpfs,destination=/disallowed',
+ '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-denied',
+ '-z', '${_ZONE}',
+ ]
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckMountsAllowed
+ env:
+ - '_VM_NAME_PREFIX=$_VM_NAME_PREFIX'
+ - 'BUILD_ID=$BUILD_ID'
+ - '_ZONE=$_ZONE'
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ source util/read_serial.sh
+
+ sleep 45
+ SERIAL_OUTPUT=$(read_serial ${_VM_NAME_PREFIX}-${BUILD_ID}-allowed ${_ZONE})
+ echo $SERIAL_OUTPUT
+ if echo $SERIAL_OUTPUT | grep -q "tmpfs.*220.*/tmp/sized"
+ then
+ echo "- Mount launch policy verified"
+ else
+ echo "FAILED: Mount launch policy verification for sized tmpfs"
+ echo 'TEST FAILED' > /workspace/status.txt
+ echo $SERIAL_OUTPUT
+ fi
+ if echo $SERIAL_OUTPUT | grep -q "shm.*128000.*/dev/shm"
+ then
+ echo "- Mount launch policy verified"
+ else
+ echo "FAILED: Mount launch policy verification /dev/shm size"
+ echo 'TEST FAILED' > /workspace/status.txt
+ echo $SERIAL_OUTPUT
+ fi
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckMountsDenied
+ env:
+ - '_VM_NAME_PREFIX=$_VM_NAME_PREFIX'
+ - 'BUILD_ID=$BUILD_ID'
+ - '_ZONE=$_ZONE'
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ source util/read_serial.sh
+
+ sleep 45
+ SERIAL_OUTPUT=$(read_serial ${_VM_NAME_PREFIX}-${BUILD_ID}-denied ${_ZONE})
+ if echo $SERIAL_OUTPUT | grep -q "policy only allows mounts in the following paths"
+ then
+ echo "- Mount launch policy verified"
+ else
+ echo "FAILED: Mount launch policy verification for disallowed mounts"
+ echo 'TEST FAILED' > /workspace/status.txt
+ echo $SERIAL_OUTPUT
+ fi
+
+ waitFor: ['CreateVMWithMountsDenied']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpVMWithMountsAllowed
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-allowed', '${_ZONE}']
+ waitFor: ['CheckMountsAllowed']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpVMWithMountsDenied
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-denied', '${_ZONE}']
+ waitFor: ['CheckMountsDenied']
+
+# Must come after cleanup.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckFailure
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['check_failure.sh']
diff --git a/launcher/image/testworkloads/mounts/Dockerfile b/launcher/image/testworkloads/mounts/Dockerfile
index 2f5ca00a..3192d02b 100644
--- a/launcher/image/testworkloads/mounts/Dockerfile
+++ b/launcher/image/testworkloads/mounts/Dockerfile
@@ -5,6 +5,7 @@ FROM alpine
 COPY print_mounts.sh /
 LABEL "tee.launch_policy.log_redirect"="always"
+LABEL "tee.launch_policy.allow_mount_destinations"="/run/tmp:/var/tmp:/tmp"
 ENTRYPOINT ["/print_mounts.sh"]
diff --git a/launcher/image/testworkloads/mounts/print_mounts.sh b/launcher/image/testworkloads/mounts/print_mounts.sh
index 3b3c75ad..7869e7f0 100755
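Review bot: Both CreateVMWithMountsAllowed and CreateVMWithMountsDenied pass `'-i', '${_HARDENED_IMAGE_NAME}'`, but this file only declares `_IMAGE_NAME`, and the caller in launcher/cloudbuild.yaml substitutes `_IMAGE_NAME` as well, so `_HARDENED_IMAGE_NAME` is never defined; as far as I know Cloud Build rejects a config that references an undeclared substitution unless missing substitutions are explicitly allowed, and in that case `-i` would be empty, so neither VM would be created from the hardened image under test. Change both occurrences to `'-i', '${_IMAGE_NAME}',`. In CheckMountsAllowed and CheckMountsDenied the unquoted `echo $SERIAL_OUTPUT | grep -q` collapses the serial log onto one line, so a pattern such as `tmpfs.*220.*/tmp/sized` can match pieces of unrelated mount entries; `echo "$SERIAL_OUTPUT" | grep -q` keeps each match on its own line, and the same applies to the `/dev/shm` and denied-path greps. The relation between `size=222000` in the tee-mount metadata and the `220` the grep expects is not visible here (presumably a page-rounded size in 1K blocks), so a one-line comment above that grep stating where the number comes from would save the next person from treating it as a typo.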
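Review bot: The new allow_mount_destinations label lists `/run/tmp`, `/var/tmp` and `/tmp`, but test_mounts.yaml in this same change only mounts under `/tmp` (`/tmp/sized`) and one denied path (`/disallowed`), so `/run/tmp` and `/var/tmp` are never exercised and a regression in parsing the multi-entry, colon-separated value would not be caught. The test also appears to rely on `/tmp/sized` being accepted as a subpath of the listed `/tmp`, which is not stated anywhere in the workload. A comment above the label such as `# colon-separated list; the integration test mounts a subpath of /tmp and expects /disallowed to be rejected` would document both assumptions next to the policy they depend on.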
--- a/launcher/image/testworkloads/mounts/print_mounts.sh
+++ b/launcher/image/testworkloads/mounts/print_mounts.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
 df -h
+df
 ls -lathr /
-
-ls -lathr /my-new-disk
-
-mkdir /my-new-disk/sldifj
\ No newline at end of file
+ls -lathr /run/tmp
+ls -lathr /var/tmp
+ls -lathr /tmp
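Review bot: The unflagged `df` added directly after the existing `df -h` reads as a duplicate, but it is presumably the output that test_mounts.yaml greps for (`tmpfs.*220.*/tmp/sized` and `shm.*128000.*/dev/shm`), which the human-readable form would print with unit suffixes instead; a comment such as `# plain df (1K blocks) is what test_mounts.yaml parses from the serial log` would stop a later cleanup from removing it. The three new `ls -lathr` lines run under `/bin/sh` with no `set -e`, so a missing directory only prints an error and the script's exit status is that of the final `ls -lathr /tmp`; that is reasonable for a diagnostic workload, but a one-line comment stating that errors are intentionally non-fatal would make the choice explicit.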