summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-07-15 16:33:24 -0400
committerMatthew Heon <matthew.heon@pm.me>2020-07-22 13:14:15 -0400
commitcb603b8a3e4a4a1da194ed020caf270fa85f6f5b (patch)
tree10631dc3d3a556ad1f9d30481764f69216d9b4ce /test
parent2d24487ba244e5cd900f6aecc5d8896e1354d1ee (diff)
downloadpodman-cb603b8a3e4a4a1da194ed020caf270fa85f6f5b.tar.gz
podman-cb603b8a3e4a4a1da194ed020caf270fa85f6f5b.tar.bz2
podman-cb603b8a3e4a4a1da194ed020caf270fa85f6f5b.zip
Support default profile for apparmor
Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/e2e/run_apparmor_test.go158
1 files changed, 158 insertions, 0 deletions
diff --git a/test/e2e/run_apparmor_test.go b/test/e2e/run_apparmor_test.go
new file mode 100644
index 000000000..344309b93
--- /dev/null
+++ b/test/e2e/run_apparmor_test.go
@@ -0,0 +1,158 @@
+// +build !remote
+
+package integration
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+
+ "github.com/containers/common/pkg/apparmor"
+ . "github.com/containers/libpod/v2/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+func skipIfAppArmorEnabled() {
+ if apparmor.IsEnabled() {
+ Skip("Apparmor is enabled")
+ }
+}
+func skipIfAppArmorDisabled() {
+ if !apparmor.IsEnabled() {
+ Skip("Apparmor is not enabled")
+ }
+}
+
+var _ = Describe("Podman run", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.Setup()
+ podmanTest.SeedImages()
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ processTestResult(f)
+
+ })
+
+ It("podman run apparmor default", func() {
+ skipIfAppArmorDisabled()
+ session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
+ })
+
+ It("podman run no apparmor --privileged", func() {
+ skipIfAppArmorDisabled()
+ session := podmanTest.Podman([]string{"create", "--privileged", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal(""))
+ })
+
+ It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
+ skipIfAppArmorDisabled()
+ session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
+ })
+
+ It("podman run apparmor aa-test-profile", func() {
+ skipIfAppArmorDisabled()
+ aaProfile := `
+#include <tunables/global>
+profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/base>
+ deny mount,
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+}
+`
+ aaFile := filepath.Join(os.TempDir(), "aaFile")
+ Expect(ioutil.WriteFile(aaFile, []byte(aaProfile), 0755)).To(BeNil())
+ parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
+ Expect(parse.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=aa-test-profile", "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal("aa-test-profile"))
+ })
+
+ It("podman run apparmor invalid", func() {
+ skipIfAppArmorDisabled()
+ session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman run apparmor unconfined", func() {
+ skipIfAppArmorDisabled()
+ session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal("unconfined"))
+ })
+
+ It("podman run apparmor disabled --security-opt apparmor fails", func() {
+ skipIfAppArmorEnabled()
+ // Should fail if user specifies apparmor on disabled system
+ session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman run apparmor disabled no default", func() {
+ skipIfAppArmorEnabled()
+ // Should succeed if user specifies apparmor on disabled system
+ session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ cid := session.OutputToString()
+ // Verify that apparmor.Profile is being set
+ inspect := podmanTest.InspectContainer(cid)
+ Expect(inspect[0].AppArmorProfile).To(Equal(""))
+ })
+})