opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 03:19:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add filepath glob support to --security-opt unmask

Browse Source 
Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely, then
specifing umask=all, also gives the user more flexibilty.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2021-05-01 05:50:31 -04:00
parent 7f2c27d43f
commit 4fd1965ab4
6 changed files with 81 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
pkg/specgen/generate/config_linux_test.go Normal file
View File

@ -0,0 +1,28 @@
package generate
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestShouldMask(t *testing.T) {
tests := []struct {
mask string
unmask []string
shouldMask bool
}{
{"/proc/foo", []string{"all"}, false},
{"/proc/foo", []string{"ALL"}, false},
{"/proc/foo", []string{"/proc/foo"}, false},
{"/proc/foo", []string{"/proc/*"}, false},
{"/proc/foo", []string{"/proc/bar", "all"}, false},
{"/proc/foo", []string{"/proc/f*"}, false},
{"/proc/foo", []string{"/proc/b*"}, true},
{"/proc/foo", []string{}, true},
}
for _, test := range tests {
val := shouldMask(test.mask, test.unmask)
assert.Equal(t, val, test.shouldMask)
}
}