summaryrefslogtreecommitdiff
path: root/test/e2e/run_privileged_test.go
diff options
context:
space:
mode:
authorEd Santiago <santiago@redhat.com>2020-09-03 11:07:15 -0600
committerEd Santiago <santiago@redhat.com>2020-09-03 14:08:34 -0600
commit36caf4ee446a9f363cb76c629904e4ae165799b3 (patch)
tree6beb0b5433f1aaad5cf22eb1cd8f56b5fb5d3f70 /test/e2e/run_privileged_test.go
parentfa487a65220951e84779f200f48780666b4b9209 (diff)
downloadpodman-36caf4ee446a9f363cb76c629904e4ae165799b3.tar.gz
podman-36caf4ee446a9f363cb76c629904e4ae165799b3.tar.bz2
podman-36caf4ee446a9f363cb76c629904e4ae165799b3.zip
WIP: update VM images
(This is an adoption of #7533 because Brent is on PTO). Pick up new crun and crio-runc. Also: renames from useful fedora-32 and -31 to less-useful names; presumably this is needed by something-something in the new VM setup. Also: tweak two e2e tests to more properly handle a kernel (5.8.4) with a greater set of capabilities than what we or crun can yet handle. Signed-off-by: Ed Santiago <santiago@redhat.com>
Diffstat (limited to 'test/e2e/run_privileged_test.go')
-rw-r--r--test/e2e/run_privileged_test.go42
1 files changed, 34 insertions, 8 deletions
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index ca8da981f..064ba7d2c 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -2,13 +2,36 @@ package integration
import (
"os"
+ "strconv"
"strings"
. "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ "github.com/syndtr/gocapability/capability"
)
+// helper function for confirming that container capabilities are equal
+// to those of the host, but only to the extent of caps we (podman)
+// know about at compile time. That is: the kernel may have more caps
+// available than we are aware of, leading to host=FFF... and ctr=3FF...
+// because the latter is all we request. Accept that.
+func containerCapMatchesHost(ctr_cap string, host_cap string) {
+ ctr_cap_n, err := strconv.ParseUint(ctr_cap, 16, 64)
+ Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", ctr_cap)
+
+ host_cap_n, err := strconv.ParseUint(host_cap, 16, 64)
+ Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", host_cap)
+
+ // host caps can never be zero (except rootless, which we don't test).
+ // and host caps must always be a superset (inclusive) of container
+ Expect(host_cap_n).To(BeNumerically(">", 0), "host cap %q should be nonzero", host_cap)
+ Expect(host_cap_n).To(BeNumerically(">=", ctr_cap_n), "host cap %q should never be less than container cap %q", host_cap, ctr_cap)
+
+ host_cap_masked := host_cap_n & (1<<len(capability.List()) - 1)
+ Expect(ctr_cap_n).To(Equal(host_cap_masked), "container cap %q is not a subset of host cap %q", ctr_cap, host_cap)
+}
+
var _ = Describe("Podman privileged container tests", func() {
var (
tempdir string
@@ -44,24 +67,27 @@ var _ = Describe("Podman privileged container tests", func() {
It("podman privileged CapEff", func() {
SkipIfRootless()
- cap := SystemExec("grep", []string{"CapEff", "/proc/self/status"})
- Expect(cap.ExitCode()).To(Equal(0))
+ host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+ Expect(host_cap.ExitCode()).To(Equal(0))
- session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- Expect(session.OutputToString()).To(Equal(cap.OutputToString()))
+
+ containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
})
It("podman cap-add CapEff", func() {
SkipIfRootless()
- cap := SystemExec("grep", []string{"CapEff", "/proc/self/status"})
- Expect(cap.ExitCode()).To(Equal(0))
+ // Get caps of current process
+ host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+ Expect(host_cap.ExitCode()).To(Equal(0))
- session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- Expect(session.OutputToString()).To(Equal(cap.OutputToString()))
+
+ containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
})
It("podman cap-drop CapEff", func() {