Add new test to critest for privileged container

Test ensures that when a privileged container is run, the mount label persists and is in the right format. Also checks the process label. Signed-off-by: Urvashi Mohnani <[email protected]>
kubernetes-sigs · Sep 12, 2018 · 88ad593 · 88ad593
1 parent 31e2aec
commit 88ad593
Showing 1 changed file with 44 additions and 5 deletions.
diff --git a/pkg/validate/security_context.go b/pkg/validate/security_context.go
@@ -421,7 +421,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 			podID, podConfig = createPrivilegedPodSandbox(rc, isPrivileged)
 
 			By("create container for security context Privileged is true")
-			containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-test-", isPrivileged)
+			containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-test-", isPrivileged, framework.DefaultContainerImage, []string{"top"})
 
 			By("start container")
 			startContainer(rc, containerID)
@@ -439,7 +439,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 			podID, podConfig = createPrivilegedPodSandbox(rc, notPrivileged)
 
 			By("create container for security context Privileged is true")
-			containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-notPrivileged-test-", notPrivileged)
+			containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-notPrivileged-test-", notPrivileged, framework.DefaultContainerImage, []string{"top"})
 
 			By("start container")
 			startContainer(rc, containerID)
@@ -451,6 +451,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
 			checkNetworkManagement(rc, containerID, notPrivileged)
 		})
 
+		It("selinux mount label should persist when container is privileged", func() {
+			By("create pod")
+			privileged := true
+			podID, podConfig = createPrivilegedPodSandbox(rc, privileged)
+
+			By("create container for security context Privileged is true")
+			containerID := createPrivilegedContainer(rc, ic, podID, podConfig, "container-with-isPrivileged-mount-and-process-label-test-", privileged, "fedora:latest", []string{"sleep", "1000"})
+
+			By("start container")
+			startContainer(rc, containerID)
+			Eventually(func() runtimeapi.ContainerState {
+				return getContainerStatus(rc, containerID).State
+			}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
+
+			By("check the Privileged container")
+			checkMountAndProcessLabels(rc, containerID, privileged)
+		})
+
 		It("runtime should support setting Capability", func() {
 			By("create pod")
 			podID, podConfig = framework.CreatePodSandboxForContainer(rc)
@@ -891,13 +909,13 @@ func createPrivilegedPodSandbox(rc internalapi.RuntimeService, privileged bool)
 }
 
 // createPrivilegedContainer creates container with specified Privileged in ContainerConfig.
-func createPrivilegedContainer(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, podID string, podConfig *runtimeapi.PodSandboxConfig, prefix string, privileged bool) string {
+func createPrivilegedContainer(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, podID string, podConfig *runtimeapi.PodSandboxConfig, prefix string, privileged bool, image string, cmd []string) string {
 	By("create Privileged container")
 	containerName := prefix + framework.NewUUID()
 	containerConfig := &runtimeapi.ContainerConfig{
 		Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
-		Image:    &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage},
-		Command:  []string{"top"},
+		Image:    &runtimeapi.ImageSpec{Image: image},
+		Command:  cmd,
 		Linux: &runtimeapi.LinuxContainerConfig{
 			SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
 				Privileged: privileged,
@@ -1133,3 +1151,24 @@ func checkSetHostname(rc internalapi.RuntimeService, containerID string, setable
 		Expect(err).To(HaveOccurred(), msg)
 	}
 }
+
+func checkMountAndProcessLabels(rc internalapi.RuntimeService, containerID string, privileged bool) {
+	// Check that the mount label is set for privileged containers
+	cmd := []string{"ls", "-lZ", "bin"}
+	stdout, stderr, err := rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+	msg := fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+	Expect(err).NotTo(HaveOccurred(), msg)
+	Expect(string(stdout)).To(ContainSubstring("object_r:container_file_t"))
+
+	// Check that the correct process label is set for privileged and unprivileged containers
+	cmd = []string{"cat", "/proc/self/attr/current"}
+	stdout, stderr, err = rc.ExecSync(containerID, cmd, time.Duration(defaultExecSyncTimeout)*time.Second)
+	msg = fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+	Expect(err).NotTo(HaveOccurred(), msg)
+
+	if privileged {
+		Expect(string(stdout)).To(ContainSubstring("system_r:spc_t"))
+	} else {
+		Expect(string(stdout)).To(Not(ContainSubstring("system_r:spc_t")))
+	}
+}