#!/usr/bin/env bats -*- bats -*-
function check_label() {
    # Run a container with the given 'podman run' flags and assert on the
    # SELinux context of its main process (/proc/self/attr/current).
    #
    # Arguments:
    #   $1 - extra command-line args for 'podman run' (deliberately word-split)
    #   after the shift: $1 - expected SELinux type (3rd field of the context)
    #                    $2 - expected MLS/MCS range (fields 4-5)
    # Globals:   IMAGE (read); output (written by run_podman);
    #            user, role, type, range (written, not local)
    #
    # NOTE(review): this rendering of the file omits some lines of the body --
    # the case statement that dispatches on $args around the two arms below
    # (header, ';;' separators, 'esac'), and the function's closing brace.
    # The comments here describe only what is visible.
    local args="$1"; shift        # left unquoted below on purpose: split into separate flags

    # cat -v renders the trailing NUL of /proc/self/attr/current as '^@',
    # which is why the range assertion at the bottom ends in '^@'.
    run_podman run --rm $args $IMAGE cat -v /proc/self/attr/current

    remove_same_dev_warning
    local context="$output"

    # NOTE(review): $output is unquoted here; harmless for a colon-separated
    # context without whitespace, but "$output" would be the safer spelling.
    user=$(secon -u $output)
    role=$(secon -r $output)

    # Containers without SELinux separation (privileged, host pid/ipc
    # namespace, or labeling disabled) keep the invoking user's SELinux
    # user and role ...
    *--privileged*| *--pid=host* | *--ipc=host* | *"--security-opt label=disable"*)
        is "$context" "$user:$role:.*" "Non SELinux separated containers role should always be the current user and role"
    # ... whereas separated (confined) containers always run as system_r.
        is "$context" ".*_u:system_r:.*" "SELinux separated containers role should always be system_r"

    # Third field of e.g. system_u:system_r:container_t:s0:c1,c2 is the type.
    type=$(cut -d: -f3 <<<"$context")
    is "$type" "$1" "SELinux type"

    # Fields 4-5 are the range, e.g. s0:c1,c2, followed by the '^@' from cat -v.
    # NOTE(review): most callers pass no range argument; presumably this check
    # sits behind a guard on $2 that is not visible here -- confirm against
    # the full file.
    range=$(cut -d: -f4,5 <<<"$context")
    is "$range" "$2^@" "SELinux range"
@test "podman selinux: confined container" {
    # Default, fully separated container: process type must be container_t.
    check_label "" "container_t"
@test "podman selinux: container with label=disable" {
    # Turning labeling off yields spc_t, the unconfined "super privileged
    # container" type -- i.e. no SELinux separation from the host.
    check_label "--security-opt label=disable" "spc_t"
@test "podman selinux: privileged container" {
    # --privileged implies no SELinux separation: expect the unconfined spc_t.
    check_label "--privileged" "spc_t"
@test "podman selinux: privileged --userns=host container" {
    # Adding --userns=host must not change the privileged result (spc_t).
    check_label "--privileged --userns=host" "spc_t"
@test "podman selinux: --ipc=host container" {
    # Sharing the host IPC namespace removes separation: expect spc_t.
    check_label "--ipc=host" "spc_t"
@test "podman selinux: init container" {
    # Systemd-mode containers get the dedicated container_init_t type.
    check_label "--systemd=always" "container_init_t"
@test "podman selinux: init container with --security-opt type" {
    # An explicit label=type overrides the container_init_t default.
    check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
@test "podman selinux: init container with --security-opt level&type" {
    # Both overrides at once: explicit type and explicit MCS range.
    check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
@test "podman selinux: init container with --security-opt level" {
    # Overriding only the level keeps the init type and pins the range.
    check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
@test "podman selinux: pid=host" {
    # Sharing the host PID namespace: only asserted under crun, other
    # runtimes are skipped rather than failed.
    runtime=$(podman_runtime)
    test "$runtime" == "crun" \
        || skip "runtime is $runtime; this test requires crun"

