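package integration

import (
	"os"
	"strings"

	. "github.com/containers/podman/v2/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// Tests for the io.containers.capabilities label. The label (set on the
// image, or via --label on the command line) names the capabilities a
// container needs. These cases pin down, through `podman inspect`, what the
// label may and may not do to the container's effective capability set:
//
//   - naming a subset of the default capabilities restricts the container to
//     exactly that subset (order preserved);
//   - naming a capability outside the default set (sys_admin) must NOT grant
//     it — the label is only allowed to narrow the set, never to widen it;
//   - explicit --cap-add / --cap-drop / --privileged on the command line take
//     precedence over the label.
var _ = Describe("Podman run security labels", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// effectiveCaps inspects the named container and returns its effective
	// capability set exactly as `podman inspect` reports it (a slice of
	// CAP_* names, in the order podman stored them).
	effectiveCaps := func(name string) []string {
		inspect := podmanTest.Podman([]string{"inspect", name})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect.ExitCode()).To(Equal(0))
		return inspect.InspectContainerToJSON()[0].EffectiveCaps
	}

	It("podman security labels", func() {
		// setuid/setgid are both in the default set, so the label narrows
		// the container to exactly those two.
		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1.ExitCode()).To(BeZero())

		caps := effectiveCaps("test1")
		Expect(strings.Join(caps, ",")).To(Equal("CAP_SETUID,CAP_SETGID"))
	})

	It("podman bad security labels", func() {
		// sys_admin is not in the default set: a label alone must never be
		// able to add it. Check the element, not the joined string — the
		// old `!= "CAP_SYS_ADMIN"` comparison would have passed even if
		// CAP_SYS_ADMIN had been granted alongside other capabilities.
		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1.ExitCode()).To(BeZero())

		caps := effectiveCaps("test1")
		Expect(caps).NotTo(ContainElement("CAP_SYS_ADMIN"))
	})

	It("podman --cap-add sys_admin security labels", func() {
		// With an explicit --cap-add the capability is allowed, and the label
		// then narrows the set down to just that one.
		test1 := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1.ExitCode()).To(BeZero())

		caps := effectiveCaps("test1")
		Expect(strings.Join(caps, ",")).To(Equal("CAP_SYS_ADMIN"))
	})

	It("podman --cap-drop all sys_admin security labels", func() {
		// --cap-drop all wins over the label: nothing is left.
		test1 := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1.ExitCode()).To(BeZero())

		caps := effectiveCaps("test1")
		Expect(strings.Join(caps, ",")).To(Equal(""))
	})

	It("podman security labels from image", func() {
		// The label is honoured when it comes from the image (here: set via
		// `podman commit -c label=...`) rather than the command line.
		test1 := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1.ExitCode()).To(BeZero())

		commit := podmanTest.Podman([]string{"commit", "-c", "label=io.containers.capabilities=sys_chroot,setuid", "test1", "image1"})
		commit.WaitWithDefaultTimeout()
		Expect(commit.ExitCode()).To(BeZero())

		image1 := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"})
		image1.WaitWithDefaultTimeout()
		Expect(image1.ExitCode()).To(BeZero())

		caps := effectiveCaps("test2")
		Expect(strings.Join(caps, ",")).To(Equal("CAP_SYS_CHROOT,CAP_SETUID"))
	})

	It("podman --privileged security labels", func() {
		// --privileged must not be narrowed by the label. The assertion is
		// deliberately loose (only "not the labelled pair"): the exact
		// privileged capability list depends on the host, so it is not
		// pinned here.
		create := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"})
		create.WaitWithDefaultTimeout()
		Expect(create.ExitCode()).To(BeZero())

		caps := effectiveCaps("test1")
		Expect(strings.Join(caps, ",")).NotTo(Equal("CAP_SETUID,CAP_SETGID"))
	})

	It("podman security labels from Dockerfile LABEL", func() {
		// NOTE(review): this test does not use `podman container runlabel`
		// (the old title was a copy-paste); the remote skip presumably exists
		// because of the local BuildImage call — confirm before changing it.
		SkipIfRemote("runlabel not supported on podman-remote")
		PodmanDockerfile := `
FROM alpine:latest
LABEL io.containers.capabilities=chown,kill`

		image := "podman-caps:podman"
		podmanTest.BuildImage(PodmanDockerfile, image, "false")

		// Both chown and kill are default capabilities, so the image LABEL
		// narrows the container to exactly that pair.
		test1 := podmanTest.Podman([]string{"create", "--name", "test1", image, "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1.ExitCode()).To(BeZero())

		caps := effectiveCaps("test1")
		Expect(strings.Join(caps, ",")).To(Equal("CAP_CHOWN,CAP_KILL"))
	})
})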