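//go:build !remote_testing
// +build !remote_testing

package integration

import (
	"fmt"
	"os"
	"path/filepath"

	"github.com/containers/common/pkg/apparmor"
	. "github.com/containers/podman/v4/test/utils"
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
)

// skipIfAppArmorEnabled skips the current spec when the host has AppArmor
// enabled. It guards the specs that exercise the "AppArmor disabled" path.
func skipIfAppArmorEnabled() {
	if apparmor.IsEnabled() {
		Skip("Apparmor is enabled")
	}
}

// skipIfAppArmorDisabled skips the current spec when the host has no usable
// AppArmor. It guards the specs that expect a profile to be applied.
func skipIfAppArmorDisabled() {
	if !apparmor.IsEnabled() {
		Skip("Apparmor is not enabled")
	}
}

// These specs check which AppArmor profile podman records for a container
// (inspect's AppArmorProfile field) depending on --privileged,
// --security-opt apparmor=..., and whether the host has AppArmor at all.
var _ = Describe("Podman run", func() {

	It("podman run apparmor default", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		// With no options, the default profile (apparmor.Profile) is applied.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
	})

	It("podman run no apparmor --privileged", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", "--privileged", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		// --privileged alone drops the default profile: nothing is recorded.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
	})

	It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		// An explicitly requested profile is kept even under --privileged.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
	})

	It("podman run apparmor aa-test-profile", func() {
		skipIfAppArmorDisabled()
		aaProfile := `
#include <tunables/global>
profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
`
		// Write the profile into a fresh private directory instead of a fixed,
		// predictable name under the shared os.TempDir(): a fixed path in a
		// world-writable directory can be pre-created or swapped by another
		// local user before apparmor_parser loads it into the kernel. The
		// file is plain text, so it does not need the execute bit either.
		aaDir, err := os.MkdirTemp("", "aa-test-profile-")
		Expect(err).ToNot(HaveOccurred())
		aaFile := filepath.Join(aaDir, "aaFile")
		Expect(os.WriteFile(aaFile, []byte(aaProfile), 0o644)).To(Succeed())
		parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
		Expect(parse).Should(ExitCleanly())
		// Unload the profile again (it needs the file) and then drop the
		// directory, so neither outlives this spec even when it fails.
		DeferCleanup(func() {
			SystemExec("apparmor_parser", []string{"-R", aaFile})
			os.RemoveAll(aaDir)
		})

		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=aa-test-profile", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		// The custom, freshly loaded profile is the one recorded.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", "aa-test-profile"))
	})

	It("podman run apparmor invalid", func() {
		skipIfAppArmorDisabled()
		// A profile name the kernel does not know must be rejected, not
		// silently ignored.
		session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run apparmor unconfined", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		// Opting out explicitly is recorded as the literal "unconfined".
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", "unconfined"))
	})

	It("podman run apparmor disabled --security-opt apparmor fails", func() {
		skipIfAppArmorEnabled()
		// Asking for a profile on a host without AppArmor must fail rather
		// than start the container without the requested confinement.
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run apparmor disabled no default", func() {
		skipIfAppArmorEnabled()
		// With no apparmor option on a disabled host the container starts
		// normally and no profile is recorded.
		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
	})

	It("podman run apparmor disabled unconfined", func() {
		skipIfAppArmorEnabled()

		// "unconfined" is accepted on a disabled host and recorded as empty.
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		cid := session.OutputToString()
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
	})
})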