Merge pull request #4806 from vrothberg/seccomp

policy for seccomp-profile selection
2025-12-05 04:40:47 +08:00 · 2020-01-15 01:16:07 +01:00
parent ad5137bc7b f3f4c54f2a
commit 0aa9dba3e1
9 changed files with 187 additions and 18 deletions
--- a/test/e2e/config.go
+++ b/test/e2e/config.go
@@ -14,4 +14,13 @@ var (
 	BB                = "docker.io/library/busybox:latest"
 	healthcheck       = "docker.io/libpod/alpine_healthcheck:latest"
 	ImageCacheDir     = "/tmp/podman/imagecachedir"
+
+	// This image has seccomp profiles that blocks all syscalls.
+	// The intention behind blocking all syscalls is to prevent
+	// regressions in the future.  The required syscalls can vary
+	// depending on which runtime we're using.
+	alpineSeccomp = "docker.io/libpod/alpine-with-seccomp:latest"
+	// This image has a bogus/invalid seccomp profile which should
+	// yield a json error when being read.
+	alpineBogusSeccomp = "docker.io/libpod/alpine-with-bogus-seccomp:latest"
 )
--- a/test/e2e/run_seccomp.go
+++ b/test/e2e/run_seccomp.go
@@ -0,0 +1,70 @@
+// +build !remoteclient
+
+package integration
+
+import (
+	"os"
+
+	. "github.com/containers/libpod/test/utils"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman run", func() {
+	var (
+		tempdir    string
+		err        error
+		podmanTest *PodmanTestIntegration
+	)
+
+	BeforeEach(func() {
+		tempdir, err = CreateTempDirInTempDir()
+		if err != nil {
+			os.Exit(1)
+		}
+		podmanTest = PodmanTestCreate(tempdir)
+		podmanTest.Setup()
+		podmanTest.SeedImages()
+	})
+
+	AfterEach(func() {
+		podmanTest.Cleanup()
+		f := CurrentGinkgoTestDescription()
+		processTestResult(f)
+
+	})
+
+	It("podman run --seccomp-policy default", func() {
+		session := podmanTest.Podman([]string{"run", "--seccomp-policy", "default", alpineSeccomp, "ls"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman run --seccomp-policy ''", func() {
+		// Empty string is interpreted as "default".
+		session := podmanTest.Podman([]string{"run", "--seccomp-policy", "", alpineSeccomp, "ls"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman run --seccomp-policy invalid", func() {
+		session := podmanTest.Podman([]string{"run", "--seccomp-policy", "invalid", alpineSeccomp, "ls"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).ToNot(Equal(0))
+	})
+
+	It("podman run --seccomp-policy image (block all syscalls)", func() {
+		session := podmanTest.Podman([]string{"run", "--seccomp-policy", "image", alpineSeccomp, "ls"})
+		session.WaitWithDefaultTimeout()
+		// TODO: we're getting a "cannot start a container that has
+		//       stopped" error which seems surprising.  Investigate
+		//       why that is so.
+		Expect(session.ExitCode()).ToNot(Equal(0))
+	})
+
+	It("podman run --seccomp-policy image (bogus profile)", func() {
+		session := podmanTest.Podman([]string{"run", "--seccomp-policy", "image", alpineBogusSeccomp, "ls"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(125))
+	})
+})