From fea3eea68bf483e33bae56d77071d5cb8ded91db Mon Sep 17 00:00:00 2001
From: Ed Santiago <santiago@redhat.com>
Date: Mon, 13 Jul 2020 09:42:47 -0600
Subject: system tests: new tests for run, exec

 - Issue #6735 : problem with multiple namespaces; confirms
   combinations of --userns=keep-id, --privileged, --user=XX

 - Issue #6829 : --userns=keep-id will add a /etc/passwd entry

 - Issue #6593 : podman exec, with --userns=keep-id, errors
   (test is currently skipped because issue remains live)

...and, addendum: add new helper function, remove_same_dev_warning.
Some CI systems issue a warning on podman run --privileged:

   WARNING: The same type, major and minor should not be used for multiple devices.

We already had special-case code to ignore than in the SELinux
test, but now we're seeing it in the new run tests I added, so
I've refactored the "ignore this warning" code and written
tests for the removal code.

Signed-off-by: Ed Santiago <santiago@redhat.com>
---
 test/system/030-run.bats | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

(limited to 'test/system/030-run.bats')

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index bc6347012..13fec20ad 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -242,4 +242,46 @@ echo $rand        |   0 | $rand
     run_podman rmi myi
 }
 
+# #6735 : complex interactions with multiple user namespaces
+# The initial report has to do with bind mounts, but that particular
+# symptom only manifests on a fedora container image -- we have no
+# reproducer on alpine. Checking directory ownership is good enough.
+@test "podman run : user namespace preserved root ownership" {
+    for priv in "" "--privileged"; do
+        for user in "--user=0" "--user=100"; do
+            for keepid in "" "--userns=keep-id"; do
+                opts="$priv $user $keepid"
+
+                for dir in /etc /usr;do
+                    run_podman run --rm $opts $IMAGE stat -c '%u:%g:%n' $dir
+                    remove_same_dev_warning      # grumble
+                    is "$output" "0:0:$dir" "run $opts ($dir)"
+                done
+            done
+        done
+    done
+}
+
+# #6829 : add username to /etc/passwd inside container if --userns=keep-id
+@test "podman run : add username to /etc/passwd if --userns=keep-id" {
+    # Default: always run as root
+    run_podman run --rm $IMAGE id -un
+    is "$output" "root" "id -un on regular container"
+
+    # This would always work on root, but is new behavior on rootless: #6829
+    # adds a user entry to /etc/passwd
+    run_podman run --rm --userns=keep-id $IMAGE id -un
+    is "$output" "$(id -un)" "username on container with keep-id"
+
+    # --privileged should make no difference
+    run_podman run --rm --privileged --userns=keep-id $IMAGE id -un
+    remove_same_dev_warning      # grumble
+    is "$output" "$(id -un)" "username on container with keep-id"
+
+    # ...but explicitly setting --user should override keep-id
+    run_podman run --rm --privileged --userns=keep-id --user=0 $IMAGE id -un
+    remove_same_dev_warning      # grumble
+    is "$output" "root" "--user=0 overrides keep-id"
+}
+
 # vim: filetype=sh
-- 
cgit v1.2.3-54-g00ecf