From 207abc4a9ada6dcc03420a02e243041d2f2f1c79 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 13 Oct 2021 16:24:46 -0400 Subject: We should only be relabeling when on first run On the second runs, the labels should be the same so no need to relabel. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2013548 Signed-off-by: Daniel J Walsh --- test/system/160-volumes.bats | 30 +++++++++++++++++++ test/system/410-selinux.bats | 70 +++++++++++++++++++++++++++++--------------- 2 files changed, 77 insertions(+), 23 deletions(-) (limited to 'test/system') diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats index 7128f1b65..43462de36 100644 --- a/test/system/160-volumes.bats +++ b/test/system/160-volumes.bats @@ -210,6 +210,36 @@ EOF run_podman volume rm my_vol2 } +# Podman volume user test +@test "podman volume user test" { + is_rootless || skip "only meaningful when run rootless" + user="1000:2000" + newuser="100:200" + tmpdir=${PODMAN_TMPDIR}/volume_$(random_string) + mkdir $tmpdir + touch $tmpdir/test1 + + run_podman run --name user --user $user -v $tmpdir:/data:U $IMAGE stat -c "%u:%g" /data + is "$output" "$user" "user should be changed" + + # Now chown the source directory and make sure recursive chown happens + run_podman unshare chown -R $newuser $tmpdir + run_podman start --attach user + is "$output" "$user" "user should be the same" + + # Now chown the file in source directory and make sure recursive chown + # doesn't happen + run_podman unshare chown -R $newuser $tmpdir/test1 + run_podman start --attach user + is "$output" "$user" "user should be the same" + # test1 should still be chowned to $newuser + run_podman unshare stat -c "%u:%g" $tmpdir/test1 + is "$output" "$newuser" "user should not be changed" + + run_podman unshare rm $tmpdir/test1 + run_podman rm user +} + # Confirm that container sees the correct id @test "podman volume with --userns=keep-id" { diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index ed9e73a3e..dbdfd4b9d 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -27,9 +27,9 @@ function check_label() { is "$type" "$1" "SELinux type" if [ -n "$2" ]; then - # e.g. from the above example -> "s0:c45,c745" - range=$(cut -d: -f4,5 <<<"$context") - is "$range" "$2^@" "SELinux range" + # e.g. from the above example -> "s0:c45,c745" + range=$(cut -d: -f4,5 <<<"$context") + is "$range" "$2^@" "SELinux range" fi } @@ -66,9 +66,9 @@ function check_label() { # FIXME this test fails when run rootless with runc: # Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied if is_rootless; then - runtime=$(podman_runtime) - test "$runtime" == "crun" \ - || skip "runtime is $runtime; this test requires crun" + runtime=$(podman_runtime) + test "$runtime" == "crun" \ + || skip "runtime is $runtime; this test requires crun" fi check_label "--pid=host" "spc_t" @@ -96,10 +96,10 @@ function check_label() { skip_if_no_selinux run_podman run -d --name myc \ - --security-opt seccomp=unconfined \ - --security-opt label=type:spc_t \ - --security-opt label=level:s0 \ - $IMAGE sh -c 'while test ! -e /stop; do sleep 0.1; done' + --security-opt seccomp=unconfined \ + --security-opt label=type:spc_t \ + --security-opt label=level:s0 \ + $IMAGE sh -c 'while test ! -e /stop; do sleep 0.1; done' run_podman inspect --format='{{ .HostConfig.SecurityOpt }}' myc is "$output" "[label=type:spc_t,label=level:s0 seccomp=unconfined]" \ "'podman inspect' preserves all --security-opts" @@ -118,7 +118,7 @@ function check_label() { skip_if_rootless_cgroupsv1 if [[ $(podman_runtime) == "runc" ]]; then - skip "some sort of runc bug, not worth fixing (#11784)" + skip "some sort of runc bug, not worth fixing (#11784)" fi run_podman run -d --name myctr $IMAGE top @@ -136,7 +136,7 @@ function check_label() { # net NS: do not share context run_podman run --rm --net container:myctr $IMAGE cat -v /proc/self/attr/current if [[ "$output" = "$context_c1" ]]; then - die "run --net : context ($output) is same as running container (it should not be)" + die "run --net : context ($output) is same as running container (it should not be)" fi # The 'myctr2' above was not run with --rm, so it still exists, and @@ -158,8 +158,8 @@ function check_label() { # We don't need a fullblown pause container; avoid pulling the k8s one run_podman pod create --name myselinuxpod \ - --infra-image $IMAGE \ - --infra-command /home/podman/pause + --infra-image $IMAGE \ + --infra-command /home/podman/pause # Get baseline run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current @@ -190,7 +190,7 @@ function check_label() { # Even after #7902, labels (':c123,c456') should be different run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current if [[ "$output" = "$context_c1" ]]; then - die "context ($output) is the same on two separate containers, it should have been different" + die "context ($output) is the same on two separate containers, it should have been different" fi run_podman pod rm myselinuxpod @@ -203,12 +203,12 @@ function check_label() { # runc and crun emit different diagnostics runtime=$(podman_runtime) case "$runtime" in - # crun 0.20.1 changes the error message - # from /proc/thread-self/attr/exec`: .* unable to assign - # to /proc/self/attr/keycreate`: .* unable to process - crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;; - runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;; - *) skip "Unknown runtime '$runtime'";; + # crun 0.20.1 changes the error message + # from /proc/thread-self/attr/exec`: .* unable to assign + # to /proc/self/attr/keycreate`: .* unable to process + crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;; + runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;; + *) skip "Unknown runtime '$runtime'";; esac # The '.*' in the error below is for dealing with podman-remote, which @@ -223,7 +223,7 @@ function check_label() { LABEL="system_u:object_r:tmp_t:s0" RELABEL="system_u:object_r:container_file_t:s0" tmpdir=$PODMAN_TMPDIR/vol - touch $tmpdir + mkdir -p $tmpdir chcon -vR ${LABEL} $tmpdir ls -Z $tmpdir @@ -239,12 +239,36 @@ function check_label() { run ls -dZ $tmpdir is "$output" "${RELABEL} $tmpdir" "Privileged Relabel Correctly" - run_podman run -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current + run_podman run --name label -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current level=$(secon -l $output) run ls -dZ $tmpdir is "$output" "system_u:object_r:container_file_t:$level $tmpdir" \ "Confined Relabel Correctly" + if is_rootless; then + run_podman unshare touch $tmpdir/test1 + # Relabel entire directory + run_podman unshare chcon system_u:object_r:usr_t:s0 $tmpdir + run_podman start --attach label + newlevel=$(secon -l $output) + is "$level" "$newlevel" "start should relabel with same SELinux labels" + run ls -dZ $tmpdir + is "$output" "system_u:object_r:container_file_t:$level $tmpdir" \ + "Confined Relabel Correctly" + run ls -dZ $tmpdir/test1 + is "$output" "system_u:object_r:container_file_t:$level $tmpdir/test1" \ + "Start did not Relabel" + + # Relabel only file in subdir + run_podman unshare chcon system_u:object_r:usr_t:s0 $tmpdir/test1 + run_podman start --attach label + newlevel=$(secon -l $output) + is "$level" "$newlevel" "start should use same SELinux labels" + + run ls -dZ $tmpdir/test1 + is "$output" "system_u:object_r:usr_t:s0 $tmpdir/test1" \ + "Start did not Relabel" + fi run_podman run -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current run ls -dZ $tmpdir is "$output" "${RELABEL} $tmpdir" "Shared Relabel Correctly" -- cgit v1.2.3-54-g00ecf