diff options
author | Sascha Grunert <sgrunert@suse.com> | 2020-08-10 10:16:28 +0200 |
---|---|---|
committer | Sascha Grunert <sgrunert@suse.com> | 2020-08-11 11:18:52 +0200 |
commit | 97a2c86aab36f4d931371e4ac80d45d70aa575d2 (patch) | |
tree | 5556fab1ee3df6b6ce9cf41d684016a9dd0127a4 /test/e2e | |
parent | 68fd9aa2cf67a749258ccdc6fa8fd89c2557ebfc (diff) | |
download | podman-97a2c86aab36f4d931371e4ac80d45d70aa575d2.tar.gz podman-97a2c86aab36f4d931371e4ac80d45d70aa575d2.tar.bz2 podman-97a2c86aab36f4d931371e4ac80d45d70aa575d2.zip |
Allow specifying seccomp profiles for privileged containers
To sync the behavior between AppArmor and seccomp it is now possible to
also specify seccomp profiles for privileged containers.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Diffstat (limited to 'test/e2e')
-rw-r--r-- | test/e2e/run_test.go | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 9cb76d1f6..17034abeb 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -193,22 +193,46 @@ var _ = Describe("Podman run", func() { Expect(conData[0].Config.Annotations["io.podman.annotations.init"]).To(Equal("FALSE")) }) - It("podman run seccomp test", func() { - + forbidGetCWDSeccompProfile := func() string { in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) jsonFile, err := podmanTest.CreateSeccompJson(in) if err != nil { fmt.Println(err) Skip("Failed to prepare seccomp.json for test.") } + return jsonFile + } + + It("podman run seccomp test", func() { + session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"}) + session.WaitWithDefaultTimeout() + Expect(session).To(ExitWithError()) + match, _ := session.GrepString("Operation not permitted") + Expect(match).Should(BeTrue()) + }) - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"}) + It("podman run seccomp test --privileged", func() { + session := podmanTest.Podman([]string{"run", "-it", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"}) session.WaitWithDefaultTimeout() Expect(session).To(ExitWithError()) match, _ := session.GrepString("Operation not permitted") Expect(match).Should(BeTrue()) }) + It("podman run seccomp test --privileged no profile should be unconfined", func() { + session := podmanTest.Podman([]string{"run", "-it", "--privileged", ALPINE, "grep", "Seccomp", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(ContainSubstring("0")) + Expect(session.ExitCode()).To(Equal(0)) + }) + + It("podman run seccomp test no profile should be default", func() { + session := podmanTest.Podman([]string{"run", "-it", ALPINE, "grep", "Seccomp", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(ContainSubstring("2")) + Expect(session.ExitCode()).To(Equal(0)) + }) + It("podman run capabilities test", func() { session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"}) session.WaitWithDefaultTimeout() |