opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-03 19:59:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Bump CI VMs to ones with netavark 1.10.3

Browse Source 
And, runc-1.12 broke our seccomp e2e tests (runc now calls getcwd(),
which is the dummy syscall blocked for testing seccomp). Switch
to blocking link() instead.

Also, disable v4.1.0 upgrade tests. They're hanging, and I have
no idea why, and have wasted most of a day debugging.

Fixes: #21546

Signed-off-by: Ed Santiago <santiago@redhat.com>
This commit is contained in:
Ed Santiago
2024-02-12 06:50:35 -07:00
parent f7f4d1064d
commit 5eb801a562
4 changed files with 31 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
test/e2e/run_test.go
View File

@@ -361,8 +361,8 @@ var _ = Describe("Podman run", func() {
Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init")))
})
forbidGetCWDSeccompProfile := func() string {
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
forbidLinkSeccompProfile := func() string {
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
jsonFile, err := podmanTest.CreateSeccompJSON(in)
if err != nil {
GinkgoWriter.Println(err)
@@ -517,17 +517,27 @@ var _ = Describe("Podman run", func() {
})
It("podman run seccomp test", func() {
session := podmanTest.Podman([]string{"run", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
})
secOpts := []string{"--security-opt", strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")}
cmd := []string{ALPINE, "ln", "/etc/motd", "/linkNotAllowed"}
It("podman run seccomp test --privileged", func() {
session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
// Without seccomp, this should succeed
session := podmanTest.Podman(append([]string{"run"}, cmd...))
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
Expect(session).To(ExitCleanly())
// With link syscall blocked, should fail
cmd = append(secOpts, cmd...)
session = podmanTest.Podman(append([]string{"run"}, cmd...))
session.WaitWithDefaultTimeout()
Expect(session).To(Exit(1))
Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
// ...even with --privileged
cmd = append([]string{"--privileged"}, cmd...)
session = podmanTest.Podman(append([]string{"run"}, cmd...))
session.WaitWithDefaultTimeout()
Expect(session).To(Exit(1))
Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
})
It("podman run seccomp test --privileged no profile should be unconfined", func() {