From 0334b6195820f7261f87a4f4e5d739a6d560f4b2 Mon Sep 17 00:00:00 2001
From: Urvashi Mohnani <umohnani@redhat.com>
Date: Wed, 18 Nov 2020 21:36:16 -0500
Subject: Add mask and unmask option to --security-opt

Add the mask and unmask option to the --security-opt flag
to allow users to specify paths to mask and unmask in the
container. If unmask=ALL, this will unmask all the paths we
mask by default.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
---
 test/e2e/run_test.go                     | 33 ++++++++++++++++++++++++++++++++
 test/system/400-unprivileged-access.bats |  2 +-
 2 files changed, 34 insertions(+), 1 deletion(-)


diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 0d65a3e59..efc125d2b 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -233,6 +233,39 @@ var _ = Describe("Podman run", func() {
 		return jsonFile
 	}
 
+	It("podman run mask and unmask path test", func() {
+		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr1", "--security-opt", "unmask=ALL", "--security-opt", "mask=/proc/acpi", ALPINE, "sleep", "200"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		session = podmanTest.Podman([]string{"exec", "maskCtr1", "ls", "/sys/firmware"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(Not(BeEmpty()))
+		Expect(session.ExitCode()).To(Equal(0))
+		session = podmanTest.Podman([]string{"exec", "maskCtr1", "ls", "/proc/acpi"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(BeEmpty())
+
+		session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr2", "--security-opt", "unmask=/proc/acpi:/sys/firmware", ALPINE, "sleep", "200"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		session = podmanTest.Podman([]string{"exec", "maskCtr2", "ls", "/sys/firmware"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(Not(BeEmpty()))
+		Expect(session.ExitCode()).To(Equal(0))
+		session = podmanTest.Podman([]string{"exec", "maskCtr2", "ls", "/proc/acpi"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(Not(BeEmpty()))
+		Expect(session.ExitCode()).To(Equal(0))
+
+		session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr3", "--security-opt", "mask=/sys/power/disk", ALPINE, "sleep", "200"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		session = podmanTest.Podman([]string{"exec", "maskCtr3", "cat", "/sys/power/disk"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(BeEmpty())
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
 	It("podman run seccomp test", func() {
 		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
 		session.WaitWithDefaultTimeout()
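Review bot: The masked-path check for maskCtr1 (`ls /proc/acpi`, the BeEmpty assertion after the second exec) never checks the exit code, unlike every other exec in this test, so it also passes when the exec itself fails (container not running, command error) rather than because the path is masked. Adding `Expect(session.ExitCode()).To(Equal(0))` after that BeEmpty assertion makes it consistent with the /sys/power/disk case and actually pins "masked path reads as empty" instead of "nothing reached stdout". The three detached `sleep 200` containers are not removed inside the test; presumably the suite's cleanup hook handles them — confirm. The maskCtr2 unmask check also assumes /proc/acpi exists on the host, which may not hold on ACPI-less test machines.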
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index 142d7dcd9..20fdd068f 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -118,7 +118,7 @@ EOF
         /proc/scsi
         /sys/firmware
         /sys/fs/selinux
-        /sys/dev
+        /sys/dev/block
     )
 
     # Some of the above may not exist on our host. Find only the ones that do.
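Review bot: The expected default-masked entry changes from /sys/dev to /sys/dev/block with no explanation in this hunk or in the commit message, which only describes the new mask/unmask options. Since this patch is limited to test/, the matching change to the default mask list is presumably in a non-test file; because narrowing a mask widens what a container can see, the list would be easier to audit with a comment above the entry such as `# only /sys/dev/block is masked by default (narrowed from /sys/dev; confirm against the default mask list)`. The enclosing test function starts and ends outside the hunk.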