1
//go:build !remote_testing
10
"github.com/containers/common/pkg/apparmor"
11
. "github.com/containers/podman/v5/test/utils"
12
. "github.com/onsi/ginkgo/v2"
13
. "github.com/onsi/gomega"
17
func skipIfAppArmorEnabled() {
18
if apparmor.IsEnabled() {
19
Skip("Apparmor is enabled")
22
func skipIfAppArmorDisabled() {
23
if !apparmor.IsEnabled() {
24
Skip("Apparmor is not enabled")
28
var _ = Describe("Podman run", func() {
30
It("podman run apparmor default", func() {
31
skipIfAppArmorDisabled()
32
session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
33
session.WaitWithDefaultTimeout()
34
Expect(session).Should(ExitCleanly())
36
cid := session.OutputToString()
37
// Verify that apparmor.Profile is being set
38
inspect := podmanTest.InspectContainer(cid)
39
Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
42
It("podman run no apparmor --privileged", func() {
43
skipIfAppArmorDisabled()
44
session := podmanTest.Podman([]string{"create", "--privileged", ALPINE, "ls"})
45
session.WaitWithDefaultTimeout()
46
Expect(session).Should(ExitCleanly())
48
cid := session.OutputToString()
49
// Verify that apparmor.Profile is being set
50
inspect := podmanTest.InspectContainer(cid)
51
Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
54
It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
55
skipIfAppArmorDisabled()
56
session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged", ALPINE, "ls"})
57
session.WaitWithDefaultTimeout()
58
Expect(session).Should(ExitCleanly())
60
cid := session.OutputToString()
61
// Verify that apparmor.Profile is being set
62
inspect := podmanTest.InspectContainer(cid)
63
Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
66
It("podman run apparmor aa-test-profile", func() {
67
skipIfAppArmorDisabled()
69
#include <tunables/global>
70
profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
71
#include <abstractions/base>
73
deny /sys/[^f]*/** wklx,
74
deny /sys/f[^s]*/** wklx,
75
deny /sys/fs/[^c]*/** wklx,
76
deny /sys/fs/c[^g]*/** wklx,
77
deny /sys/fs/cg[^r]*/** wklx,
78
deny /sys/firmware/efi/efivars/** rwklx,
79
deny /sys/kernel/security/** rwklx,
82
aaFile := filepath.Join(os.TempDir(), "aaFile")
83
Expect(os.WriteFile(aaFile, []byte(aaProfile), 0755)).To(Succeed())
84
parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
85
Expect(parse).Should(ExitCleanly())
87
session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=aa-test-profile", ALPINE, "ls"})
88
session.WaitWithDefaultTimeout()
89
Expect(session).Should(ExitCleanly())
91
cid := session.OutputToString()
92
// Verify that apparmor.Profile is being set
93
inspect := podmanTest.InspectContainer(cid)
94
Expect(inspect[0]).To(HaveField("AppArmorProfile", "aa-test-profile"))
97
It("podman run apparmor invalid", func() {
98
skipIfAppArmorDisabled()
99
session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
100
session.WaitWithDefaultTimeout()
101
Expect(session).To(ExitWithError())
104
It("podman run apparmor unconfined", func() {
105
skipIfAppArmorDisabled()
106
session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
107
session.WaitWithDefaultTimeout()
108
Expect(session).Should(ExitCleanly())
110
cid := session.OutputToString()
111
// Verify that apparmor.Profile is being set
112
inspect := podmanTest.InspectContainer(cid)
113
Expect(inspect[0]).To(HaveField("AppArmorProfile", "unconfined"))
116
It("podman run apparmor disabled --security-opt apparmor fails", func() {
117
skipIfAppArmorEnabled()
118
// Should fail if user specifies apparmor on disabled system
119
session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
120
session.WaitWithDefaultTimeout()
121
Expect(session).To(ExitWithError())
124
It("podman run apparmor disabled no default", func() {
125
skipIfAppArmorEnabled()
126
// Should succeed if user specifies apparmor on disabled system
127
session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
128
session.WaitWithDefaultTimeout()
129
Expect(session).Should(ExitCleanly())
131
cid := session.OutputToString()
132
// Verify that apparmor.Profile is being set
133
inspect := podmanTest.InspectContainer(cid)
134
Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
137
It("podman run apparmor disabled unconfined", func() {
138
skipIfAppArmorEnabled()
140
session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
141
session.WaitWithDefaultTimeout()
142
Expect(session).Should(ExitCleanly())
144
cid := session.OutputToString()
145
// Verify that apparmor.Profile is being set
146
inspect := podmanTest.InspectContainer(cid)
147
Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))