From 990199a021fcbb5330cc3e050e581565f025366e Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Wed, 29 Mar 2023 18:36:01 +0000
Subject: [PATCH] Test to ensure nosuid,nodev,noexec are set on /etc/reolv.conf mount.

Signed-off-by: Vinayak Goyal
---
 pkg/cri/server/sandbox_run_linux_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/cri/server/sandbox_run_linux_test.go b/pkg/cri/server/sandbox_run_linux_test.go
index 9c646e069..70209a45d 100644
--- a/pkg/cri/server/sandbox_run_linux_test.go
+++ b/pkg/cri/server/sandbox_run_linux_test.go
@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 assert.NotEqual(t, "", spec.Process.SelinuxLabel)
 assert.NotEqual(t, "", spec.Linux.MountLabel)
 }
+
+ assert.Contains(t, spec.Mounts, runtimespec.Mount{
+ Source: "/test/root/sandboxes/test-id/resolv.conf",
+ Destination: resolvConfPath,
+ Type: "bind",
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+ })
+
 }
 return config, imageConfig, specCheck
 }
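Review bot: The added `assert.Contains` compares the whole `runtimespec.Mount` value, so the `Options` slice must match in exact order and length. A harmless reordering or an extra option fails the test, and the failure output does not say which of `nosuid`, `nodev` or `noexec` is missing. Since those flags are the hardening property under test, it is more precise to look the mount up by `Destination` and assert each required option individually, as sketched below. The enclosing closure starts above the hunk, so whether the sandbox id and root directory are available as variables in place of the hard-coded `Source` path cannot be told from here.

```go
		// … unchanged: SELinux label assertions …
		var resolvMount *runtimespec.Mount
		for i := range spec.Mounts {
			if spec.Mounts[i].Destination == resolvConfPath {
				resolvMount = &spec.Mounts[i]
				break
			}
		}
		if assert.NotNil(t, resolvMount, "no mount found for %s", resolvConfPath) {
			assert.Equal(t, "/test/root/sandboxes/test-id/resolv.conf", resolvMount.Source)
			assert.Equal(t, "bind", resolvMount.Type)
			// Check each flag on its own so a dropped hardening option is named in the failure.
			for _, opt := range []string{"rbind", "ro", "nosuid", "nodev", "noexec"} {
				assert.Contains(t, resolvMount.Options, opt)
			}
		}
```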