libcontainer: force apps to think fips is enabled/disabled for testing

The motivation behind this change is to provide a flexible mechanism for containers within a Kubernetes cluster to opt out of FIPS mode when necessary. This change enables apps to simulate FIPS mode being enabled or disabled for testing purposes. Users can control whether apps believe FIPS mode is on or off by manipulating `/proc/sys/crypto/fips_enabled`. Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
2025-07-30 17:43:06 +03:00 · 2024-04-10 18:15:40 -04:00
parent f2bd18480d
commit cde1d0908a
2 changed files with 16 additions and 0 deletions
--- a/libcontainer/rootfs_linux_test.go
+++ b/libcontainer/rootfs_linux_test.go
@ -134,6 +134,21 @@ func TestCheckMountDestNsLastPid(t *testing.T) {
 	}
 }

+func TestCheckCryptoFipsEnabled(t *testing.T) {
+	m := mountEntry{
+		Mount: &configs.Mount{
+			Destination: "/proc/sys/crypto/fips_enabled",
+			Source:      "tmpfs",
+			Device:      "tmpfs",
+		},
+	}
+	dest := "/rootfs/proc/sys/crypto/fips_enabled"
+	err := checkProcMount("/rootfs", dest, m)
+	if err != nil {
+		t.Fatalf("/proc/sys/crypto/fips_enabled should not return an error: %v", err)
+	}
+}
+
 func TestNeedsSetupDev(t *testing.T) {
 	config := &configs.Config{
 		Mounts: []*configs.Mount{