github.com/containers/libpod@v1.9.4-0.20220419124438-4284fd425507/test/e2e/run_selinux_test.go (about)

     1  // +build !remoteclient
     2  
     3  package integration
     4  
     5  import (
     6  	"os"
     7  
     8  	. "github.com/containers/libpod/test/utils"
     9  	. "github.com/onsi/ginkgo"
    10  	. "github.com/onsi/gomega"
    11  	"github.com/opencontainers/selinux/go-selinux"
    12  )
    13  
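// Integration coverage for the SELinux labels podman applies to container
// processes (the type and MLS level read back from /proc/*/attr/current) and
// to the files it injects into the container (resolv.conf, hosts, hostname,
// /run/secrets). Every spec is skipped unless SELinux is enabled on the host,
// since the labels are only meaningful there.
var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			// Same convention as the rest of the e2e suite: without a
			// scratch directory nothing below can run, so bail out hard.
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
		// SELinux state is host-wide; on a host without it every label
		// assertion below would be vacuous, so skip rather than fail.
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// Default run: the container process must be confined in the container_t
	// domain, i.e. podman must not leave it in the caller's context.
	It("podman run selinux", func() {
		session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_t")
		Expect(match).To(BeTrue())
	})

	// An explicit MLS level (label=level:...) must be honored verbatim, so
	// that the caller can pin the MCS categories instead of relying on the
	// randomly generated pair.
	It("podman run selinux grep test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("s0:c1,c2")
		Expect(match).To(BeTrue())
	})

	// label=disable turns off separation: the process is expected to run as
	// spc_t (the "super privileged container" type), i.e. without the
	// confinement container_t provides. This spec pins that the opt-out
	// really does what its name says.
	It("podman run selinux disable test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("spc_t")
		Expect(match).To(BeTrue())
	})

	// Same check as "podman run selinux" but tolerant of the older policy
	// name for the confined container domain (presumably svirt_lxc_net_t
	// predates the container_t rename in container-selinux).
	It("podman run selinux type check test", func() {
		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match1, _ := session.GrepString("container_t")
		match2, _ := session.GrepString("svirt_lxc_net_t")
		Expect(match1 || match2).To(BeTrue())
	})

	// label=type:<type> must override the process type.
	It("podman run selinux type setup test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("spc_t")
		Expect(match).To(BeTrue())
	})

	// --privileged implies the unconfined spc_t domain, like label=disable.
	It("podman privileged selinux", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("spc_t")
		Expect(match).To(BeTrue())
	})

	// The files podman injects into the container must be labeled
	// container_file_t so a confined (container_t) process may access them;
	// any other file label would either be unreadable or would leak a host
	// label into the container.
	It("podman test selinux label resolv.conf", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	It("podman test selinux label hosts", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hosts"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	It("podman test selinux label hostname", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hostname"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	// /run/secrets is only expected to exist for root podman, hence the
	// rootless skip; "-d" lists the directory itself rather than its contents.
	It("podman test selinux label /run/secrets", func() {
		SkipIfRootless()
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-dZ", "/run/secrets"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	// The injected files keep their container_file_t label even when the
	// process itself runs unconfined via --privileged.
	It("podman test selinux --privileged label resolv.conf", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	It("podman test selinux --privileged label hosts", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hosts"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	It("podman test selinux --privileged label hostname", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hostname"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	It("podman test selinux --privileged label /run/secrets", func() {
		SkipIfRootless()
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-dZ", "/run/secrets"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).To(BeTrue())
	})

	// label=filetype:<type> relabels the container's mounts. A known type
	// must show up on /dev; an unknown type must be rejected by the runtime
	// (exit 126) rather than silently falling back to some default label.
	It("podman run selinux file type setup test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_var_lib_t")
		Expect(match).To(BeTrue())

		session = podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(126))
	})

	// A process exec'd into a running container must run in the same SELinux
	// context as the container's init (PID 1); otherwise exec would be a way
	// to sidestep the label the container was started with.
	It("podman exec selinux check", func() {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		Expect(setup.ExitCode()).To(Equal(0))

		session := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/1/attr/current"})
		session.WaitWithDefaultTimeout()
		// Both execs must succeed before their outputs are compared: two
		// failed execs would otherwise compare as equal (empty) and pass
		// vacuously.
		Expect(session.ExitCode()).To(Equal(0))

		session1 := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		session1.WaitWithDefaultTimeout()
		Expect(session1.ExitCode()).To(Equal(0))

		Expect(session.OutputToString()).To(Equal(session1.OutputToString()))
	})

})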
   180  })