20373283300

Committed 19 Dec 2025 02:40PM UTC coverage: 79.822% (+51.2%) from 28.618%

Build # 20373283300

Build Type

Pull #84

github

Committed by

web-flow

Commit Message

Merge 3ab21c41c into 5b8b670d9

Pull Request Pull Request #84: NVRC complete code coverage

Run Details

67 of 85 new or added lines in 11 files covered. (78.82%)

4 existing lines in 4 files now uncovered.

269 of 337 relevant lines covered (79.82%)

1.53 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

65.38

/src/mount.rs

// SPDX-License-Identifier: Apache-2.0
// Copyright (c) NVIDIA CORPORATION

//! Filesystem setup for the minimal init environment.
//!
//! Coverage note: ~80% is the safe maximum. `setup()` mounts filesystems
//! and can only be tested in ephemeral VMs.

use crate::coreutils::{ln, mknod};
use anyhow::{Context, Result};
use nix::mount::{self, MsFlags};
use nix::sys::stat;
use std::fs;
use std::path::Path;

/// Check if path is mounted (exact match on mountpoint, not substring).
/// Uses exact field matching to avoid false positives like "/dev" matching "/dev/pts".
fn is_mounted_in(mounts: &str, path: &str) -> bool {
    mounts
        .lines()
        .any(|line| line.split_whitespace().nth(1) == Some(path))
}

/// Check if a filesystem type is available in the kernel.
/// Some filesystems (securityfs, efivarfs) may not be present in all kernels.
fn fs_available_in(filesystems: &str, fs: &str) -> bool {
    filesystems.lines().any(|line| line.contains(fs))
}

/// Mount filesystem only if not already mounted.
/// Idempotent: safe to call multiple times. Uses pre-read mounts snapshot
/// to avoid TOCTOU races between check and mount.
fn mount_cached(
    mounts: &str,
    source: &str,
    target: &str,
    fstype: &str,
    flags: MsFlags,
    data: Option<&str>,
) -> Result<()> {
    if !is_mounted_in(mounts, target) {
        mount::mount(Some(source), target, Some(fstype), flags, data)
            .with_context(|| format!("Failed to mount {source} on {target}"))?;
    }
    Ok(())
}

/// Remount a filesystem as read-only.
/// Security hardening: prevents writes to the root filesystem after init,
/// reducing attack surface in the confidential VM.
pub fn readonly(target: &str) -> Result<()> {
    let flags = MsFlags::MS_NOSUID | MsFlags::MS_NODEV | MsFlags::MS_RDONLY | MsFlags::MS_REMOUNT;
    mount::mount(None::<&str>, target, None::<&str>, flags, None::<&str>)
        .with_context(|| format!("Failed to remount {target} readonly"))
}

/// Mount filesystem only if the fstype is available AND the target exists.
/// Used for optional filesystems like securityfs and efivarfs that may not
/// be present on all systems or kernel configurations.
fn mount_if_cached(
    mounts: &str,
    filesystems: &str,
    fstype: &str,
    source: &str,
    target: &str,
    flags: MsFlags,
    data: Option<&str>,
) -> Result<()> {
    if fs_available_in(filesystems, fstype) && Path::new(target).exists() {
        mount_cached(mounts, source, target, fstype, flags, data)?;
    }
    Ok(())
}

/// Create /dev symlinks pointing to /proc entries.
/// Standard Unix convention: /dev/stdin, /dev/stdout, /dev/stderr should
/// exist for programs that expect them. /dev/fd provides access to open
/// file descriptors via /proc/self/fd.
fn proc_symlinks() -> Result<()> {
    for (src, dst) in [
        ("/proc/kcore", "/dev/core"),
        ("/proc/self/fd", "/dev/fd"),
        ("/proc/self/fd/0", "/dev/stdin"),
        ("/proc/self/fd/1", "/dev/stdout"),
        ("/proc/self/fd/2", "/dev/stderr"),
    ] {
        ln(src, dst)?;
    }
    Ok(())
}

/// Create essential /dev device nodes for basic I/O.
/// These character devices are fundamental Unix primitives:
/// - /dev/null: discard output, read returns EOF
/// - /dev/zero: infinite stream of zeros
/// - /dev/random, /dev/urandom: cryptographic randomness
fn device_nodes() -> Result<()> {
    for (path, minor) in [
        ("/dev/null", 3u64),
        ("/dev/zero", 5u64),
        ("/dev/random", 8u64),
        ("/dev/urandom", 9u64),
    ] {
        mknod(path, stat::SFlag::S_IFCHR, 1, minor)?; // major 1 = memory devices
    }
    Ok(())
}

