From 0ab9e39064e5906b80a69d51fab3757ad43f32c5 Mon Sep 17 00:00:00 2001
From: Ed Santiago
Date: Mon, 5 Oct 2020 10:27:18 -0600
Subject: system tests: cleanup, and add more tests

- images test: add test for 'table' and '\t' formatting
- image mount test: check output from 'umount', test repeat umount (NOP), and test invalid-umount
- kill test: remove kludgy workaround for crun signal bug ref: #5004 -- code is no longer needed (fingers crossed), and the workaround involved pulling an expensive image.
- selinux test: add new tests for shared context in:
 * pods , w/ and w/o infra container (ref: #7902)
 * containers with namespace sharing: --ipc, --pid, --net
- selinux test: new test for --pid=host (disabled pending propagation of container-selinux-2.146, ref: #7939)

Signed-off-by: Ed Santiago
---
 test/system/010-images.bats | 52 +++++++++++++++++++++
 test/system/060-mount.bats | 13 ++++++
 test/system/130-kill.bats | 20 +-------
 test/system/410-selinux.bats | 108 ++++++++++++++++++++++++++++++++++++++++---
 test/system/helpers.bash | 11 +++++
 5 files changed, 179 insertions(+), 25 deletions(-)

diff --git a/test/system/010-images.bats b/test/system/010-images.bats
index ac65e54d9..900a24368 100644
--- a/test/system/010-images.bats
+++ b/test/system/010-images.bats
@@ -159,4 +159,56 @@ Labels.created_at | 20[0-9-]\\\+T[0-9:]\\\+Z
 is "$output" "$images_baseline" "after podman rmi @sha, still the same"
 }
+# Tests #7199 (Restore "table" --format from V1)
+#
+# Tag our image with different-length strings; confirm table alignment
+@test "podman images - table format" {
+ # Craft two tags such that they will bracket $IMAGE on either side (above
+ # and below). This assumes that $IMAGE is quay.io or foo.com or simply
+ # not something insane that will sort before 'aaa' or after 'zzz'.
+ local aaa_name=a.b/c
+ local aaa_tag=d
+ local zzz_name=zzzzzzzzzz.yyyyyyyyy/xxxxxxxxx
+ local zzz_tag=$(random_string 15)
+
+ # Helper function to check one line of tabular output; all this does is
+ # generate a line with the given repo/tag, formatted to the width of the
+ # widest image, which is the zzz one. Fields are separated by TWO spaces.
+ function _check_line() {
+ local lineno=$1
+ local name=$2
+ local tag=$3
+
+ is "${lines[$lineno]}" \
+ "$(printf '%-*s %-*s %s' ${#zzz_name} ${name} ${#zzz_tag} ${tag} $iid)" \
+ "podman images, $testname, line $lineno"
+ }
+
+ function _run_format_test() {
+ local testname=$1
+ local format=$2
+
+ run_podman images --sort repository --format "$format"
+ _check_line 0 ${aaa_name} ${aaa_tag}
+ _check_line 1 "${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/${PODMAN_TEST_IMAGE_NAME}" "${PODMAN_TEST_IMAGE_TAG}"
+ _check_line 2 ${zzz_name} ${zzz_tag}
+ }
+
+ # Begin the test: tag $IMAGE with both the given names
+ run_podman tag $IMAGE ${aaa_name}:${aaa_tag}
+ run_podman tag $IMAGE ${zzz_name}:${zzz_tag}
+
+ # Get the image ID, used to verify output below (all images share same IID)
+ run_podman inspect --format '{{.ID}}' $IMAGE
+ iid=${output:0:12}
+
+ # Run the test: this will output three column-aligned rows. Test them.
+ # Tab character (\t) should have the same effect as the 'table' directive
+ _run_format_test 'table' 'table {{.Repository}} {{.Tag}} {{.ID}}'
+ _run_format_test 'tabs' '{{.Repository}}\t{{.Tag}}\t{{.ID}}'
+
+ # Clean up.
+ run_podman rmi ${aaa_name}:${aaa_tag} ${zzz_name}:${zzz_tag}
+}
+
 # vim: filetype=sh
diff --git a/test/system/060-mount.bats b/test/system/060-mount.bats
index 75c88e4ad..cd3b8ff5b 100644
--- a/test/system/060-mount.bats
+++ b/test/system/060-mount.bats
@@ -43,6 +43,11 @@ load helpers
 # Start with clean slate
 run_podman image umount -a
+ # Get full image ID, to verify umount
+ run_podman image inspect --format '{{.ID}}' $IMAGE
+ iid="$output"
+
+ # Mount, and make sure the mount point exists
 run_podman image mount $IMAGE
 mount_path="$output"
@@ -60,6 +65,14 @@ load helpers
 # Clean up
 run_podman image umount $IMAGE
+ is "$output" "$iid" "podman image umount: image ID of what was umounted"
+
+ run_podman image umount $IMAGE
+ is "$output" "" "podman image umount: does not re-umount"
+
+ run_podman 125 image umount no-such-container
+ is "$output" "Error: unable to find a name and tag match for no-such-container in repotags: no such image" \
+ "error message from image umount no-such-container"
 run_podman image mount
 is "$output" "" "podman image mount, no args, after umount"
diff --git a/test/system/130-kill.bats b/test/system/130-kill.bats
index c16e64c58..3770eac27 100644
--- a/test/system/130-kill.bats
+++ b/test/system/130-kill.bats
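Review bot: The `run_podman rmi ${aaa_name}:${aaa_tag} ${zzz_name}:${zzz_tag}` cleanup only executes when every `is` assertion before it has passed, so one failing `_check_line` leaves both extra tags in the image store for whatever runs next (the preceding context line shows this file comparing against `$images_baseline`); removing the tags in a teardown, or before the assertions are evaluated, would keep one failure from cascading. `local zzz_tag=$(random_string 15)` hides the exit status of `random_string` behind `local` (ShellCheck SC2155); `local zzz_tag` followed by `zzz_tag=$(random_string 15)` keeps a failure visible. `_check_line` also reads `$testname` and `$iid` without receiving them as arguments — `$testname` is a `local` of `_run_format_test` reached through bash's dynamic scoping — which deserves a comment such as `# relies on dynamic scoping: $testname is set by _run_format_test, $iid by the test body`.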
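Review bot: In the second 060-mount.bats hunk, the negative case `run_podman 125 image umount no-such-container` names a non-existent image, and the expected error itself ends in `no such image`; naming it `no-such-image` would make the test read consistently with what it exercises. The assertion pins the complete error string, so a rewording of that message in podman fails this test without any behaviour change — if the `is` helper accepts patterns (its definition is not in this diff), matching the `no such image` suffix would be less brittle. A one-line comment above `iid="$output"` in the first hunk noting that the full ID is kept deliberately (the 010-images test in this same commit truncates to 12 characters) would save the next reader a check.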
@@ -6,23 +6,9 @@ load helpers
 @test "podman kill - test signal handling in containers" {
- # podman-remote and crun interact poorly in f31: crun seems to gobble up
- some signals.
- Workaround: run 'env --default-signal sh' instead of just 'sh' in
- the container. Since env on our regular alpine image doesn't support
- that flag, we need to pull fedora-minimal. See:
- https://github.com/containers/podman/issues/5004
- FIXME: remove this kludge once we get rid of podman-remote
- local _image=$IMAGE
- local _sh_cmd="sh"
- if is_remote; then
- _image=quay.io/libpod/fedora-minimal:latest
- _sh_cmd="env --default-signal sh"
- fi
-
 # Start a container that will handle all signals by emitting 'got: N'
 local -a signals=(1 2 3 4 5 6 8 10 12 13 14 15 16 20 21 22 23 24 25 26 64)
- run_podman run -d $_image $_sh_cmd -c \
+ run_podman run -d $IMAGE sh -c \
 "for i in ${signals[*]}; do trap \"echo got: \$i\" \$i; done;
 echo READY;
 while ! test -e /stop; do sleep 0.05; done;
@@ -81,10 +67,6 @@ load helpers
 run_podman wait $cid
 run_podman rm $cid
 wait $podman_log_pid
-
- if [[ $_image != $IMAGE ]]; then
- run_podman rmi $_image
- fi
 }
 @test "podman kill - rejects invalid args" {
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 497e29b3e..1e44fe06c 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -7,9 +7,7 @@ load helpers
 function check_label() {
- if [ ! -e /usr/sbin/selinuxenabled ] || ! /usr/sbin/selinuxenabled; then
- skip "selinux disabled or not available"
- fi
+ skip_if_no_selinux
 local args="$1"; shift # command-line args for run
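Review bot: With the fedora-minimal special case removed, the remaining `run_podman run -d $IMAGE sh -c \` line in the first 130-kill.bats hunk carries no trace of why the remote variant was ever treated differently, so if crun starts swallowing signals under podman-remote again the resulting failure will look brand new. A single comment above the `local -a signals=` line, e.g. `# ref: #5004 -- podman-remote once needed 'env --default-signal sh' here`, keeps that history findable without reviving the workaround. The @test body continues past the end of this hunk; the second hunk in the file is a pure removal of the matching `rmi` cleanup.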
@@ -52,15 +50,33 @@ function check_label() {
 check_label "--privileged --userns=host" "spc_t"
 }
+@test "podman selinux: pid=host" {
+ # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
+ # (this is ugly, but better than an unconditional skip)
+ skip_if_no_selinux
+ if is_rootless; then
+ if [ -x /usr/bin/rpm ]; then
+ cs_version=$(rpm -q --qf '%{version}' container-selinux)
+ else
+ # SELinux not enabled on Ubuntu, so we should never get here
+ die "WHOA! SELinux enabled, but no /usr/bin/rpm!"
+ fi
+ if [[ "$cs_version" < "2.146" ]]; then
+ skip "FIXME: #7939: requires container-selinux-2.146.0 (currently installed: $cs_version)"
+ fi
+ fi
+ # FIXME FIXME FIXME: delete up to here, leaving just check_label
+
+ check_label "--pid=host" "spc_t"
+}
+
 @test "podman selinux: container with overridden range" {
 check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
 }
 # pr #6752
 @test "podman selinux: inspect multiple labels" {
- if [ ! -e /usr/sbin/selinuxenabled ] || ! /usr/sbin/selinuxenabled; then
- skip "selinux disabled or not available"
- fi
+ skip_if_no_selinux
 run_podman run -d --name myc \
 --security-opt seccomp=unconfined \
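Review bot: `[[ "$cs_version" < "2.146" ]]` is a lexicographic string comparison, not a version comparison, so a version such as 2.50 sorts after 2.146 and the skip is bypassed; comparing through `sort -V`, e.g. `if [[ "$(printf '%s\n' 2.146 "$cs_version" | sort -V | head -n1)" != "2.146" ]]; then`, gives the intended ordering and also copes with a `2.146.0` string. `cs_version=$(rpm -q --qf '%{version}' container-selinux)` captures rpm's "not installed" message when the package is absent and, if bats' errexit is in effect, aborts the test with an error rather than a skip; `cs_version=$(rpm -q --qf '%{version}' container-selinux) || skip "container-selinux not installed"` preserves the intent. `cs_version` is also not declared `local`, so it lingers in the test's global scope. These only matter until the FIXME block is removed per #7939, but the temporary code runs on every rootless CI pass until then.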
@@ -75,4 +91,84 @@ function check_label() {
 run_podman rm -f myc
 }
+# Sharing context between two containers not in a pod
+# These tests were piggybacked in with #7902, but are not actually related
+@test "podman selinux: shared context in (some) namespaces" {
+ skip_if_no_selinux
+
+ run_podman run -d --name myctr $IMAGE top
+ run_podman exec myctr cat -v /proc/self/attr/current
+ context_c1="$output"
+
+ # --ipc container
+ run_podman run --name myctr2 --ipc container:myctr $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "new container, run with ipc of existing one "
+
+ # --pid container
+ run_podman run --rm --pid container:myctr $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "new container, run with --pid of existing one "
+
+ # net NS: do not share context
+ run_podman run --rm --net container:myctr $IMAGE cat -v /proc/self/attr/current
+ if [[ "$output" = "$context_c1" ]]; then
+ die "run --net : context ($output) is same as running container (it should not be)"
+ fi
+
+ # The 'myctr2' above was not run with --rm, so it still exists, and
+ # we can't remove the original container until this one is gone.
+ run_podman stop -t 0 myctr
+ run_podman 125 rm myctr
+ is "$output" "Error: container .* has dependent containers"
+
+ # We have to do this in two steps: even if ordered as 'myctr2 myctr',
+ # podman will try the removes in random order, which fails if it
+ # tries myctr first.
+ run_podman rm myctr2
+ run_podman rm myctr
+}
+
+# pr #7902 - containers in pods should all run under same context
+@test "podman selinux: containers in pods share full context" {
+ skip_if_no_selinux
+
+ # We don't need a fullblown pause container; avoid pulling the k8s one
+ run_podman pod create --name myselinuxpod \
+ --infra-image $IMAGE \
+ --infra-command /home/podman/pause
+
+ # Get baseline
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ context_c1="$output"
+
+ # Prior to #7902, the labels (':c123,c456') would be different
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "SELinux context of 2nd container matches 1st"
+
+ # What the heck. Try a third time just for extra confidence
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "SELinux context of 3rd container matches 1st"
+
+ run_podman pod rm myselinuxpod
+}
+
+# more pr #7902
+@test "podman selinux: containers in --no-infra pods do not share context" {
+ skip_if_no_selinux
+
+ # We don't need a fullblown pause container; avoid pulling the k8s one
+ run_podman pod create --name myselinuxpod --infra=false
+
+ # Get baseline
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ context_c1="$output"
+
+ # Even after #7902, labels (':c123,c456') should be different
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ if [[ "$output" = "$context_c1" ]]; then
+ die "context ($output) is the same on two separate containers, it should have been different"
+ fi
+
+ run_podman pod rm myselinuxpod
+}
+
 # vim: filetype=sh
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 998db5283..c6c2c12df 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
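Review bot: `is "$output" "Error: container .* has dependent containers"` is the only `is` call in this hunk without a description argument, so a mismatch there would be reported without saying which step failed; `is "$output" "Error: container .* has dependent containers" "rm of container with dependents must fail"` matches the rest of the file. All three new tests create named resources (`myctr`, `myctr2`, `myselinuxpod`) and remove them only on the success path, so a single failed assertion leaves a stopped `myctr`, a dependent `myctr2` or a pod behind for the next test to collide with — unless a teardown elsewhere in the file already handles it, a `run_podman rm -f`-style cleanup that tolerates absence would make one failure stop at one test. Two descriptions in the first test carry a trailing space (`"... of existing one "`), harmless but untidy.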
@@ -286,6 +286,17 @@ function skip_if_remote() {
 fi
 }
+########################
+# skip_if_no_selinux #
+########################
+function skip_if_no_selinux() {
+ if [ ! -e /usr/sbin/selinuxenabled ]; then
+ skip "selinux not available"
+ elif ! /usr/sbin/selinuxenabled; then
+ skip "selinux disabled"
+ fi
+}
+
 #########
 # die # Abort with helpful message
 #########
-- 
cgit v1.2.3-54-g00ecf
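Review bot: `[ ! -e /usr/sbin/selinuxenabled ]` only checks that the path exists, so a present-but-non-executable binary falls through to the `elif`, where the failed exec is reported as `selinux disabled` instead of the real problem; `[ ! -x /usr/sbin/selinuxenabled ]` matches what the first branch intends to test. The banner comment names the function but not its contract — a line such as `# Skip the current test unless SELinux is installed and enabled on this host` inside the block would bring it in line with the `skip_if_remote` helper above it (whose body starts outside this hunk). The two 410-selinux.bats hunks that now call this helper inherit whichever message it chooses, so keeping the two skip reasons distinct, as done here, is worth preserving.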