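// +build !remoteclient

package integration

import (
	"os"

	. "github.com/containers/libpod/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// podmanSucceeds runs `podman <args...>` through the e2e harness, waits for it
// with the default timeout and fails the current spec unless it exited 0.
func podmanSucceeds(p *PodmanTestIntegration, args ...string) {
	session := p.Podman(args)
	session.WaitWithDefaultTimeout()
	Expect(session.ExitCode()).To(Equal(0), "podman %v", args)
}

// effectiveCaps inspects the named container and returns the EffectiveCaps
// list podman reports for it. The inspect call must succeed and must describe
// exactly one container; anything else fails the spec instead of panicking on
// an out-of-range index.
func effectiveCaps(p *PodmanTestIntegration, name string) []string {
	inspect := p.Podman([]string{"inspect", name})
	inspect.WaitWithDefaultTimeout()
	Expect(inspect.ExitCode()).To(Equal(0))
	ctrs := inspect.InspectContainerToJSON()
	Expect(ctrs).To(HaveLen(1))
	return ctrs[0].EffectiveCaps
}

// The io.containers.capabilities label lets an image (or a user at create
// time) declare which capabilities a container actually needs. These specs pin
// the behaviour podman applies to it, as seen through `podman inspect`
// EffectiveCaps:
//
//   - the label narrows the capability set to exactly the listed entries,
//     whether it is given on the command line, via `commit -c`, or in a
//     Dockerfile LABEL;
//   - it is not an escalation path: a label naming sys_admin must not result
//     in CAP_SYS_ADMIN being granted;
//   - explicit --cap-add / --cap-drop and --privileged take precedence over
//     the label.
//
// The matchers compare capability sets, not the joined string, so the specs
// do not depend on the order podman lists capabilities in.
var _ = Describe("Podman security labels", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			// No scratch directory means no harness; bail out hard.
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	It("podman security labels", func() {
		podmanSucceeds(podmanTest, "create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1")
		Expect(effectiveCaps(podmanTest, "test1")).To(ConsistOf("CAP_SETUID", "CAP_SETGID"))
	})

	It("podman bad security labels", func() {
		// sys_admin is not a capability the label may hand out. Check set
		// membership rather than comparing the joined list to "CAP_SYS_ADMIN":
		// the latter would have passed even if CAP_SYS_ADMIN were granted
		// alongside other capabilities.
		podmanSucceeds(podmanTest, "create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1")
		Expect(effectiveCaps(podmanTest, "test1")).ToNot(ContainElement("CAP_SYS_ADMIN"))
	})

	It("podman --cap-add sys_admin security labels", func() {
		// An explicit --cap-add grants what the label alone could not.
		podmanSucceeds(podmanTest, "create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1")
		Expect(effectiveCaps(podmanTest, "test1")).To(ConsistOf("CAP_SYS_ADMIN"))
	})

	It("podman --cap-drop all sys_admin security labels", func() {
		// --cap-drop all wins over the label: nothing is left.
		podmanSucceeds(podmanTest, "create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1")
		Expect(effectiveCaps(podmanTest, "test1")).To(BeEmpty())
	})

	It("podman security labels from image", func() {
		// The label is honoured when it comes from the image config rather
		// than the command line; here it is baked in with `commit -c`.
		podmanSucceeds(podmanTest, "create", "--name", "test1", "alpine", "echo", "test1")
		podmanSucceeds(podmanTest, "commit", "-c", "label=io.containers.capabilities=sys_chroot,net_raw", "test1", "image1")
		podmanSucceeds(podmanTest, "create", "--name", "test2", "image1", "echo", "test1")
		Expect(effectiveCaps(podmanTest, "test2")).To(ConsistOf("CAP_SYS_CHROOT", "CAP_NET_RAW"))
	})

	It("podman --privileged security labels", func() {
		// --privileged overrides the label: the two labelled capabilities are
		// still present, and the container is not limited to them.
		podmanSucceeds(podmanTest, "create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test")
		caps := effectiveCaps(podmanTest, "test1")
		Expect(caps).To(ContainElement("CAP_SETUID"))
		Expect(caps).To(ContainElement("CAP_SETGID"))
		Expect(len(caps)).To(BeNumerically(">", 2))
	})

	It("podman security labels from Dockerfile LABEL", func() {
		dockerfile := `
FROM alpine:latest
LABEL io.containers.capabilities=chown,mknod`

		image := "podman-caps:podman"
		podmanTest.BuildImage(dockerfile, image, "false")

		podmanSucceeds(podmanTest, "create", "--name", "test1", image, "echo", "test1")
		Expect(effectiveCaps(podmanTest, "test1")).To(ConsistOf("CAP_CHOWN", "CAP_MKNOD"))
	})
})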