aboutsummaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorSascha Grunert <sgrunert@suse.com>2020-08-10 10:16:28 +0200
committerSascha Grunert <sgrunert@suse.com>2020-08-11 11:18:52 +0200
commit97a2c86aab36f4d931371e4ac80d45d70aa575d2 (patch)
tree5556fab1ee3df6b6ce9cf41d684016a9dd0127a4 /test
parent68fd9aa2cf67a749258ccdc6fa8fd89c2557ebfc (diff)
downloadpodman-97a2c86aab36f4d931371e4ac80d45d70aa575d2.tar.gz
podman-97a2c86aab36f4d931371e4ac80d45d70aa575d2.tar.bz2
podman-97a2c86aab36f4d931371e4ac80d45d70aa575d2.zip
Allow specifying seccomp profiles for privileged containers
To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Diffstat (limited to 'test')
-rw-r--r--test/e2e/run_test.go30
1 files changed, 27 insertions, 3 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 9cb76d1f6..17034abeb 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -193,22 +193,46 @@ var _ = Describe("Podman run", func() {
Expect(conData[0].Config.Annotations["io.podman.annotations.init"]).To(Equal("FALSE"))
})
- It("podman run seccomp test", func() {
-
+ forbidGetCWDSeccompProfile := func() string {
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
jsonFile, err := podmanTest.CreateSeccompJson(in)
if err != nil {
fmt.Println(err)
Skip("Failed to prepare seccomp.json for test.")
}
+ return jsonFile
+ }
+
+ It("podman run seccomp test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(ExitWithError())
+ match, _ := session.GrepString("Operation not permitted")
+ Expect(match).Should(BeTrue())
+ })
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+ It("podman run seccomp test --privileged", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
match, _ := session.GrepString("Operation not permitted")
Expect(match).Should(BeTrue())
})
+ It("podman run seccomp test --privileged no profile should be unconfined", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--privileged", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(ContainSubstring("0"))
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman run seccomp test no profile should be default", func() {
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(ContainSubstring("2"))
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
It("podman run capabilities test", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
session.WaitWithDefaultTimeout()