From 31e2acc7eca444677c9170e4c661d42c227ae80b Mon Sep 17 00:00:00 2001
From: Denis Pynkin <denis.pynkin@collabora.com>
Date: Tue, 5 Mar 2019 13:41:15 +0300
Subject: [PATCH] Add cases for Tiny container seccomp testing

Test that the custom seccomp profile is applied and works for Tiny containers.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
---
test-cases/tiny-container-system-seccomp.yaml | 33 +++++++++++++++
test-cases/tiny-container-user-seccomp.yaml | 40 +++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 test-cases/tiny-container-system-seccomp.yaml
create mode 100644 test-cases/tiny-container-user-seccomp.yaml

diff --git a/test-cases/tiny-container-system-seccomp.yaml b/test-cases/tiny-container-system-seccomp.yaml
new file mode 100644
index 0000000..e28a459
--- /dev/null
+++ b/test-cases/tiny-container-system-seccomp.yaml
@@ -0,0 +1,33 @@
+metadata:
+ name: tiny-container-system-seccomp
+ format: "Apertis Test Definition 1.0"
+ image-types:
+ tiny-lxc: [ armhf-internal, arm64, amd64 ]
+ image-deployment:
+ - APT
+ type: functional
+ exec-type: automated
+ priority: medium
+ maintainer: "Apertis Project"
+ description: "Test that the custom seccomp profile could be applied for system-wide
+ privileged container"
+
+ expected:
+ - "Test command should report \"pass\"."
+
+install:
+ git-repos:
+ - url: https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git
+ branch: apertis/v2019dev0
+
+run:
+ steps:
+ - "# Enter test directory:"
+ - cd tiny-image-recipes
+ - "# Setup the AppArmor profile for container:"
+ - sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-system/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr
+ - "# Check that the simple seccomp profile for the container is loaded and works"
+ - lavatests/test-seccomp-policy -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-userns" -p "--seccomp $PWD/lavatests/test-minimal-policy.seccomp"
+
+parse:
+ pattern: "(?P<test_case_id>.*-*):\\s+(?P<result>(pass|fail))"
diff --git a/test-cases/tiny-container-user-seccomp.yaml b/test-cases/tiny-container-user-seccomp.yaml
new file mode 100644
index 0000000..158c87a
--- /dev/null
+++ b/test-cases/tiny-container-user-seccomp.yaml
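Review bot: The AppArmor namespace differs between the two run steps of tiny-container-system-seccomp.yaml: the `sed` step loads the profile as `lxc-apertis-tiny-system`, but the `lavatests/test-seccomp-policy` step passes `--aa-namespace "lxc-apertis-tiny-userns"`. The script's source is not part of this patch, but if it uses that option to select the profile the container runs under, the privileged case either fails on a missing profile or passes only when the userns profile was left loaded by another test. In both cases the system-wide container's confinement is not what the test exercises. The last step should probably pass `--aa-namespace "lxc-apertis-tiny-system"`, matching the profile the `sed` step just loaded.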
@@ -0,0 +1,40 @@
+metadata:
+ name: tiny-container-user-seccomp
+ format: "Apertis Test Definition 1.0"
+ image-types:
+ tiny-lxc: [ armhf-internal, arm64, amd64 ]
+ image-deployment:
+ - APT
+ type: functional
+ exec-type: automated
+ priority: medium
+ maintainer: "Apertis Project"
+ description: "Test that the custom seccomp profile could be applied for
+ unprivileged container started as user"
+
+ expected:
+ - "Test command should report \"pass\"."
+
+install:
+ git-repos:
+ - url: https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git
+ branch: apertis/v2019dev0
+
+run:
+ steps:
+ - "# Enter test directory:"
+ - cd tiny-image-recipes
+ - "# Ensure we allow user mapping:"
+ - sysctl -w kernel.unprivileged_userns_clone=1
+ - "# Setup the AppArmor profile for container:"
+ - sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-userns/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr
+ - "# Make sure user have correct mappings for test:"
+ - usermod --add-subuids 1000-1000 user
+ - usermod --add-subuids 100000-165535 user
+ - usermod --add-subgids 1000-1000 user
+ - usermod --add-subgids 100000-165535 user
+ - "# Check that the simple seccomp profile for the container is loaded and works"
+ - sudo -u user -H lavatests/test-seccomp-policy -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-userns" -p "--seccomp $PWD/lavatests/test-minimal-policy.seccomp"
+
+parse:
+ pattern: "(?P<test_case_id>.*-*):\\s+(?P<result>(pass|fail))"
-- GitLab
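Review bot: The step `sysctl -w kernel.unprivileged_userns_clone=1` in tiny-container-user-seccomp.yaml is never undone, so unprivileged user namespaces stay enabled on the device for every test case that runs after this one on the same boot. Later results then depend on a kernel setting this test changed, and the image is no longer being tested in its shipped hardening state. The `usermod --add-subuids` / `--add-subgids` edits persist in the same way. If the steps run in a single shell (not visible from this patch), record the value first with `USERNS_PREV=$(sysctl -n kernel.unprivileged_userns_clone)` and add a final step `sysctl -w kernel.unprivileged_userns_clone="$USERNS_PREV"`. Otherwise, extend the `"# Ensure we allow user mapping:"` comment to say the setting persists until reboot.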