| field | value |
|---|---|
| author | Marco Vedovati <mvedovati@suse.com>, 2018-08-09 13:09:59 +0200 |
| committer | Atomic Bot <atomic-devel@projectatomic.io>, 2018-08-24 17:08:11 +0000 |
| commit | 72e41c81aaa2c5ea39f7b5bd1c0654937703a346 |
| tree | 779314912b63eed2e4d97d872982386745ee54fe /test |
| parent | af9f83f11c9b92ea806b33b75337de7e5d93592d |
| download | podman-72e41c81aaa2c5ea39f7b5bd1c0654937703a346.tar.gz, .tar.bz2, .zip |
Do not try to enable AppArmor in rootless mode
When in rootless mode it's not possible to load profiles or
check which profiles are loaded.
Added a few baseline tests to check all possible cases.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Closes: #1250
Approved by: mheon
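The commit message states the constraint behind the change: a rootless process can neither load an AppArmor profile nor read the list of loaded profiles, so only "no profile" and "unconfined" can be honoured without root. The following is an added illustration of that decision and of parsing the profile listing; it is not podman's own code. `ParseLoadedProfiles`, `ResolveProfile`, the error strings and the `sampleProfiles` listing (a constructed stand-in for `/sys/kernel/security/apparmor/profiles`, which only root can read) are assumptions made for this example; `aa-demo-profile` is the name used by the test in this commit. Default-profile handling for root is not modelled.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Constructed sample of the listing root sees in
// /sys/kernel/security/apparmor/profiles ("<name> (<mode>)" per line).
// The real file is readable by root only, which is why a rootless
// process cannot check which profiles are loaded.
const sampleProfiles = `/usr/sbin/tcpdump (enforce)
aa-demo-profile (enforce)
/usr/bin/evince (complain)
`

// ParseLoadedProfiles parses the profiles listing into name -> mode.
// The mode is the trailing parenthesised token; the name is everything
// before the last " (", so path-like names survive intact.
func ParseLoadedProfiles(r io.Reader) (map[string]string, error) {
	loaded := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		open := strings.LastIndex(line, " (")
		if open < 0 || !strings.HasSuffix(line, ")") {
			return nil, fmt.Errorf("unexpected profiles line: %q", line)
		}
		loaded[line[:open]] = line[open+2 : len(line)-1]
	}
	return loaded, sc.Err()
}

// ResolveProfile returns the AppArmor profile to apply to a container,
// or "" for no confinement. requested is the value of
// --security-opt apparmor=<name> ("" when not given); rootless says whether
// the caller runs without root; loaded is the parsed listing, which only
// root can obtain (pass nil when rootless). Hypothetical helper.
func ResolveProfile(requested string, rootless bool, loaded map[string]string) (string, error) {
	if requested == "" || requested == "unconfined" {
		// Nothing to load and nothing to verify: works in both modes.
		return "", nil
	}
	if rootless {
		// Can neither load the profile nor read the listing, so refuse
		// rather than silently run without the confinement asked for.
		return "", errors.New("AppArmor profile requested in rootless mode")
	}
	if _, ok := loaded[requested]; !ok {
		return "", fmt.Errorf("AppArmor profile %q is not loaded", requested)
	}
	return requested, nil
}

func main() {
	rootless := os.Geteuid() != 0
	var loaded map[string]string
	if !rootless {
		// Root could read the real listing; the constructed sample keeps
		// this runnable anywhere.
		loaded, _ = ParseLoadedProfiles(strings.NewReader(sampleProfiles))
	}
	for _, req := range []string{"", "unconfined", "aa-demo-profile"} {
		p, err := ResolveProfile(req, rootless, loaded)
		fmt.Printf("rootless=%v requested=%q -> profile=%q err=%v\n", rootless, req, p, err)
	}
}
```

The four calls exercised by the baseline test in this commit map onto `ResolveProfile` as: no profile (rootless) and `unconfined` (rootless) succeed, a named profile as root succeeds once it appears in the listing, and a named profile rootless is rejected.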
Diffstat (limited to 'test')
| mode | file | lines |
|---|---|---|
| -rwxr-xr-x | test/test_podman_baseline.sh | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/test/test_podman_baseline.sh b/test/test_podman_baseline.sh index a9ade8c7b..74a4398ca 100755 --- a/test/test_podman_baseline.sh +++ b/test/test_podman_baseline.sh 
@@ -372,3 +372,77 @@ podman run whale-says podman rm --all podman rmi --all rm ./Dockerfile* + +######## +# Run AppArmor rootless tests +######## +if aa-enabled >/dev/null && getent passwd 1000 >/dev/null; then + # Expected to succeed + sudo -u "#1000" podman run alpine echo hello + rc=$? + echo -n "rootless with no AppArmor profile " + if [ $rc == 0 ]; then + echo "passed" + else + echo "failed" + fi + + # Expected to succeed + sudo -u "#1000" podman run --security-opt apparmor=unconfined alpine echo hello + rc=$? + echo -n "rootless with unconfined AppArmor profile " + if [ $rc == 0 ]; then + echo "passed" + else + echo "failed" + fi + + aaFile="/tmp/aaProfile" + aaProfile="aa-demo-profile" + cat > $aaFile << EOF +#include <tunables/global> +profile aa-demo-profile flags=(attach_disconnected,mediate_deleted) { + #include <abstractions/base> + deny mount, + deny /sys/[^f]*/** wklx, + deny /sys/f[^s]*/** wklx, + deny /sys/fs/[^c]*/** wklx, + deny /sys/fs/c[^g]*/** wklx, + deny /sys/fs/cg[^r]*/** wklx, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, +} +EOF + + apparmor_parser -Kr $aaFile + + #Expected to pass (as root) + podman run --security-opt apparmor=$aaProfile alpine echo hello + rc=$? + echo -n "root with specified AppArmor profile: " + if [ $rc == 0 ]; then + echo "passed" + else + echo "failed" + fi + + #Expected to fail (as rootless) + sudo -u "#1000" podman run --security-opt apparmor=$aaProfile alpine echo hello + rc=$? + echo -n "rootless with specified AppArmor profile: " + if [ $rc != 0 ]; then + echo "passed" + else + echo "failed" + fi + + ######## + # Clean up Podman and $aaFile + ######## + apparmor_parser -R $aaFile + podman rm --all + podman rmi --all + sudo -u "#1000" podman rm --all + sudo -u "#1000" podman rmi --all + rm -f $aaFile +fi |
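Review bot: the "rootless with specified AppArmor profile" check passes on any non-zero exit (`if [ $rc != 0 ]; then echo "passed"`), so it also reports "passed" when rootless podman fails for an unrelated reason; the only precondition verified is `getent passwd 1000`, i.e. that the user exists. Capture stderr from the `sudo -u "#1000" podman run --security-opt apparmor=$aaProfile ...` call and match the AppArmor-specific error text rather than relying on the exit code alone. Likewise the exit status of `apparmor_parser -Kr $aaFile` is never checked, so if the load fails the "root with specified AppArmor profile" case reports "failed" against a profile that was never loaded; guard the two profile cases on that command succeeding. Minor: `[ $rc == 0 ]` is a bash-only string comparison; `-eq` is portable and matches the numeric intent.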