    # No separation possible with the host's PID namespace: expect spc_t.
    check_label "--pid=host" "spc_t"
@test "podman selinux: container with overridden range" {
    # Confined type, but the MCS categories are the ones requested instead
    # of randomly assigned ones.
    check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
@test "podman selinux: inspect kvm labels" {
    # --runtime is a client-side flag, so this cannot work against a remote server.
    skip_if_remote "runtime flag is not passed over remote"

    tmpdir=$PODMAN_TMPDIR/kata-test
    # Stand-in "kata" runtime: a symlink to /bin/true is sufficient because the
    # container is only created and inspected here, never started.
    # NOTE(review): creation of $tmpdir and removal of the 'myc' container are
    # not visible in this rendering.
    KATA=${tmpdir}/kata-runtime
    ln -s /bin/true ${KATA}
    run_podman create --runtime=${KATA} --name myc $IMAGE
    run_podman inspect --format='{{ .ProcessLabel }}' myc
    # A runtime named kata-runtime is expected to select the container_kvm_t type.
    is "$output" ".*container_kvm_t"
@test "podman selinux: inspect multiple labels" {
    # Several --security-opt values must all survive into 'inspect'.
    # NOTE(review): the tail of this 'run -d' command line (image and command,
    # after the last continuation) is not visible in this rendering.
    run_podman run -d --name myc \
        --security-opt seccomp=unconfined \
        --security-opt label=type:spc_t \
        --security-opt label=level:s0 \
    run_podman inspect --format='{{ .HostConfig.SecurityOpt }}' myc
    # Expected rendering: the two label= options joined by a comma, then seccomp.
    is "$output" "[label=type:spc_t,label=level:s0 seccomp=unconfined]" \
       "'podman inspect' preserves all --security-opts"

    run_podman rm -t 0 -f myc
@test "podman selinux: shared context in (some) namespaces" {
    skip_if_rootless_cgroupsv1

    if [[ $(podman_runtime) == "runc" ]]; then
        skip "some sort of runc bug, not worth fixing (issue 11784, wontfix)"
    # NOTE(review): the 'fi' closing this if is not visible in this rendering.

    # Long-running reference container whose context the others are compared to.
    run_podman run -d --name myctr $IMAGE top
    run_podman exec myctr cat -v /proc/self/attr/current
    # NOTE(review): $context_c1 is used below but its assignment (presumably
    # from this exec's $output) is not visible in this rendering.

    # Joining the running container's IPC or PID namespace reuses its full
    # SELinux context (presumably so the two stay mutually accessible under
    # MCS) ...
    run_podman run --name myctr2 --ipc container:myctr $IMAGE cat -v /proc/self/attr/current
    is "$output" "$context_c1" "new container, run with ipc of existing one "

    run_podman run --rm --pid container:myctr $IMAGE cat -v /proc/self/attr/current
    is "$output" "$context_c1" "new container, run with --pid of existing one "

    # ... but sharing only the network namespace must NOT collapse separation.
    run_podman run --rm --net container:myctr $IMAGE cat -v /proc/self/attr/current
    assert "$output" != "$context_c1" \
           "run --net : context should != context of running container"

    run_podman stop -t 0 myctr
    # myctr2 was not run with --rm and still depends on myctr, so a plain
    # 'rm' (no -f) must fail with exit 125 and name the dependency.
    run_podman 125 rm myctr
    is "$output" "Error: container .* has dependent containers"
@test "podman selinux: containers in pods share full context" {
    local podname=myselinuxpod_do_share

    # Pod with an infra container: every member is expected to run with the
    # same full SELinux context (user:role:type:level).
    run_podman pod create --name $podname \
               --infra-image $IMAGE \
               --infra-command /home/podman/pause

    run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
    # NOTE(review): $context_c1 is presumably captured from this $output on a
    # line not visible in this rendering.

    run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
    is "$output" "$context_c1" "SELinux context of 2nd container matches 1st"

    run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
    is "$output" "$context_c1" "SELinux context of 3rd container matches 1st"

    run_podman pod rm -f -t0 $podname
@test "podman selinux: containers in --no-infra pods do not share context" {
    local podname=myselinuxpod_dont_share

    # Without an infra container there is nothing to inherit from, so each
    # member must get its own (random MCS) context.
    run_podman pod create --name $podname --infra=false

    run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
    # NOTE(review): $context_c1 is presumably captured from this $output on a
    # line not visible in this rendering.

