opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-23 02:18:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add some test for podman run flag security-opt

Browse Source 
Add following test cases for security-opt:
  - Check default selinux value
  - Disable security options in container
  - Setup selinux type in security-opt
  - Disable seccomp protection
  - Configure custom seccomp.json

Signed-off-by: Yiqiao Pu <ypu@redhat.com>

Closes: #837
Approved by: rhatdan
This commit is contained in:
Yiqiao Pu
2018-05-29 17:41:57 +08:00
committed by Atomic Bot
parent c69f80c86c
commit 28d1cec9f6
1 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
test/e2e/run_test.go
View File

@ -62,6 +62,64 @@ var _ = Describe("Podman run", func() {
Expect(match).Should(BeTrue()) Expect(match).Should(BeTrue())
}) })
It("podman run selinux disable test", func() {
if !selinux.GetEnabled() {
Skip("SELinux not enabled")
}
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
match, _ := session.GrepString("unconfined_t")
Expect(match).Should(BeTrue())
})
It("podman run selinux type check test", func() {
if !selinux.GetEnabled() {
Skip("SELinux not enabled")
}
session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
match1, _ := session.GrepString("container_t")
match2, _ := session.GrepString("svirt_lxc_net_t")
Expect(match1 || match2).Should(BeTrue())
})
It("podman run selinux type setup test", func() {
if !selinux.GetEnabled() {
Skip("SELinux not enabled")
}
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
match, _ := session.GrepString("spc_t")
Expect(match).Should(BeTrue())
})
It("podman run seccomp undefine test", func() {
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
match, _ := session.GrepString("hello")
Expect(match).Should(BeTrue())
})
It("podman run seccomp test", func() {
jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
err := WriteJsonFile(in, jsonFile)
if err != nil {
fmt.Println(err)
Skip("Failed to prepare seccomp.json for test.")
}
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Not(Equal(0)))
match, _ := session.GrepString("Operation not permitted")
Expect(match).Should(BeTrue())
})
It("podman run capabilities test", func() { It("podman run capabilities test", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"}) session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()