diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2021-05-01 05:50:31 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-05-04 14:40:43 -0400 |
| commit | 4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec (patch) | |
| tree | e944a81bbdd86ab0e166923c2fde320311718de0 /pkg/specgen/generate/config_linux_test.go | |
| parent | 7f2c27d43fc5d109c156e6203bf4901853b3cc7a (diff) | |
| download | podman-4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec.tar.gz podman-4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec.tar.bz2 podman-4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec.zip | |
Add filepath glob support to --security-opt unmask
Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely, then
specifing umask=all, also gives the user more flexibilty.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/specgen/generate/config_linux_test.go')
| -rw-r--r-- | pkg/specgen/generate/config_linux_test.go | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/pkg/specgen/generate/config_linux_test.go b/pkg/specgen/generate/config_linux_test.go new file mode 100644 index 000000000..39973324b --- /dev/null +++ b/pkg/specgen/generate/config_linux_test.go @@ -0,0 +1,28 @@ +package generate + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestShouldMask(t *testing.T) { + tests := []struct { + mask string + unmask []string + shouldMask bool + }{ + {"/proc/foo", []string{"all"}, false}, + {"/proc/foo", []string{"ALL"}, false}, + {"/proc/foo", []string{"/proc/foo"}, false}, + {"/proc/foo", []string{"/proc/*"}, false}, + {"/proc/foo", []string{"/proc/bar", "all"}, false}, + {"/proc/foo", []string{"/proc/f*"}, false}, + {"/proc/foo", []string{"/proc/b*"}, true}, + {"/proc/foo", []string{}, true}, + } + for _, test := range tests { + val := shouldMask(test.mask, test.unmask) + assert.Equal(t, val, test.shouldMask) + } +} |