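package integration

import (
	"fmt"
	"os"
	"strings"

	. "github.com/hanks177/podman/v4/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	. "github.com/onsi/gomega/gexec"
)

// effectiveCaps runs `podman inspect` on the named container and returns its
// EffectiveCaps joined with ",". It fails the current spec if inspect does not
// exit 0 or does not return exactly one container, so callers never index an
// empty result.
//
// The expectations in this file show the capability list coming back in sorted
// order (a "setuid,setgid" label inspects as "CAP_SETGID,CAP_SETUID"), so
// comparisons must use the sorted spelling.
func effectiveCaps(p *PodmanTestIntegration, name string) string {
	inspect := p.Podman([]string{"inspect", name})
	inspect.WaitWithDefaultTimeout()
	Expect(inspect).Should(Exit(0))

	ctr := inspect.InspectContainerToJSON()
	Expect(ctr).To(HaveLen(1))
	return strings.Join(ctr[0].EffectiveCaps, ",")
}

// These specs exercise the io.containers.capabilities label: capabilities
// named in the label (on the container or inherited from the image) become the
// container's effective set, but only within what --cap-add / --cap-drop /
// --privileged otherwise allow. The Describe title is historical; the suite
// does not test `podman generate kube`.
var _ = Describe("Podman generate kube", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			// No usable scratch directory means nothing in this suite can run.
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	It("podman security labels", func() {
		// Label alone selects the capabilities; both are in the default set.
		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test1")).To(Equal("CAP_SETGID,CAP_SETUID"))
	})

	It("podman bad security labels", func() {
		// A label may not grant a capability outside the default set, so
		// sys_admin must not end up as the effective set.
		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test1")).To(Not(Equal("CAP_SYS_ADMIN")))
	})

	It("podman --cap-add sys_admin security labels", func() {
		// With an explicit --cap-add the label may narrow the set to sys_admin.
		test1 := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN",
			"--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test1")).To(Equal("CAP_SYS_ADMIN"))
	})

	It("podman --cap-drop all sys_admin security labels", func() {
		// --cap-drop all wins over the label: nothing is left.
		test1 := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test1")).To(Equal(""))
	})

	It("podman security labels from image", func() {
		test1 := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1).Should(Exit(0))

		// Bake the label into a committed image; a container created from
		// that image should inherit it.
		commit := podmanTest.Podman([]string{"commit", "-c", "label=io.containers.capabilities=sys_chroot,setuid", "test1", "image1"})
		commit.WaitWithDefaultTimeout()
		Expect(commit).Should(Exit(0))

		image1 := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"})
		image1.WaitWithDefaultTimeout()
		Expect(image1).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test2")).To(Equal("CAP_SETUID,CAP_SYS_CHROOT"))
	})

	It("podman --privileged security labels", func() {
		// --privileged must not be narrowed by the label. The inspected list
		// is sorted, so the negative check has to use the sorted spelling;
		// comparing against "CAP_SETUID,CAP_SETGID" can never match and would
		// pass even if the label had silently restricted the container.
		pull := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"})
		pull.WaitWithDefaultTimeout()
		Expect(pull).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test1")).To(Not(Equal("CAP_SETGID,CAP_SETUID")))
	})

	It("podman container runlabel (podman --version)", func() {
		SkipIfRemote("runlabel not supported on podman-remote")
		// Label set via a Dockerfile LABEL rather than commit -c.
		PodmanDockerfile := fmt.Sprintf(`
FROM %s
LABEL io.containers.capabilities=chown,kill`, ALPINE)

		image := "podman-caps:podman"
		podmanTest.BuildImage(PodmanDockerfile, image, "false")

		test1 := podmanTest.Podman([]string{"create", "--name", "test1", image, "echo", "test1"})
		test1.WaitWithDefaultTimeout()
		Expect(test1).Should(Exit(0))

		Expect(effectiveCaps(podmanTest, "test1")).To(Equal("CAP_CHOWN,CAP_KILL"))
	})

})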