
stop sandbox from being able to modify and bind to host /etc #25

stop sandbox from being able to modify and bind to host /etc


Workflow file for this run

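# Python3 sandbox security / resilience integration suite.
#
# Every scenario is a subtest of TestContainerizationAPISecurityIntegrationPython3
# and runs in its own job, so a scenario that wedges a runner (fork bomb, hard
# OOM, I/O flood, inode exhaustion) cannot take the other scenarios down with it.
# The per-scenario jobs are generated from one matrix instead of being copied ten
# times; adding a scenario is a single new `include` entry.
name: Python3 Integration Tests

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - "**"
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes, comments or
# publishes, so read-only access to repository contents is all the token needs.
# Without this key the token receives the repository's default permission set,
# which may be read/write.
permissions:
  contents: read

jobs:
  security-integration:
    # Setting `name` explicitly keeps the check-run names byte-identical to the
    # previous one-job-per-scenario layout, so existing required-status-check
    # rules keep matching.
    name: ${{ matrix.name }}
    runs-on: ubuntu-latest
    # NOTE(review): these scenarios deliberately exhaust memory, processes,
    # inodes and stderr, and the default job timeout is 360 minutes. Consider a
    # job-level `timeout-minutes:` sized to the suite's normal runtime so a wedged
    # runner fails fast instead of burning the whole window.
    strategy:
      # Scenarios are independent: one failing must not cancel the rest, which
      # is the behaviour the separate jobs had.
      fail-fast: false
      matrix:
        include:
          # `name` is the check-run name; `subtest` is the exact t.Run() name
          # and is interpolated into the -run regex below. Both are workflow
          # literals, never event-payload data, so the interpolation cannot be
          # influenced by a pull request.
          - name: "Security: Filesystem Isolation (File Privacy)"
            subtest: file privacy across request IDs
          - name: "Security: Disk Cleanup (Storage Exhaustion)"
            subtest: disk spammer is terminated and data is reclaimed
          - name: "Resource: Fork Bomb Containment"
            subtest: fork bomb does not poison subsequent requests
          - name: "Security: Network Namespace (Localhost Bridge)"
            subtest: network namespace blocks localhost bridge
          - name: "Security: Memory Limit (Hard OOM)"
            subtest: memory hard limit triggers oom kill
          - name: "Resilience: I/O Flood (Bounded Stderr)"
            subtest: io flood is bounded and returns before timeout
          - name: "Resilience: Signal Trap Uses SIGKILL Timeout"
            subtest: signal trap cannot survive forced timeout
          - name: "Resilience: Orphan Grandchild Reaping"
            subtest: orphan grandchild is reaped after request exits
          - name: "Resilience: Inode Exhaustion Safety"
            subtest: inode bomb does not poison host temp filesystem
          - name: "Resilience: Privileged Syscall Denial"
            subtest: privileged reboot syscall is denied
    steps:
      # NOTE(review): `@v4` / `@v5` are mutable tags. Pin to a full-length commit
      # SHA (`actions/checkout@<full-commit-sha>  # v4`) so a re-pointed or
      # compromised tag cannot change the code that later runs under sudo on
      # this runner.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install native dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc libc6-dev python3
      - name: "Run subtest: ${{ matrix.subtest }}"
        env:
          ENABLE_QUEUE: "false"
        # The suite runs under sudo (presumably the sandbox needs root to set up
        # its isolation); -E forwards ENABLE_QUEUE and the GITHUB_* environment.
        # NOTE(review): sudo's secure_path can still override PATH even with -E;
        # confirm that the `go` resolved under sudo is the setup-go toolchain
        # selected by go-version-file.
        # NOTE(review): Go rewrites spaces in subtest names to underscores. Check
        # the -v output shows the subtest as RUN, not just the parent test
        # passing with zero matching subtests, which would make this job pass
        # vacuously.
        run: >-
          sudo -E go test -v
          -run '^TestContainerizationAPISecurityIntegrationPython3$/^${{ matrix.subtest }}$'
          ./...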