summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorUrvashi Mohnani <umohnani@redhat.com>2020-11-18 21:36:16 -0500
committerUrvashi Mohnani <umohnani@redhat.com>2020-12-02 16:07:18 -0500
commit0334b6195820f7261f87a4f4e5d739a6d560f4b2 (patch)
treead0667023f0aac28760e9a3bd879099e68684641 /test
parente3f0b7db7508f1e1ecfdb23adb53531c89a29b99 (diff)
downloadpodman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.gz
podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.bz2
podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.zip
Add mask and unmask option to --security-opt
Add the mask and unmask option to the --security-opt flag to allow users to specify paths to mask and unmask in the container. If unmask=ALL, this will unmask all the paths we mask by default. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/e2e/run_test.go33
-rw-r--r--test/system/400-unprivileged-access.bats2
2 files changed, 34 insertions, 1 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 0d65a3e59..efc125d2b 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -233,6 +233,39 @@ var _ = Describe("Podman run", func() {
return jsonFile
}
+ It("podman run mask and unmask path test", func() {
+ session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr1", "--security-opt", "unmask=ALL", "--security-opt", "mask=/proc/acpi", ALPINE, "sleep", "200"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"exec", "maskCtr1", "ls", "/sys/firmware"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(Not(BeEmpty()))
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"exec", "maskCtr1", "ls", "/proc/acpi"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(BeEmpty())
+
+ session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr2", "--security-opt", "unmask=/proc/acpi:/sys/firmware", ALPINE, "sleep", "200"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"exec", "maskCtr2", "ls", "/sys/firmware"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(Not(BeEmpty()))
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"exec", "maskCtr2", "ls", "/proc/acpi"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(Not(BeEmpty()))
+ Expect(session.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr3", "--security-opt", "mask=/sys/power/disk", ALPINE, "sleep", "200"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"exec", "maskCtr3", "cat", "/sys/power/disk"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(BeEmpty())
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
It("podman run seccomp test", func() {
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index 142d7dcd9..20fdd068f 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -118,7 +118,7 @@ EOF
/proc/scsi
/sys/firmware
/sys/fs/selinux
- /sys/dev
+ /sys/dev/block
)
# Some of the above may not exist on our host. Find only the ones that do.