summaryrefslogtreecommitdiff
path: root/test/system/030-run.bats
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2022-04-13 14:06:05 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2022-04-21 15:29:04 -0400
commit80c0fceb24b70a85f3f2ca8be29f4a131c0881d4 (patch)
treef7ceffaaf30f4b8057638db446b5512fbbe27318 /test/system/030-run.bats
parent121dde6234ddfcaf11abea03449bfd2a11da90a5 (diff)
downloadpodman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.tar.gz
podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.tar.bz2
podman-80c0fceb24b70a85f3f2ca8be29f4a131c0881d4.zip
Add support for --userns=nomap
From a security point of view, it would be nice to be able to map a rootless usernamespace that does not use your own UID within the container. This would add protection against a hostile process escapping the container and reading content in your homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/system/030-run.bats')
-rw-r--r--test/system/030-run.bats11
1 files changed, 9 insertions, 2 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index aba18badb..aa75a6462 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -273,9 +273,11 @@ echo $rand | 0 | $rand
# symptom only manifests on a fedora container image -- we have no
# reproducer on alpine. Checking directory ownership is good enough.
@test "podman run : user namespace preserved root ownership" {
+ keep="--userns=keep-id"
+ is_rootless || keep=""
for priv in "" "--privileged"; do
for user in "--user=0" "--user=100"; do
- for keepid in "" "--userns=keep-id"; do
+ for keepid in "" ${keep}; do
opts="$priv $user $keepid"
for dir in /etc /usr;do
@@ -290,6 +292,7 @@ echo $rand | 0 | $rand
# #6829 : add username to /etc/passwd inside container if --userns=keep-id
@test "podman run : add username to /etc/passwd if --userns=keep-id" {
+ skip_if_not_rootless "--userns=keep-id only works in rootless mode"
# Default: always run as root
run_podman run --rm $IMAGE id -un
is "$output" "root" "id -un on regular container"
@@ -340,6 +343,7 @@ echo $rand | 0 | $rand
# #6991 : /etc/passwd is modifiable
@test "podman run : --userns=keep-id: passwd file is modifiable" {
+ skip_if_not_rootless "--userns=keep-id only works in rootless mode"
run_podman run -d --userns=keep-id --cap-add=dac_override $IMAGE sh -c 'while ! test -e /tmp/stop; do sleep 0.1; done'
cid="$output"
@@ -824,6 +828,9 @@ EOF
# CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image
@test "podman top does not use nsenter from image" {
+ keepid="--userns=keep-id"
+ is_rootless || keepid=""
+
tmpdir=$PODMAN_TMPDIR/build-test
mkdir -p $tmpdir
tmpbuilddir=$tmpdir/build
@@ -838,7 +845,7 @@ EOF
test_image="cve_2022_1227_test"
run_podman build -t $test_image $tmpbuilddir
- run_podman run -d --userns=keep-id $test_image top
+ run_podman run -d ${keepid} $test_image top
ctr="$output"
run_podman top $ctr huser,user
run_podman rm -f -t0 $ctr