
     1  // +build !remote
     2  
     3  package integration
     4  
     5  import (
     6  	"fmt"
     7  	"io/ioutil"
     8  	"os"
     9  	"path/filepath"
    10  
    11  	"github.com/containers/common/pkg/apparmor"
    12  	. "github.com/containers/podman/v3/test/utils"
    13  	. "github.com/onsi/ginkgo"
    14  	. "github.com/onsi/gomega"
    15  	. "github.com/onsi/gomega/gexec"
    16  )
    17  
// skipIfAppArmorEnabled skips the current spec when the host has AppArmor
// enabled. It is used by the specs that exercise the AppArmor-disabled path.
func skipIfAppArmorEnabled() {
	if !apparmor.IsEnabled() {
		return
	}
	Skip("Apparmor is enabled")
}
// skipIfAppArmorDisabled skips the current spec unless the host has AppArmor
// enabled. It is used by the specs that need a profile to actually be applied.
func skipIfAppArmorDisabled() {
	enabled := apparmor.IsEnabled()
	if enabled {
		return
	}
	Skip("Apparmor is not enabled")
}
    29  
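// AppArmor integration specs for "podman create"/"podman run". Specs that need
// a profile applied start with skipIfAppArmorDisabled; specs that cover the
// AppArmor-disabled host path start with skipIfAppArmorEnabled. Each spec
// creates a container and checks the AppArmorProfile that "podman inspect"
// reports for it.
var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// createdProfile runs "podman create <createArgs...> ALPINE ls", requires
	// it to exit 0, and returns the AppArmorProfile recorded for the new
	// container. The offset makes a failing expectation point at the caller.
	createdProfile := func(createArgs ...string) string {
		args := append([]string{"create"}, createArgs...)
		args = append(args, ALPINE, "ls")
		session := podmanTest.Podman(args)
		session.WaitWithDefaultTimeout()
		ExpectWithOffset(1, session).Should(Exit(0))

		cid := session.OutputToString()
		inspect := podmanTest.InspectContainer(cid)
		return inspect[0].AppArmorProfile
	}

	It("podman run apparmor default", func() {
		skipIfAppArmorDisabled()
		// With no --security-opt, the default profile is applied.
		Expect(createdProfile()).To(Equal(apparmor.Profile))
	})

	It("podman run no apparmor --privileged", func() {
		skipIfAppArmorDisabled()
		// --privileged drops AppArmor confinement: no profile is recorded.
		Expect(createdProfile("--privileged")).To(Equal(""))
	})

	It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
		skipIfAppArmorDisabled()
		// An explicit apparmor= option is honored even with --privileged.
		profile := createdProfile("--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged")
		Expect(profile).To(Equal(apparmor.Profile))
	})

	It("podman run apparmor aa-test-profile", func() {
		skipIfAppArmorDisabled()
		aaProfile := `
#include <tunables/global>
profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
`
		// Write the profile into the per-test directory instead of a fixed
		// name under os.TempDir(): a predictable path in a shared tmp
		// directory can be pre-created or swapped by other users or be left
		// over from an earlier run. The file is plain data, so no execute bit.
		aaFile := filepath.Join(tempdir, "aaFile")
		Expect(ioutil.WriteFile(aaFile, []byte(aaProfile), 0644)).To(BeNil())
		// apparmor_parser -Kr loads the profile into the kernel, replacing an
		// existing profile of the same name and skipping the parser cache.
		parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
		Expect(parse).Should(Exit(0))

		// The custom profile is recorded under its own name.
		Expect(createdProfile("--security-opt", "apparmor=aa-test-profile")).To(Equal("aa-test-profile"))
	})

	It("podman run apparmor invalid", func() {
		skipIfAppArmorDisabled()
		// An unknown profile name must make the command fail, not be ignored.
		session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run apparmor unconfined", func() {
		skipIfAppArmorDisabled()
		// apparmor=unconfined is recorded literally.
		Expect(createdProfile("--security-opt", "apparmor=unconfined")).To(Equal("unconfined"))
	})

	It("podman run apparmor disabled --security-opt apparmor fails", func() {
		skipIfAppArmorEnabled()
		// Requesting a profile on a host without AppArmor must be an error.
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run apparmor disabled no default", func() {
		skipIfAppArmorEnabled()
		// Without an explicit apparmor option, creation succeeds on a host
		// without AppArmor and no profile is recorded.
		Expect(createdProfile()).To(Equal(""))
	})

	It("podman run apparmor disabled unconfined", func() {
		skipIfAppArmorEnabled()
		// apparmor=unconfined is accepted on a host without AppArmor and
		// nothing is recorded.
		Expect(createdProfile("--security-opt", "apparmor=unconfined")).To(Equal(""))
	})
})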