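// +build !remote

package integration

import (
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/containers/common/pkg/apparmor"
	. "github.com/containers/podman/v2/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// skipIfAppArmorEnabled skips the current spec when the host has AppArmor
// enabled. It guards the specs that exercise the "AppArmor disabled" paths.
func skipIfAppArmorEnabled() {
	if apparmor.IsEnabled() {
		Skip("Apparmor is enabled")
	}
}

// skipIfAppArmorDisabled skips the current spec when the host has AppArmor
// disabled. It guards the specs that expect a profile to be applied.
func skipIfAppArmorDisabled() {
	if !apparmor.IsEnabled() {
		Skip("Apparmor is not enabled")
	}
}

var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// profileOfCreated runs "podman create <extraArgs...> ALPINE ls", asserts
	// that the create succeeded, and returns the AppArmorProfile that
	// "podman inspect" reports for the new container. Every spec below that
	// checks the effective profile goes through this helper so the only thing
	// each spec states is the flags under test and the expected profile.
	profileOfCreated := func(extraArgs ...string) string {
		args := append([]string{"create"}, extraArgs...)
		args = append(args, ALPINE, "ls")
		session := podmanTest.Podman(args)
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))

		cid := session.OutputToString()
		inspect := podmanTest.InspectContainer(cid)
		return inspect[0].AppArmorProfile
	}

	It("podman run apparmor default", func() {
		skipIfAppArmorDisabled()
		// With no flags the default profile (apparmor.Profile) is applied.
		Expect(profileOfCreated()).To(Equal(apparmor.Profile))
	})

	It("podman run no apparmor --privileged", func() {
		skipIfAppArmorDisabled()
		// --privileged alone: no profile is expected on the container.
		Expect(profileOfCreated("--privileged")).To(Equal(""))
	})

	It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
		skipIfAppArmorDisabled()
		// An explicit --security-opt apparmor=<profile> is expected to win
		// over --privileged: the default profile name must still be applied.
		Expect(profileOfCreated("--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged")).To(Equal(apparmor.Profile))
	})

	It("podman run apparmor aa-test-profile", func() {
		skipIfAppArmorDisabled()
		aaProfile := `
#include <tunables/global>
profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
`
		// Write the profile into this spec's own temp dir (created in
		// BeforeEach) rather than a fixed name directly under os.TempDir():
		// apparmor_parser loads whatever is at this path into the kernel, so
		// the file must not live at a predictable path in a shared directory
		// where another local user could swap it out. 0644 is sufficient —
		// the parser only reads the file, it is never executed.
		aaFile := filepath.Join(tempdir, "aaFile")
		Expect(ioutil.WriteFile(aaFile, []byte(aaProfile), 0644)).To(BeNil())
		// -K skips the profile cache and -r replaces an already-loaded profile
		// of the same name, so a rerun on the same host does not fail.
		parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
		Expect(parse.ExitCode()).To(Equal(0))

		Expect(profileOfCreated("--security-opt", "apparmor=aa-test-profile")).To(Equal("aa-test-profile"))
	})

	It("podman run apparmor invalid", func() {
		skipIfAppArmorDisabled()
		// A profile name that is not loaded must be rejected, not silently
		// ignored, otherwise the container would run with no confinement.
		session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).ToNot(Equal(0))
	})

	It("podman run apparmor unconfined", func() {
		skipIfAppArmorDisabled()
		// "unconfined" is an explicit opt-out and must be recorded as such.
		Expect(profileOfCreated("--security-opt", "apparmor=unconfined")).To(Equal("unconfined"))
	})

	It("podman run apparmor disabled --security-opt apparmor fails", func() {
		skipIfAppArmorEnabled()
		// Asking for a profile on a host without AppArmor must fail loudly
		// rather than start an unconfined container the user believes is confined.
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).ToNot(Equal(0))
	})

	It("podman run apparmor disabled no default", func() {
		skipIfAppArmorEnabled()
		// Without AppArmor on the host, a plain create succeeds and no
		// profile is recorded.
		Expect(profileOfCreated()).To(Equal(""))
	})

	It("podman run apparmor disabled unconfined", func() {
		skipIfAppArmorEnabled()
		// "unconfined" is accepted on a host without AppArmor and inspect
		// reports no profile.
		Expect(profileOfCreated("--security-opt", "apparmor=unconfined")).To(Equal(""))
	})
})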