. "github.com/containers/podman/v5/test/utils"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
. "github.com/onsi/gomega/gexec"
var _ = Describe("Podman generate kube", func() {
It("podman empty security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(ExitCleanly())
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
Expect(ctr[0].EffectiveCaps).To(BeNil())
test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})
test2.WaitWithDefaultTimeout()
Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000"))
It("podman security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(ExitCleanly())
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Equal("CAP_SETGID,CAP_SETUID"))
It("podman bad security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(Exit(0))
stderr := test1.ErrorToString()
Expect(stderr).To(BeEmpty())
Expect(stderr).To(ContainSubstring("Capabilities requested by user or image are not allowed by default: \\\"CAP_SYS_ADMIN\\\""))
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Not(Equal("CAP_SYS_ADMIN")))
It("podman --cap-add sys_admin security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--cap-add", "SYS_ADMIN", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(ExitCleanly())
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Equal("CAP_SYS_ADMIN"))
It("podman --cap-drop all sys_admin security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--cap-drop", "all", "--label", "io.containers.capabilities=sys_admin", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(Exit(0))
stderr := test1.ErrorToString()
Expect(stderr).To(BeEmpty())
Expect(stderr).To(ContainSubstring("Capabilities requested by user or image are not allowed by default: \\\"CAP_SYS_ADMIN\\\""))
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Equal(""))
It("podman security labels from image", func() {
test1 := podmanTest.Podman([]string{"create", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(ExitCleanly())
commit := podmanTest.Podman([]string{"commit", "-q", "-c", "label=io.containers.capabilities=setgid,setuid", "test1", "image1"})
commit.WaitWithDefaultTimeout()
Expect(commit).Should(ExitCleanly())
image1 := podmanTest.Podman([]string{"create", "--name", "test2", "image1", "echo", "test1"})
image1.WaitWithDefaultTimeout()
Expect(image1).Should(ExitCleanly())
inspect := podmanTest.Podman([]string{"inspect", "test2"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Equal("CAP_SETGID,CAP_SETUID"))
It("podman --privileged security labels", func() {
pull := podmanTest.Podman([]string{"create", "--privileged", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test"})
pull.WaitWithDefaultTimeout()
Expect(pull).Should(ExitCleanly())
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Not(Equal("CAP_SETUID,CAP_SETGID")))
It("podman container runlabel (podman --version)", func() {
SkipIfRemote("runlabel not supported on podman-remote")
PodmanDockerfile := fmt.Sprintf(`
LABEL io.containers.capabilities=chown,kill`, ALPINE)
image := "podman-caps:podman"
podmanTest.BuildImage(PodmanDockerfile, image, "false")
test1 := podmanTest.Podman([]string{"create", "--name", "test1", image, "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(ExitCleanly())
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(ExitCleanly())
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Equal("CAP_CHOWN,CAP_KILL"))