    run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
    assert "$output" != "$context_c1" \
           "context of two separate containers should be different"

    run_podman pod rm -f -t0 $podname
@test "podman with nonexistent labels" {
    # Each OCI runtime reports an invalid type with different wording.
    # NOTE(review): the case statement that dispatches on $runtime (header
    # and 'esac') is not visible in this rendering; only its arms are.
    runtime=$(podman_runtime)
    crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;;
    runc) expect=".*: \(failed to set\|write\) /proc/self/attr/keycreate.*" ;;
    *) skip "Unknown runtime '$runtime'";;

    # Unknown type 'foo.bar': the runtime must refuse to start the container
    # (podman exits 126) and podman must pass the runtime's message through.
    run_podman 126 run --rm --security-opt label=type:foo.bar $IMAGE true
    is "$output" "Error.*: $expect" "podman emits useful diagnostic on failure"
@test "podman selinux: check relabel" {
    # Volume relabeling (:z shared / :Z private) on a bind-mounted directory.
    # NOTE(review): creation of $tmpdir, the 'ls -dZ' reads whose $output the
    # "<label> <path>" assertions check, and the 'fi' of the rootless branch
    # are not visible in this rendering.
    LABEL="system_u:object_r:tmp_t:s0"
    RELABEL="system_u:object_r:container_file_t:s0"
    tmpdir=$PODMAN_TMPDIR/vol
    # Start from a known non-container label on the volume directory.
    chcon -vR ${LABEL} $tmpdir

    # No :z/:Z flag: the volume must keep its original label.
    run_podman run --rm -v $tmpdir:/test $IMAGE cat /proc/self/attr/current
    is "$output" "${LABEL} ${tmpdir}" "No Relabel Correctly"

    # :z relabels to the shared container_file_t:s0 even when the container
    # itself runs unconfined (label=disable or --privileged).
    run_podman run --rm -v $tmpdir:/test:z --security-opt label=disable $IMAGE cat /proc/self/attr/current
    is "$output" "${RELABEL} $tmpdir" "Privileged Relabel Correctly"

    run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE cat /proc/self/attr/current
    is "$output" "${RELABEL} $tmpdir" "Privileged Relabel Correctly"

    # :Z (private) relabels with the container's own MCS level; the container
    # is kept (no --rm) so it can be restarted below.
    run_podman run --name label -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current
    level=$(secon -l $output)
    is "$output" "system_u:object_r:container_file_t:$level $tmpdir" \
       "Confined Relabel Correctly"

    # Rootless only: relabel from inside the user namespace, then restart the
    # same container and check what 'start' relabels.
    if is_rootless && ! is_remote; then
        run_podman unshare touch $tmpdir/test1
        # Move the top-level directory away from container_file_t ...
        run_podman unshare chcon system_u:object_r:usr_t:s0 $tmpdir
        run_podman start --attach label
        newlevel=$(secon -l $output)
        # ... 'start' must keep the level assigned at creation ...
        is "$level" "$newlevel" "start should relabel with same SELinux labels"
        # ... and relabel the directory and its contents back to it.
        is "$output" "system_u:object_r:container_file_t:$level $tmpdir" \
           "Confined Relabel Correctly"
        run ls -dZ $tmpdir/test1
        is "$output" "system_u:object_r:container_file_t:$level $tmpdir/test1" \
           "Start did not Relabel"

        # Now only the child file is changed while the directory already
        # carries the expected label; 'start' appears to be expected to leave
        # the child alone in that case -- confirm against podman's relabel logic.
        # NOTE(review): the failure message "Start did not Relabel" reads as
        # the opposite of what this assertion checks (test1 staying usr_t).
        run_podman unshare chcon system_u:object_r:usr_t:s0 $tmpdir/test1
        run_podman start --attach label
        newlevel=$(secon -l $output)
        is "$level" "$newlevel" "start should use same SELinux labels"
        run ls -dZ $tmpdir/test1
        is "$output" "system_u:object_r:usr_t:s0 $tmpdir/test1" \
           "Start did not Relabel"

