From 28d1cec9f64cca11d42410c6e33c43b01b1d7678 Mon Sep 17 00:00:00 2001
From: Yiqiao Pu
Date: Tue, 29 May 2018 17:41:57 +0800
Subject: Add some test for podman run flag security-opt
Add following test cases for security-opt:
- Check default selinux value
- Disable security options in container
- Setup selinux type in security-opt
- Disable seccomp protection
- Configure custom seccomp.json
Signed-off-by: Yiqiao Pu
Closes: #837
Approved by: rhatdan
---
 test/e2e/run_test.go | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index a581b36fb..759c292eb 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -62,6 +62,64 @@ var _ = Describe("Podman run", func() {
 Expect(match).Should(BeTrue())
 })
 
+ It("podman run selinux disable test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("unconfined_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux type check test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match1, _ := session.GrepString("container_t")
+ match2, _ := session.GrepString("svirt_lxc_net_t")
+ Expect(match1 || match2).Should(BeTrue())
+ })
+
+ It("podman run selinux type setup test", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run seccomp undefine test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("hello")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run seccomp test", func() {
+ jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+ in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+ err := WriteJsonFile(in, jsonFile)
+ if err != nil {
+ fmt.Println(err)
+ Skip("Failed to prepare seccomp.json for test.")
+ }
+
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Not(Equal(0)))
+ match, _ := session.GrepString("Operation not permitted")
+ Expect(match).Should(BeTrue())
+ })
+
 It("podman run capabilities test", func() {
 session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
-- cgit v1.2.3-54-g00ecf
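Review bot: The `podman run seccomp undefine test` cannot tell whether `seccomp=unconfined` took effect, because `echo hello` succeeds under the default profile as well; have the container report its seccomp mode instead, e.g. run `"grep", "Seccomp:", "/proc/self/status"` in place of `"echo", "hello"` and assert `match, _ := session.GrepString("Seccomp:\t0")` (mode 0 is no filter, whereas the default profile should show mode 2). In the custom-profile test, calling `Skip(...)` when `WriteJsonFile` fails means the only test that proves a profile is actually enforced silently disappears on a setup error; `Expect(err).To(BeNil())` keeps that a hard failure. The `label=disable` assertion on `unconfined_t` is presumably host-dependent: with labeling disabled the container process keeps the caller's own SELinux context, which under a service manager may not be `unconfined_t`, so consider comparing against the caller's label rather than a fixed type. Minor: `strings.Join([]string{"seccomp=", jsonFile}, "")` is just `"seccomp="+jsonFile`. The enclosing `Describe` block begins and ends outside this hunk.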