summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorMarco Vedovati <mvedovati@suse.com>2018-08-09 13:09:59 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-08-24 17:08:11 +0000
commit72e41c81aaa2c5ea39f7b5bd1c0654937703a346 (patch)
tree779314912b63eed2e4d97d872982386745ee54fe /test
parentaf9f83f11c9b92ea806b33b75337de7e5d93592d (diff)
downloadpodman-72e41c81aaa2c5ea39f7b5bd1c0654937703a346.tar.gz
podman-72e41c81aaa2c5ea39f7b5bd1c0654937703a346.tar.bz2
podman-72e41c81aaa2c5ea39f7b5bd1c0654937703a346.zip
Do not try to enable AppArmor in rootless mode
When in rootless mode it's not possible to load profiles or check which profiles are loaded. Added a few baseline tests to check all possible cases. Signed-off-by: Marco Vedovati <mvedovati@suse.com> Closes: #1250 Approved by: mheon
Diffstat (limited to 'test')
-rwxr-xr-xtest/test_podman_baseline.sh74
1 files changed, 74 insertions, 0 deletions
diff --git a/test/test_podman_baseline.sh b/test/test_podman_baseline.sh
index a9ade8c7b..74a4398ca 100755
--- a/test/test_podman_baseline.sh
+++ b/test/test_podman_baseline.sh
@@ -372,3 +372,77 @@ podman run whale-says
podman rm --all
podman rmi --all
rm ./Dockerfile*
+
+########
+# Run AppArmor rootless tests
+########
+if aa-enabled >/dev/null && getent passwd 1000 >/dev/null; then
+ # Expected to succeed
+ sudo -u "#1000" podman run alpine echo hello
+ rc=$?
+ echo -n "rootless with no AppArmor profile "
+ if [ $rc == 0 ]; then
+ echo "passed"
+ else
+ echo "failed"
+ fi
+
+ # Expected to succeed
+ sudo -u "#1000" podman run --security-opt apparmor=unconfined alpine echo hello
+ rc=$?
+ echo -n "rootless with unconfined AppArmor profile "
+ if [ $rc == 0 ]; then
+ echo "passed"
+ else
+ echo "failed"
+ fi
+
+ aaFile="/tmp/aaProfile"
+ aaProfile="aa-demo-profile"
+ cat > $aaFile << EOF
+#include <tunables/global>
+profile aa-demo-profile flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/base>
+ deny mount,
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+}
+EOF
+
+ apparmor_parser -Kr $aaFile
+
+ #Expected to pass (as root)
+ podman run --security-opt apparmor=$aaProfile alpine echo hello
+ rc=$?
+ echo -n "root with specified AppArmor profile: "
+ if [ $rc == 0 ]; then
+ echo "passed"
+ else
+ echo "failed"
+ fi
+
+ #Expected to fail (as rootless)
+ sudo -u "#1000" podman run --security-opt apparmor=$aaProfile alpine echo hello
+ rc=$?
+ echo -n "rootless with specified AppArmor profile: "
+ if [ $rc != 0 ]; then
+ echo "passed"
+ else
+ echo "failed"
+ fi
+
+ ########
+ # Clean up Podman and $aaFile
+ ########
+ apparmor_parser -R $aaFile
+ podman rm --all
+ podman rmi --all
+ sudo -u "#1000" podman rm --all
+ sudo -u "#1000" podman rmi --all
+ rm -f $aaFile
+fi