    # :z on a directory previously :Z-labeled goes back to the shared label.
    run_podman run --rm -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current
    is "$output" "${RELABEL} $tmpdir" "Shared Relabel Correctly"
@test "podman selinux nested" {
    # Expected mount-option fragment when the container gets a rootcontext
    # carrying its own level.
    ROOTCONTEXT='rw,rootcontext="system_u:object_r:container_file_t:s0:c1,c2"'
    SELINUXMNT="selinuxfs.*(rw,nosuid,noexec,relatime)"
    # NOTE(review): SELINUXMNT is reassigned right away (whatever sits between
    # the two assignments is not visible here), so both cases below actually
    # assert the read-only tmpfs pattern, although the assertion messages say
    # "readwrite". One of the two should be corrected.
    SELINUXMNT="tmpfs.*selinux.*\(ro"
    # Default: no rootcontext option, selinux dir mounted as a tmpfs.
    run_podman run --rm --security-opt label=level:s0:c1,c2 $IMAGE mount
    assert "$output" !~ "${ROOTCONTEXT}" "Don't use rootcontext"
    assert "$output" =~ "${SELINUXMNT}" "Mount SELinux file system readwrite"

    # label=nested: the rootcontext option with the container's level must be present.
    run_podman run --rm --security-opt label=nested --security-opt label=level:s0:c1,c2 $IMAGE mount
    assert "$output" =~ "${ROOTCONTEXT}" "Uses rootcontext"
    assert "$output" =~ "${SELINUXMNT}" "Mount SELinux file system readwrite"
@test "podman EnableLabeledUsers" {
    # Write a containers.conf override and run with CONTAINERS_CONF_OVERRIDE
    # pointing at it. With labeled users enabled the container is expected to
    # keep the caller's SELinux user and role (type container_t), and an
    # explicit label=role override must still win over the default role.
    # NOTE(review): the heredoc body and its EOF terminator, and the command
    # whose $output feeds the first two secon calls, are not visible in this
    # rendering; no comments are placed after the 'cat' line so as not to
    # alter heredoc text.
    overrideConf=$PODMAN_TMPDIR/containers.conf
    cat >$overrideConf <<EOF
    user=$(secon -u $output)
    role=$(secon -r $output)
    CONTAINERS_CONF_OVERRIDE=$overrideConf run_podman run $IMAGE cat /proc/self/attr/current
    level=$(secon -l $output)
    is "$output" "$user:$role:container_t:$level" "Confined label Correctly"

    CONTAINERS_CONF_OVERRIDE=$overrideConf run_podman run --rm --name label --security-opt label=role:system_r $IMAGE cat /proc/self/attr/current
    level=$(secon -l $output)
    is "$output" "$user:system_r:container_t:$level" "Confined with role override label Correctly"
@test "podman selinux: check unsupported relabel" {
    # A tmpfs mounted with a fixed context= option: while it is mounted, the
    # :z/:Z relabel requested by the volume flag is expected to be ignored
    # (the assertions below check the label is unchanged).
    # NOTE(review): mount-point creation, the 'ls -dZ' reads feeding $output,
    # and the unmount before the final case are not visible in this rendering.
    LABEL="system_u:object_r:tmp_t:s0"
    RELABEL="system_u:object_r:container_file_t:s0"
    tmpdir=$PODMAN_TMPDIR/vol
    mount --type tmpfs -o "context=\"$LABEL\"" tmpfs $tmpdir

    is "$output" "${LABEL} ${tmpdir}" "No Relabel Correctly"
    # Shared relabel (:z) must be a no-op on the context= mount.
    run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
    is "$output" "${LABEL} $tmpdir" "Ignored shared relabel Correctly"

    # Private relabel (:Z) likewise.
    # NOTE(review): the trailing '}' here and on the last line is glued to the
    # message string, so it becomes part of the assertion message rather than
    # closing anything; it should be moved to its own line.
    run_podman run --rm -v $tmpdir:/test:Z --privileged $IMAGE true
    is "$output" "${LABEL} $tmpdir" "Ignored private relabel Correctly"}

    # Presumably after the tmpfs is unmounted (not visible here), :z relabels
    # the directory normally.
    # NOTE(review): the message says "private" but this is the shared (:z) case.
    run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
    is "$output" "${RELABEL} $tmpdir" "Ignored private relabel Correctly"}