diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2022-04-13 14:06:05 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2022-04-21 15:29:04 -0400 |
commit | 80c0fceb24b70a85f3f2ca8be29f4a131c0881d4 (patch) | |
tree | f7ceffaaf30f4b8057638db446b5512fbbe27318 /test/system/030-run.bats | |
parent | 121dde6234ddfcaf11abea03449bfd2a11da90a5 (diff) | |
download | podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.tar.gz podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.tar.bz2 podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.zip |
Add support for --userns=nomap
From a security point of view, it would be nice to be able to map a
rootless usernamespace that does not use your own UID within the
container.
This would add protection against a hostile process escapping the
container and reading content in your homedir.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/system/030-run.bats')
-rw-r--r-- | test/system/030-run.bats | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats index aba18badb..aa75a6462 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -273,9 +273,11 @@ echo $rand | 0 | $rand # symptom only manifests on a fedora container image -- we have no # reproducer on alpine. Checking directory ownership is good enough. @test "podman run : user namespace preserved root ownership" { + keep="--userns=keep-id" + is_rootless || keep="" for priv in "" "--privileged"; do for user in "--user=0" "--user=100"; do - for keepid in "" "--userns=keep-id"; do + for keepid in "" ${keep}; do opts="$priv $user $keepid" for dir in /etc /usr;do @@ -290,6 +292,7 @@ echo $rand | 0 | $rand # #6829 : add username to /etc/passwd inside container if --userns=keep-id @test "podman run : add username to /etc/passwd if --userns=keep-id" { + skip_if_not_rootless "--userns=keep-id only works in rootless mode" # Default: always run as root run_podman run --rm $IMAGE id -un is "$output" "root" "id -un on regular container" @@ -340,6 +343,7 @@ echo $rand | 0 | $rand # #6991 : /etc/passwd is modifiable @test "podman run : --userns=keep-id: passwd file is modifiable" { + skip_if_not_rootless "--userns=keep-id only works in rootless mode" run_podman run -d --userns=keep-id --cap-add=dac_override $IMAGE sh -c 'while ! test -e /tmp/stop; do sleep 0.1; done' cid="$output" @@ -824,6 +828,9 @@ EOF # CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image @test "podman top does not use nsenter from image" { + keepid="--userns=keep-id" + is_rootless || keepid="" + tmpdir=$PODMAN_TMPDIR/build-test mkdir -p $tmpdir tmpbuilddir=$tmpdir/build @@ -838,7 +845,7 @@ EOF test_image="cve_2022_1227_test" run_podman build -t $test_image $tmpbuilddir - run_podman run -d --userns=keep-id $test_image top + run_podman run -d ${keepid} $test_image top ctr="$output" run_podman top $ctr huser,user run_podman rm -f -t0 $ctr |