libcontainer: force apps to think fips is enabled/disabled for testing

The motivation behind this change is to provide a flexible mechanism for
containers within a Kubernetes cluster to opt out of FIPS mode when necessary.
This change enables apps to simulate FIPS mode being enabled or disabled for testing
purposes. Users can control whether apps believe FIPS mode is on or off by manipulating
`/proc/sys/crypto/fips_enabled`.

Signed-off-by: Sohan Kunkerkar <[email protected]>

Author: lifubang

libcontainer/rootfs_linux.go

@@ -602,6 +602,7 @@ func checkProcMount(rootfs, dest, source string) error {
 		"/proc/slabinfo",
 		"/proc/net/dev",
 		"/proc/sys/kernel/ns_last_pid",
+		"/proc/sys/crypto/fips_enabled",
 	}
 	for _, valid := range validProcMounts {
 		path, err := filepath.Rel(filepath.Join(rootfs, valid), dest)

libcontainer/rootfs_linux_test.go

@@ -46,6 +46,14 @@ func TestCheckMountDestNsLastPid(t *testing.T) {
 	}
 }
 
+func TestCheckCryptoFipsEnabled(t *testing.T) {
+	dest := "/rootfs/proc/sys/crypto/fips_enabled"
+	err := checkProcMount("/rootfs", dest, "/proc")
+	if err != nil {
+		t.Fatalf("/proc/sys/crypto/fips_enabled should not return an error: %v", err)
+	}
+}
+
 func TestNeedsSetupDev(t *testing.T) {
 	config := &configs.Config{
 		Mounts: []*configs.Mount{