diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2021-04-14 10:52:44 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-04-21 13:28:36 -0400 |
commit | e356160f415b6111df09af214f0dea299e78ad04 (patch) | |
tree | 5a2186591697b7261b1f90d819c9026f06bd98fa /test/system/170-run-userns.bats | |
parent | 9c8277247d3e2e60a1f945d82851f58447cbdd74 (diff) | |
download | podman-e356160f415b6111df09af214f0dea299e78ad04.tar.gz podman-e356160f415b6111df09af214f0dea299e78ad04.tar.bz2 podman-e356160f415b6111df09af214f0dea299e78ad04.zip |
Add --group-add keep-groups: suplimentary groups into container
Currently we have rootless users who want to leak their groups access
into containers, but this group access is only able to be pushed in by
a hard to find OCI Runtime annotation. This PR makes this option a lot
more visable and hides the complexity within the podman client.
This option is only really needed for local rootless users. It makes
no sense for remote clients, and probably makes little sense for
rootfull containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/system/170-run-userns.bats')
-rw-r--r-- | test/system/170-run-userns.bats | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats new file mode 100644 index 000000000..2dc5b078f --- /dev/null +++ b/test/system/170-run-userns.bats @@ -0,0 +1,45 @@ +#!/usr/bin/env bats -*- bats -*- +# shellcheck disable=SC2096 +# +# Tests for podman build +# + +load helpers + +@test "podman --group-add keep-groups while in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id + is "$output" ".*65534(nobody)" "Check group leaked into user namespace" +} + +@test "podman --group-add keep-groups while not in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id + is "$output" ".*1234" "Check group leaked into container" +} + +@test "podman --group-add without keep-groups while in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id + is "$output" ".*457" "Check group leaked into container" +} + +@test "podman --remote --group-add keep-groups " { + if is_remote; then + run_podman 125 run --group-add keep-groups $IMAGE id + is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups" + fi +} + +@test "podman --group-add without keep-groups " { + run_podman run --group-add 457 $IMAGE id + is "$output" ".*457" "Check group leaked into container" +} + +@test "podman --group-add keep-groups plus added groups " { + run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id + is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container" +} |