2016-11-23 09:41:48 +00:00
|
|
|
#!/usr/bin/env bats
|
|
|
|
|
|
|
|
load helpers
|
|
|
|
|
|
|
|
function teardown() {
|
|
|
|
cleanup_test
|
|
|
|
}
|
|
|
|
|
|
|
|
# 1. test running with ctr unconfined
|
|
|
|
# test that we can run with a syscall which would be otherwise blocked
|
|
|
|
@test "ctr seccomp profiles unconfined" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
2017-05-18 15:47:43 +00:00
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp1-1-testname-0": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
|
|
|
|
run crioctl pod run --name seccomp1 --config "$TESTDIR"/seccomp1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --name testname --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
ctr_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr start --id "$ctr_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# 2. test running with ctr runtime/default
|
|
|
|
# test that we cannot run with a syscall blocked by the default seccomp profile
|
|
|
|
@test "ctr seccomp profiles runtime/default" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp2-1-testname2-0": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
|
|
|
|
run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --name testname2 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
ctr_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr start --id "$ctr_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
2017-04-10 20:59:03 +00:00
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
[[ "$output" =~ "Exit code: 1" ]]
|
2016-11-23 09:41:48 +00:00
|
|
|
[[ "$output" =~ "Operation not permitted" ]]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# 3. test running with ctr wrong profile name
|
|
|
|
@test "ctr seccomp profiles wrong profile name" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp3-1-testname3-1": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
|
|
|
|
run crioctl pod run --name seccomp3 --config "$TESTDIR"/seccomp3.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --name testname3 --config "$TESTDATA"/container_config.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -ne 0 ]
|
|
|
|
[[ "$output" =~ "unknown seccomp profile option:" ]]
|
|
|
|
[[ "$output" =~ "notgood" ]]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# TODO(runcom): need https://issues.k8s.io/36997
|
|
|
|
# 4. test running with ctr localhost/profile_name
|
|
|
|
@test "ctr seccomp profiles localhost/profile_name" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
#sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
#sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
#sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
#start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
|
|
|
skip "need https://issues.k8s.io/36997"
|
|
|
|
}
|
|
|
|
|
|
|
|
# 5. test running with unkwown ctr profile falls back to pod profile
|
|
|
|
# unknown ctr -> unconfined
|
|
|
|
# pod -> runtime/default
|
|
|
|
# result: fail chmod
|
|
|
|
@test "ctr seccomp profiles falls back to pod profile" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp2-1-testname2-0-not-exists": "unconfined", "security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp5.json
|
|
|
|
run crioctl pod run --name seccomp5 --config "$TESTDIR"/seccomp5.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
ctr_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr start --id "$ctr_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
2017-04-10 20:59:03 +00:00
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
[[ "$output" =~ "Exit code: 1" ]]
|
2016-11-23 09:41:48 +00:00
|
|
|
[[ "$output" =~ "Operation not permitted" ]]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# 6. test running with unkwown ctr profile and no pod, falls back to unconfined
|
|
|
|
# unknown ctr -> runtime/default
|
|
|
|
# pod -> NO
|
|
|
|
# result: success, running unconfined
|
|
|
|
@test "ctr seccomp profiles falls back to unconfined" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/redhat\.test\.crio-seccomp6-1-testname6-0-not-exists": "runtime-default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp6.json
|
|
|
|
run crioctl pod run --name seccomp6 --config "$TESTDIR"/seccomp6.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --name testname6 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
ctr_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr start --id "$ctr_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# 1. test running with pod unconfined
|
|
|
|
# test that we can run with a syscall which would be otherwise blocked
|
|
|
|
@test "pod seccomp profiles unconfined" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "unconfined"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp1.json
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl pod run --name seccomp1 --config "$TESTDIR"/seccomp1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
ctr_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr start --id "$ctr_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# 2. test running with pod runtime/default
|
|
|
|
# test that we cannot run with a syscall blocked by the default seccomp profile
|
|
|
|
@test "pod seccomp profiles runtime/default" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "runtime\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
ctr_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr start --id "$ctr_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr execsync --id "$ctr_id" chmod 777 .
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
2017-04-10 20:59:03 +00:00
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
[[ "$output" =~ "Exit code: 1" ]]
|
2016-11-23 09:41:48 +00:00
|
|
|
[[ "$output" =~ "Operation not permitted" ]]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# 3. test running with pod wrong profile name
|
|
|
|
@test "pod seccomp profiles wrong profile name" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
|
|
|
# 3. test running with pod wrong profile name
|
|
|
|
sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/pod": "notgood"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp3.json
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl pod run --name seccomp3 --config "$TESTDIR"/seccomp3.json
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -eq 0 ]
|
|
|
|
pod_id="$output"
|
2017-05-12 13:36:15 +00:00
|
|
|
run crioctl ctr create --config "$TESTDATA"/container_config.json --pod "$pod_id"
|
2016-11-23 09:41:48 +00:00
|
|
|
echo "$output"
|
|
|
|
[ "$status" -ne 0 ]
|
|
|
|
[[ "$output" =~ "unknown seccomp profile option:" ]]
|
|
|
|
[[ "$output" =~ "notgood" ]]
|
|
|
|
|
|
|
|
cleanup_ctrs
|
|
|
|
cleanup_pods
|
2017-05-12 13:36:15 +00:00
|
|
|
stop_crio
|
2016-11-23 09:41:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# TODO(runcom): need https://issues.k8s.io/36997
|
|
|
|
# 4. test running with pod localhost/profile_name
|
|
|
|
@test "pod seccomp profiles localhost/profile_name" {
|
2016-12-02 07:13:41 +00:00
|
|
|
# this test requires seccomp, so skip this test if seccomp is not enabled.
|
2016-12-07 11:32:50 +00:00
|
|
|
enabled=$(is_seccomp_enabled)
|
|
|
|
if [[ "$enabled" -eq 0 ]]; then
|
2016-12-02 07:13:41 +00:00
|
|
|
skip "skip this test since seccomp is not enabled."
|
|
|
|
fi
|
|
|
|
|
2017-05-15 22:05:58 +00:00
|
|
|
#sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
#sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
|
|
|
|
#sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
|
2016-12-02 07:13:41 +00:00
|
|
|
|
2017-05-12 13:36:15 +00:00
|
|
|
#start_crio "$TESTDIR"/seccomp_profile1.json
|
2016-11-23 09:41:48 +00:00
|
|
|
|
|
|
|
skip "need https://issues.k8s.io/36997"
|
|
|
|
}
|