1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
package e2e
import (
"bufio"
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
"testing"
)
// TestDNSMountLeak verifies that /etc/resolv.conf bind mounts are cleaned up
// after a profile is stopped.
func TestDNSMountLeak(t *testing.T) {
bin, err := GetBinaryPath()
if err != nil {
t.Fatal(err)
}
profile := "leak-test"
dnsServer := "8.8.8.8"
// Pre-create a dummy config for the profile
configDir := t.TempDir()
if err := os.MkdirAll(filepath.Join(configDir, "profiles"), 0755); err != nil {
t.Fatalf("failed to create profiles dir: %v", err)
}
configPath := filepath.Join(configDir, "profiles", profile+".conf")
if err := os.WriteFile(configPath, []byte("[Interface]\nAddress = 10.0.0.1/24\nPrivateKey = aAAA\n"), 0644); err != nil {
t.Fatalf("failed to write config file: %v", err)
}
// Run the binary with the custom config dir override.
// We use a short-lived command ('true') to trigger the deferred cleanup.
fullCmd := fmt.Sprintf("WG_WRAP_CONFIG_DIR=%s %s -profile %s -dns-server %s -- true", configDir, bin, profile, dnsServer)
cmd := exec.Command("bash", "-c", fullCmd)
if err := cmd.Run(); err != nil {
t.Logf("Command exited with error (might be normal in some test envs): %v", err)
}
// 2. Inspect /proc/self/mounts for any remnants of "resolvconf"
// Note: In a real scenario, we might need to inspect mounts from a privileged
// perspective or check the target's namespace mounts if we had a way to keep it open.
// But since we are checking the host's mount table for leaked bind mounts
// that weren't unmounted, we check /proc/self/mounts.
mounts, err := os.Open("/proc/self/mounts")
if err != nil {
t.Fatalf("failed to open /proc/self/mounts: %v", err)
}
defer func() {
if err := mounts.Close(); err != nil {
t.Errorf("failed to close mounts file: %v", err)
}
}()
scanner := bufio.NewScanner(mounts)
foundLeak := false
for scanner.Scan() {
line := scanner.Text()
if strings.Contains(line, "resolvconf") && strings.Contains(line, "/etc/resolv.conf") {
foundLeak = true
t.Errorf("Found leaking bind mount in /proc/self/mounts: %s", line)
}
}
if foundLeak {
t.Errorf("Detected a DNS resolv.conf mount leak after profile exit")
}
}
|