/// Set up the minimal filesystem hierarchy required for GPU initialization.
/// Creates /proc, /dev, /sys, /run, /tmp mounts and essential device nodes.
/// Snapshot-based: reads mount state once to avoid TOCTOU races.
pub fn setup() -> Result<()> {
    // Snapshot mount state once - consistent view, no TOCTOU
    let mounts = fs::read_to_string("/proc/mounts").unwrap_or_default();
    let filesystems = fs::read_to_string("/proc/filesystems").unwrap_or_default();

    let common = MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_NODEV | MsFlags::MS_RELATIME;
    mount_cached(&mounts, "proc", "/proc", "proc", common, None)?;
    let dev_flags = MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_RELATIME;
    mount_cached(
        &mounts,
        "dev",
        "/dev",
        "devtmpfs",
        dev_flags,
        Some("mode=0755"),
    )?;
    mount_cached(&mounts, "sysfs", "/sys", "sysfs", common, None)?;
    mount_cached(&mounts, "run", "/run", "tmpfs", common, Some("mode=0755"))?;
    let tmp_flags = MsFlags::MS_NOSUID | MsFlags::MS_NODEV | MsFlags::MS_RELATIME;
    mount_cached(&mounts, "tmpfs", "/tmp", "tmpfs", tmp_flags, None)?;
    mount_if_cached(
        &mounts,
        &filesystems,
        "securityfs",
        "securityfs",
        "/sys/kernel/security",
        common,
        None,
    )?;
    mount_if_cached(
        &mounts,
        &filesystems,
        "efivarfs",
        "efivarfs",
        "/sys/firmware/efi/efivars",
        common,
        None,
    )?;
    proc_symlinks()?;
    device_nodes()?;
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::test_utils::require_root;
    use std::fs;

    // === Safe parsing function tests ===

    #[test]
    fn test_is_mounted_in() {
        let mounts = fs::read_to_string("/proc/mounts").unwrap();
        assert!(is_mounted_in(&mounts, "/"));
        assert!(!is_mounted_in(&mounts, "/nonexistent"));
    }

    #[test]
    fn test_is_mounted_exact_match() {
        // /dev/pts mounted should NOT match /dev (substring matching bug fix)
        let mounts = "devpts /dev/pts devpts rw 0 0\ntmpfs /tmp tmpfs rw 0 0\n";
        assert!(!is_mounted_in(mounts, "/dev"));
        assert!(is_mounted_in(mounts, "/dev/pts"));
        assert!(is_mounted_in(mounts, "/tmp"));
    }

    #[test]
    fn test_is_mounted_empty() {
        assert!(!is_mounted_in("", "/"));
        assert!(!is_mounted_in("", "/dev"));
    }

    #[test]
    fn test_fs_available_in() {
        let filesystems = fs::read_to_string("/proc/filesystems").unwrap();
        assert!(fs_available_in(&filesystems, "proc"));
        assert!(fs_available_in(&filesystems, "sysfs"));
        assert!(!fs_available_in(&filesystems, "nonexistent_fs"));
    }

    #[test]
    fn test_fs_available_empty() {
        assert!(!fs_available_in("", "proc"));
    }

    // === mount_cached tests (safe: no-op when already mounted) ===

    #[test]
    fn test_mount_cached_already_mounted() {
        // When target is already in mounts, mount_cached is a no-op
        let mounts = "proc /proc proc rw 0 0\n";
        let result = mount_cached(mounts, "proc", "/proc", "proc", MsFlags::empty(), None);
        assert!(result.is_ok());
    }

    // === mount_if_cached tests (safe: no-op when conditions not met) ===

    #[test]
    fn test_mount_if_cached_fs_not_available() {
        // When filesystem is not available, should be no-op
        let mounts = "";
        let filesystems = "nodev tmpfs\n";
        let result = mount_if_cached(
            mounts,
            filesystems,
            "nonexistent_fs",
            "src",
            "/tmp", // exists but fs not available
            MsFlags::empty(),
            None,
        );
        assert!(result.is_ok());
    }

    #[test]
    fn test_mount_if_cached_target_not_exists() {
        // When target path doesn't exist, should be no-op
        let mounts = "";
        let filesystems = "nodev tmpfs\n";
        let result = mount_if_cached(
            mounts,
            filesystems,
            "tmpfs",
            "src",
            "/nonexistent/path",
            MsFlags::empty(),
            None,
        );
        assert!(result.is_ok());
    }

