diff options
| author | Jakub Guzik <jakubmguzik@gmail.com> | 2021-02-28 13:14:11 +0100 |
|---|---|---|
| committer | Jakub Guzik <jakubmguzik@gmail.com> | 2021-02-28 15:59:43 +0100 |
| commit | d9cb135b6423da5cb16bca82e9c2b5d322dec8a9 (patch) | |
| tree | 2d7c5e7acd9e4706431ffeeb8a77db883cde0b2b /test | |
| parent | 397aae32b9ae219eda190cde65b18e4361427932 (diff) | |
| download | podman-d9cb135b6423da5cb16bca82e9c2b5d322dec8a9.tar.gz podman-d9cb135b6423da5cb16bca82e9c2b5d322dec8a9.tar.bz2 podman-d9cb135b6423da5cb16bca82e9c2b5d322dec8a9.zip | |
Enable cgroupsv2 rw mount via security-opt unmask
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/e2e/run_test.go | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index f0ba9d1d9..490d05699 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -304,6 +304,42 @@ var _ = Describe("Podman run", func() { }) + It("podman run security-opt unmask on /sys/fs/cgroup", func() { + + SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1") + SkipIfRootless("/sys/fs/cgroup rw access is needed") + rwOnCGroups := "/sys/fs/cgroup cgroup2 rw" + session := podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup///", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "ls", "/sys/fs/cgroup"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).ToNot(BeEmpty()) + }) + It("podman run seccomp test", func() { session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"}) session.WaitWithDefaultTimeout() |