From 4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Sat, 1 May 2021 05:50:31 -0400
Subject: Add filepath glob support to --security-opt unmask

Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely, then
specifing umask=all, also gives the user more flexibilty.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 pkg/specgen/generate/config_linux_test.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 pkg/specgen/generate/config_linux_test.go

(limited to 'pkg/specgen/generate/config_linux_test.go')

diff --git a/pkg/specgen/generate/config_linux_test.go b/pkg/specgen/generate/config_linux_test.go
new file mode 100644
index 000000000..39973324b
--- /dev/null
+++ b/pkg/specgen/generate/config_linux_test.go
@@ -0,0 +1,28 @@
+package generate
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestShouldMask(t *testing.T) {
+	tests := []struct {
+		mask       string
+		unmask     []string
+		shouldMask bool
+	}{
+		{"/proc/foo", []string{"all"}, false},
+		{"/proc/foo", []string{"ALL"}, false},
+		{"/proc/foo", []string{"/proc/foo"}, false},
+		{"/proc/foo", []string{"/proc/*"}, false},
+		{"/proc/foo", []string{"/proc/bar", "all"}, false},
+		{"/proc/foo", []string{"/proc/f*"}, false},
+		{"/proc/foo", []string{"/proc/b*"}, true},
+		{"/proc/foo", []string{}, true},
+	}
+	for _, test := range tests {
+		val := shouldMask(test.mask, test.unmask)
+		assert.Equal(t, val, test.shouldMask)
+	}
+}
-- 
cgit v1.2.3-54-g00ecf