opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-25 02:04:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7269 from openSUSE/seccomp

Browse Source 
Allow specifying seccomp profiles for privileged containers
This commit is contained in:
OpenShift Merge Robot
2020-08-11 07:19:21 -04:00
committed by GitHub
parent 68c67d2430 97a2c86aab
commit 6d3075a6c7
2 changed files with 30 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
test/e2e/run_test.go
View File

@ -193,22 +193,46 @@ var _ = Describe("Podman run", func() {
Expect(conData[0].Config.Annotations["io.podman.annotations.init"]).To(Equal("FALSE"))
})
It("podman run seccomp test", func() {
forbidGetCWDSeccompProfile := func() string {
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
jsonFile, err := podmanTest.CreateSeccompJson(in)
if err != nil {
fmt.Println(err)
Skip("Failed to prepare seccomp.json for test.")
}
return jsonFile
}
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", jsonFile}, ""), ALPINE, "pwd"})
It("podman run seccomp test", func() {
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
match, _ := session.GrepString("Operation not permitted")
Expect(match).Should(BeTrue())
})
It("podman run seccomp test --privileged", func() {
session := podmanTest.Podman([]string{"run", "-it", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
match, _ := session.GrepString("Operation not permitted")
Expect(match).Should(BeTrue())
})
It("podman run seccomp test --privileged no profile should be unconfined", func() {
session := podmanTest.Podman([]string{"run", "-it", "--privileged", ALPINE, "grep", "Seccomp", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(ContainSubstring("0"))
Expect(session.ExitCode()).To(Equal(0))
})
It("podman run seccomp test no profile should be default", func() {
session := podmanTest.Podman([]string{"run", "-it", ALPINE, "grep", "Seccomp", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(ContainSubstring("2"))
Expect(session.ExitCode()).To(Equal(0))
})
It("podman run capabilities test", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--cap-add", "all", ALPINE, "cat", "/proc/self/status"})
session.WaitWithDefaultTimeout()