[no-relnote] Add e2e test for firmware path traversal

[ArangoGutierrez]

A container image could be crafted with a symbolic link in
/lib/firmware/nvidia/ that points to a location outside of the
container's root filesystem. When running such a container with the
NVIDIA Container Toolkit, this could potentially lead to files being
created on the host filesystem.

This change adds an end-to-end test to ensure that the toolkit is not
vulnerable to this kind of path traversal attack.

The test case covers two scenarios:

• When using CDI, which is the default, the test ensures that the
  container runs without error and no files are created on the host.
• When using the legacy nvidia-container-runtime-hook, the test
  ensures that the operation fails with a specific path error,
  preventing any file creation on the host.

[coveralls]

Pull Request Test Coverage Report for Build 16054009949

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 33.117%

---

Totals
Change from base Build 16051860676:	0.0%
Covered Lines:	4381
Relevant Lines:	13229

---

💛 - Coveralls

[Copilot]

Pull Request Overview

This PR updates the test runner to propagate stderr on failures and adds an end-to-end test validating firmware file creation under CDI vs. legacy runtimes.

• Propagate actual stderr from runner.Run when a script fails
• Add new E2E tests to ensure CDI injection prevents host-side firmware file creation
• Import fmt to support formatted commands in tests

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
tests/e2e/runner.go	Return stderr.String() as the second value on errors
tests/e2e/nvidia-container-toolkit_test.go	Introduce firmware-file-creation tests with setup and cleanup

Comments suppressed due to low confidence (2)

tests/e2e/nvidia-container-toolkit_test.go:307

• This ignores the err return from ls; adding _, _, err := runner.Run(...) followed by Expect(err).ToNot(HaveOccurred()) will ensure any unexpected failures are caught.

			output, _, _ := runner.Run(fmt.Sprintf("ls -A %s", outputDir))

tests/e2e/nvidia-container-toolkit_test.go:277

• [nitpick] The variable dockerBuildDockerfile holds the Dockerfile content; renaming it to something like dockerfileContent could improve clarity.

FROM ubuntu

[elezar]

Our other CDI tests we use:

Suggested change

	output, _, err := runner.Run("docker run --rm --runtime=nvidia --gpus=runtime.nvidia.com/gpu=all firmware-test")

[elezar]

Let's add a test for the nvidia-container-runtime too:

Suggested change

	Expect(stderr).To(ContainSubstring("nvidia-container-cli.real: mount error: path error:"))
	It("should not fail when using the nvidia-container-runtime-hook", func(ctx context.Context) {
	_, _, err := runner.Run("docker run --rm --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=all -e NVIDIA_DRIVER_CAPABILITIES=all firmware-test")
	Expect(err).ToNot(HaveOccurred())
	output, _, _ := runner.Run(fmt.Sprintf("ls -A %s", outputDir))
	Expect(output).To(BeEmpty())
	}
	It("should fail when using the nvidia-container-runtime-hook", Label("legacy"), func(ctx context.Context) {

[elezar]

Does it make sense to move the check for empty output folders to an AfterEach so that we don't have to repeat it for every test (and also don't forget to add it to new tests).

[elezar]

This might have been a typo in my suggestion:

Suggested change

	It("should not fail when using the nvidia-container-runtime-hook", func(ctx context.Context) {
	It("should not fail when using the nvidia-container-runtime", func(ctx context.Context) {

[elezar]

(the string concatenation is a nit)

Suggested change

	output, _, _ := runner.Run(fmt.Sprintf("ls -A %s", outputDir))
	Expect(output).To(BeEmpty())
	output, _, err := runner.Run("ls -A " + outputDir)
	Expect(err).ToNot(HaveOccurred())
	Expect(output).To(BeEmpty())