author: Giuseppe Scrivano <gscrivan@redhat.com> 2019-04-11 11:51:02 +0200
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2019-04-11 15:40:00 +0200
commit: b7800889fbd0d411d15ba8d1ddab58d02fd105ae (patch)
tree: 3d2e96a588b1c54016ea32a989d3c982751046c8 /test
parent: 6cd6eb6768bb936e87309c61d9cf131350274700 (diff)
userns: prevent /sys/kernel/* paths in the container
When we run in a user namespace, there are cases where we do not have enough privileges to mount a fresh sysfs on /sys. To circumvent this limitation, we rbind /sys from the host. This also carries into the container some mounts we probably don't want. We are also limited by the kernel to using rbind instead of bind, as allowing a bind would uncover paths that were not previously visible.

This is a slimmed-down version of the intermediate mount namespace logic we had before, where we only set /sys to slave, so the umounts done to the storage by the cleanup process are propagated back to the host. We also don't set up any new directory, so there is no additional cleanup to do.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- test/system/030-run.bats | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 8ae68f33d..188070550 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -31,4 +31,12 @@ echo $rand | 0 | $rand
done < <(parse_table "$tests")
}
+@test "podman run - uidmapping has no /sys/kernel mounts" {
+ run_podman $expected_rc run --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
+ is "$output" "" "podman run $cmd - output"
+
+ run_podman $expected_rc run --net host --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
+ is "$output" "" "podman run $cmd - output"
+}
+
# vim: filetype=sh
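Review bot: the check `is "$output" "" "podman run $cmd - output"` cannot fail as written, because piping `run_podman ... | grep /sys/kernel` runs `run_podman` in a subshell of the pipeline, so the `$output` it sets never reaches the test body, and grep's own exit status (1 when nothing matches) is discarded. Run the command unpiped, `run_podman run --uidmapping 0:100:10000 $IMAGE mount`, and then assert that `$output` does not contain `/sys/kernel` (for example `die` if `grep -q /sys/kernel <<<"$output"` succeeds), doing the same for the second `--net host` invocation. Separately, `$expected_rc` and `$cmd` are not defined in this test; they belong to the table-driven loop of the preceding test (`done < <(parse_table "$tests")`), so here they expand to empty strings and the failure message loses the command it names. Either drop them or set them explicitly for this test.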