mirror of
https://github.com/containers/podman-compose.git
synced 2025-05-01 21:04:49 +02:00
Merge pull request #1138 from mokibit/automate-seccomp-test
tests/integration: Automate manual `seccomp` test
commit
593d7c825e
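--- /dev/null
+++ b/tests/integration/seccomp/default.json
@@ -0,0 +1,10 @@
+{
+"defaultAction": "SCMP_ACT_ALLOW",
+"syscalls": [
+{
+"name": "mkdir",
+"action": "SCMP_ACT_ERRNO",
+"args": []
+}
+]
+}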
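Review bot: The profile denies only `mkdir`, so the outcome depends on which syscall the container's libc issues when it creates a directory. Where it uses `mkdirat` instead, the call falls through to `SCMP_ACT_ALLOW` and the expected `Operation not permitted` never appears. A second entry, `{"name": "mkdirat", "action": "SCMP_ACT_ERRNO", "args": []}`, would make the fixture independent of that; which syscall busybox uses on the CI hosts is not visible on this page, so this needs confirming. Strict JSON has no comments, so the test file should state that this allow-by-default profile is a test fixture, since the name `default.json` could be read as a hardening baseline.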
@ -2,11 +2,8 @@ version: "3"
|
|||||||
services:
|
services:
|
||||||
web1:
|
web1:
|
||||||
image: busybox
|
image: busybox
|
||||||
command: httpd -f -p 80 -h /var/www/html
|
command: sh -c "mkdir /tmp_test"
|
||||||
volumes:
|
|
||||||
- ./docker-compose.yml:/var/www/html/index.html
|
|
||||||
ports:
|
|
||||||
- "8080:80"
|
|
||||||
security_opt:
|
security_opt:
|
||||||
- seccomp:unconfined
|
# Currently only absolute path works, like this:
|
||||||
|
# - seccomp:/.../tests/integration/seccomp/default.json
|
||||||
|
- seccomp:./default.json
|
||||||
|
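Review bot: The entry `- seccomp:./default.json` does not say what the relative path is resolved against, and the comment above it states that only an absolute path currently works. Once relative paths are supported, they should resolve against the compose file's directory and not the caller's working directory, so that the same compose file cannot load a different profile depending on where the command is run. The comment could record that: `# Relative paths must resolve against this file's directory; currently only an absolute path works.` The hunk also removes `- seccomp:unconfined` from this fixture, so unless another test covers that value (not visible here), its pass-through is no longer exercised.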
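--- /dev/null
+++ b/tests/integration/seccomp/test_podman_compose_seccomp.py
@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: GPL-2.0
+
+import os
+import unittest
+
+from tests.integration.test_utils import RunSubprocessMixin
+from tests.integration.test_utils import podman_compose_path
+from tests.integration.test_utils import test_path
+
+
+def compose_yaml_path():
+return os.path.join(os.path.join(test_path(), "seccomp"), "docker-compose.yml")
+
+
+class TestComposeSeccomp(unittest.TestCase, RunSubprocessMixin):
+@unittest.skip(
+"Skip till security_opt seccomp from 'docker-compose.yml' will be able to accept a "
+"relative path of 'default.json' file. Now test works as expected but only with the "
+"absolute path."
+)
+# test if seccomp uses custom seccomp profile file 'default.json' where command mkdir is not
+# allowed
+def test_seccomp(self):
+try:
+output, _, return_code = self.run_subprocess(
+[podman_compose_path(), "-f", compose_yaml_path(), "run", "--rm", "web1"],
+)
+self.assertEqual(return_code, 1)
+self.assertIn(
+b"mkdir: can't create directory '/tmp_test': Operation not permitted", output
+)
+finally:
+self.run_subprocess_assert_returncode([
+podman_compose_path(),
+"-f",
+compose_yaml_path(),
+"down",
+"-t",
+"0",
+])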
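Review bot: `test_seccomp` carries an unconditional `@unittest.skip`, so the only check that the custom profile is actually enforced never runs, and a regression where the profile is silently dropped would go unnoticed. Until relative paths are handled, the test could write a temporary compose file containing the absolute path of `default.json` so that it runs today. If it stays skipped, the reason should point at the tracking issue, for example `"relative seccomp profile path is not resolved yet (see <tracking-issue>)"`. The comment between the decorator and the `def` is better placed as a docstring inside the method, `"""A profile that denies mkdir must make 'mkdir /tmp_test' fail with EPERM."""`. The nested join in `compose_yaml_path` can be written as `os.path.join(test_path(), "seccomp", "docker-compose.yml")`.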