containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13874 from vrothberg/test-for-CVE-2022-1227 

add a regression test for CVE-2022-1227
This commit is contained in:
OpenShift Merge Robot 2022-04-14 10:21:12 -04:00 committed by GitHub
parent 90293da292 2a75164e23
commit 53b984f20f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
test/system/030-run.bats
View File

@ -821,4 +821,28 @@ EOF
run_podman run --rm $IMAGE cat /proc/self/oom_score_adj run_podman run --rm $IMAGE cat /proc/self/oom_score_adj
is "$output" "$current_oom_score_adj" "different oom_score_adj in the container" is "$output" "$current_oom_score_adj" "different oom_score_adj in the container"
} }
# CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image
@test "podman top does not use nsenter from image" {
tmpdir=$PODMAN_TMPDIR/build-test
mkdir -p $tmpdir
tmpbuilddir=$tmpdir/build
mkdir -p $tmpbuilddir
dockerfile=$tmpbuilddir/Dockerfile
cat >$dockerfile <<EOF
FROM $IMAGE
RUN rm /usr/bin/nsenter; \
echo -e "#!/bin/sh\nfalse" >> /usr/bin/nsenter; \
chmod +x /usr/bin/nsenter
EOF
test_image="cve_2022_1227_test"
run_podman build -t $test_image $tmpbuilddir
run_podman run -d --userns=keep-id $test_image top
ctr="$output"
run_podman top $ctr huser,user
run_podman rm -f -t0 $ctr
run_podman rmi $test_image
}
# vim: filetype=sh # vim: filetype=sh