
     1  package integration
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  
     7  	. "github.com/containers/podman/v4/test/utils"
     8  	. "github.com/onsi/ginkgo/v2"
     9  	. "github.com/onsi/gomega"
    10  	. "github.com/onsi/gomega/gexec"
    11  )
    12  
    13  var _ = Describe("Podman generate kube", func() {
    14  
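	// An empty io.containers.capabilities label must not grant anything:
	// inspect reports no effective caps and the process's CapEff mask is zero.
	It("podman empty security labels", func() {
		create := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})
		create.WaitWithDefaultTimeout()
		Expect(create).Should(ExitCleanly())

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		ctr := inspect.InspectContainerToJSON()
		Expect(ctr[0].EffectiveCaps).To(BeNil())

		// Cross-check from inside the container: CapEff in /proc/self/status is all zeros.
		run := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})
		run.WaitWithDefaultTimeout()
		// Check the exit status first so a failed run is reported as such
		// rather than as a missing substring in empty output.
		Expect(run).Should(Exit(0))
		Expect(run.OutputToString()).To(ContainSubstring("0000000000000000"))
	})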
    31  
	// A label listing capabilities from the default set is honored:
	// the container's effective caps are exactly setgid and setuid.
	It("podman security labels", func() {
		create := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
		create.WaitWithDefaultTimeout()
		Expect(create).Should(ExitCleanly())

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		// inspect reports the caps sorted and prefixed with CAP_.
		effective := inspect.InspectContainerToJSON()[0].EffectiveCaps
		Expect(strings.Join(effective, ",")).To(Equal("CAP_SETGID,CAP_SETUID"))
	})
    45  
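	// A label requesting a capability outside the default set (sys_admin) is
	// refused with a warning on stderr, and the container does not receive it.
	It("podman bad security labels", func() {
		create := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		create.WaitWithDefaultTimeout()
		// Exit(0) rather than ExitCleanly(): the warning below is expected on stderr.
		Expect(create).Should(Exit(0))
		stderr := create.ErrorToString()
		if IsRemote() {
			// The warning is not relayed to the remote client's stderr.
			Expect(stderr).To(BeEmpty())
		} else {
			Expect(stderr).To(ContainSubstring("Capabilities requested by user or image are not allowed by default: \\\"CAP_SYS_ADMIN\\\""))
		}

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		ctr := inspect.InspectContainerToJSON()
		// Assert on membership rather than the joined string: a list that merely
		// contains more than SYS_ADMIN would otherwise satisfy a not-equal check.
		Expect(ctr[0].EffectiveCaps).NotTo(ContainElement("CAP_SYS_ADMIN"))
	})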
    65  
	// When the user explicitly adds sys_admin with --cap-add, the label's
	// request for the same capability is allowed and it is the only effective cap.
	It("podman --cap-add sys_admin security labels", func() {
		create := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		create.WaitWithDefaultTimeout()
		Expect(create).Should(ExitCleanly())

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		effective := inspect.InspectContainerToJSON()[0].EffectiveCaps
		Expect(strings.Join(effective, ",")).To(Equal("CAP_SYS_ADMIN"))
	})
    79  
	// --cap-drop all wins over the label: the sys_admin request is refused with a
	// warning and the container ends up with no effective capabilities at all.
	It("podman --cap-drop all sys_admin security labels", func() {
		create := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		create.WaitWithDefaultTimeout()
		// Exit(0) rather than ExitCleanly(): a warning on stderr is expected locally.
		Expect(create).Should(Exit(0))
		stderr := create.ErrorToString()
		if !IsRemote() {
			Expect(stderr).To(ContainSubstring("Capabilities requested by user or image are not allowed by default: \\\"CAP_SYS_ADMIN\\\""))
		} else {
			Expect(stderr).To(BeEmpty())
		}

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		effective := inspect.InspectContainerToJSON()[0].EffectiveCaps
		Expect(strings.Join(effective, ",")).To(Equal(""))
	})
    99  
	// The capabilities label can come from the image rather than the command
	// line: commit a container with the label set, then create from that image.
	It("podman security labels from image", func() {
		base := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"})
		base.WaitWithDefaultTimeout()
		Expect(base).Should(ExitCleanly())

		// -c label=... bakes the capabilities label into the committed image.
		commit := podmanTest.Podman([]string{"commit", "-q", "-c", "label=io.containers.capabilities=setgid,setuid", "test1", "image1"})
		commit.WaitWithDefaultTimeout()
		Expect(commit).Should(ExitCleanly())

		fromImage := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"})
		fromImage.WaitWithDefaultTimeout()
		Expect(fromImage).Should(ExitCleanly())

		inspect := podmanTest.Podman([]string{"inspect", "test2"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		effective := inspect.InspectContainerToJSON()[0].EffectiveCaps
		Expect(strings.Join(effective, ",")).To(Equal("CAP_SETGID,CAP_SETUID"))
	})
   122  
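	// --privileged takes precedence over the label: the container must not be
	// restricted to the two capabilities the label lists.
	It("podman --privileged security labels", func() {
		create := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"})
		create.WaitWithDefaultTimeout()
		Expect(create).Should(ExitCleanly())

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		ctr := inspect.InspectContainerToJSON()
		caps := ctr[0].EffectiveCaps
		// Compare order-independently: inspect reports caps sorted, so a
		// not-equal check against "CAP_SETUID,CAP_SETGID" would pass even if
		// the label had been applied.
		Expect(caps).NotTo(ConsistOf("CAP_SETUID", "CAP_SETGID"))
		// And a privileged container must hold a cap outside the label's list.
		Expect(caps).To(ContainElement("CAP_SYS_ADMIN"))
	})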
   136  
	// The capabilities label can also be set in a Dockerfile LABEL instruction;
	// a container created from the built image gets exactly those caps.
	// NOTE(review): the test name mentions runlabel, but the body only builds an
	// image and inspects a container created from it.
	It("podman container runlabel (podman --version)", func() {
		SkipIfRemote("runlabel not supported on podman-remote")
		dockerfile := fmt.Sprintf(`
FROM  %s
LABEL io.containers.capabilities=chown,kill`, ALPINE)

		imageName := "podman-caps:podman"
		podmanTest.BuildImage(dockerfile, imageName, "false")

		create := podmanTest.Podman([]string{"create", "--name", "test1", imageName, "echo", "test1"})
		create.WaitWithDefaultTimeout()
		Expect(create).Should(ExitCleanly())

		inspect := podmanTest.Podman([]string{"inspect", "test1"})
		inspect.WaitWithDefaultTimeout()
		Expect(inspect).Should(ExitCleanly())

		effective := inspect.InspectContainerToJSON()[0].EffectiveCaps
		Expect(strings.Join(effective, ",")).To(Equal("CAP_CHOWN,CAP_KILL"))
	})
   158  
   159  })