From 289270375a54c26b86f9e2d99aab18b427e56b88 Mon Sep 17 00:00:00 2001 From: cdoern Date: Thu, 4 Nov 2021 23:48:35 -0400 Subject: Pod Security Option support Added support for pod security options. These are applied to infra and passed down to the containers as added (unless overridden). Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit` This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create code and pod creation. resolves #12173 Signed-off-by: cdoern --- test/e2e/pod_create_test.go | 62 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) (limited to 'test/e2e') diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go index 41a017a52..fab107af8 100644 --- a/test/e2e/pod_create_test.go +++ b/test/e2e/pod_create_test.go @@ -9,6 +9,8 @@ import ( "strconv" "strings" + "github.com/containers/common/pkg/apparmor" + "github.com/containers/common/pkg/seccomp" "github.com/containers/common/pkg/sysinfo" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" @@ -16,6 +18,7 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" . "github.com/onsi/gomega/gexec" + "github.com/opencontainers/selinux/go-selinux" ) var _ = Describe("Podman pod create", func() { @@ -967,4 +970,63 @@ ENTRYPOINT ["sleep","99999"] Expect(inspect).Should(Exit(0)) Expect(inspect.OutputToString()).Should(Equal("host")) }) + + It("podman pod create --security-opt", func() { + if !selinux.GetEnabled() { + Skip("SELinux not enabled") + } + podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=type:spc_t", "--security-opt", "seccomp=unconfined"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + + ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE}) + ctrCreate.WaitWithDefaultTimeout() + Expect(ctrCreate).Should(Exit(0)) + + ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString()) + Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"label=type:spc_t", "seccomp=unconfined"})) + + podCreate = podmanTest.Podman([]string{"pod", "create", "--security-opt", "label=disable"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + + ctrCreate = podmanTest.Podman([]string{"container", "run", "-it", "--pod", podCreate.OutputToString(), ALPINE, "cat", "/proc/self/attr/current"}) + ctrCreate.WaitWithDefaultTimeout() + Expect(ctrCreate).Should(Exit(0)) + match, _ := ctrCreate.GrepString("spc_t") + Expect(match).Should(BeTrue()) + }) + + It("podman pod create --security-opt seccomp", func() { + if !seccomp.IsEnabled() { + Skip("seccomp is not enabled") + } + podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", "seccomp=unconfined"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + + ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE}) + ctrCreate.WaitWithDefaultTimeout() + Expect(ctrCreate).Should(Exit(0)) + + ctrInspect := podmanTest.InspectContainer(ctrCreate.OutputToString()) + Expect(ctrInspect[0].HostConfig.SecurityOpt).To(Equal([]string{"seccomp=unconfined"})) + }) + + It("podman pod create --security-opt apparmor test", func() { + if !apparmor.IsEnabled() { + Skip("Apparmor is not enabled") + } + podCreate := podmanTest.Podman([]string{"pod", "create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile)}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + + ctrCreate := podmanTest.Podman([]string{"container", "create", "--pod", podCreate.OutputToString(), ALPINE}) + ctrCreate.WaitWithDefaultTimeout() + Expect(ctrCreate).Should(Exit(0)) + + inspect := podmanTest.InspectContainer(ctrCreate.OutputToString()) + Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile)) + + }) }) -- cgit v1.2.3-54-g00ecf