1 files changed, 46 insertions, 4 deletions

diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 9cb76d1f6..6c65a23e8 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -193,22 +193,46 @@ var _ = Describe("Podman run", func() {
 		Expect(conData[0].Config.Annotations["io.podman.annotations.init"]).To(Equal("FALSE"))
 	})
 
-	It("podman run seccomp test", func() {
-
+	forbidGetCWDSeccompProfile := func() string {
 		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
 		jsonFile, err := podmanTest.CreateSeccompJson(in)
 		if err != nil {
 			fmt.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}
+		return jsonFile
+	}
 
-		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+	It("podman run seccomp test", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError())
 		match, _ := session.GrepString("Operation not permitted")
 		Expect(match).Should(BeTrue())
 	})
 
+	It("podman run seccomp test --privileged", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError())
+		match, _ := session.GrepString("Operation not permitted")
+		Expect(match).Should(BeTrue())
+	})
+
+	It("podman run seccomp test --privileged no profile should be unconfined", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--privileged", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(ContainSubstring("0"))
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman run seccomp test no profile should be default", func() {
+		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "grep", "Seccomp", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(ContainSubstring("2"))
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
 	It("podman run capabilities test", func() {
 		session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
@@ -803,6 +827,15 @@ USER mail`
 		Expect(isSharedOnly).Should(BeTrue())
 	})
 
+	It("podman run --security-opts proc-opts=", func() {
+		session := podmanTest.Podman([]string{"run", "--security-opt", "proc-opts=nosuid,exec", fedoraMinimal, "findmnt", "-noOPTIONS", "/proc"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		output := session.OutputToString()
+		Expect(output).To(ContainSubstring("nosuid"))
+		Expect(output).To(Not(ContainSubstring("exec")))
+	})
+
 	It("podman run --mount type=bind,bind-nonrecursive", func() {
 		SkipIfRootless()
 		session := podmanTest.Podman([]string{"run", "--mount", "type=bind,bind-nonrecursive,slave,src=/,target=/host", fedoraMinimal, "findmnt", "-nR", "/host"})
@@ -1143,7 +1176,7 @@ USER mail`
 		Expect(session.ErrorToString()).To(ContainSubstring("Invalid umask"))
 	})
 
-	It("podman run makes entrypoint from image", func() {
+	It("podman run makes workdir from image", func() {
 		// BuildImage does not seem to work remote
 		SkipIfRemote()
 		dockerfile := `FROM busybox
@@ -1154,4 +1187,13 @@ WORKDIR /madethis`
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(session.OutputToString()).To(ContainSubstring("/madethis"))
 	})
+
+	It("podman run --entrypoint does not use image command", func() {
+		session := podmanTest.Podman([]string{"run", "--entrypoint", "/bin/echo", ALPINE})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		// We can't guarantee the output is completely empty, some
+		// nonprintables seem to work their way in.
+		Expect(session.OutputToString()).To(Not(ContainSubstring("/bin/sh")))
+	})
 })