Merge pull request #9495 from rhatdan/groups

Add '--group-add keep-groups': supplementary groups into container

4 files changed, 48 insertions, 3 deletions

diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py
index bf0ee0603..3b089e2f2 100644
--- a/test/apiv2/rest_api/test_rest_v2_0_0.py
+++ b/test/apiv2/rest_api/test_rest_v2_0_0.py
@@ -378,7 +378,7 @@ class TestApi(unittest.TestCase):
             self.assertEqual(r.status_code, 200, r.text)
             objs = json.loads(r.text)
             self.assertIn(type(objs), (list,))
-            # There should be only one offical image
+            # There should be only one official image
             self.assertEqual(len(objs), 1)
 
         def do_search4():
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index a9495e350..2ed791429 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -114,7 +114,7 @@ load helpers
 @test "podman stop - unlock while waiting for timeout" {
     # Test that the container state transitions to "stopping" and that other
     # commands can get the container's lock.  To do that, run a container that
-    # ingores SIGTERM such that the Podman would wait 20 seconds for the stop
+    # ignores SIGTERM such that the Podman would wait 20 seconds for the stop
     # to finish.  This gives us enough time to try some commands and inspect
     # the container's status.
 
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index d4017ae01..6ae78de2e 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -354,7 +354,7 @@ Cmd[1]             | $s_echo
 WorkingDir         | $workdir
 Labels.$label_name | $label_value
 "
-    # FIXME: 2021-02-24: Fixed in buildah #3036; reenable this once podman
+    # FIXME: 2021-02-24: Fixed in buildah #3036; re-enable this once podman
     #        vendors in a newer buildah!
     # Labels.\"io.buildah.version\" | $buildah_version
 
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
new file mode 100644
index 000000000..2dc5b078f
--- /dev/null
+++ b/test/system/170-run-userns.bats
@@ -0,0 +1,45 @@
+#!/usr/bin/env bats   -*- bats -*-
+# shellcheck disable=SC2096
+#
+# Tests for podman build
+#
+
+load helpers
+
+@test "podman --group-add keep-groups while in a userns" {
+    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_remote "--group-add keep-groups not supported in remote mode"
+    run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
+    is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
+}
+
+@test "podman --group-add keep-groups while not in a userns" {
+    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_remote "--group-add keep-groups not supported in remote mode"
+    run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id
+    is "$output" ".*1234" "Check group leaked into container"
+}
+
+@test "podman --group-add without keep-groups while in a userns" {
+    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_remote "--group-add keep-groups not supported in remote mode"
+    run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id
+    is "$output" ".*457" "Check group leaked into container"
+}
+
+@test "podman --remote --group-add keep-groups " {
+    if is_remote; then
+        run_podman 125 run --group-add keep-groups $IMAGE id
+        is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
+    fi
+}
+
+@test "podman --group-add without keep-groups " {
+    run_podman run --group-add 457 $IMAGE id
+    is "$output" ".*457" "Check group leaked into container"
+}
+
+@test "podman --group-add keep-groups plus added groups " {
+    run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id
+    is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
+}