diff options
Diffstat (limited to 'test/e2e/run_security_labels_test.go')
-rw-r--r-- | test/e2e/run_security_labels_test.go | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/test/e2e/run_security_labels_test.go b/test/e2e/run_security_labels_test.go new file mode 100644 index 000000000..0c5621e3f --- /dev/null +++ b/test/e2e/run_security_labels_test.go @@ -0,0 +1,151 @@ +package integration + +import ( + "os" + "strings" + + . "github.com/containers/podman/v2/test/utils" + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" +) + +var _ = Describe("Podman generate kube", func() { + var ( + tempdir string + err error + podmanTest *PodmanTestIntegration + ) + + BeforeEach(func() { + tempdir, err = CreateTempDirInTempDir() + if err != nil { + os.Exit(1) + } + podmanTest = PodmanTestCreate(tempdir) + podmanTest.Setup() + podmanTest.SeedImages() + + }) + + AfterEach(func() { + podmanTest.Cleanup() + f := CurrentGinkgoTestDescription() + processTestResult(f) + }) + + It("podman security labels", func() { + test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Equal("CAP_SETUID,CAP_SETGID")) + }) + + It("podman bad security labels", func() { + test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Not(Equal("CAP_SYS_ADMIN"))) + }) + + It("podman --cap-add sys_admin security labels", func() { + test1 := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Equal("CAP_SYS_ADMIN")) + }) + + It("podman --cap-drop all sys_admin security labels", func() { + test1 := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Equal("")) + }) + + It("podman security labels from image", func() { + test1 := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1.ExitCode()).To(BeZero()) + + commit := podmanTest.Podman([]string{"commit", "-c", "label=io.containers.capabilities=sys_chroot,setuid", "test1", "image1"}) + commit.WaitWithDefaultTimeout() + Expect(commit.ExitCode()).To(BeZero()) + + image1 := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"}) + image1.WaitWithDefaultTimeout() + Expect(image1.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test2"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Equal("CAP_SYS_CHROOT,CAP_SETUID")) + + }) + + It("podman --privileged security labels", func() { + pull := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"}) + pull.WaitWithDefaultTimeout() + Expect(pull.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Not(Equal("CAP_SETUID,CAP_SETGID"))) + }) + + It("podman container runlabel (podman --version)", func() { + SkipIfRemote("runlabel not supported on podman-remote") + PodmanDockerfile := ` +FROM alpine:latest +LABEL io.containers.capabilities=chown,kill` + + image := "podman-caps:podman" + podmanTest.BuildImage(PodmanDockerfile, image, "false") + + test1 := podmanTest.Podman([]string{"create", "--name", "test1", image, "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + caps := strings.Join(ctr[0].EffectiveCaps, ",") + Expect(caps).To(Equal("CAP_CHOWN,CAP_KILL")) + }) + +}) |