    #[test]
    fn test_mount_if_cached_already_mounted() {
        // When already mounted, should be no-op
        let mounts = "tmpfs /tmp tmpfs rw 0 0\n";
        let filesystems = "nodev tmpfs\n";
        let result = mount_if_cached(
            mounts,
            filesystems,
            "tmpfs",
            "tmpfs",
            "/tmp",
            MsFlags::empty(),
            None,
        );
        assert!(result.is_ok());
    }

    // === Error path tests (safe: mount fails, no changes made) ===

    #[test]
    fn test_mount_cached_fails_nonexistent_target() {
        // Trying to mount to nonexistent path should fail
        let mounts = "";
        let result = mount_cached(
            mounts,
            "tmpfs",
            "/nonexistent/mount/point",
            "tmpfs",
            MsFlags::empty(),
            None,
        );
        assert!(result.is_err());
    }

    #[test]
    fn test_readonly_fails_nonexistent() {
        // Trying to remount nonexistent path should fail
        let result = readonly("/nonexistent/path");
        assert!(result.is_err());
    }

    // === Functions that need root but are safe ===

    #[test]
    fn test_proc_symlinks() {
        // These symlinks already exist on any Linux system.
        // ln() is idempotent - returns Ok if already correct.
        require_root();
        assert!(proc_symlinks().is_ok());
    }

    #[test]
    fn test_device_nodes() {
        // mknod() removes existing nodes first, then recreates.
        // Safe: just recreates /dev/null, /dev/zero, etc. with same params.
        require_root();
        assert!(device_nodes().is_ok());
    }

    // === setup() is dangerous - mounts filesystems ===
    // Only test in ephemeral VMs, not on development machines.
}

