diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2022-04-13 14:06:05 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2022-04-21 15:29:04 -0400 |
| commit | 80c0fceb24b70a85f3f2ca8be29f4a131c0881d4 (patch) | |
| tree | f7ceffaaf30f4b8057638db446b5512fbbe27318 /test/e2e/toolbox_test.go | |
| parent | 121dde6234ddfcaf11abea03449bfd2a11da90a5 (diff) | |
| download | podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.tar.gz podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.tar.bz2 podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.zip | |
Add support for --userns=nomap
From a security point of view, it would be nice to be able to map a
rootless usernamespace that does not use your own UID within the
container.
This would add protection against a hostile process escapping the
container and reading content in your homedir.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/e2e/toolbox_test.go')
| -rw-r--r-- | test/e2e/toolbox_test.go | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/test/e2e/toolbox_test.go b/test/e2e/toolbox_test.go index b34fd299c..1fc28a06d 100644 --- a/test/e2e/toolbox_test.go +++ b/test/e2e/toolbox_test.go @@ -160,6 +160,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman create --userns=keep-id --user root:root - entrypoint - entrypoint is executed as root", func() { + SkipIfNotRootless("only meaningful when run rootless") session := podmanTest.Podman([]string{"run", "--userns=keep-id", "--user", "root:root", ALPINE, "id"}) session.WaitWithDefaultTimeout() @@ -168,6 +169,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman create --userns=keep-id + podman exec - correct names of user and group", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration var err error @@ -199,6 +201,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman create --userns=keep-id - entrypoint - adding user with useradd and then removing their password", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration var username string = "testuser" @@ -238,6 +241,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman create --userns=keep-id + podman exec - adding group with groupadd", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration var groupName string = "testgroup" @@ -268,6 +272,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman create --userns=keep-id - entrypoint - modifying existing user with usermod - add to new group, change home/shell/uid", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration var badHomeDir string = "/home/badtestuser" var badShell string = "/bin/sh" @@ -315,6 +320,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman run --privileged --userns=keep-id --user root:root - entrypoint - (bind)mounting", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration session = podmanTest.Podman([]string{"run", "--privileged", "--userns=keep-id", "--user", "root:root", ALPINE, @@ -329,6 +335,7 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman create + start - with all needed switches for create - sleep as entry-point", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration // These should be most of the switches that Toolbox uses to create a "toolbox" container @@ -365,8 +372,8 @@ var _ = Describe("Toolbox-specific testing", func() { }) It("podman run --userns=keep-id check $HOME", func() { + SkipIfNotRootless("only meaningful when run rootless") var session *PodmanSessionIntegration - currentUser, err := user.Current() Expect(err).To(BeNil()) |