summaryrefslogtreecommitdiff
path: root/test/e2e
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-01-05 17:56:36 +0100
committerGitHub <noreply@github.com>2022-01-05 17:56:36 +0100
commit50e156b60536017fc1841ef6b875565cb1a08a4e (patch)
tree4dfe1e4929f29470cc5e99b955d47b7080ac1555 /test/e2e
parent2157414cf83a3b99accc2f52ac8da3f2f05bd8dd (diff)
parent289270375a54c26b86f9e2d99aab18b427e56b88 (diff)
downloadpodman-50e156b60536017fc1841ef6b875565cb1a08a4e.tar.gz
podman-50e156b60536017fc1841ef6b875565cb1a08a4e.tar.bz2
podman-50e156b60536017fc1841ef6b875565cb1a08a4e.zip
Merge pull request #12208 from cdoern/podSecurityOpt
Pod Security Option support and Infra Inheritance changes
Diffstat (limited to 'test/e2e')
-rw-r--r--test/e2e/pod_create_test.go62
1 files changed, 62 insertions, 0 deletions
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 41a017a52..fab107af8 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -9,6 +9,8 @@ import (
"strconv"
"strings"
+ "github.com/containers/common/pkg/apparmor"
+ "github.com/containers/common/pkg/seccomp"
"github.com/containers/common/pkg/sysinfo"
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util"
@@ -16,6 +18,7 @@ import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
. "github.com/onsi/gomega/gexec"
+ "github.com/opencontainers/selinux/go-selinux"
)
var _ = Describe("Podman pod create", func() {
@@ -967,4 +970,63 @@ ENTRYPOINT ["sleep","99999"]
Expect(inspect).Should(Exit(0))
Expect(inspect.OutputToString()).Should(Equal("host"))
})
+
+ It("podman pod create --security-opt", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=type:spc_t", "--security-opt", "seccomp=unconfined"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"label=type:spc_t", "seccomp=unconfined"}))
+
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=disable"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate = podmanTest.Podman([]string{"container", "run", "-it", "--pod", podCreate.OutputToString(), ALPINE, "cat", "/proc/self/attr/current"})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+ match, _ := ctrCreate.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman pod create --security-opt seccomp", func() {
+ if !seccomp.IsEnabled() {
+ Skip("seccomp is not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "seccomp=unconfined"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"seccomp=unconfined"}))
+ })
+
+ It("podman pod create --security-opt apparmor test", func() {
+ if !apparmor.IsEnabled() {
+ Skip("Apparmor is not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile)})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ inspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
+
+ })
})