authorYiqiao Pu <ypu@redhat.com>2018-05-29 17:41:57 +0800
committerAtomic Bot <atomic-devel@projectatomic.io>2018-06-04 18:14:33 +0000
commit28d1cec9f64cca11d42410c6e33c43b01b1d7678 (patch)
treeca4919667568e95b4cfd9f765eaab2abd70cdb62
parentc69f80c86c35b508ae21a7653e3e926e7c164e81 (diff)
Add some test for podman run flag security-opt
Add following test cases for security-opt: - Check default selinux value - Disable security options in container - Setup selinux type in security-opt - Disable seccomp protection - Configure custom seccomp.json Signed-off-by: Yiqiao Pu <ypu@redhat.com> Closes: #837 Approved by: rhatdan
-rw-r--r--test/e2e/run_test.go58
1 files changed, 58 insertions, 0 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index a581b36fb..759c292eb 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -62,6 +62,64 @@ var _ = Describe("Podman run", func() {
Expect(match).Should(BeTrue())
})
+ It("podman run selinux disable test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("unconfined_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux type check test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match1, _ := session.GrepString("container_t")
+ match2, _ := session.GrepString("svirt_lxc_net_t")
+ Expect(match1 || match2).Should(BeTrue())
+ })
+
+ It("podman run selinux type setup test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run seccomp undefine test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("hello")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run seccomp test", func() {
+ jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+ in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+ err := WriteJsonFile(in, jsonFile)
+ if err != nil {
+ fmt.Println(err)
+ Skip("Failed to prepare seccomp.json for test.")
+ }
+
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Not(Equal(0)))
+ match, _ := session.GrepString("Operation not permitted")
+ Expect(match).Should(BeTrue())
+ })
+
It("podman run capabilities test", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
session.WaitWithDefaultTimeout()
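Review bot: The `podman run seccomp undefine test` does not show that seccomp was actually turned off, because `echo hello` would also succeed with a seccomp profile applied, so the test still passes if `--security-opt seccomp=unconfined` is silently ignored. Running `"cat", "/proc/self/status"` instead (as the capabilities test just below does) and asserting that the `Seccomp:` line reports `0` would pin the behaviour the flag is meant to produce. In `podman run seccomp test`, a `WriteJsonFile` failure ends in `Skip(...)`, which quietly drops coverage of the custom-profile path; `Expect(err).To(BeNil())` would surface it as a failure instead. The enclosing `Describe` block starts and ends outside the hunk.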