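package integration

import (
	"os"
	"path/filepath"

	. "github.com/hanks177/podman/v4/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	. "github.com/onsi/gomega/gexec"
	"github.com/opencontainers/selinux/go-selinux"
)

// SELinux labelling tests for "podman run": the default confined process
// type, explicit --security-opt label= overrides, the unconfined spc_t type
// produced by --privileged and by sharing host namespaces, the labels of the
// files podman generates inside the container, and label sharing between
// containers that share a pod or a namespace. Every test is skipped on hosts
// without SELinux.
var _ = Describe("Podman run", func() {
	// procLabel reports the SELinux label of the process reading it, so
	// "cat" of it inside a container shows the label podman gave the
	// container's processes.
	const procLabel = "/proc/self/attr/current"

	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		// Every test here asserts on SELinux labels; none is meaningful
		// without SELinux enforcing on the host.
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// runOutput executes "podman run" with args (image and command included),
	// asserts that it exited 0 and returns the session output.
	runOutput := func(args ...string) string {
		session := podmanTest.Podman(append([]string{"run"}, args...))
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		return session.OutputToString()
	}

	// containerLabel starts an ALPINE container with the given extra
	// "podman run" flags and returns the SELinux label seen by its process.
	containerLabel := func(flags ...string) string {
		args := append([]string{}, flags...)
		return runOutput(append(args, ALPINE, "cat", procLabel)...)
	}

	// inspectProcessLabel returns .ProcessLabel of container cid as reported
	// by "podman inspect", asserting that the command succeeded.
	inspectProcessLabel := func(cid string) string {
		session := podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		return session.OutputToString()
	}

	It("podman run selinux", func() {
		// Default run: the process must carry the confined container type.
		Expect(containerLabel()).To(ContainSubstring("container_t"))
	})

	It("podman run selinux grep test", func() {
		// An explicit MCS level override must appear in the process label.
		label := containerLabel("-it", "--security-opt", "label=level:s0:c1,c2")
		Expect(label).To(ContainSubstring("s0:c1,c2"))
	})

	It("podman run selinux disable test", func() {
		// label=disable turns off separation: the process runs as the
		// unconfined super-privileged container type.
		label := containerLabel("-it", "--security-opt", "label=disable")
		Expect(label).To(ContainSubstring("spc_t"))
	})

	It("podman run selinux type check test", func() {
		// Default type is container_t; older policies name it svirt_lxc_net_t,
		// so either is accepted.
		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", procLabel})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		match1, _ := session.GrepString("container_t")
		match2, _ := session.GrepString("svirt_lxc_net_t")
		Expect(match1 || match2).Should(BeTrue())
	})

	It("podman run selinux type setup test", func() {
		// label=type: replaces the process type.
		label := containerLabel("-it", "--security-opt", "label=type:spc_t")
		Expect(label).To(ContainSubstring("spc_t"))
	})

	It("podman privileged selinux", func() {
		// --privileged implies the unconfined spc_t type.
		Expect(containerLabel("--privileged")).To(ContainSubstring("spc_t"))
	})

	// Files podman generates or mounts into the container must be labelled
	// container_file_t so that a confined process can read them. The same
	// label is expected when the container runs --privileged.
	generatedFiles := []struct {
		name string // suffix of the test description
		path string
		ls   string // ls flags; -d lists /run/secrets itself, not its contents
	}{
		{name: "resolv.conf", path: "/etc/resolv.conf", ls: "-Z"},
		{name: "hosts", path: "/etc/hosts", ls: "-Z"},
		{name: "hostname", path: "/etc/hostname", ls: "-Z"},
		{name: "/run/secrets", path: "/run/secrets", ls: "-dZ"},
	}
	for _, entry := range generatedFiles {
		entry := entry // capture per iteration for the closures below
		It("podman test selinux label "+entry.name, func() {
			out := runOutput(fedoraMinimal, "ls", entry.ls, entry.path)
			Expect(out).To(ContainSubstring("container_file_t"))
		})

		It("podman test selinux --privileged label "+entry.name, func() {
			out := runOutput("--privileged", fedoraMinimal, "ls", entry.ls, entry.path)
			Expect(out).To(ContainSubstring("container_file_t"))
		})
	}

	It("podman run selinux file type setup test", func() {
		// label=filetype: relabels the container's files with the given type.
		out := runOutput("-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t", fedoraMinimal, "ls", "-Z", "/dev")
		Expect(out).To(ContainSubstring("container_var_lib_t"))

		// A file type unknown to the policy is rejected: the run exits 126
		// instead of starting the container.
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(126))
	})

	It("podman exec selinux check", func() {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		Expect(setup).Should(Exit(0))

		// An exec'd process must carry exactly the label of the container's
		// PID 1. Both execs have to succeed and produce output: without these
		// checks two empty outputs would compare equal and hide a broken exec.
		session := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/1/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(Equal("")))

		session1 := podmanTest.Podman([]string{"exec", "test1", "cat", procLabel})
		session1.WaitWithDefaultTimeout()
		Expect(session1).Should(Exit(0))
		Expect(session.OutputToString()).To(Equal(session1.OutputToString()))
	})

	It("podman run --privileged and --security-opt SELinux options", func() {
		// Explicit label options are still honoured alongside --privileged.
		label := containerLabel("-it", "--privileged", "--security-opt", "label=type:spc_t", "--security-opt", "label=level:s0:c1,c2")
		Expect(label).To(ContainSubstring("spc_t"))
		Expect(label).To(ContainSubstring("s0:c1,c2"))
	})

	// labelsInPod creates a pod with createFlags, runs two containers in it
	// and returns their process labels in order; the pod is removed before
	// returning.
	labelsInPod := func(createFlags ...string) (first, second string) {
		session := podmanTest.Podman(append([]string{"pod", "create"}, createFlags...))
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		podID := session.OutputToString()

		first = containerLabel("--pod", podID)
		second = containerLabel("--pod", podID)

		session = podmanTest.Podman([]string{"pod", "rm", "-t", "0", podID, "--force"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		return first, second
	}

	It("podman pod container share SELinux labels", func() {
		// Members of an infra-backed pod are expected to get the same label.
		first, second := labelsInPod()
		Expect(second).To(Equal(first))
	})

	It("podman pod container --infra=false doesn't share SELinux labels", func() {
		// Without an infra container each member keeps its own label.
		first, second := labelsInPod("--infra=false")
		Expect(second).To(Not(Equal(first)))
	})

	// sharedNSLabel starts the long-running container "test1", records the
	// label of a process exec'd inside it, then starts a second container
	// that joins test1's namespace via nsFlag (e.g. "--ipc") and returns both
	// labels.
	sharedNSLabel := func(nsFlag string) (existing, joined string) {
		session := podmanTest.RunTopContainer("test1")
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))

		session = podmanTest.Podman([]string{"exec", "test1", "cat", procLabel})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		existing = session.OutputToString()

		joined = containerLabel(nsFlag, "container:test1")
		return existing, joined
	}

	It("podman shared IPC NS container share SELinux labels", func() {
		existing, joined := sharedNSLabel("--ipc")
		Expect(joined).To(Equal(existing))
	})

	It("podman shared PID NS container share SELinux labels", func() {
		existing, joined := sharedNSLabel("--pid")
		Expect(joined).To(Equal(existing))
	})

	It("podman shared NET NS container doesn't share SELinux labels", func() {
		// Sharing only the network namespace must not collapse the two
		// containers into one label.
		existing, joined := sharedNSLabel("--net")
		Expect(joined).To(Not(Equal(existing)))
	})

	It("podman test --pid=host", func() {
		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
		// Sharing the host PID namespace is expected to drop the container to
		// the unconfined spc_t type.
		Expect(containerLabel("--pid=host")).To(ContainSubstring("spc_t"))
	})

	It("podman test --ipc=host", func() {
		// Same expectation for the host IPC namespace.
		Expect(containerLabel("--ipc=host")).To(ContainSubstring("spc_t"))
	})

	It("podman test --net=host", func() {
		// Unlike --pid=host and --ipc=host, sharing the host network
		// namespace keeps the confined container_t type.
		Expect(containerLabel("--net=host")).To(ContainSubstring("container_t"))
	})

	It("podman test --runtime=/PATHTO/kata-runtime", func() {
		// A runtime binary named kata-runtime makes podman assign the
		// container_kvm_t type. Only "create" is exercised, so a symlink to
		// /bin/true stands in for the runtime.
		restartRemoteService := func() {
			if IsRemote() {
				podmanTest.StopRemoteService()
				podmanTest.StartRemoteService()
			}
		}

		realRuntime := podmanTest.OCIRuntime
		podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime")
		// Restore the real runtime on every exit path, including a failed
		// assertion, so the (remote) service is never left pointed at
		// /bin/true.
		defer func() {
			podmanTest.OCIRuntime = realRuntime
			restartRemoteService()
		}()

		Expect(os.Symlink("/bin/true", podmanTest.OCIRuntime)).To(BeNil())
		restartRemoteService()

		session := podmanTest.Podman([]string{"create", ALPINE})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(inspectProcessLabel(session.OutputToString())).To(ContainSubstring("container_kvm_t"))
	})

	It("podman test init labels", func() {
		// A container whose command is /sbin/init gets the container_init_t
		// type.
		session := podmanTest.Podman([]string{"create", UBI_INIT, "/sbin/init"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(inspectProcessLabel(session.OutputToString())).To(ContainSubstring("container_init_t"))
	})

	It("podman relabels named volume with :Z", func() {
		// :Z relabels the named volume for this container; the listing of
		// the mount point must show an MCS level.
		out := runOutput("-v", "testvol:/test1/test:Z", fedoraMinimal, "ls", "-alZ", "/test1")
		Expect(out).To(ContainSubstring(":s0:"))
	})
})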