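package integration

import (
	"os"
	"path/filepath"

	. "github.com/containers/podman/v3/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	. "github.com/onsi/gomega/gexec"
	"github.com/opencontainers/selinux/go-selinux"
)

// SELinux labelling tests for `podman run`. They only run on an
// SELinux-enabled host (see BeforeEach) and pin the process label
// (/proc/self/attr/current) and file labels (ls -Z) podman assigns.
//
// The security properties these assertions encode:
//   - the default confined domain is container_t (legacy alias
//     svirt_lxc_net_t is accepted too);
//   - --privileged, --security-opt label=disable, --pid=host and
//     --ipc=host all put the container in spc_t, i.e. the container is
//     no longer SELinux-separated from the host; --net=host does NOT;
//   - containers sharing an IPC or PID namespace (directly, or through
//     a pod that has an infra container) get one common label, so they
//     are not SELinux-separated from each other; sharing only the
//     network namespace keeps distinct labels.
var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
		// Skip only once podmanTest exists: AfterEach still runs after a
		// Skip and calls Cleanup on it.
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// runLabel runs the given podman args with `cat /proc/self/attr/current`
	// appended, requires exit 0 and returns the process label.
	runLabel := func(args ...string) string {
		args = append(args, "cat", "/proc/self/attr/current")
		session := podmanTest.Podman(args)
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		return session.OutputToString()
	}

	// fileLabel runs `ls <lsFlags> <path>` in fedoraMinimal (alpine's ls has
	// no -Z) with the given extra run flags and returns the output.
	fileLabel := func(runFlags []string, lsFlags, path string) string {
		args := append([]string{"run"}, runFlags...)
		args = append(args, fedoraMinimal, "ls", lsFlags, path)
		session := podmanTest.Podman(args)
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		return session.OutputToString()
	}

	It("podman run selinux", func() {
		Expect(runLabel("run", ALPINE)).To(ContainSubstring("container_t"))
	})

	It("podman run selinux grep test", func() {
		// An explicit MCS level must be honoured verbatim.
		out := runLabel("run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE)
		Expect(out).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman run selinux disable test", func() {
		// label=disable opts out of confinement: the process lands in spc_t,
		// not container_t.
		out := runLabel("run", "-it", "--security-opt", "label=disable", ALPINE)
		Expect(out).To(ContainSubstring("spc_t"))
	})

	It("podman run selinux type check test", func() {
		// Either the current type or the pre-rename alias is acceptable.
		out := runLabel("run", "-it", ALPINE)
		Expect(out).To(Or(ContainSubstring("container_t"), ContainSubstring("svirt_lxc_net_t")))
	})

	It("podman run selinux type setup test", func() {
		out := runLabel("run", "-it", "--security-opt", "label=type:spc_t", ALPINE)
		Expect(out).To(ContainSubstring("spc_t"))
	})

	It("podman privileged selinux", func() {
		// --privileged implies no SELinux separation from the host.
		out := runLabel("run", "--privileged", ALPINE)
		Expect(out).To(ContainSubstring("spc_t"))
	})

	// Files podman bind-mounts into the container must carry the
	// container-accessible file type, with or without --privileged.
	It("podman test selinux label resolv.conf", func() {
		Expect(fileLabel(nil, "-Z", "/etc/resolv.conf")).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux label hosts", func() {
		Expect(fileLabel(nil, "-Z", "/etc/hosts")).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux label hostname", func() {
		Expect(fileLabel(nil, "-Z", "/etc/hostname")).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux label /run/secrets", func() {
		Expect(fileLabel(nil, "-dZ", "/run/secrets")).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label resolv.conf", func() {
		out := fileLabel([]string{"--privileged"}, "-Z", "/etc/resolv.conf")
		Expect(out).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label hosts", func() {
		out := fileLabel([]string{"--privileged"}, "-Z", "/etc/hosts")
		Expect(out).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label hostname", func() {
		out := fileLabel([]string{"--privileged"}, "-Z", "/etc/hostname")
		Expect(out).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label /run/secrets", func() {
		out := fileLabel([]string{"--privileged"}, "-dZ", "/run/secrets")
		Expect(out).To(ContainSubstring("container_file_t"))
	})

	It("podman run selinux file type setup test", func() {
		// A valid filetype is applied to the container's /dev entries.
		out := fileLabel([]string{"-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t"}, "-Z", "/dev")
		Expect(out).To(ContainSubstring("container_var_lib_t"))

		// An unknown filetype must be rejected (exit 126), not silently
		// replaced by a default label.
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(126))
	})

	It("podman exec selinux check", func() {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		Expect(setup).Should(Exit(0))

		// An exec'd process must run in the same domain as the container's
		// PID 1. Both execs must succeed first, otherwise two empty outputs
		// would compare equal and the test would pass vacuously.
		session := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/1/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		session1 := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		session1.WaitWithDefaultTimeout()
		Expect(session1).Should(Exit(0))
		Expect(session.OutputToString()).To(Equal(session1.OutputToString()))
	})

	It("podman run --privileged and --security-opt SELinux options", func() {
		// Explicit label options still apply on top of --privileged.
		out := runLabel("run", "-it", "--privileged", "--security-opt", "label=type:spc_t", "--security-opt", "label=level:s0:c1,c2", ALPINE)
		Expect(out).To(ContainSubstring("spc_t"))
		Expect(out).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman pod container share SELinux labels", func() {
		session := podmanTest.Podman([]string{"pod", "create"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		podID := session.OutputToString()

		// With an infra container present, every member inherits one label.
		label1 := runLabel("run", "--pod", podID, ALPINE)
		Expect(runLabel("run", "--pod", podID, ALPINE)).To(Equal(label1))

		session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
	})

	It("podman pod container --infra=false doesn't share SELinux labels", func() {
		session := podmanTest.Podman([]string{"pod", "create", "--infra=false"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		podID := session.OutputToString()

		// No infra container, no shared namespaces: each member gets its own
		// MCS label.
		label1 := runLabel("run", "--pod", podID, ALPINE)
		Expect(runLabel("run", "--pod", podID, ALPINE)).To(Not(Equal(label1)))

		session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
	})

	// topLabel starts a top container named "test1" and returns its label.
	topLabel := func() string {
		session := podmanTest.RunTopContainer("test1")
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		return session.OutputToString()
	}

	It("podman shared IPC NS container share SELinux labels", func() {
		label1 := topLabel()
		Expect(runLabel("run", "--ipc", "container:test1", ALPINE)).To(Equal(label1))
	})

	It("podman shared PID NS container share SELinux labels", func() {
		label1 := topLabel()
		Expect(runLabel("run", "--pid", "container:test1", ALPINE)).To(Equal(label1))
	})

	It("podman shared NET NS container doesn't share SELinux labels", func() {
		// Only the network namespace is shared; labels stay distinct.
		label1 := topLabel()
		Expect(runLabel("run", "--net", "container:test1", ALPINE)).To(Not(Equal(label1)))
	})

	It("podman test --pid=host", func() {
		SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1")
		// Sharing the host PID namespace drops SELinux separation (spc_t).
		Expect(runLabel("run", "--pid=host", ALPINE)).To(ContainSubstring("spc_t"))
	})

	It("podman test --ipc=host", func() {
		// Sharing the host IPC namespace drops SELinux separation (spc_t).
		Expect(runLabel("run", "--ipc=host", ALPINE)).To(ContainSubstring("spc_t"))
	})

	It("podman test --net=host", func() {
		// Unlike --pid=host/--ipc=host, the host network namespace keeps the
		// container confined in container_t.
		Expect(runLabel("run", "--net=host", ALPINE)).To(ContainSubstring("container_t"))
	})

	It("podman test --runtime=/PATHTO/kata-runtime", func() {
		// A runtime whose basename is kata-runtime is expected to yield the
		// container_kvm_t process label. Point OCIRuntime at a throw-away
		// symlink to /bin/true so no real kata binary is needed.
		runtime := podmanTest.OCIRuntime
		podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime")
		Expect(os.Symlink("/bin/true", podmanTest.OCIRuntime)).To(Succeed())
		if IsRemote() {
			podmanTest.StopRemoteService()
			podmanTest.StartRemoteService()
		}
		// Restore the real runtime even if an assertion below fails; Ginkgo
		// recovers from the failure panic so deferred code still runs.
		defer func() {
			podmanTest.OCIRuntime = runtime
			if IsRemote() {
				podmanTest.StopRemoteService()
				podmanTest.StartRemoteService()
			}
		}()

		session := podmanTest.Podman([]string{"create", ALPINE})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		cid := session.OutputToString()

		session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(ContainSubstring("container_kvm_t"))
	})

	It("podman test init labels", func() {
		// A container whose command is /sbin/init gets the init domain.
		session := podmanTest.Podman([]string{"create", ubi_init, "/sbin/init"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		cid := session.OutputToString()

		session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(ContainSubstring("container_init_t"))
	})

	It("podman relabels named volume with :Z", func() {
		// :Z relabels the volume content; an MCS-labelled entry (":s0:")
		// must show up in the listing.
		out := fileLabel([]string{"-v", "testvol:/test1/test:Z"}, "-alZ", "/test1")
		Expect(out).To(ContainSubstring(":s0:"))
	})
})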