github.com/AbhinandanKurakure/podman/v3@v3.4.10/test/e2e/run_privileged_test.go

github.com/AbhinandanKurakure/podman/v3@v3.4.10/test/e2e/run_privileged_test.go (about)

     1  package integration
     2  
     3  import (
     4  	"os"
     5  	"strconv"
     6  	"strings"
     7  
     8  	. "github.com/containers/podman/v3/test/utils"
     9  	. "github.com/onsi/ginkgo"
    10  	. "github.com/onsi/gomega"
    11  	. "github.com/onsi/gomega/gexec"
    12  	"github.com/syndtr/gocapability/capability"
    13  )
    14  
    15  // helper function for confirming that container capabilities are equal
    16  // to those of the host, but only to the extent of caps we (podman)
    17  // know about at compile time. That is: the kernel may have more caps
    18  // available than we are aware of, leading to host=FFF... and ctr=3FF...
    19  // because the latter is all we request. Accept that.
    20  func containerCapMatchesHost(ctrCap string, hostCap string) {
    21  	if isRootless() {
    22  		return
    23  	}
    24  	ctrCap_n, err := strconv.ParseUint(ctrCap, 16, 64)
    25  	Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", ctrCap)
    26  
    27  	hostCap_n, err := strconv.ParseUint(hostCap, 16, 64)
    28  	Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", hostCap)
    29  
    30  	// host caps can never be zero (except rootless).
    31  	// and host caps must always be a superset (inclusive) of container
    32  	Expect(hostCap_n).To(BeNumerically(">", 0), "host cap %q should be nonzero", hostCap)
    33  	Expect(hostCap_n).To(BeNumerically(">=", ctrCap_n), "host cap %q should never be less than container cap %q", hostCap, ctrCap)
    34  	hostCap_masked := hostCap_n & (1<<len(capability.List()) - 1)
    35  	Expect(ctrCap_n).To(Equal(hostCap_masked), "container cap %q is not a subset of host cap %q", ctrCap, hostCap)
    36  }
    37  
    38  var _ = Describe("Podman privileged container tests", func() {
    39  	var (
    40  		tempdir    string
    41  		err        error
    42  		podmanTest *PodmanTestIntegration
    43  	)
    44  
    45  	BeforeEach(func() {
    46  		tempdir, err = CreateTempDirInTempDir()
    47  		if err != nil {
    48  			os.Exit(1)
    49  		}
    50  		podmanTest = PodmanTestCreate(tempdir)
    51  		podmanTest.Setup()
    52  		podmanTest.SeedImages()
    53  	})
    54  
    55  	AfterEach(func() {
    56  		podmanTest.Cleanup()
    57  		f := CurrentGinkgoTestDescription()
    58  		processTestResult(f)
    59  
    60  	})
    61  
    62  	It("podman privileged make sure sys is mounted rw", func() {
    63  		session := podmanTest.Podman([]string{"run", "--privileged", BB, "mount"})
    64  		session.WaitWithDefaultTimeout()
    65  		Expect(session).Should(Exit(0))
    66  		ok, lines := session.GrepString("sysfs")
    67  		Expect(ok).To(BeTrue())
    68  		Expect(lines[0]).To(ContainSubstring("sysfs (rw,"))
    69  	})
    70  
    71  	It("podman privileged CapEff", func() {
    72  		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
    73  		Expect(hostCap).Should(Exit(0))
    74  
    75  		session := podmanTest.Podman([]string{"run", "--privileged", BB, "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
    76  		session.WaitWithDefaultTimeout()
    77  		Expect(session).Should(Exit(0))
    78  
    79  		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
    80  	})
    81  
    82  	It("podman cap-add CapEff", func() {
    83  		// Get caps of current process
    84  		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
    85  		Expect(hostCap).Should(Exit(0))
    86  
    87  		session := podmanTest.Podman([]string{"run", "--cap-add", "all", BB, "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
    88  		session.WaitWithDefaultTimeout()
    89  		Expect(session).Should(Exit(0))
    90  
    91  		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
    92  	})
    93  
    94  	It("podman cap-add CapEff with --user", func() {
    95  		// Get caps of current process
    96  		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
    97  		Expect(hostCap).Should(Exit(0))
    98  
    99  		session := podmanTest.Podman([]string{"run", "--user=bin", "--cap-add", "all", BB, "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
   100  		session.WaitWithDefaultTimeout()
   101  		Expect(session).Should(Exit(0))
   102  
   103  		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
   104  	})
   105  
   106  	It("podman cap-drop CapEff", func() {
   107  		session := podmanTest.Podman([]string{"run", "--cap-drop", "all", BB, "grep", "CapEff", "/proc/self/status"})
   108  		session.WaitWithDefaultTimeout()
   109  		Expect(session).Should(Exit(0))
   110  		capEff := strings.Split(session.OutputToString(), " ")
   111  		Expect("0000000000000000").To(Equal(capEff[1]))
   112  	})
   113  
   114  	It("podman privileged should disable seccomp by default", func() {
   115  		hostSeccomp := SystemExec("grep", []string{"-Ei", "^Seccomp:\\s+0$", "/proc/self/status"})
   116  		Expect(hostSeccomp).Should(Exit(0))
   117  
   118  		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "grep", "-Ei", "^Seccomp:\\s+0$", "/proc/self/status"})
   119  		session.WaitWithDefaultTimeout()
   120  		Expect(session).Should(Exit(0))
   121  	})
   122  
   123  	It("podman non-privileged should have very few devices", func() {
   124  		session := podmanTest.Podman([]string{"run", "-t", BB, "ls", "-l", "/dev"})
   125  		session.WaitWithDefaultTimeout()
   126  		Expect(session).Should(Exit(0))
   127  		Expect(len(session.OutputToStringArray())).To(Equal(17))
   128  	})
   129  
   130  	It("podman privileged should inherit host devices", func() {
   131  		SkipIfRootless("FIXME: This seems to be broken for rootless mode, /dev/ is close to the same")
   132  		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "-l", "/dev"})
   133  		session.WaitWithDefaultTimeout()
   134  		Expect(session).Should(Exit(0))
   135  		Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
   136  	})
   137  
   138  	It("run no-new-privileges test", func() {
   139  		// Check if our kernel is new enough
   140  		k, err := IsKernelNewerThan("4.14")
   141  		Expect(err).To(BeNil())
   142  		if !k {
   143  			Skip("Kernel is not new enough to test this feature")
   144  		}
   145  
   146  		cap := SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
   147  		if cap.ExitCode() != 0 {
   148  			Skip("Can't determine NoNewPrivs")
   149  		}
   150  
   151  		session := podmanTest.Podman([]string{"run", BB, "grep", "NoNewPrivs", "/proc/self/status"})
   152  		session.WaitWithDefaultTimeout()
   153  		Expect(session).Should(Exit(0))
   154  
   155  		privs := strings.Split(session.OutputToString(), ":")
   156  		session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", BB, "grep", "NoNewPrivs", "/proc/self/status"})
   157  		session.WaitWithDefaultTimeout()
   158  		Expect(session).Should(Exit(0))
   159  
   160  		noprivs := strings.Split(session.OutputToString(), ":")
   161  		Expect(privs[1]).To(Not(Equal(noprivs[1])))
   162  	})
   163  
   164  })