1	// SPDX-License-Identifier: Apache-2.0
2	// Copyright (c) NVIDIA CORPORATION
3
4	//! Filesystem setup for the minimal init environment.
5	//!
6	//! Coverage note: ~80% is the safe maximum. `setup()` mounts filesystems
7	//! and can only be tested in ephemeral VMs.
8
9	use crate::coreutils::{ln, mknod};
10	use anyhow::{Context, Result};
11	use nix::mount::{self, MsFlags};
12	use nix::sys::stat;
13	use std::fs;
14	use std::path::Path;
15
16	/// Check if path is mounted (exact match on mountpoint, not substring).
17	/// Uses exact field matching to avoid false positives like "/dev" matching "/dev/pts".
18	fn is_mounted_in(mounts: &str, path: &str) -> bool {	1✔
19	mounts
20	.lines()
21	.any(\|line\| line.split_whitespace().nth(1) == Some(path))	3✔
22	}
23
24	/// Check if a filesystem type is available in the kernel.
25	/// Some filesystems (securityfs, efivarfs) may not be present in all kernels.
26	fn fs_available_in(filesystems: &str, fs: &str) -> bool {	1✔
27	filesystems.lines().any(\|line\| line.contains(fs))	3✔
28	}
29
30	/// Mount filesystem only if not already mounted.
31	/// Idempotent: safe to call multiple times. Uses pre-read mounts snapshot
32	/// to avoid TOCTOU races between check and mount.
33	fn mount_cached(	2✔
34	mounts: &str,
35	source: &str,
36	target: &str,
37	fstype: &str,
38	flags: MsFlags,
39	data: Option<&str>,
40	) -> Result<()> {
41	if !is_mounted_in(mounts, target) {	2✔
42	mount::mount(Some(source), target, Some(fstype), flags, data)	3✔
43	.with_context(\|\| format!("Failed to mount {source} on {target}"))?;	4✔
44	}
45	Ok(())	1✔
46	}
47
48	/// Remount a filesystem as read-only.
49	/// Security hardening: prevents writes to the root filesystem after init,
50	/// reducing attack surface in the confidential VM.
51	pub fn readonly(target: &str) -> Result<()> {	1✔
52	let flags = MsFlags::MS_NOSUID \| MsFlags::MS_NODEV \| MsFlags::MS_RDONLY \| MsFlags::MS_REMOUNT;	1✔
53	mount::mount(None::<&str>, target, None::<&str>, flags, None::<&str>)	1✔
54	.with_context(\|\| format!("Failed to remount {target} readonly"))	3✔
55	}
56
57	/// Mount filesystem only if the fstype is available AND the target exists.
58	/// Used for optional filesystems like securityfs and efivarfs that may not
59	/// be present on all systems or kernel configurations.
60	fn mount_if_cached(	1✔
61	mounts: &str,
62	filesystems: &str,
63	fstype: &str,
64	source: &str,
65	target: &str,
66	flags: MsFlags,
67	data: Option<&str>,
68	) -> Result<()> {
69	if fs_available_in(filesystems, fstype) && Path::new(target).exists() {	2✔
70	mount_cached(mounts, source, target, fstype, flags, data)?;	1✔
71	}
72	Ok(())	1✔
73	}
74
75	/// Create /dev symlinks pointing to /proc entries.
76	/// Standard Unix convention: /dev/stdin, /dev/stdout, /dev/stderr should
77	/// exist for programs that expect them. /dev/fd provides access to open
78	/// file descriptors via /proc/self/fd.
79	fn proc_symlinks() -> Result<()> {	1✔
80	for (src, dst) in [	2✔
81	("/proc/kcore", "/dev/core"),	1✔
82	("/proc/self/fd", "/dev/fd"),	1✔
83	("/proc/self/fd/0", "/dev/stdin"),	1✔
84	("/proc/self/fd/1", "/dev/stdout"),	1✔
85	("/proc/self/fd/2", "/dev/stderr"),	1✔
86	] {
87	ln(src, dst)?;	2✔
88	}
89	Ok(())	1✔
90	}
91
92	/// Create essential /dev device nodes for basic I/O.
93	/// These character devices are fundamental Unix primitives:
94	/// - /dev/null: discard output, read returns EOF
95	/// - /dev/zero: infinite stream of zeros
96	/// - /dev/random, /dev/urandom: cryptographic randomness
97	fn device_nodes() -> Result<()> {	1✔
98	for (path, minor) in [	2✔
99	("/dev/null", 3u64),	1✔
100	("/dev/zero", 5u64),	1✔
101	("/dev/random", 8u64),	1✔
102	("/dev/urandom", 9u64),	1✔
103	] {
104	mknod(path, stat::SFlag::S_IFCHR, 1, minor)?; // major 1 = memory devices	2✔
105	}
106	Ok(())	1✔
107	}
108
109	/// Set up the minimal filesystem hierarchy required for GPU initialization.
110	/// Creates /proc, /dev, /sys, /run, /tmp mounts and essential device nodes.
111	/// Snapshot-based: reads mount state once to avoid TOCTOU races.
UNCOV 112	pub fn setup() -> Result<()> {	×
113	// Snapshot mount state once - consistent view, no TOCTOU
114	let mounts = fs::read_to_string("/proc/mounts").unwrap_or_default();	×
115	let filesystems = fs::read_to_string("/proc/filesystems").unwrap_or_default();	×
116
117	let common = MsFlags::MS_NOSUID \| MsFlags::MS_NOEXEC \| MsFlags::MS_NODEV \| MsFlags::MS_RELATIME;	×
118	mount_cached(&mounts, "proc", "/proc", "proc", common, None)?;	×
119	let dev_flags = MsFlags::MS_NOSUID \| MsFlags::MS_NOEXEC \| MsFlags::MS_RELATIME;	×
120	mount_cached(
121	&mounts,	×
122	"dev",
123	"/dev",
124	"devtmpfs",
125	dev_flags,
126	Some("mode=0755"),
127	)?;
128	mount_cached(&mounts, "sysfs", "/sys", "sysfs", common, None)?;	×
