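package integration

import (
	"os"

	. "github.com/containers/podman/v2/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/opencontainers/selinux/go-selinux"
)

// These tests pin the SELinux process and file contexts that podman assigns
// to containers under the various --security-opt, --privileged and namespace
// sharing options. They run only on hosts where SELinux is enabled.
var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	// procLabelPath is the procfs file a process reads to see its own
	// SELinux context.
	const procLabelPath = "/proc/self/attr/current"

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
		// Skip only after podmanTest exists: AfterEach calls
		// podmanTest.Cleanup() unconditionally and would dereference nil
		// if the skip happened before PodmanTestCreate.
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// runOK runs a podman command, waits for it, asserts that it exited 0
	// and returns its whitespace-normalised output. offset is the number of
	// helper frames between the test body and this function, so that a
	// failed assertion is reported at the test's own line.
	runOK := func(offset int, args []string) string {
		session := podmanTest.Podman(args)
		session.WaitWithDefaultTimeout()
		ExpectWithOffset(offset+1, session.ExitCode()).To(Equal(0))
		return session.OutputToString()
	}

	// podmanOK is runOK for direct use from a test body.
	podmanOK := func(args ...string) string {
		return runOK(1, args)
	}

	// runLabel runs "podman run <args...> cat /proc/self/attr/current" and
	// returns the SELinux context of the container's main process. args
	// must end with the image name.
	runLabel := func(args ...string) string {
		cmd := append([]string{"run"}, args...)
		cmd = append(cmd, "cat", procLabelPath)
		return runOK(1, cmd)
	}

	// startTopLabel starts a "top" container named test1 and returns the
	// SELinux context of a process exec'd into it.
	startTopLabel := func() string {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		ExpectWithOffset(1, setup.ExitCode()).To(Equal(0))
		return runOK(1, []string{"exec", "test1", "cat", procLabelPath})
	}

	It("podman run selinux", func() {
		// Default: the process runs under the confined container type.
		Expect(runLabel(ALPINE)).To(ContainSubstring("container_t"))
	})

	It("podman run selinux grep test", func() {
		// label=level sets the MCS level of the container process.
		Expect(runLabel("-it", "--security-opt", "label=level:s0:c1,c2", ALPINE)).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman run selinux disable test", func() {
		// label=disable removes confinement: the process runs as spc_t.
		Expect(runLabel("-it", "--security-opt", "label=disable", ALPINE)).To(ContainSubstring("spc_t"))
	})

	It("podman run selinux type check test", func() {
		// Older policies name the confined type svirt_lxc_net_t rather
		// than container_t; either is acceptable.
		label := runLabel("-it", ALPINE)
		Expect(label).To(Or(ContainSubstring("container_t"), ContainSubstring("svirt_lxc_net_t")))
	})

	It("podman run selinux type setup test", func() {
		Expect(runLabel("-it", "--security-opt", "label=type:spc_t", ALPINE)).To(ContainSubstring("spc_t"))
	})

	It("podman privileged selinux", func() {
		// --privileged yields the unconfined spc_t process type.
		Expect(runLabel("--privileged", ALPINE)).To(ContainSubstring("spc_t"))
	})

	// Files podman generates and mounts into the container must carry the
	// container_file_t file context, both with and without --privileged.
	for _, tc := range []struct {
		name string
		args []string
	}{
		{"resolv.conf", []string{"ls", "-Z", "/etc/resolv.conf"}},
		{"hosts", []string{"ls", "-Z", "/etc/hosts"}},
		{"hostname", []string{"ls", "-Z", "/etc/hostname"}},
		{"/run/secrets", []string{"ls", "-dZ", "/run/secrets"}},
	} {
		tc := tc // capture per iteration (pre-Go 1.22 loop semantics)

		It("podman test selinux label "+tc.name, func() {
			cmd := append([]string{"run", fedoraMinimal}, tc.args...)
			Expect(podmanOK(cmd...)).To(ContainSubstring("container_file_t"))
		})

		It("podman test selinux --privileged label "+tc.name, func() {
			cmd := append([]string{"run", "--privileged", fedoraMinimal}, tc.args...)
			Expect(podmanOK(cmd...)).To(ContainSubstring("container_file_t"))
		})
	}

	It("podman run selinux file type setup test", func() {
		// label=filetype changes the context applied to the container's
		// files, here visible on /dev.
		out := podmanOK("run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t", fedoraMinimal, "ls", "-Z", "/dev")
		Expect(out).To(ContainSubstring("container_var_lib_t"))

		// An unknown file type must make the container fail to start
		// (exit code 126) instead of running with some other context.
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(126))
	})

	It("podman exec selinux check", func() {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		Expect(setup.ExitCode()).To(Equal(0))

		// Both execs must succeed before their output is compared: two
		// failed execs would both print nothing and compare equal,
		// passing the test vacuously.
		pid1Label := podmanOK("exec", "test1", "cat", "/proc/1/attr/current")
		execLabel := podmanOK("exec", "test1", "cat", procLabelPath)
		Expect(execLabel).To(Equal(pid1Label))
	})

	It("podman run --privileged and --security-opt SELinux options", func() {
		// Explicit label options still take effect alongside --privileged.
		label := runLabel("-it", "--privileged", "--security-opt", "label=type:spc_t", "--security-opt", "label=level:s0:c1,c2", ALPINE)
		Expect(label).To(ContainSubstring("spc_t"))
		Expect(label).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman pod container share SELinux labels", func() {
		podID := podmanOK("pod", "create")

		// Containers joining a pod that has an infra container get the
		// same process context.
		label1 := runLabel("--pod", podID, ALPINE)
		Expect(runLabel("--pod", podID, ALPINE)).To(Equal(label1))

		podmanOK("pod", "rm", podID, "--force")
	})

	It("podman pod container --infra=false doesn't share SELinux labels", func() {
		podID := podmanOK("pod", "create", "--infra=false")

		// Without an infra container each pod member gets a distinct
		// process context.
		label1 := runLabel("--pod", podID, ALPINE)
		Expect(runLabel("--pod", podID, ALPINE)).ToNot(Equal(label1))

		podmanOK("pod", "rm", podID, "--force")
	})

	// Joining another container's IPC or PID namespace makes the new
	// container take that container's context; joining only its network
	// namespace does not.
	It("podman shared IPC NS container share SELinux labels", func() {
		label1 := startTopLabel()
		Expect(runLabel("--ipc", "container:test1", ALPINE)).To(Equal(label1))
	})

	It("podman shared PID NS container share SELinux labels", func() {
		label1 := startTopLabel()
		Expect(runLabel("--pid", "container:test1", ALPINE)).To(Equal(label1))
	})

	It("podman shared NET NS container doesn't share SELinux labels", func() {
		label1 := startTopLabel()
		Expect(runLabel("--net", "container:test1", ALPINE)).ToNot(Equal(label1))
	})

	It("podman test --pid=host", func() {
		// Sharing the host PID namespace runs the container unconfined.
		Expect(runLabel("--pid=host", ALPINE)).To(ContainSubstring("spc_t"))
	})

	It("podman test --ipc=host", func() {
		// Sharing the host IPC namespace runs the container unconfined.
		Expect(runLabel("--ipc=host", ALPINE)).To(ContainSubstring("spc_t"))
	})

	// The test exercises --net=host; the old name said --ipc=net.
	It("podman test --net=host", func() {
		// Host networking alone keeps the process confined as container_t.
		Expect(runLabel("--net=host", ALPINE)).To(ContainSubstring("container_t"))
	})
})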