
Commit 88ad593

committed
Add new test to critest for privileged container
Test ensures that when a privileged container is run, the mount label persists and is in the right format. Also checks the process label. Signed-off-by: Urvashi Mohnani <[email protected]>
1 parent 31e2aec commit 88ad593

1 file changed

+44
-5
lines changed


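--- a/pkg/validate/security_context.go
+++ b/pkg/validate/security_context.go
@@ -421,7 +421,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, podConfig = createPrivilegedPodSandbox(rc, isPrivileged)
 
 By("create container for security context Privileged is true")
-containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-test-", isPrivileged)
+containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-test-", isPrivileged, framework.DefaultContainerImage, []string{"top"})
 
 By("start container")
 startContainer(rc, containerID)
@@ -439,7 +439,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, podConfig = createPrivilegedPodSandbox(rc, notPrivileged)
 
 By("create container for security context Privileged is true")
-containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-notPrivileged-test-", notPrivileged)
+containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-notPrivileged-test-", notPrivileged, framework.DefaultContainerImage, []string{"top"})
 
 By("start container")
 startContainer(rc, containerID)
@@ -451,6 +451,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
 checkNetworkManagement(rc, containerID, notPrivileged)
 })
 
+It("selinux mount label should persist when container is privileged", func() {
+By("create pod")
+privileged := true
+podID, podConfig = createPrivilegedPodSandbox(rc, privileged)
+
+By("create container for security context Privileged is true")
+containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-mount-and-process-label-test-", privileged, "fedora:latest", []string{"sleep", "1000"})
+
+By("start container")
+startContainer(rc, containerID)
+Eventually(func() runtimeapi.ContainerState {
+return getContainerStatus(rc, containerID).State
+}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
+
+By("check the Privileged container")
+checkMountAndProcessLabels(rc, containerID, privileged)
+})
+
 It("runtime should support setting Capability", func() {
 By("create pod")
 podID, podConfig = framework.CreatePodSandboxForContainer(rc)
@@ -891,13 +909,13 @@ func createPrivilegedPodSandbox(rc internalapi.RuntimeService, privileged bool)
 }
 
 // createPrivilegedContainer creates container with specified Privileged in ContainerConfig.
-func createPrivilegedContainer(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, podID string, podConfig *runtimeapi.PodSandboxConfig, prefix string, privileged bool) string {
+func createPrivilegedContainer(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, podID string, podConfig *runtimeapi.PodSandboxConfig, prefix string, privileged bool, image string, cmd []string) string {
 By("create Privileged container")
 containerName := prefix + framework.NewUUID()
 containerConfig := &runtimeapi.ContainerConfig{
 Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
-Image: &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
-Command: []string{"top"},
+Image: &runtimeapi.ImageSpec{Image: image},
+Command: cmd,
 Linux: &runtimeapi.LinuxContainerConfig{
 SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
 Privileged: privileged,
@@ -1133,3 +1151,24 @@ func checkSetHostname(rc internalapi.RuntimeService, containerID string, setable
 Expect(err).To(HaveOccurred(), msg)
 }
 }
+
+func checkMountAndProcessLabels(rc internalapi.RuntimeService, containerID string, privileged bool) {
+// Check that the mount label is set for privileged containers
+cmd := []string{"ls", "-lZ", "bin"}
+stdout, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+msg := fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+Expect(err).NotTo(HaveOccurred(), msg)
+Expect(string(stdout)).To(ContainSubstring("object_r:container_file_t"))
+
+// Check that the correct process label is set for privileged and unprivileged containers
+cmd = []string{"cat", "/proc/self/attr/current"}
+stdout, stderr, err = rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+msg = fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+Expect(err).NotTo(HaveOccurred(), msg)
+
+if privileged {
+Expect(string(stdout)).To(ContainSubstring("system_r:spc_t"))
+} else {
+Expect(string(stdout)).To(Not(ContainSubstring("system_r:spc_t")))
+}
+}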
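Review bot: In checkMountAndProcessLabels the mount-label assertion on `ls -lZ bin` ignores the `privileged` argument even though the comment above it says the check is for privileged containers, so the helper's contract and its code disagree; either gate it, `if privileged { Expect(string(stdout)).To(ContainSubstring("object_r:container_file_t")) }`, or reword the comment to `// The mount label must be present regardless of privilege; only the process label differs below`. Both ExecSync checks presuppose an SELinux-enabled host where `ls -Z` and `/proc/self/attr/current` yield a label; on a host without SELinux the test fails rather than skips, which for a conformance suite is worth an explicit guard or at least a sentence in the It description saying the case is SELinux-only. The `privileged == false` branch is dead in this commit (the only caller passes true), so the "not spc_t" expectation is untested until an unprivileged caller is added. Separately, the doc comment in the createPrivilegedContainer hunk still reads `// createPrivilegedContainer creates container with specified Privileged in ContainerConfig.` and should name the new parameters, e.g. `// createPrivilegedContainer creates a container running cmd from image with the given Privileged setting in ContainerConfig.`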
