/
balmaster
/
podman
GigaCode
beta
ОбзорЦентр заботыВойти

podman

Форк
0
Ветки: 55Коммиты: 22365Теги: 216
podman
/test
/e2e
/
run_apparmor_test.go 
149 строк · 4.8 Кб
1
//go:build !remote_testing
2


3
package integration
4


5
import (
6
	"fmt"
7
	"os"
8
	"path/filepath"
9


10
	"github.com/containers/common/pkg/apparmor"
11
	. "github.com/containers/podman/v5/test/utils"
12
	. "github.com/onsi/ginkgo/v2"
13
	. "github.com/onsi/gomega"
14
)
15


16
// wip
17
func skipIfAppArmorEnabled() {
18
	if apparmor.IsEnabled() {
19
		Skip("Apparmor is enabled")
20
	}
21
}
22
func skipIfAppArmorDisabled() {
23
	if !apparmor.IsEnabled() {
24
		Skip("Apparmor is not enabled")
25
	}
26
}
27


28
var _ = Describe("Podman run", func() {
29


30
	It("podman run apparmor default", func() {
31
		skipIfAppArmorDisabled()
32
		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
33
		session.WaitWithDefaultTimeout()
34
		Expect(session).Should(ExitCleanly())
35


36
		cid := session.OutputToString()
37
		// Verify that apparmor.Profile is being set
38
		inspect := podmanTest.InspectContainer(cid)
39
		Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
40
	})
41


42
	It("podman run no apparmor --privileged", func() {
43
		skipIfAppArmorDisabled()
44
		session := podmanTest.Podman([]string{"create", "--privileged", ALPINE, "ls"})
45
		session.WaitWithDefaultTimeout()
46
		Expect(session).Should(ExitCleanly())
47


48
		cid := session.OutputToString()
49
		// Verify that apparmor.Profile is being set
50
		inspect := podmanTest.InspectContainer(cid)
51
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
52
	})
53


54
	It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
55
		skipIfAppArmorDisabled()
56
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged", ALPINE, "ls"})
57
		session.WaitWithDefaultTimeout()
58
		Expect(session).Should(ExitCleanly())
59


60
		cid := session.OutputToString()
61
		// Verify that apparmor.Profile is being set
62
		inspect := podmanTest.InspectContainer(cid)
63
		Expect(inspect[0]).To(HaveField("AppArmorProfile", apparmor.Profile))
64
	})
65


66
	It("podman run apparmor aa-test-profile", func() {
67
		skipIfAppArmorDisabled()
68
		aaProfile := `
69
#include <tunables/global>
70
profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
71
  #include <abstractions/base>
72
  deny mount,
73
  deny /sys/[^f]*/** wklx,
74
  deny /sys/f[^s]*/** wklx,
75
  deny /sys/fs/[^c]*/** wklx,
76
  deny /sys/fs/c[^g]*/** wklx,
77
  deny /sys/fs/cg[^r]*/** wklx,
78
  deny /sys/firmware/efi/efivars/** rwklx,
79
  deny /sys/kernel/security/** rwklx,
80
}
81
`
82
		aaFile := filepath.Join(os.TempDir(), "aaFile")
83
		Expect(os.WriteFile(aaFile, []byte(aaProfile), 0755)).To(Succeed())
84
		parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
85
		Expect(parse).Should(ExitCleanly())
86


87
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=aa-test-profile", ALPINE, "ls"})
88
		session.WaitWithDefaultTimeout()
89
		Expect(session).Should(ExitCleanly())
90


91
		cid := session.OutputToString()
92
		// Verify that apparmor.Profile is being set
93
		inspect := podmanTest.InspectContainer(cid)
94
		Expect(inspect[0]).To(HaveField("AppArmorProfile", "aa-test-profile"))
95
	})
96


97
	It("podman run apparmor invalid", func() {
98
		skipIfAppArmorDisabled()
99
		session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
100
		session.WaitWithDefaultTimeout()
101
		Expect(session).To(ExitWithError())
102
	})
103


104
	It("podman run apparmor unconfined", func() {
105
		skipIfAppArmorDisabled()
106
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
107
		session.WaitWithDefaultTimeout()
108
		Expect(session).Should(ExitCleanly())
109


110
		cid := session.OutputToString()
111
		// Verify that apparmor.Profile is being set
112
		inspect := podmanTest.InspectContainer(cid)
113
		Expect(inspect[0]).To(HaveField("AppArmorProfile", "unconfined"))
114
	})
115


116
	It("podman run apparmor disabled --security-opt apparmor fails", func() {
117
		skipIfAppArmorEnabled()
118
		// Should fail if user specifies apparmor on disabled system
119
		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
120
		session.WaitWithDefaultTimeout()
121
		Expect(session).To(ExitWithError())
122
	})
123


124
	It("podman run apparmor disabled no default", func() {
125
		skipIfAppArmorEnabled()
126
		// Should succeed if user specifies apparmor on disabled system
127
		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
128
		session.WaitWithDefaultTimeout()
129
		Expect(session).Should(ExitCleanly())
130


131
		cid := session.OutputToString()
132
		// Verify that apparmor.Profile is being set
133
		inspect := podmanTest.InspectContainer(cid)
134
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
135
	})
136


137
	It("podman run apparmor disabled unconfined", func() {
138
		skipIfAppArmorEnabled()
139


140
		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
141
		session.WaitWithDefaultTimeout()
142
		Expect(session).Should(ExitCleanly())
143


144
		cid := session.OutputToString()
145
		// Verify that apparmor.Profile is being set
146
		inspect := podmanTest.InspectContainer(cid)
147
		Expect(inspect[0]).To(HaveField("AppArmorProfile", ""))
148
	})
149
})
150

Использование cookies

Мы используем файлы cookie в соответствии с Политикой конфиденциальности и Политикой использования cookies.

Нажимая кнопку «Принимаю», Вы даете АО «СберТех» согласие на обработку Ваших персональных данных в целях совершенствования нашего веб-сайта и Сервиса GitVerse, а также повышения удобства их использования.

Запретить использование cookies Вы можете самостоятельно в настройках Вашего браузера.