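// +build !remoteclient

package integration

import (
	"os"
	"strings"

	. "github.com/containers/libpod/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// Privilege-boundary tests for `podman run`: what --privileged, --cap-add,
// --cap-drop and --security-opt no-new-privileges actually grant or remove,
// observed from inside the container via /proc/self/status, `mount` and /dev.
var _ = Describe("Podman privileged container tests", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			// Without a scratch directory nothing below can run; bail out of the
			// whole process (matching the other e2e suites) rather than have
			// every test fail for an unrelated reason.
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// --privileged must expose sysfs read-write: the first sysfs line of the
	// container's `mount` output has to carry the rw flag.
	It("podman privileged make sure sys is mounted rw", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, lines := session.GrepString("sysfs")
		Expect(ok).To(BeTrue())
		Expect(lines[0]).To(ContainSubstring("sysfs (rw,"))
	})

	// A --privileged container's effective capability set (CapEff) must equal
	// the one of the test process on the host. Skipped rootless; presumably
	// the capability view inside a user namespace is not directly comparable.
	It("podman privileged CapEff", func() {
		SkipIfRootless()
		// hostCaps rather than `cap`, so the builtin is not shadowed.
		hostCaps := SystemExec("grep", []string{"CapEff", "/proc/self/status"})
		Expect(hostCaps.ExitCode()).To(Equal(0))

		session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "grep", "CapEff", "/proc/self/status"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		Expect(session.OutputToString()).To(Equal(hostCaps.OutputToString()))
	})

	// --cap-add all must yield the same CapEff as the host test process, i.e.
	// be equivalent to --privileged as far as effective capabilities go.
	It("podman cap-add CapEff", func() {
		SkipIfRootless()
		hostCaps := SystemExec("grep", []string{"CapEff", "/proc/self/status"})
		Expect(hostCaps.ExitCode()).To(Equal(0))

		session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		Expect(session.OutputToString()).To(Equal(hostCaps.OutputToString()))
	})

	// --cap-drop all must leave the container with an empty effective
	// capability set (CapEff: 0000000000000000).
	It("podman cap-drop CapEff", func() {
		session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		// Guard the index so a malformed or empty line fails this assertion
		// instead of panicking the suite.
		fields := strings.Split(session.OutputToString(), " ")
		Expect(len(fields)).To(BeNumerically(">", 1))
		Expect(fields[1]).To(Equal("0000000000000000"))
	})

	// A non-privileged container is expected to see only a small, fixed set
	// of device nodes; the line count of `ls -l /dev` is pinned at 17 so any
	// growth of that set shows up here.
	It("podman non-privileged should have very few devices", func() {
		session := podmanTest.Podman([]string{"run", "-t", "busybox", "ls", "-l", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		Expect(len(session.OutputToStringArray())).To(Equal(17))
	})

	// --privileged inherits the host's device nodes, so /dev must be
	// noticeably larger than the default set checked above.
	It("podman privileged should inherit host devices", func() {
		SkipIfRootless()
		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "-l", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
	})

	// --security-opt no-new-privileges must set the NoNewPrivs flag (1) on the
	// container process, and a default run must leave it clear (0).
	It("run no-new-privileges test", func() {
		// The NoNewPrivs field is absent from /proc/self/status on older
		// kernels: check the version first, then that the field exists at all.
		newEnough, kernelErr := IsKernelNewerThan("4.14")
		Expect(kernelErr).To(BeNil())
		if !newEnough {
			Skip("Kernel is not new enough to test this feature")
		}

		hostNoNewPrivs := SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
		if hostNoNewPrivs.ExitCode() != 0 {
			Skip("Can't determine NoNewPrivs")
		}

		session := podmanTest.Podman([]string{"run", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		defaultRun := strings.Split(session.OutputToString(), ":")
		Expect(len(defaultRun)).To(BeNumerically(">", 1))

		session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", "busybox", "grep", "NoNewPrivs", "/proc/self/status"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		restrictedRun := strings.Split(session.OutputToString(), ":")
		Expect(len(restrictedRun)).To(BeNumerically(">", 1))

		// Pin the actual flag values instead of only asserting that the two
		// runs differ: "differ" would also accept an inverted result.
		Expect(strings.TrimSpace(restrictedRun[1])).To(Equal("1"))
		Expect(strings.TrimSpace(defaultRun[1])).To(Equal("0"))
	})
})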