
     1  package integration
     2  
     3  import (
     4  	"os"
     5  	"path/filepath"
     6  
     7  	. "github.com/containers/podman/v4/test/utils"
     8  	. "github.com/onsi/ginkgo/v2"
     9  	. "github.com/onsi/gomega"
    10  	. "github.com/onsi/gomega/gexec"
    11  	"github.com/opencontainers/selinux/go-selinux"
    12  )
    13  
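// SELinux end-to-end specs for "podman run" and friends. Every spec here is
// skipped on hosts without SELinux enforcement; the remaining specs read the
// process label from /proc/self/attr/current (or the file label via ls -Z)
// inside a container and check the expected SELinux type or level.
var _ = Describe("Podman run", func() {
	BeforeEach(func() {
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	It("podman run selinux", func() {
		// Default confinement: the container process runs as container_t.
		session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_t"))
	})

	It("podman run selinux grep test", func() {
		// A user-supplied MCS level must show up verbatim in the process label.
		session := podmanTest.Podman([]string{"run", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman run selinux disable test", func() {
		// label=disable drops confinement: the process runs unconfined as spc_t.
		session := podmanTest.Podman([]string{"run", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
	})

	It("podman run selinux type check test", func() {
		// Accept either the current container_t type or the legacy
		// svirt_lxc_net_t alias still used by older policies.
		session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(Or(ContainSubstring("container_t"), ContainSubstring("svirt_lxc_net_t")))
	})

	It("podman run selinux type setup test", func() {
		// An explicit label=type: overrides the default process type.
		session := podmanTest.Podman([]string{"run", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
	})

	It("podman privileged selinux", func() {
		// --privileged implies the unconfined spc_t process type.
		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
	})

	// The files podman generates and bind-mounts into the container
	// (resolv.conf, hosts, hostname, /run/secrets) must be labelled
	// container_file_t so a confined process can read them. The same
	// holds for --privileged containers.

	It("podman test selinux label resolv.conf", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux label hosts", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hosts"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux label hostname", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hostname"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux label /run/secrets", func() {
		// -d: label the directory itself, not its entries.
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-dZ", "/run/secrets"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label resolv.conf", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label hosts", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hosts"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label hostname", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hostname"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman test selinux --privileged label /run/secrets", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-dZ", "/run/secrets"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_file_t"))
	})

	It("podman run selinux file type setup test", func() {
		// label=filetype: relabels the container's files with the given type.
		session := podmanTest.Podman([]string{"run", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_var_lib_t"))

		// A file type unknown to the policy must be rejected rather than
		// silently ignored; the container fails to start with exit 126.
		session = podmanTest.Podman([]string{"run", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(126))
	})

	It("podman exec selinux check", func() {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		Expect(setup).Should(ExitCleanly())

		// An exec'd process must carry the same label as the container's PID 1.
		// Both exec calls are required to succeed: without the exit checks two
		// empty outputs would compare equal and the label check would pass
		// vacuously.
		pid1 := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/1/attr/current"})
		pid1.WaitWithDefaultTimeout()
		Expect(pid1).Should(ExitCleanly())

		self := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		self.WaitWithDefaultTimeout()
		Expect(self).Should(ExitCleanly())
		Expect(self.OutputToString()).To(Equal(pid1.OutputToString()))
	})

	It("podman run --privileged and --security-opt SELinux options", func() {
		// Explicit label options still apply on top of --privileged.
		session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", "label=type:spc_t", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
		Expect(session.OutputToString()).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman pod container share SELinux labels", func() {
		session := podmanTest.Podman([]string{"pod", "create"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		podID := session.OutputToString()

		// Two containers in the same pod (with an infra container) get the
		// identical process label, including the MCS level.
		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		label1 := session.OutputToString()

		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(Equal(label1))

		session = podmanTest.Podman([]string{"pod", "rm", "-t", "0", podID, "--force"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
	})

	It("podman pod container --infra=false doesn't share SELinux labels", func() {
		session := podmanTest.Podman([]string{"pod", "create", "--infra=false"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		podID := session.OutputToString()

		// Without an infra container there is nothing to share the label
		// from, so each container gets its own (different) label.
		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		label1 := session.OutputToString()

		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(Not(Equal(label1)))

		session = podmanTest.Podman([]string{"pod", "rm", "-t", "0", podID, "--force"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
	})

	// Joining another container's IPC or PID namespace requires the same
	// label (the kernel checks SELinux on those namespaces), so podman copies
	// it; joining only the network namespace does not.

	It("podman shared IPC NS container share SELinux labels", func() {
		session := podmanTest.RunTopContainer("test1")
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		label1 := session.OutputToString()

		session = podmanTest.Podman([]string{"run", "--ipc", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(Equal(label1))
	})

	It("podman shared PID NS container share SELinux labels", func() {
		session := podmanTest.RunTopContainer("test1")
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		label1 := session.OutputToString()

		session = podmanTest.Podman([]string{"run", "--pid", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(Equal(label1))
	})

	It("podman shared NET NS container doesn't share SELinux labels", func() {
		session := podmanTest.RunTopContainer("test1")
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())

		session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		label1 := session.OutputToString()

		session = podmanTest.Podman([]string{"run", "--net", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(Not(Equal(label1)))
	})

	It("podman test --pid=host", func() {
		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
		// Sharing the host PID namespace disables confinement (spc_t).
		session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
	})

	It("podman test --ipc=host", func() {
		// Sharing the host IPC namespace disables confinement (spc_t).
		session := podmanTest.Podman([]string{"run", "--ipc=host", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
	})

	// Formerly three byte-identical specs named "podman test --ipc=net" that
	// actually exercised --net=host; collapsed into one, correctly named spec.
	It("podman test --net=host", func() {
		// Unlike --pid=host and --ipc=host, sharing the host network namespace
		// keeps the container confined as container_t.
		session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_t"))
	})

	It("podman test --runtime=/PATHTO/kata-runtime", func() {
		// Point podman at a fake "kata-runtime" (a symlink to /bin/true); the
		// runtime name alone is expected to select the container_kvm_t label.
		savedRuntime := podmanTest.OCIRuntime

		// With podman-remote the service must be restarted for a changed
		// OCIRuntime to take effect.
		restartRemote := func() {
			if IsRemote() {
				podmanTest.StopRemoteService()
				podmanTest.StartRemoteService()
			}
		}

		// Restore the real runtime even when an assertion below fails, so a
		// failure here does not leak the fake runtime into later specs.
		defer func() {
			podmanTest.OCIRuntime = savedRuntime
			restartRemote()
		}()

		podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime")
		err := os.Symlink("/bin/true", podmanTest.OCIRuntime)
		Expect(err).ToNot(HaveOccurred())
		restartRemote()

		session := podmanTest.Podman([]string{"create", ALPINE})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		cid := session.OutputToString()

		// NOTE(review): the inspect exit status is deliberately left
		// unasserted here; with a stub runtime a state sync may emit
		// diagnostics — confirm before tightening to ExitCleanly().
		session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
		session.WaitWithDefaultTimeout()
		Expect(session.OutputToString()).To(ContainSubstring("container_kvm_t"))
	})

	It("podman test init labels", func() {
		// A container whose command is /sbin/init gets the container_init_t type.
		session := podmanTest.Podman([]string{"create", SYSTEMD_IMAGE, "/sbin/init"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		cid := session.OutputToString()

		session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring("container_init_t"))
	})

	It("podman relabels named volume with :Z", func() {
		// :Z relabels the volume privately; the files then carry an MCS level.
		session := podmanTest.Podman([]string{"run", "-v", "testvol:/test1/test:Z", fedoraMinimal, "ls", "-alZ", "/test1"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(ExitCleanly())
		Expect(session.OutputToString()).To(ContainSubstring(":s0:"))
	})
})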
   315  	})
   316  })