Add some test for podman run flag security-opt
Add the following test cases for security-opt:
- Check default selinux value
- Disable security options in container
- Set up selinux type in security-opt
- Disable seccomp protection
- Configure custom seccomp.json

Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Closes: #837
Approved by: rhatdan
		
							parent
							
								
									c69f80c86c
								
							
						
					
					
						commit
						28d1cec9f6
					
				|  | @ -62,6 +62,64 @@ var _ = Describe("Podman run", func() { | |||
| 		Expect(match).Should(BeTrue()) | ||||
| 	}) | ||||
| 
 | ||||
| 	It("podman run selinux disable test", func() { | ||||
| 		if !selinux.GetEnabled() { | ||||
| 			Skip("SELinux not enabled") | ||||
| 		} | ||||
| 		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"}) | ||||
| 		session.WaitWithDefaultTimeout() | ||||
| 		Expect(session.ExitCode()).To(Equal(0)) | ||||
| 		match, _ := session.GrepString("unconfined_t") | ||||
| 		Expect(match).Should(BeTrue()) | ||||
| 	}) | ||||
| 
 | ||||
| 	It("podman run selinux type check test", func() { | ||||
| 		if !selinux.GetEnabled() { | ||||
| 			Skip("SELinux not enabled") | ||||
| 		} | ||||
| 		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"}) | ||||
| 		session.WaitWithDefaultTimeout() | ||||
| 		Expect(session.ExitCode()).To(Equal(0)) | ||||
| 		match1, _ := session.GrepString("container_t") | ||||
| 		match2, _ := session.GrepString("svirt_lxc_net_t") | ||||
| 		Expect(match1 || match2).Should(BeTrue()) | ||||
| 	}) | ||||
| 
 | ||||
| 	It("podman run selinux type setup test", func() { | ||||
| 		if !selinux.GetEnabled() { | ||||
| 			Skip("SELinux not enabled") | ||||
| 		} | ||||
| 		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"}) | ||||
| 		session.WaitWithDefaultTimeout() | ||||
| 		Expect(session.ExitCode()).To(Equal(0)) | ||||
| 		match, _ := session.GrepString("spc_t") | ||||
| 		Expect(match).Should(BeTrue()) | ||||
| 	}) | ||||
| 
 | ||||
| 	It("podman run seccomp undefine test", func() { | ||||
| 		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"}) | ||||
| 		session.WaitWithDefaultTimeout() | ||||
| 		Expect(session.ExitCode()).To(Equal(0)) | ||||
| 		match, _ := session.GrepString("hello") | ||||
| 		Expect(match).Should(BeTrue()) | ||||
| 	}) | ||||
| 
 | ||||
| 	It("podman run seccomp test", func() { | ||||
| 		jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json") | ||||
| 		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) | ||||
| 		err := WriteJsonFile(in, jsonFile) | ||||
| 		if err != nil { | ||||
| 			fmt.Println(err) | ||||
| 			Skip("Failed to prepare seccomp.json for test.") | ||||
| 		} | ||||
| 
 | ||||
| 		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"}) | ||||
| 		session.WaitWithDefaultTimeout() | ||||
| 		Expect(session.ExitCode()).To(Not(Equal(0))) | ||||
| 		match, _ := session.GrepString("Operation not permitted") | ||||
| 		Expect(match).Should(BeTrue()) | ||||
| 	}) | ||||
| 
 | ||||
| 	It("podman run capabilities test", func() { | ||||
| 		session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"}) | ||||
| 		session.WaitWithDefaultTimeout() | ||||
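Review bot: The `podman run seccomp undefine test` case does not verify that seccomp is actually off: `echo hello` also succeeds under the default profile, so the test would still pass if `--security-opt seccomp=unconfined` were silently ignored. Consider running `cat /proc/self/status` in the container instead and asserting on the kernel-reported mode, e.g. `match, _ := session.GrepString("Seccomp:\t0")` (this assumes GrepString does a substring match on the captured output; its definition is not in this hunk). Separately, in `podman run seccomp test` a `WriteJsonFile` failure calls `Skip`, which hides a broken fixture and leaves the custom-profile check unrun; `Expect(err).ToNot(HaveOccurred())` would make it fail loudly. The enclosing `Describe` closure and the trailing `podman run capabilities test` case continue outside the hunk.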
|  |  | |||