aboutsummaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorDan Čermák <dcermak@suse.com>2022-09-21 23:09:10 +0200
committerDan Čermák <dcermak@suse.com>2022-09-22 16:44:26 +0200
commit5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (patch)
tree75d118cca1ec243b737e883651bbb6229e41722f /test
parent828fae12971c5a7b9807c8c4f8e029fe5d0ddc2f (diff)
downloadpodman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.gz
podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.tar.bz2
podman-5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08.zip
Don't mount /dev/tty* inside privileged containers running systemd
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers. Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode This fixes https://github.com/containers/podman/issues/15878 Signed-off-by: Dan Čermák <dcermak@suse.com>
Diffstat (limited to 'test')
-rw-r--r--test/system/030-run.bats18
1 files changed, 18 insertions, 0 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 2abf749a1..65a1150a3 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -901,4 +901,22 @@ $IMAGE--c_ok" \
run_podman rm $ctr_name
}
+@test "podman run --privileged as root with systemd will not mount /dev/tty" {
+ skip_if_rootless "this test only makes sense as root"
+
+ ctr_name="container-$(random_string 5)"
+ run_podman run --rm -d --privileged --systemd=always --name "$ctr_name" "$IMAGE" /home/podman/pause
+
+ TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d')
+
+ if [[ $TTYs = "" ]]; then
+ die "Did not find any /dev/ttyN devices on local host"
+ else
+ run_podman exec "$ctr_name" ls /dev/
+ assert "$(grep tty <<<$output)" = "tty" "There must be no /dev/ttyN devices in the container"
+ fi
+
+ run_podman stop "$ctr_name"
+}
+
# vim: filetype=sh