//go:build linux && integration
package wireguard
import (
"bufio"
"os"
"strings"
"testing"
)
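// TestDNSMountLeak scans /proc/self/mounts for a bind mount over
// /etc/resolv.conf that is still present after ConfigureResolvConf has run.
//
// NOTE(review): nothing in this test closes a tunnel or calls a teardown
// routine, so it reports the mount state right after configuration rather
// than after cleanup. Presumably it is meant as a reproducer for the leak;
// confirm, and call the package's teardown before the scan if "cleaned up
// after close" is the property under test.
//
// NOTE(review): the test never undoes what ConfigureResolvConf did. On a
// privileged run the resolver override can outlive the test process, so run
// it only in a disposable mount namespace or container, or register the
// package's teardown with t.Cleanup.
func TestDNSMountLeak(t *testing.T) {
	const dnsServer = "8.8.8.8"

	// ConfigureResolvConf is called directly because it is the step suspected
	// of leaving the mount behind.
	if err := ConfigureResolvConf(dnsServer); err != nil {
		msg := err.Error()
		// Without the privilege to mount, the test cannot say anything about a
		// leak, so it is skipped rather than reported as a pass.
		if strings.Contains(msg, "operation not permitted") || strings.Contains(msg, "permission denied") {
			t.Skipf("Insufficient privileges to perform bind mounts for leak test: %v", err)
		}
		// Any other failure means the setup did not happen; continuing would
		// let the scan below pass vacuously.
		t.Fatalf("ConfigureResolvConf(%q): %v", dnsServer, err)
	}

	mounts, err := os.Open("/proc/self/mounts")
	if err != nil {
		t.Fatalf("failed to open /proc/self/mounts: %v", err)
	}
	defer mounts.Close()

	leaked := false
	scanner := bufio.NewScanner(mounts)
	for scanner.Scan() {
		line := scanner.Text()
		// NOTE(review): this is a substring match over the whole mount line; it
		// assumes the entry created by ConfigureResolvConf contains
		// "resolvconf" somewhere — confirm against that function.
		if strings.Contains(line, "resolvconf") && strings.Contains(line, "/etc/resolv.conf") {
			leaked = true
			t.Errorf("Found leaking bind mount in /proc/self/mounts: %s", line)
		}
	}
	// A read error would otherwise end the loop early and look like "no leak".
	if err := scanner.Err(); err != nil {
		t.Fatalf("failed to read /proc/self/mounts: %v", err)
	}

	if !leaked {
		t.Log("No resolv.conf bind mount found in /proc/self/mounts")
	}
}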