summaryrefslogtreecommitdiff
path: root/test/apparmor.bats
diff options
context:
space:
mode:
Diffstat (limited to 'test/apparmor.bats')
-rw-r--r--test/apparmor.bats164
1 files changed, 164 insertions, 0 deletions
diff --git a/test/apparmor.bats b/test/apparmor.bats
new file mode 100644
index 000000000..e5c89bf0a
--- /dev/null
+++ b/test/apparmor.bats
@@ -0,0 +1,164 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+ cleanup_test
+}
+
+# 1. test running with loading the default apparmor profile.
+# test that we can run with the default apparmor profile which will not block touching a file in `.`
+@test "load default apparmor profile and run a container with it" {
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=$(is_apparmor_enabled)
+ if [[ "$enabled" -eq 0 ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
+ start_crio
+
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname1": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor1.json
+
+ run crioctl pod run --name apparmor1 --config "$TESTDIR"/apparmor1.json
+ echo "$output"
+ [ "$status" -eq 0 ]
+ pod_id="$output"
+ run crioctl ctr create --name testname1 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+ echo "$output"
+ [ "$status" -eq 0 ]
+ ctr_id="$output"
+ run crioctl ctr execsync --id "$ctr_id" touch test.txt
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+
+ cleanup_ctrs
+ cleanup_pods
+ stop_crio
+}
+
+# 2. test running with loading a specific apparmor profile as crio default apparmor profile.
+# test that we can run with a specific apparmor profile which will block touching a file in `.` as crio default apparmor profile.
+@test "load a specific apparmor profile as default apparmor and run a container with it" {
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=$(is_apparmor_enabled)
+ if [[ "$enabled" -eq 0 ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
+ load_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
+ start_crio "" "$APPARMOR_TEST_PROFILE_NAME"
+
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname2": "apparmor-test-deny-write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor2.json
+
+ run crioctl pod run --name apparmor2 --config "$TESTDIR"/apparmor2.json
+ echo "$output"
+ [ "$status" -eq 0 ]
+ pod_id="$output"
+ run crioctl ctr create --name testname2 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+ echo "$output"
+ [ "$status" -eq 0 ]
+ ctr_id="$output"
+ run crioctl ctr execsync --id "$ctr_id" touch test.txt
+ echo "$output"
+ [ "$status" -ne 0 ]
+ [[ "$output" =~ "Permission denied" ]]
+
+ cleanup_ctrs
+ cleanup_pods
+ stop_crio
+ remove_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
+}
+
+# 3. test running with loading a specific apparmor profile but not as crio default apparmor profile.
+# test that we can run with a specific apparmor profile which will block touching a file in `.`
+@test "load default apparmor profile and run a container with another apparmor profile" {
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=$(is_apparmor_enabled)
+ if [[ "$enabled" -eq 0 ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
+ load_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
+ start_crio
+
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname3": "apparmor-test-deny-write"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor3.json
+
+ run crioctl pod run --name apparmor3 --config "$TESTDIR"/apparmor3.json
+ echo "$output"
+ [ "$status" -eq 0 ]
+ pod_id="$output"
+ run crioctl ctr create --name testname3 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+ echo "$output"
+ [ "$status" -eq 0 ]
+ ctr_id="$output"
+ run crioctl ctr execsync --id "$ctr_id" touch test.txt
+ echo "$output"
+ [ "$status" -ne 0 ]
+ [[ "$output" =~ "Permission denied" ]]
+
+ cleanup_ctrs
+ cleanup_pods
+ stop_crio
+ remove_apparmor_profile "$APPARMOR_TEST_PROFILE_PATH"
+}
+
+# 4. test running with wrong apparmor profile name.
+# test that we can will fail when running a ctr with rong apparmor profile name.
+@test "run a container with wrong apparmor profile name" {
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=$(is_apparmor_enabled)
+ if [[ "$enabled" -eq 0 ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
+ start_crio
+
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname4": "not-exists"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor4.json
+
+ run crioctl pod run --name apparmor4 --config "$TESTDIR"/apparmor4.json
+ echo "$output"
+ [ "$status" -eq 0 ]
+ pod_id="$output"
+ run crioctl ctr create --name testname4 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+ echo "$output"
+ [ "$status" -ne 0 ]
+ [[ "$output" =~ "Creating container failed" ]]
+
+
+ cleanup_ctrs
+ cleanup_pods
+ stop_crio
+}
+
+# 5. test running with default apparmor profile unloaded.
+# test that we can will fail when running a ctr with rong apparmor profile name.
+@test "run a container after unloading default apparmor profile" {
+ # this test requires apparmor, so skip this test if apparmor is not enabled.
+ enabled=$(is_apparmor_enabled)
+ if [[ "$enabled" -eq 0 ]]; then
+ skip "skip this test since apparmor is not enabled."
+ fi
+
+ start_crio
+ remove_apparmor_profile "$FAKE_CRIO_DEFAULT_PROFILE_PATH"
+
+ sed -e 's/%VALUE%/,"container\.apparmor\.security\.beta\.kubernetes\.io\/testname5": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/apparmor5.json
+
+ run crioctl pod run --name apparmor5 --config "$TESTDIR"/apparmor5.json
+ echo "$output"
+ [ "$status" -eq 0 ]
+ pod_id="$output"
+ run crioctl ctr create --name testname5 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+ echo "$output"
+ [ "$status" -eq 0 ]
+ ctr_id="$output"
+ run crioctl ctr execsync --id "$ctr_id" touch test.txt
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+
+ cleanup_ctrs
+ cleanup_pods
+ stop_crio
+}