129	mount_cached(&mounts, "run", "/run", "tmpfs", common, Some("mode=0755"))?;	×
130	let tmp_flags = MsFlags::MS_NOSUID \| MsFlags::MS_NODEV \| MsFlags::MS_RELATIME;	×
131	mount_cached(&mounts, "tmpfs", "/tmp", "tmpfs", tmp_flags, None)?;	×
132	mount_if_cached(
133	&mounts,	×
134	&filesystems,	×
135	"securityfs",
136	"securityfs",
137	"/sys/kernel/security",
138	common,
139	None,
140	)?;
141	mount_if_cached(
142	&mounts,	×
143	&filesystems,	×
144	"efivarfs",
145	"efivarfs",
146	"/sys/firmware/efi/efivars",
147	common,
148	None,
149	)?;
150	proc_symlinks()?;	×
151	device_nodes()?;	×
152	Ok(())	×
153	}
154
155	#[cfg(test)]
156	mod tests {
157	use super::*;
158	use crate::test_utils::require_root;
159	use std::fs;
160
161	// === Safe parsing function tests ===
162
163	#[test]
164	fn test_is_mounted_in() {
165	let mounts = fs::read_to_string("/proc/mounts").unwrap();
166	assert!(is_mounted_in(&mounts, "/"));
167	assert!(!is_mounted_in(&mounts, "/nonexistent"));
168	}
169
170	#[test]
171	fn test_is_mounted_exact_match() {
172	// /dev/pts mounted should NOT match /dev (substring matching bug fix)
173	let mounts = "devpts /dev/pts devpts rw 0 0\ntmpfs /tmp tmpfs rw 0 0\n";
174	assert!(!is_mounted_in(mounts, "/dev"));
175	assert!(is_mounted_in(mounts, "/dev/pts"));
176	assert!(is_mounted_in(mounts, "/tmp"));
177	}
178
179	#[test]
180	fn test_is_mounted_empty() {
181	assert!(!is_mounted_in("", "/"));
182	assert!(!is_mounted_in("", "/dev"));
183	}
184
185	#[test]
186	fn test_fs_available_in() {
187	let filesystems = fs::read_to_string("/proc/filesystems").unwrap();
188	assert!(fs_available_in(&filesystems, "proc"));
189	assert!(fs_available_in(&filesystems, "sysfs"));
190	assert!(!fs_available_in(&filesystems, "nonexistent_fs"));
191	}
192
193	#[test]
194	fn test_fs_available_empty() {
195	assert!(!fs_available_in("", "proc"));
196	}
197
198	// === mount_cached tests (safe: no-op when already mounted) ===
199
200	#[test]
201	fn test_mount_cached_already_mounted() {
202	// When target is already in mounts, mount_cached is a no-op
203	let mounts = "proc /proc proc rw 0 0\n";
204	let result = mount_cached(mounts, "proc", "/proc", "proc", MsFlags::empty(), None);
205	assert!(result.is_ok());
206	}
207
208	// === mount_if_cached tests (safe: no-op when conditions not met) ===
209
210	#[test]
211	fn test_mount_if_cached_fs_not_available() {
212	// When filesystem is not available, should be no-op
213	let mounts = "";
214	let filesystems = "nodev tmpfs\n";
215	let result = mount_if_cached(
216	mounts,
217	filesystems,
218	"nonexistent_fs",
219	"src",
220	"/tmp", // exists but fs not available
221	MsFlags::empty(),
222	None,
223	);
224	assert!(result.is_ok());
225	}
226
227	#[test]
228	fn test_mount_if_cached_target_not_exists() {
229	// When target path doesn't exist, should be no-op
230	let mounts = "";
231	let filesystems = "nodev tmpfs\n";
232	let result = mount_if_cached(
233	mounts,
234	filesystems,
235	"tmpfs",
236	"src",
237	"/nonexistent/path",
238	MsFlags::empty(),
239	None,
240	);
241	assert!(result.is_ok());
242	}
243
244	#[test]
245	fn test_mount_if_cached_already_mounted() {
246	// When already mounted, should be no-op
247	let mounts = "tmpfs /tmp tmpfs rw 0 0\n";
248	let filesystems = "nodev tmpfs\n";
249	let result = mount_if_cached(
250	mounts,
251	filesystems,
252	"tmpfs",
253	"tmpfs",
254	"/tmp",
255	MsFlags::empty(),
256	None,
257	);
258	assert!(result.is_ok());
259	}
260
261	// === Error path tests (safe: mount fails, no changes made) ===
262
263	#[test]
264	fn test_mount_cached_fails_nonexistent_target() {
265	// Trying to mount to nonexistent path should fail
266	let mounts = "";
267	let result = mount_cached(
268	mounts,
269	"tmpfs",
270	"/nonexistent/mount/point",
271	"tmpfs",
272	MsFlags::empty(),
273	None,
274	);
275	assert!(result.is_err());
276	}
277
278	#[test]
279	fn test_readonly_fails_nonexistent() {
280	// Trying to remount nonexistent path should fail
281	let result = readonly("/nonexistent/path");
282	assert!(result.is_err());
283	}
284
285	// === Functions that need root but are safe ===
286
287	#[test]
288	fn test_proc_symlinks() {
289	// These symlinks already exist on any Linux system.
290	// ln() is idempotent - returns Ok if already correct.
291	require_root();
292	assert!(proc_symlinks().is_ok());
293	}
294
295	#[test]
296	fn test_device_nodes() {
297	// mknod() removes existing nodes first, then recreates.
298	// Safe: just recreates /dev/null, /dev/zero, etc. with same params.
299	require_root();
300	assert!(device_nodes().is_ok());
301	}
302
303	// === setup() is dangerous - mounts filesystems ===
304	// Only test in ephemeral VMs, not on development machines.
305	}

NVIDIA / nvrc / 20373283300

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous