summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/e2e/config.go9
-rw-r--r--test/e2e/run_seccomp.go70
2 files changed, 79 insertions, 0 deletions
diff --git a/test/e2e/config.go b/test/e2e/config.go
index aeb7affee..12d0e545e 100644
--- a/test/e2e/config.go
+++ b/test/e2e/config.go
@@ -14,4 +14,13 @@ var (
BB = "docker.io/library/busybox:latest"
healthcheck = "docker.io/libpod/alpine_healthcheck:latest"
ImageCacheDir = "/tmp/podman/imagecachedir"
+
+ // This image has seccomp profiles that blocks all syscalls.
+ // The intention behind blocking all syscalls is to prevent
+ // regressions in the future. The required syscalls can vary
+ // depending on which runtime we're using.
+ alpineSeccomp = "docker.io/libpod/alpine-with-seccomp:latest"
+ // This image has a bogus/invalid seccomp profile which should
+ // yield a json error when being read.
+ alpineBogusSeccomp = "docker.io/libpod/alpine-with-bogus-seccomp:latest"
)
diff --git a/test/e2e/run_seccomp.go b/test/e2e/run_seccomp.go
new file mode 100644
index 000000000..dcf938ad6
--- /dev/null
+++ b/test/e2e/run_seccomp.go
@@ -0,0 +1,70 @@
+// +build !remoteclient
+
+package integration
+
+import (
+ "os"
+
+ . "github.com/containers/libpod/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman run", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.Setup()
+ podmanTest.SeedImages()
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ processTestResult(f)
+
+ })
+
+ It("podman run --seccomp-policy default", func() {
+ session := podmanTest.Podman([]string{"run", "--seccomp-policy", "default", alpineSeccomp, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman run --seccomp-policy ''", func() {
+ // Empty string is interpreted as "default".
+ session := podmanTest.Podman([]string{"run", "--seccomp-policy", "", alpineSeccomp, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman run --seccomp-policy invalid", func() {
+ session := podmanTest.Podman([]string{"run", "--seccomp-policy", "invalid", alpineSeccomp, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman run --seccomp-policy image (block all syscalls)", func() {
+ session := podmanTest.Podman([]string{"run", "--seccomp-policy", "image", alpineSeccomp, "ls"})
+ session.WaitWithDefaultTimeout()
+ // TODO: we're getting a "cannot start a container that has
+ // stopped" error which seems surprising. Investigate
+ // why that is so.
+ Expect(session.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman run --seccomp-policy image (bogus profile)", func() {
+ session := podmanTest.Podman([]string{"run", "--seccomp-policy", "image", alpineBogusSeccomp, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(125))
+ })
+})