7
. "github.com/containers/podman/v5/test/utils"
8
. "github.com/onsi/ginkgo/v2"
9
. "github.com/onsi/gomega"
10
. "github.com/onsi/gomega/gexec"
13
var _ = Describe("Podman generate kube", func() {15
It("podman empty security labels", func() {16
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})17
test1.WaitWithDefaultTimeout()
18
Expect(test1).Should(ExitCleanly())
20
inspect := podmanTest.Podman([]string{"inspect", "test1"})21
inspect.WaitWithDefaultTimeout()
22
Expect(inspect).Should(ExitCleanly())
24
ctr := inspect.InspectContainerToJSON()
25
Expect(ctr[0].EffectiveCaps).To(BeNil())
27
test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})28
test2.WaitWithDefaultTimeout()
29
Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000"))32
It("podman security labels", func() {33
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})34
test1.WaitWithDefaultTimeout()
35
Expect(test1).Should(ExitCleanly())
37
inspect := podmanTest.Podman([]string{"inspect", "test1"})38
inspect.WaitWithDefaultTimeout()
39
Expect(inspect).Should(ExitCleanly())
41
ctr := inspect.InspectContainerToJSON()
42
caps := strings.Join(ctr[0].EffectiveCaps, ",")
43
Expect(caps).To(Equal("CAP_SETGID,CAP_SETUID"))46
It("podman bad security labels", func() {47
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})48
test1.WaitWithDefaultTimeout()
49
Expect(test1).Should(Exit(0))
50
stderr := test1.ErrorToString()
52
Expect(stderr).To(BeEmpty())
54
Expect(stderr).To(ContainSubstring("Capabilities requested by user or image are not allowed by default: \\\"CAP_SYS_ADMIN\\\""))57
inspect := podmanTest.Podman([]string{"inspect", "test1"})58
inspect.WaitWithDefaultTimeout()
59
Expect(inspect).Should(ExitCleanly())
61
ctr := inspect.InspectContainerToJSON()
62
caps := strings.Join(ctr[0].EffectiveCaps, ",")
63
Expect(caps).To(Not(Equal("CAP_SYS_ADMIN")))66
It("podman --cap-add sys_admin security labels", func() {67
test1 := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})68
test1.WaitWithDefaultTimeout()
69
Expect(test1).Should(ExitCleanly())
71
inspect := podmanTest.Podman([]string{"inspect", "test1"})72
inspect.WaitWithDefaultTimeout()
73
Expect(inspect).Should(ExitCleanly())
75
ctr := inspect.InspectContainerToJSON()
76
caps := strings.Join(ctr[0].EffectiveCaps, ",")
77
Expect(caps).To(Equal("CAP_SYS_ADMIN"))80
It("podman --cap-drop all sys_admin security labels", func() {81
test1 := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})82
test1.WaitWithDefaultTimeout()
83
Expect(test1).Should(Exit(0))
84
stderr := test1.ErrorToString()
86
Expect(stderr).To(BeEmpty())
88
Expect(stderr).To(ContainSubstring("Capabilities requested by user or image are not allowed by default: \\\"CAP_SYS_ADMIN\\\""))91
inspect := podmanTest.Podman([]string{"inspect", "test1"})92
inspect.WaitWithDefaultTimeout()
93
Expect(inspect).Should(ExitCleanly())
95
ctr := inspect.InspectContainerToJSON()
96
caps := strings.Join(ctr[0].EffectiveCaps, ",")
97
Expect(caps).To(Equal(""))100
It("podman security labels from image", func() {101
test1 := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"})102
test1.WaitWithDefaultTimeout()
103
Expect(test1).Should(ExitCleanly())
105
commit := podmanTest.Podman([]string{"commit", "-q", "-c", "label=io.containers.capabilities=setgid,setuid", "test1", "image1"})106
commit.WaitWithDefaultTimeout()
107
Expect(commit).Should(ExitCleanly())
109
image1 := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"})110
image1.WaitWithDefaultTimeout()
111
Expect(image1).Should(ExitCleanly())
113
inspect := podmanTest.Podman([]string{"inspect", "test2"})114
inspect.WaitWithDefaultTimeout()
115
Expect(inspect).Should(ExitCleanly())
117
ctr := inspect.InspectContainerToJSON()
118
caps := strings.Join(ctr[0].EffectiveCaps, ",")
119
Expect(caps).To(Equal("CAP_SETGID,CAP_SETUID"))123
It("podman --privileged security labels", func() {124
pull := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"})125
pull.WaitWithDefaultTimeout()
126
Expect(pull).Should(ExitCleanly())
128
inspect := podmanTest.Podman([]string{"inspect", "test1"})129
inspect.WaitWithDefaultTimeout()
130
Expect(inspect).Should(ExitCleanly())
132
ctr := inspect.InspectContainerToJSON()
133
caps := strings.Join(ctr[0].EffectiveCaps, ",")
134
Expect(caps).To(Not(Equal("CAP_SETUID,CAP_SETGID")))137
It("podman container runlabel (podman --version)", func() {138
SkipIfRemote("runlabel not supported on podman-remote")139
PodmanDockerfile := fmt.Sprintf(`
141
LABEL io.containers.capabilities=chown,kill`, ALPINE)
143
image := "podman-caps:podman"
144
podmanTest.BuildImage(PodmanDockerfile, image, "false")
146
test1 := podmanTest.Podman([]string{"create", "--name", "test1", image, "echo", "test1"})147
test1.WaitWithDefaultTimeout()
148
Expect(test1).Should(ExitCleanly())
150
inspect := podmanTest.Podman([]string{"inspect", "test1"})151
inspect.WaitWithDefaultTimeout()
152
Expect(inspect).Should(ExitCleanly())
154
ctr := inspect.InspectContainerToJSON()
155
caps := strings.Join(ctr[0].EffectiveCaps, ",")
156
Expect(caps).To(Equal("CAP_CHOWN,CAP_KILL"))