Diffstat (limited to 'test')
-rw-r--r--test/e2e/common_test.go28
-rw-r--r--test/e2e/image_scp_test.go38
-rw-r--r--test/e2e/libpod_suite_remote_test.go6
-rw-r--r--test/e2e/pod_create_test.go62
-rw-r--r--test/system/120-load.bats29
-rw-r--r--test/system/520-checkpoint.bats2
-rw-r--r--test/system/helpers.bash14
-rw-r--r--test/utils/utils.go5
8 files changed, 137 insertions, 47 deletions
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 6e1a62b99..bd744aa78 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -274,14 +274,32 @@ func PodmanTestCreateUtil(tempDir string, remote bool) *PodmanTestIntegration {
}
if remote {
- uuid := stringid.GenerateNonCryptoID()
+ var pathPrefix string
if !rootless.IsRootless() {
- p.RemoteSocket = fmt.Sprintf("unix:/run/podman/podman-%s.sock", uuid)
+ pathPrefix = "/run/podman/podman"
} else {
runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
- socket := fmt.Sprintf("podman-%s.sock", uuid)
- fqpath := filepath.Join(runtimeDir, socket)
- p.RemoteSocket = fmt.Sprintf("unix:%s", fqpath)
+ pathPrefix = filepath.Join(runtimeDir, "podman")
+ }
+ // We want to avoid collisions in socket paths, but using the
+ // socket directly for a collision check doesn’t work; bind(2) on AF_UNIX
+ // creates the file, and we need to pass a unique path now before the bind(2)
+ // happens. So, use a podman-%s.sock-lock empty file as a marker.
+ tries := 0
+ for {
+ uuid := stringid.GenerateNonCryptoID()
+ lockPath := fmt.Sprintf("%s-%s.sock-lock", pathPrefix, uuid)
+ lockFile, err := os.OpenFile(lockPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0700)
+ if err == nil {
+ lockFile.Close()
+ p.RemoteSocketLock = lockPath
+ p.RemoteSocket = fmt.Sprintf("unix:%s-%s.sock", pathPrefix, uuid)
+ break
+ }
+ tries++
+ if tries >= 1000 {
+ panic("Too many RemoteSocket collisions")
+ }
}
}
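Review bot: The retry loop treats every `os.OpenFile` failure as a name collision, so an unset `XDG_RUNTIME_DIR`, a missing `/run/podman` directory or a permission error is retried 1000 times and then reported as "Too many RemoteSocket collisions". Only an already-existing file should trigger another attempt; anything else should fail at once with the real error, for example `if !os.IsExist(err) { panic(err) }` placed before `tries++`. The marker file is empty and never executed, so `0600` would be a tighter mode than `0700`. The existing comment could also say that `O_CREATE|O_EXCL` is what makes the existence check and the creation a single atomic step. PodmanTestCreateUtil starts and ends outside this hunk.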
diff --git a/test/e2e/image_scp_test.go b/test/e2e/image_scp_test.go
index 6651a04b5..767b355d9 100644
--- a/test/e2e/image_scp_test.go
+++ b/test/e2e/image_scp_test.go
@@ -29,7 +29,6 @@ var _ = Describe("podman image scp", func() {
panic(err)
}
os.Setenv("CONTAINERS_CONF", conf.Name())
-
tempdir, err = CreateTempDirInTempDir()
if err != nil {
os.Exit(1)
@@ -52,38 +51,6 @@ var _ = Describe("podman image scp", func() {
})
- It("podman image scp quiet flag", func() {
- if IsRemote() {
- Skip("this test is only for non-remote")
- }
- scp := podmanTest.Podman([]string{"image", "scp", "-q", ALPINE})
- scp.WaitWithDefaultTimeout()
- Expect(scp).To(Exit(0))
- })
-
- It("podman image scp root to rootless transfer", func() {
- SkipIfNotRootless("this is a rootless only test, transferring from root to rootless using PodmanAsUser")
- if IsRemote() {
- Skip("this test is only for non-remote")
- }
- env := os.Environ()
- img := podmanTest.PodmanAsUser([]string{"image", "pull", ALPINE}, 0, 0, "", env) // pull image to root
- img.WaitWithDefaultTimeout()
- Expect(img).To(Exit(0))
- scp := podmanTest.PodmanAsUser([]string{"image", "scp", "root@localhost::" + ALPINE, "1000:1000@localhost::"}, 0, 0, "", env) //transfer from root to rootless (us)
- scp.WaitWithDefaultTimeout()
- Expect(scp).To(Exit(0))
-
- list := podmanTest.Podman([]string{"image", "list"}) // our image should now contain alpine loaded in from root
- list.WaitWithDefaultTimeout()
- Expect(list).To(Exit(0))
- Expect(list.OutputToStringArray()).To(ContainElement(HavePrefix("quay.io/libpod/alpine")))
-
- scp = podmanTest.PodmanAsUser([]string{"image", "scp", "root@localhost::" + ALPINE}, 0, 0, "", env) //transfer from root to rootless (us)
- scp.WaitWithDefaultTimeout()
- Expect(scp).To(Exit(0))
- })
-
It("podman image scp bogus image", func() {
if IsRemote() {
Skip("this test is only for non-remote")
@@ -119,11 +86,8 @@ var _ = Describe("podman image scp", func() {
scp.Wait(45)
// exit with error because we cannot make an actual ssh connection
// This tests that the input we are given is validated and prepared correctly
- // Error: failed to connect: dial tcp: address foo: missing port in address
+ // The error given should either be a missing image (due to testing suite complications) or a i/o timeout on ssh
Expect(scp).To(ExitWithError())
- Expect(scp.ErrorToString()).To(ContainSubstring(
- "Error: failed to connect: dial tcp 66.151.147.142:2222: i/o timeout",
- ))
})
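Review bot: With the `ContainSubstring` assertion gone, the only remaining check is `Expect(scp).To(ExitWithError())`, so any failure passes, including one that occurs before the connection string is parsed; the comment two lines above still says the test verifies that the input is validated and prepared correctly. If both outcomes named in the new comment are acceptable, asserting that stderr matches one of them (gomega's `Or(ContainSubstring(...), ContainSubstring(...))` with the two expected messages) would keep the test meaningful without pinning a resolved IP address. The new comment should read "an i/o timeout". The enclosing `It` block starts outside this hunk.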
diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go
index d60383029..4644e3748 100644
--- a/test/e2e/libpod_suite_remote_test.go
+++ b/test/e2e/libpod_suite_remote_test.go
@@ -1,3 +1,4 @@
+//go:build remote
// +build remote
package integration
@@ -143,6 +144,11 @@ func (p *PodmanTestIntegration) StopRemoteService() {
if err := os.Remove(socket); err != nil {
fmt.Println(err)
}
+ if p.RemoteSocketLock != "" {
+ if err := os.Remove(p.RemoteSocketLock); err != nil {
+ fmt.Println(err)
+ }
+ }
}
//MakeOptions assembles all the podman main options
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 41a017a52..fab107af8 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -9,6 +9,8 @@ import (
"strconv"
"strings"
+ "github.com/containers/common/pkg/apparmor"
+ "github.com/containers/common/pkg/seccomp"
"github.com/containers/common/pkg/sysinfo"
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util"
@@ -16,6 +18,7 @@ import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
. "github.com/onsi/gomega/gexec"
+ "github.com/opencontainers/selinux/go-selinux"
)
var _ = Describe("Podman pod create", func() {
@@ -967,4 +970,63 @@ ENTRYPOINT ["sleep","99999"]
Expect(inspect).Should(Exit(0))
Expect(inspect.OutputToString()).Should(Equal("host"))
})
+
+ It("podman pod create --security-opt", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=type:spc_t", "--security-opt", "seccomp=unconfined"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"label=type:spc_t", "seccomp=unconfined"}))
+
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=disable"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate = podmanTest.Podman([]string{"container", "run", "-it", "--pod", podCreate.OutputToString(), ALPINE, "cat", "/proc/self/attr/current"})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+ match, _ := ctrCreate.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman pod create --security-opt seccomp", func() {
+ if !seccomp.IsEnabled() {
+ Skip("seccomp is not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "seccomp=unconfined"})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"seccomp=unconfined"}))
+ })
+
+ It("podman pod create --security-opt apparmor test", func() {
+ if !apparmor.IsEnabled() {
+ Skip("Apparmor is not enabled")
+ }
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile)})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE})
+ ctrCreate.WaitWithDefaultTimeout()
+ Expect(ctrCreate).Should(Exit(0))
+
+ inspect := podmanTest.InspectContainer(ctrCreate.OutputToString())
+ Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
+
+ })
})
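Review bot: In the first new test, the second half creates the pod with `label=disable` and then expects `spc_t` in `/proc/self/attr/current`, a link that is not obvious from the code; a comment such as `// label=disable is expected to run the container under the spc_t type` above the `GrepString` check would state the expectation being tested (confirm the wording against the implementation). That test also passes `seccomp=unconfined` but is skipped only on `!selinux.GetEnabled()`, so on an SELinux host without seccomp it may fail for an unrelated reason. All three tests index `ctrInspect[0]` or `inspect[0]` without checking the length, which turns an empty inspect result into an index panic rather than a test failure; `Expect(ctrInspect).To(HaveLen(1))` before the index would fix that.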
diff --git a/test/system/120-load.bats b/test/system/120-load.bats
index a5508b2f4..541095764 100644
--- a/test/system/120-load.bats
+++ b/test/system/120-load.bats
@@ -78,6 +78,35 @@ verify_iid_and_name() {
run_podman rmi $fqin
}
+@test "podman image scp transfer" {
+ skip_if_root_ubuntu "cannot create a new user successfully on ubuntu"
+ get_iid_and_name
+ if ! is_remote; then
+ if is_rootless; then
+ whoami=$(id -un)
+ run_podman image scp $whoami@localhost::$iid root@localhost::
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: podman image scp transfer"
+ fi
+ whoami=$(id -un)
+ run_podman image scp -q $whoami@localhost::$iid root@localhost::
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: podman image scp quiet transfer failed"
+ fi
+ fi
+ if ! is_rootless; then
+ id -u 1000 &>/dev/null || useradd -u 1000 -g 1000 testingUsr
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: useradd 1000"
+ fi
+ run_podman image scp root@localhost::$iid 1000:1000@localhost::
+ if [ "$status" -ne 0 ]; then
+ die "Command failed: podman image scp transfer"
+ fi
+ fi
+ fi
+}
+
@test "podman load - by image ID" {
# FIXME: how to build a simple archive instead?
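Review bot: The `$status` check after the `id -u 1000 ... || useradd ...` line does not test useradd: `$status` is set by bats `run` (and so by `run_podman`), so at that point it holds whatever the previous `run` left behind, or is unset, and a failed useradd goes unnoticed. Chain the failure handling onto the command instead, `id -u 1000 &>/dev/null || useradd -u 1000 -g 1000 testingUsr || die "Command failed: useradd 1000"`. `-g 1000` also assumes a group with that GID already exists, and the account created here is left on the host after the test; removing it in teardown when the test created it would keep the test from permanently changing the machine's user database. The second `whoami=$(id -un)` is redundant.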
diff --git a/test/system/520-checkpoint.bats b/test/system/520-checkpoint.bats
index 723a20cc4..046dfd126 100644
--- a/test/system/520-checkpoint.bats
+++ b/test/system/520-checkpoint.bats
@@ -11,7 +11,7 @@ function setup() {
# TL;DR they keep fixing it then breaking it again. There's a test we
# could run to see if it's fixed, but it's way too complicated. Since
# integration tests also skip checkpoint tests on Ubuntu, do the same here.
- if grep -qiw ubuntu /etc/os-release; then
+ if is_ubuntu; then
skip "FIXME: checkpointing broken in Ubuntu 2004, 2104, 2110, ..."
fi
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 8f6033309..dcf7cf0a7 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -318,6 +318,10 @@ function wait_for_port() {
# BEGIN miscellaneous tools
# Shortcuts for common needs:
+function is_ubuntu() {
+ grep -qiw ubuntu /etc/os-release
+}
+
function is_rootless() {
[ "$(id -u)" -ne 0 ]
}
@@ -459,6 +463,16 @@ function skip_if_journald_unavailable {
fi
}
+function skip_if_root_ubuntu {
+ if is_ubuntu; then
+ if ! is_remote; then
+ if ! is_rootless; then
+ skip "Cannot run this test on rootful ubuntu, usually due to user errors"
+ fi
+ fi
+ fi
+}
+
#########
# die # Abort with helpful message
#########
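Review bot: `skip_if_root_ubuntu` ignores its argument: the caller in 120-load.bats passes "cannot create a new user successfully on ubuntu", but the function always prints its own hard-coded message, whose "usually due to user errors" does not say what is wrong. Using the argument with a fallback, `skip "${1:-Cannot run this test on rootful ubuntu}"`, keeps the reason specific to each caller. The three nested `if`s can be a single condition, `if is_ubuntu && ! is_remote && ! is_rootless; then`. A one-line header comment naming the three conditions would match the comment banner style visible just below for `die`.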
diff --git a/test/utils/utils.go b/test/utils/utils.go
index f41024072..1f5067950 100644
--- a/test/utils/utils.go
+++ b/test/utils/utils.go
@@ -41,6 +41,7 @@ type PodmanTest struct {
RemotePodmanBinary string
RemoteSession *os.Process
RemoteSocket string
+ RemoteSocketLock string // If not "", should be removed _after_ RemoteSocket is removed
RemoteCommand *exec.Cmd
ImageCacheDir string
ImageCacheFS string
@@ -469,10 +470,6 @@ func Containerized() bool {
return strings.Contains(string(b), "docker")
}
-func init() {
- rand.Seed(GinkgoRandomSeed())
-}
-
var randomLetters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
// RandomString returns a string of given length composed of random characters