1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
// Copyright (c) Contributors to the Apptainer project, established as
// Apptainer a Series of LF Projects LLC.
// For website terms of use, trademark policy, privacy policy and other
// project policies see https://lfprojects.org/policies
// Copyright (c) 2019-2025, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.
package security
import (
"runtime"
"testing"
"github.com/apptainer/apptainer/internal/pkg/security/apparmor"
"github.com/apptainer/apptainer/internal/pkg/security/selinux"
"github.com/apptainer/apptainer/internal/pkg/test"
"github.com/opencontainers/runtime-spec/specs-go"
)
func TestGetParam(t *testing.T) {
paramTests := []struct {
security []string
feature string
result string
}{
{
security: []string{"seccomp:test"},
feature: "seccomp",
result: "test",
},
{
security: []string{"test:test"},
feature: "seccomp",
result: "",
},
{
security: []string{"seccomp:test", "uid:1000"},
feature: "uid",
result: "1000",
},
}
for _, p := range paramTests {
r := GetParam(p.security, p.feature)
if p.result != r {
t.Errorf("unexpected result for param %v, returned %s instead of %s", p.security, r, p.result)
}
}
}
func TestConfigure(t *testing.T) {
test.EnsurePrivilege(t)
specs := []struct {
desc string
spec specs.Spec
expectFailure bool
disabled bool
}{
{
desc: "empty security spec",
spec: specs.Spec{},
},
{
desc: "both SELinux context and apparmor profile",
spec: specs.Spec{
Process: &specs.Process{
SelinuxLabel: "test",
ApparmorProfile: "test",
},
},
expectFailure: true,
},
{
desc: "with bad SELinux context",
spec: specs.Spec{
Process: &specs.Process{
SelinuxLabel: "test",
},
},
expectFailure: true,
disabled: !selinux.Enabled(),
},
{
desc: "with unconfined SELinux context",
spec: specs.Spec{
Process: &specs.Process{
SelinuxLabel: "unconfined_u:unconfined_r:unconfined_t:s0",
},
},
disabled: !selinux.Enabled(),
},
{
desc: "SELinux when not available",
spec: specs.Spec{
Process: &specs.Process{
SelinuxLabel: "unconfined_u:unconfined_r:unconfined_t:s0",
},
},
expectFailure: true,
disabled: selinux.Enabled(),
},
{
desc: "with bad apparmor profile",
spec: specs.Spec{
Process: &specs.Process{
ApparmorProfile: "__test__",
},
},
expectFailure: true,
disabled: !apparmor.Enabled(),
},
{
desc: "with unconfined apparmor profile",
spec: specs.Spec{
Process: &specs.Process{
ApparmorProfile: "unconfined",
},
},
disabled: !apparmor.Enabled(),
},
{
desc: "apparmor when not available",
spec: specs.Spec{
Process: &specs.Process{
ApparmorProfile: "unconfined",
},
},
expectFailure: true,
disabled: apparmor.Enabled(),
},
}
for _, s := range specs {
t.Run(s.desc, func(t *testing.T) {
if s.disabled {
t.Skip("test disabled, security module not enabled on this system")
}
var err error
runtime.LockOSThread()
defer runtime.UnlockOSThread()
err = Configure(&s.spec)
if err != nil && !s.expectFailure {
t.Errorf("unexpected failure %s: %s", s.desc, err)
} else if err == nil && s.expectFailure {
t.Errorf("unexpected success %s", s.desc)
}
})
}
}
|
