From e356160f415b6111df09af214f0dea299e78ad04 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Wed, 14 Apr 2021 10:52:44 -0400
Subject: Add --group-add keep-groups: suplimentary groups into container

Currently we have rootless users who want to leak their groups access
into containers, but this group access is only able to be pushed in by
a hard to find OCI Runtime annotation.  This PR makes this option a lot
more visable and hides the complexity within the podman client.

This option is only really needed for local rootless users. It makes
no sense for remote clients, and probably makes little sense for
rootfull containers.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 test/system/170-run-userns.bats | 45 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 test/system/170-run-userns.bats

(limited to 'test/system')

diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
new file mode 100644
index 000000000..2dc5b078f
--- /dev/null
+++ b/test/system/170-run-userns.bats
@@ -0,0 +1,45 @@
+#!/usr/bin/env bats   -*- bats -*-
+# shellcheck disable=SC2096
+#
+# Tests for podman build
+#
+
+load helpers
+
+@test "podman --group-add keep-groups while in a userns" {
+    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_remote "--group-add keep-groups not supported in remote mode"
+    run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
+    is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
+}
+
+@test "podman --group-add keep-groups while not in a userns" {
+    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_remote "--group-add keep-groups not supported in remote mode"
+    run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id
+    is "$output" ".*1234" "Check group leaked into container"
+}
+
+@test "podman --group-add without keep-groups while in a userns" {
+    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_remote "--group-add keep-groups not supported in remote mode"
+    run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id
+    is "$output" ".*457" "Check group leaked into container"
+}
+
+@test "podman --remote --group-add keep-groups " {
+    if is_remote; then
+        run_podman 125 run --group-add keep-groups $IMAGE id
+        is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
+    fi
+}
+
+@test "podman --group-add without keep-groups " {
+    run_podman run --group-add 457 $IMAGE id
+    is "$output" ".*457" "Check group leaked into container"
+}
+
+@test "podman --group-add keep-groups plus added groups " {
+    run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id
+    is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
+}
-- 
cgit v1.2.3-54-g00ecf