author | Yiqiao Pu <ypu@redhat.com> | 2018-05-29 17:41:57 +0800 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-06-04 18:14:33 +0000 |
commit | 28d1cec9f64cca11d42410c6e33c43b01b1d7678 (patch) | |
tree | ca4919667568e95b4cfd9f765eaab2abd70cdb62 | |
parent | c69f80c86c35b508ae21a7653e3e926e7c164e81 (diff) | |
Add some test for podman run flag security-opt
Add the following test cases for security-opt:
- Check default selinux value
- Disable security options in container
- Setup selinux type in security-opt
- Disable seccomp protection
- Configure custom seccomp.json
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Closes: #837
Approved by: rhatdan
-rw-r--r-- | test/e2e/run_test.go | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index a581b36fb..759c292eb 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -62,6 +62,64 @@ var _ = Describe("Podman run", func() {
 Expect(match).Should(BeTrue())
 })

+ It("podman run selinux disable test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("unconfined_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux type check test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match1, _ := session.GrepString("container_t")
+ match2, _ := session.GrepString("svirt_lxc_net_t")
+ Expect(match1 || match2).Should(BeTrue())
+ })
+
+ It("podman run selinux type setup test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run seccomp undefine test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("hello")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run seccomp test", func() {
+ jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+ in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+ err := WriteJsonFile(in, jsonFile)
+ if err != nil {
+ fmt.Println(err)
+ Skip("Failed to prepare seccomp.json for test.")
+ }
+
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Not(Equal(0)))
+ match, _ := session.GrepString("Operation not permitted")
+ Expect(match).Should(BeTrue())
+ })
+
 It("podman run capabilities test", func() {
 session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
 session.WaitWithDefaultTimeout() |
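Review bot: The `podman run seccomp undefine test` case asserts only that `echo hello` succeeds, which it would presumably also do under the default seccomp profile, so the test still passes if `--security-opt seccomp=unconfined` is silently ignored. Reading the kernel's view would pin the behaviour: run `"grep", "Seccomp", "/proc/self/status"` in the container and expect the `Seccomp:` field to be `0`. In the `podman run seccomp test` case, a `WriteJsonFile` error is turned into `Skip(...)`, so a broken fixture quietly drops the only check that a custom profile is enforced; `Expect(err).To(BeNil())` in place of the `if err != nil { ... Skip(...) }` block would make that failure visible. The enclosing `Describe` block starts and ends outside the hunk.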