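//go:build !remote
// +build !remote

package integration

import (
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/containers/common/pkg/apparmor"
	. "github.com/hanks177/podman/v4/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	. "github.com/onsi/gomega/gexec"
)

// skipIfAppArmorEnabled skips the current spec when the host has AppArmor
// enabled. It guards the specs that exercise the "AppArmor disabled" path.
func skipIfAppArmorEnabled() {
	if apparmor.IsEnabled() {
		Skip("Apparmor is enabled")
	}
}

// skipIfAppArmorDisabled skips the current spec when the host has no AppArmor
// support. It guards the specs that expect a profile to actually be applied.
func skipIfAppArmorDisabled() {
	if !apparmor.IsEnabled() {
		Skip("Apparmor is not enabled")
	}
}

var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	It("podman run apparmor default", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		// With no --security-opt the container must get the default profile.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
	})

	It("podman run no apparmor --privileged", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", "--privileged", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		// --privileged alone disables confinement: no profile must be recorded.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
	})

	It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		// An explicit profile wins over --privileged and must still be applied.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
	})

	It("podman run apparmor aa-test-profile", func() {
		skipIfAppArmorDisabled()
		aaProfile := `
#include <tunables/global>
profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
`
		// Keep the profile inside this spec's own temp dir instead of a fixed
		// name under os.TempDir(): no collisions between concurrent runs and
		// no predictable file in a shared directory. It is data, not a
		// program, so 0644 is enough.
		aaFile := filepath.Join(tempdir, "aaFile")
		Expect(ioutil.WriteFile(aaFile, []byte(aaProfile), 0644)).To(Succeed())
		// -K bypasses the parser cache, -r replaces a same-named profile that a
		// previous run may have left loaded. The kernel profile is not unloaded
		// afterwards; -r makes the next reload safe.
		parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
		Expect(parse).Should(Exit(0))

		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=aa-test-profile", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		// The custom profile, not the default one, must be recorded.
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", "aa-test-profile"))
	})

	It("podman run apparmor invalid", func() {
		skipIfAppArmorDisabled()
		// A profile that is not loaded in the kernel must be rejected, never
		// silently downgraded to the default or to unconfined.
		session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run apparmor unconfined", func() {
		skipIfAppArmorDisabled()
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		// An explicit opt-out is recorded verbatim as "unconfined".
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", "unconfined"))
	})

	It("podman run apparmor disabled --security-opt apparmor fails", func() {
		skipIfAppArmorEnabled()
		// Asking for a profile on a host without AppArmor must fail loudly.
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run apparmor disabled no default", func() {
		skipIfAppArmorEnabled()
		// Without AppArmor on the host, a plain create succeeds and records
		// no profile.
		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
	})

	It("podman run apparmor disabled unconfined", func() {
		skipIfAppArmorEnabled()

		// "unconfined" is accepted on a host without AppArmor, but nothing is
		// recorded because there is no profile to opt out of.
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		cid := session.OutputToString()
		inspect := podmanTest.InspectContainer(cid)
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
	})
})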