aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-08-11 07:19:21 -0400
committerGitHub <noreply@github.com>2020-08-11 07:19:21 -0400
commit6d3075a6c79a6e761c183e0d5e6aa239fad21b63 (patch)
treef0298e8417c1160d03be14de6b26f99bcc0e609c
parent68c67d24308710d5ad23ee5ddeb35293e2123fb6 (diff)
parent97a2c86aab36f4d931371e4ac80d45d70aa575d2 (diff)
downloadpodman-6d3075a6c79a6e761c183e0d5e6aa239fad21b63.tar.gz
podman-6d3075a6c79a6e761c183e0d5e6aa239fad21b63.tar.bz2
podman-6d3075a6c79a6e761c183e0d5e6aa239fad21b63.zip
Merge pull request #7269 from openSUSE/seccomp
Allow specifying seccomp profiles for privileged containers
-rw-r--r--pkg/specgen/generate/security.go5
-rw-r--r--test/e2e/run_test.go30
2 files changed, 30 insertions, 5 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 4352ef718..5e4cc3399 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -158,8 +158,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Linux.Seccomp = seccompConfig
}
- // Clear default Seccomp profile from Generator for privileged containers
- if s.SeccompProfilePath == "unconfined" || s.Privileged {
+ // Clear default Seccomp profile from Generator for unconfined containers
+ // and privileged containers which do not specify a seccomp profile.
+ if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
configSpec.Linux.Seccomp = nil
}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index dc44d3b3f..30e565894 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -193,22 +193,46 @@ var _ = Describe("Podman run", func() {
Expect(conData[0].Config.Annotations["io.podman.annotations.init"]).To(Equal("FALSE"))
})
- It("podman run seccomp test", func() {
-
+ forbidGetCWDSeccompProfile := func() string {
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
jsonFile, err := podmanTest.CreateSeccompJson(in)
if err != nil {
fmt.Println(err)
Skip("Failed to prepare seccomp.json for test.")
}
+ return jsonFile
+ }
+
+ It("podman run seccomp test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(ExitWithError())
+ match, _ := session.GrepString("Operation not permitted")
+ Expect(match).Should(BeTrue())
+ })
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+ It("podman run seccomp test --privileged", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
match, _ := session.GrepString("Operation not permitted")
Expect(match).Should(BeTrue())
})
+ It("podman run seccomp test --privileged no profile should be unconfined", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--privileged", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(ContainSubstring("0"))
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman run seccomp test no profile should be default", func() {
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(ContainSubstring("2"))
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
It("podman run capabilities test", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
session.WaitWithDefaultTimeout()