
Create basic tests

Add testing JSON files generated by podman and docker. Add expected
output cil policies. Add tests that run udica on testing JSON files and
compare the result with cil policies.

The tests should be run inside the 'tests' directory using unittest:

    # python3 -m unittest

The tests are intended to be run on a Fedora machine as root. Tested on
Fedora 29.
This commit is contained in:
Jan Zarsky 2019-03-11 09:45:12 +01:00 committed by Lukas Vrabec
parent ffbe67245b
commit 742a7b448f
9 changed files with 1777 additions and 0 deletions

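--- a/tests/test_basic.docker.cil
+++ b/tests/test_basic.docker.cil
@@ -0,0 +1,288 @@
+(block my_container
+(blockinherit container)
+(blockinherit restricted_net_container)
+(allow process ftp_port_t ( tcp_socket ( name_bind )))
+(blockinherit home_container)
+(allow process var_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process var_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process var_spool_t ( sock_file ( getattr read write append open )))
+(allow process xdm_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process xdm_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process xdm_spool_t ( sock_file ( getattr read write append open )))
+(allow process mqueue_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mqueue_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mqueue_spool_t ( sock_file ( getattr read write append open )))
+(allow process quota_db_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process quota_db_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process quota_db_t ( sock_file ( getattr read write append open )))
+(allow process user_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process user_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process user_cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process abrt_retrace_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process abrt_retrace_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process abrt_retrace_spool_t ( sock_file ( getattr read write append open )))
+(allow process getty_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process getty_var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process getty_var_run_t ( sock_file ( getattr read write append open )))
+(allow process print_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process print_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process print_spool_t ( sock_file ( getattr read write append open )))
+(allow process smsd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process smsd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process smsd_spool_t ( sock_file ( getattr read write append open )))
+(allow process abrt_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process abrt_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process abrt_var_cache_t ( sock_file ( getattr read write append open )))
+(allow process ctdbd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process ctdbd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process ctdbd_spool_t ( sock_file ( getattr read write append open )))
+(allow process print_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process print_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process print_spool_t ( sock_file ( getattr read write append open )))
+(allow process httpd_sys_rw_content_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process httpd_sys_rw_content_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process httpd_sys_rw_content_t ( sock_file ( getattr read write append open )))
+(allow process mail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mail_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mail_spool_t ( sock_file ( getattr read write append open )))
+(allow process mail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mail_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mail_spool_t ( sock_file ( getattr read write append open )))
+(allow process news_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process news_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process news_spool_t ( sock_file ( getattr read write append open )))
+(allow process rwho_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process rwho_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process rwho_spool_t ( sock_file ( getattr read write append open )))
+(allow process uucpd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process uucpd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process uucpd_spool_t ( sock_file ( getattr read write append open )))
+(allow process exim_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process exim_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process exim_spool_t ( sock_file ( getattr read write append open )))
+(allow process audit_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process audit_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process audit_spool_t ( sock_file ( getattr read write append open )))
+(allow process abrt_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process abrt_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process abrt_var_cache_t ( sock_file ( getattr read write append open )))
+(allow process samba_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process samba_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process samba_spool_t ( sock_file ( getattr read write append open )))
+(allow process mail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mail_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mail_spool_t ( sock_file ( getattr read write append open )))
+(allow process spamd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process spamd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process spamd_spool_t ( sock_file ( getattr read write append open )))
+(allow process squid_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process squid_cache_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process squid_cache_t ( sock_file ( getattr read write append open )))
+(allow process tetex_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process tetex_data_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process tetex_data_t ( sock_file ( getattr read write append open )))
+(allow process getty_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process getty_var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process getty_var_run_t ( sock_file ( getattr read write append open )))
+(allow process bacula_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process bacula_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process bacula_spool_t ( sock_file ( getattr read write append open )))
+(allow process nagios_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process nagios_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process nagios_spool_t ( sock_file ( getattr read write append open )))
+(allow process nagios_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process nagios_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process nagios_spool_t ( sock_file ( getattr read write append open )))
+(allow process snmpd_var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process snmpd_var_lib_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process snmpd_var_lib_t ( sock_file ( getattr read write append open )))
+(allow process spamd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process spamd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process spamd_spool_t ( sock_file ( getattr read write append open )))
+(allow process httpd_sys_rw_content_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process httpd_sys_rw_content_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process httpd_sys_rw_content_t ( sock_file ( getattr read write append open )))
+(allow process quota_db_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process quota_db_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process quota_db_t ( sock_file ( getattr read write append open )))
+(allow process mailman_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mailman_data_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mailman_data_t ( sock_file ( getattr read write append open )))
+(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
+(allow process antivirus_db_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process antivirus_db_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process antivirus_db_t ( sock_file ( getattr read write append open )))
+(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process courier_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process courier_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process courier_spool_t ( sock_file ( getattr read write append open )))
+(allow process dovecot_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process dovecot_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process dovecot_spool_t ( sock_file ( getattr read write append open )))
+(allow process prelude_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process prelude_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process prelude_spool_t ( sock_file ( getattr read write append open )))
+(allow process pyicqt_var_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process pyicqt_var_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process pyicqt_var_spool_t ( sock_file ( getattr read write append open )))
+(allow process var_log_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process var_log_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process var_log_t ( sock_file ( getattr read write append open )))
+(allow process rpm_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process rpm_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process rpm_var_cache_t ( sock_file ( getattr read write append open )))
+(allow process asterisk_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process asterisk_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process asterisk_spool_t ( sock_file ( getattr read write append open )))
+(allow process print_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process print_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process print_spool_t ( sock_file ( getattr read write append open )))
+(allow process dkim_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process dkim_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process dkim_milter_data_t ( sock_file ( getattr read write append open )))
+(allow process plymouthd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process plymouthd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process plymouthd_spool_t ( sock_file ( getattr read write append open )))
+(allow process mqueue_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mqueue_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mqueue_spool_t ( sock_file ( getattr read write append open )))
+(allow process dkim_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process dkim_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process dkim_milter_data_t ( sock_file ( getattr read write append open )))
+(allow process spamd_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process spamd_var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process spamd_var_run_t ( sock_file ( getattr read write append open )))
+(allow process courier_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process courier_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process courier_spool_t ( sock_file ( getattr read write append open )))
+(allow process var_log_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process var_log_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process var_log_t ( sock_file ( getattr read write append open )))
+(allow process callweaver_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process callweaver_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process callweaver_spool_t ( sock_file ( getattr read write append open )))
+(allow process sge_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process sge_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process sge_spool_t ( sock_file ( getattr read write append open )))
+(allow process abrt_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process abrt_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process abrt_var_cache_t ( sock_file ( getattr read write append open )))
+(allow process lpd_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process lpd_var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process lpd_var_run_t ( sock_file ( getattr read write append open )))
+(allow process uucpd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process uucpd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process uucpd_spool_t ( sock_file ( getattr read write append open )))
+(allow process mscan_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process mscan_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process mscan_spool_t ( sock_file ( getattr read write append open )))
+(allow process public_content_rw_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process public_content_rw_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process public_content_rw_t ( sock_file ( getattr read write append open )))
+(allow process etc_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process etc_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process etc_t ( sock_file ( getattr read write append open )))
+(allow process lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process lib_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process lib_t ( sock_file ( getattr read write append open )))
+(allow process lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process lib_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process lib_t ( sock_file ( getattr read write append open )))
+(allow process postfix_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_var_run_t ( sock_file ( getattr read write append open )))
+(allow process abrt_retrace_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process abrt_retrace_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process abrt_retrace_spool_t ( sock_file ( getattr read write append open )))
+(allow process regex_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process regex_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process regex_milter_data_t ( sock_file ( getattr read write append open )))
+(allow process spamd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process spamd_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process spamd_spool_t ( sock_file ( getattr read write append open )))
+(allow process squirrelmail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process squirrelmail_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process squirrelmail_spool_t ( sock_file ( getattr read write append open )))
+(allow process spamd_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process spamd_var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process spamd_var_run_t ( sock_file ( getattr read write append open )))
+(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
+(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
+(allow process lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process lib_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process lib_t ( sock_file ( getattr read write append open )))
+(allow process postfix_spool_bounce_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_spool_bounce_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_spool_bounce_t ( sock_file ( getattr read write append open )))
+(allow process postfix_public_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_public_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_public_t ( sock_file ( getattr read write append open )))
+(allow process abrt_retrace_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process abrt_retrace_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process abrt_retrace_spool_t ( sock_file ( getattr read write append open )))
+(allow process ld_so_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process ld_so_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process ld_so_t ( sock_file ( getattr read write append open )))
+(allow process postfix_private_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_private_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_private_t ( sock_file ( getattr read write append open )))
+(allow process spamass_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process spamass_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process spamass_milter_data_t ( sock_file ( getattr read write append open )))
+(allow process prelude_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process prelude_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process prelude_spool_t ( sock_file ( getattr read write append open )))
+(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
+(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
+(allow process postgrey_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process postgrey_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process postgrey_spool_t ( sock_file ( getattr read write append open )))
+(allow process zoneminder_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process zoneminder_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process zoneminder_spool_t ( sock_file ( getattr read write append open )))
+(allow process user_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process user_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process user_cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process device_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process device_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process device_t ( sock_file ( getattr read write append open )))
+(allow process var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process var_run_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process var_run_t ( sock_file ( getattr read write append open )))
+(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process devlog_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process devlog_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process devlog_t ( sock_file ( getattr read write append open )))
+(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
+(allow process locale_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process locale_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process locale_t ( sock_file ( getattr read write append open )))
+(allow process var_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
+(allow process var_spool_t ( file ( getattr read write append ioctl lock map open create )))
+(allow process var_spool_t ( sock_file ( getattr read write append open )))
+)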
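Review bot: The expected policy pins write rules on system-wide types — the `etc_t`, `lib_t`, `ld_so_t`, `device_t`, `var_run_t` and `var_log_t` allow rules in the lower half of the block — for a container whose only read-write bind mount is `/var/spool`; SELinux types are not path-scoped, so those rules cover every file of that type on the host, and freezing them in a fixture makes the over-broad output the tested-for behaviour rather than a known limitation. Presumably these types are pulled in by file-context entries below /var/spool (the neighbouring postfix_* types suggest a chroot layout) — that should be confirmed against udica's path-to-type lookup, which is outside this view. The block also repeats identical rule triples (print_spool_t three times, mail_spool_t, lib_t, nagios_spool_t, system_cron_spool_t and postfix_spool_t several times), so any deduplication in the generator will fail this comparison. Because the fixture has to match udica's output byte for byte, the explanation belongs in the test that loads it, not here, e.g. `# fixture is udica's verbatim output: duplicate rules and broad types (etc_t, lib_t, ld_so_t, device_t) come from /var/spool file contexts; a generator change must regenerate it`.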


@ -0,0 +1,215 @@
[
{
"Id": "28ed0f82f8bca461d0c0e029067042178b3973d461584c76acfad5b877bd3b07",
"Created": "2019-03-06T12:48:02.419991511Z",
"Path": "bash",
"Args": [],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 17574,
"ExitCode": 0,
"Error": "",
"StartedAt": "2019-03-06T12:48:02.984662576Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:d7372e6c93c6c7b925600981b655c94829515a37cf876ff9e6d0287ff2b739d9",
"ResolvConfPath": "/var/lib/docker/containers/28ed0f82f8bca461d0c0e029067042178b3973d461584c76acfad5b877bd3b07/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/28ed0f82f8bca461d0c0e029067042178b3973d461584c76acfad5b877bd3b07/hostname",
"HostsPath": "/var/lib/docker/containers/28ed0f82f8bca461d0c0e029067042178b3973d461584c76acfad5b877bd3b07/hosts",
"LogPath": "",
"Name": "/compassionate_mcclintock",
"RestartCount": 0,
"Driver": "overlay2",
"MountLabel": "system_u:object_r:container_file_t:s0:c648,c780",
"ProcessLabel": "system_u:system_r:container_t:s0:c648,c780",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"/home:/home:ro",
"/var/spool:/var/spool:rw"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "journald",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {
"21/tcp": [
{
"HostIp": "",
"HostPort": "21"
}
]
},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "oci",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Name": "overlay2",
"Data": {
"LowerDir": "/var/lib/docker/overlay2/53cfa4316fa3f0daff8a2b5bf7d30a1a01f33163b9b1eddfb135188a0590114b-init/diff:/var/lib/docker/overlay2/03335b384d160af8a2d33330b4ea1440f87cbfab559a3ffd3102c031e14f3e20/diff",
"MergedDir": "/var/lib/docker/overlay2/53cfa4316fa3f0daff8a2b5bf7d30a1a01f33163b9b1eddfb135188a0590114b/merged",
"UpperDir": "/var/lib/docker/overlay2/53cfa4316fa3f0daff8a2b5bf7d30a1a01f33163b9b1eddfb135188a0590114b/diff",
"WorkDir": "/var/lib/docker/overlay2/53cfa4316fa3f0daff8a2b5bf7d30a1a01f33163b9b1eddfb135188a0590114b/work"
}
},
"Mounts": [
{
"Type": "bind",
"Source": "/home",
"Destination": "/home",
"Mode": "ro",
"RW": false,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/var/spool",
"Destination": "/var/spool",
"Mode": "rw",
"RW": true,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "28ed0f82f8bc",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"21/tcp": {}
},
"Tty": true,
"OpenStdin": true,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"DISTTAG=f29container",
"FGC=f29",
"FBR=f29"
],
"Cmd": [
"bash"
],
"Image": "fedora",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"maintainer": "Clement Verna <cverna@fedoraproject.org>"
}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "b880939c9e288f0105990445c79626778951846e27aa14a566ad8bebb84501dd",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"21/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "21"
}
]
},
"SandboxKey": "/var/run/docker/netns/b880939c9e28",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "ab0f0ff865e69b01afc1734c53df4a5f14a6b64ed2bb5499539d0f8a3e067f69",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "565ce26d5e6f78b68b4c149109ab422575f2c2842ea5f5ed46977f08fcb75b91",
"EndpointID": "ab0f0ff865e69b01afc1734c53df4a5f14a6b64ed2bb5499539d0f8a3e067f69",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02"
}
}
}
}
]

290
tests/test_basic.podman.cil Normal file

@ -0,0 +1,290 @@
(block my_container
(blockinherit container)
(blockinherit restricted_net_container)
(allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write )))
(allow process ftp_port_t ( tcp_socket ( name_bind )))
(blockinherit home_container)
(allow process var_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_spool_t ( sock_file ( getattr read write append open )))
(allow process xdm_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process xdm_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process xdm_spool_t ( sock_file ( getattr read write append open )))
(allow process mqueue_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mqueue_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mqueue_spool_t ( sock_file ( getattr read write append open )))
(allow process quota_db_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process quota_db_t ( file ( getattr read write append ioctl lock map open create )))
(allow process quota_db_t ( sock_file ( getattr read write append open )))
(allow process user_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process user_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process user_cron_spool_t ( sock_file ( getattr read write append open )))
(allow process abrt_retrace_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process abrt_retrace_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process abrt_retrace_spool_t ( sock_file ( getattr read write append open )))
(allow process getty_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process getty_var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process getty_var_run_t ( sock_file ( getattr read write append open )))
(allow process print_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process print_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process print_spool_t ( sock_file ( getattr read write append open )))
(allow process smsd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process smsd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process smsd_spool_t ( sock_file ( getattr read write append open )))
(allow process abrt_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process abrt_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
(allow process abrt_var_cache_t ( sock_file ( getattr read write append open )))
(allow process ctdbd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process ctdbd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process ctdbd_spool_t ( sock_file ( getattr read write append open )))
(allow process print_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process print_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process print_spool_t ( sock_file ( getattr read write append open )))
(allow process httpd_sys_rw_content_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process httpd_sys_rw_content_t ( file ( getattr read write append ioctl lock map open create )))
(allow process httpd_sys_rw_content_t ( sock_file ( getattr read write append open )))
(allow process mail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mail_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mail_spool_t ( sock_file ( getattr read write append open )))
(allow process mail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mail_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mail_spool_t ( sock_file ( getattr read write append open )))
(allow process news_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process news_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process news_spool_t ( sock_file ( getattr read write append open )))
(allow process rwho_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process rwho_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process rwho_spool_t ( sock_file ( getattr read write append open )))
(allow process uucpd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process uucpd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process uucpd_spool_t ( sock_file ( getattr read write append open )))
(allow process exim_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process exim_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process exim_spool_t ( sock_file ( getattr read write append open )))
(allow process audit_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process audit_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process audit_spool_t ( sock_file ( getattr read write append open )))
(allow process abrt_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process abrt_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
(allow process abrt_var_cache_t ( sock_file ( getattr read write append open )))
(allow process samba_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process samba_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process samba_spool_t ( sock_file ( getattr read write append open )))
(allow process mail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mail_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mail_spool_t ( sock_file ( getattr read write append open )))
(allow process spamd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process spamd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process spamd_spool_t ( sock_file ( getattr read write append open )))
(allow process squid_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process squid_cache_t ( file ( getattr read write append ioctl lock map open create )))
(allow process squid_cache_t ( sock_file ( getattr read write append open )))
(allow process tetex_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process tetex_data_t ( file ( getattr read write append ioctl lock map open create )))
(allow process tetex_data_t ( sock_file ( getattr read write append open )))
(allow process getty_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process getty_var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process getty_var_run_t ( sock_file ( getattr read write append open )))
(allow process bacula_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process bacula_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process bacula_spool_t ( sock_file ( getattr read write append open )))
(allow process nagios_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process nagios_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process nagios_spool_t ( sock_file ( getattr read write append open )))
(allow process nagios_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process nagios_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process nagios_spool_t ( sock_file ( getattr read write append open )))
(allow process snmpd_var_lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process snmpd_var_lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process snmpd_var_lib_t ( sock_file ( getattr read write append open )))
(allow process spamd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process spamd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process spamd_spool_t ( sock_file ( getattr read write append open )))
(allow process httpd_sys_rw_content_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process httpd_sys_rw_content_t ( file ( getattr read write append ioctl lock map open create )))
(allow process httpd_sys_rw_content_t ( sock_file ( getattr read write append open )))
(allow process quota_db_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process quota_db_t ( file ( getattr read write append ioctl lock map open create )))
(allow process quota_db_t ( sock_file ( getattr read write append open )))
(allow process mailman_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mailman_data_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mailman_data_t ( sock_file ( getattr read write append open )))
(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
(allow process antivirus_db_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process antivirus_db_t ( file ( getattr read write append ioctl lock map open create )))
(allow process antivirus_db_t ( sock_file ( getattr read write append open )))
(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
(allow process courier_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process courier_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process courier_spool_t ( sock_file ( getattr read write append open )))
(allow process dovecot_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process dovecot_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process dovecot_spool_t ( sock_file ( getattr read write append open )))
(allow process prelude_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process prelude_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process prelude_spool_t ( sock_file ( getattr read write append open )))
(allow process pyicqt_var_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process pyicqt_var_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process pyicqt_var_spool_t ( sock_file ( getattr read write append open )))
(allow process var_log_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_log_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_log_t ( sock_file ( getattr read write append open )))
(allow process rpm_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process rpm_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
(allow process rpm_var_cache_t ( sock_file ( getattr read write append open )))
(allow process asterisk_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process asterisk_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process asterisk_spool_t ( sock_file ( getattr read write append open )))
(allow process print_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process print_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process print_spool_t ( sock_file ( getattr read write append open )))
(allow process dkim_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process dkim_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
(allow process dkim_milter_data_t ( sock_file ( getattr read write append open )))
(allow process plymouthd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process plymouthd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process plymouthd_spool_t ( sock_file ( getattr read write append open )))
(allow process mqueue_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mqueue_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mqueue_spool_t ( sock_file ( getattr read write append open )))
(allow process dkim_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process dkim_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
(allow process dkim_milter_data_t ( sock_file ( getattr read write append open )))
(allow process spamd_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process spamd_var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process spamd_var_run_t ( sock_file ( getattr read write append open )))
(allow process courier_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process courier_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process courier_spool_t ( sock_file ( getattr read write append open )))
(allow process var_log_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_log_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_log_t ( sock_file ( getattr read write append open )))
(allow process callweaver_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process callweaver_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process callweaver_spool_t ( sock_file ( getattr read write append open )))
(allow process sge_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process sge_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process sge_spool_t ( sock_file ( getattr read write append open )))
(allow process abrt_var_cache_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process abrt_var_cache_t ( file ( getattr read write append ioctl lock map open create )))
(allow process abrt_var_cache_t ( sock_file ( getattr read write append open )))
(allow process lpd_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process lpd_var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process lpd_var_run_t ( sock_file ( getattr read write append open )))
(allow process uucpd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process uucpd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process uucpd_spool_t ( sock_file ( getattr read write append open )))
(allow process mscan_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process mscan_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process mscan_spool_t ( sock_file ( getattr read write append open )))
(allow process public_content_rw_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process public_content_rw_t ( file ( getattr read write append ioctl lock map open create )))
(allow process public_content_rw_t ( sock_file ( getattr read write append open )))
(allow process etc_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process etc_t ( file ( getattr read write append ioctl lock map open create )))
(allow process etc_t ( sock_file ( getattr read write append open )))
(allow process lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process lib_t ( sock_file ( getattr read write append open )))
(allow process lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process lib_t ( sock_file ( getattr read write append open )))
(allow process postfix_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_var_run_t ( sock_file ( getattr read write append open )))
(allow process abrt_retrace_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process abrt_retrace_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process abrt_retrace_spool_t ( sock_file ( getattr read write append open )))
(allow process regex_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process regex_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
(allow process regex_milter_data_t ( sock_file ( getattr read write append open )))
(allow process spamd_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process spamd_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process spamd_spool_t ( sock_file ( getattr read write append open )))
(allow process squirrelmail_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process squirrelmail_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process squirrelmail_spool_t ( sock_file ( getattr read write append open )))
(allow process spamd_var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process spamd_var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process spamd_var_run_t ( sock_file ( getattr read write append open )))
(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
(allow process lib_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process lib_t ( file ( getattr read write append ioctl lock map open create )))
(allow process lib_t ( sock_file ( getattr read write append open )))
(allow process postfix_spool_bounce_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_spool_bounce_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_spool_bounce_t ( sock_file ( getattr read write append open )))
(allow process postfix_public_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_public_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_public_t ( sock_file ( getattr read write append open )))
(allow process abrt_retrace_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process abrt_retrace_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process abrt_retrace_spool_t ( sock_file ( getattr read write append open )))
(allow process ld_so_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process ld_so_t ( file ( getattr read write append ioctl lock map open create )))
(allow process ld_so_t ( sock_file ( getattr read write append open )))
(allow process postfix_private_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_private_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_private_t ( sock_file ( getattr read write append open )))
(allow process spamass_milter_data_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process spamass_milter_data_t ( file ( getattr read write append ioctl lock map open create )))
(allow process spamass_milter_data_t ( sock_file ( getattr read write append open )))
(allow process prelude_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process prelude_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process prelude_spool_t ( sock_file ( getattr read write append open )))
(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
(allow process postfix_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postfix_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postfix_spool_t ( sock_file ( getattr read write append open )))
(allow process postgrey_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process postgrey_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process postgrey_spool_t ( sock_file ( getattr read write append open )))
(allow process zoneminder_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process zoneminder_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process zoneminder_spool_t ( sock_file ( getattr read write append open )))
(allow process user_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process user_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process user_cron_spool_t ( sock_file ( getattr read write append open )))
(allow process cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process cron_spool_t ( sock_file ( getattr read write append open )))
(allow process device_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process device_t ( file ( getattr read write append ioctl lock map open create )))
(allow process device_t ( sock_file ( getattr read write append open )))
(allow process var_run_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_run_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_run_t ( sock_file ( getattr read write append open )))
(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
(allow process cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process cron_spool_t ( sock_file ( getattr read write append open )))
(allow process devlog_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process devlog_t ( file ( getattr read write append ioctl lock map open create )))
(allow process devlog_t ( sock_file ( getattr read write append open )))
(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
(allow process system_cron_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process system_cron_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process system_cron_spool_t ( sock_file ( getattr read write append open )))
(allow process locale_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process locale_t ( file ( getattr read write append ioctl lock map open create )))
(allow process locale_t ( sock_file ( getattr read write append open )))
(allow process var_spool_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
(allow process var_spool_t ( file ( getattr read write append ioctl lock map open create )))
(allow process var_spool_t ( sock_file ( getattr read write append open )))
)
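Review bot: The expected policy for a single rw bind mount of /var/spool grants write/create on etc_t, lib_t, ld_so_t, device_t, var_run_t, var_log_t and locale_t (the etc_t/lib_t triples near the middle of the file, ld_so_t, device_t and var_run_t near the end); SELinux types are not path-scoped, so once this module is loaded those rules let the container write to any object of those types it can reach, not only the copies that live under /var/spool (presumably the postfix chroot's file-context entries are what pulled them in). Committing this file as the expected output turns that over-grant into tested behaviour, so it should be called out: either have udica exclude generic system types that are not rooted under the mount, or leave a comment next to this fixture in the test module such as `# known over-broad: generic types (etc_t, lib_t, ld_so_t, device_t, var_run_t) leak in via /var/spool/postfix fcontexts` so nobody reads it as a least-privilege baseline. The same fixture also repeats identical rule triples (print_spool_t three times, postfix_spool_t five times, system_cron_spool_t four times, lib_t three times); comparing the sorted, de-duplicated rule set instead of the raw text would make the test robust to file-context ordering and catch that redundancy if udica ever starts collapsing it.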


@ -0,0 +1,367 @@
[
{
"ID": "2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5",
"Created": "2019-03-06T06:42:58.980482153-05:00",
"Path": "bash",
"Args": [
"bash"
],
"State": {
"OciVersion": "1.0.1-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 17574,
"ExitCode": 0,
"Error": "",
"StartedAt": "2019-03-06T06:42:59.548275334-05:00",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "d7372e6c93c6c7b925600981b655c94829515a37cf876ff9e6d0287ff2b739d9",
"ImageName": "docker.io/library/fedora:latest",
"Rootfs": "",
"ResolvConfPath": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/resolv.conf",
"HostnamePath": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/hostname",
"HostsPath": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/hosts",
"StaticDir": "/var/lib/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata",
"LogPath": "/var/lib/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/ctr.log",
"Name": "upbeat_stonebraker",
"RestartCount": 0,
"Driver": "overlay",
"MountLabel": "system_u:object_r:container_file_t:s0:c444,c729",
"ProcessLabel": "system_u:system_r:container_t:s0:c444,c729",
"AppArmorProfile": "",
"EffectiveCaps": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"BoundingCaps": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"ExecIDs": [],
"GraphDriver": {
"Name": "overlay",
"Data": {
"LowerDir": "/var/lib/containers/storage/overlay/97b94d418dac4ec6da11f188c162831ddf674b08c496d1fd9ebaf5d497f94e08/diff",
"MergedDir": "/var/lib/containers/storage/overlay/a728e123baab45644fbd970ac95c5ebe064f4935149f0f1ea964e28de457bd16/merged",
"UpperDir": "/var/lib/containers/storage/overlay/a728e123baab45644fbd970ac95c5ebe064f4935149f0f1ea964e28de457bd16/diff",
"WorkDir": "/var/lib/containers/storage/overlay/a728e123baab45644fbd970ac95c5ebe064f4935149f0f1ea964e28de457bd16/work"
}
},
"Mounts": [
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/home",
"type": "bind",
"source": "/home",
"options": [
"ro",
"rbind",
"rprivate"
]
},
{
"destination": "/proc",
"type": "proc",
"source": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/run/.containerenv",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/.containerenv",
"options": [
"bind",
"private"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/var/spool",
"type": "bind",
"source": "/var/spool",
"options": [
"rw",
"rbind",
"rprivate"
]
},
{
"destination": "/run/secrets",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/run/secrets",
"options": [
"bind",
"private"
]
},
{
"destination": "/etc/resolv.conf",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/resolv.conf",
"options": [
"bind",
"private"
]
},
{
"destination": "/etc/hosts",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/hosts",
"options": [
"bind",
"private"
]
},
{
"destination": "/dev/shm",
"type": "bind",
"source": "overlay-containers",
"options": [
"bind",
"private"
]
},
{
"destination": "/etc/hostname",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5/userdata/hostname",
"options": [
"bind",
"private"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"rprivate",
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"Dependencies": [],
"NetworkSettings": {
"Bridge": "",
"SandboxID": "",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": [
{
"hostPort": 21,
"containerPort": 21,
"protocol": "tcp",
"hostIP": ""
}
],
"SandboxKey": "/var/run/netns/cni-0da27677-107f-73c8-9198-9b7db9318de3",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "10.88.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "10.88.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "a6:04:2c:f4:e3:74"
},
"ExitCommand": [
"/usr/bin/podman",
"--root",
"",
"--runroot",
"",
"--log-level",
"error",
"--cgroup-manager",
"systemd",
"--tmpdir",
"/var/run/libpod",
"container",
"cleanup",
"2bff3f4b191a0a34a1c48fb80eb456143c38cf9330a89683e9c093d2b27cb7a5"
],
"Namespace": "",
"IsInfra": false,
"HostConfig": {
"ContainerIDFile": "",
"LogConfig": null,
"NetworkMode": "bridge",
"PortBindings": null,
"AutoRemove": false,
"CapAdd": [],
"CapDrop": [],
"DNS": [],
"DNSOptions": [],
"DNSSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "host",
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": [],
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 65536000,
"Runtime": "runc",
"ConsoleSize": null,
"CpuShares": null,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": null,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": null,
"CpuQuota": null,
"CpuRealtimePeriod": null,
"CpuRealtimeRuntime": null,
"CpuSetCpus": "",
"CpuSetMems": "",
"Devices": null,
"DiskQuota": 0,
"KernelMemory": null,
"MemoryReservation": null,
"MemorySwap": null,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": null,
"Ulimits": [],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"Tmpfs": []
},
"Config": {
"Hostname": "2bff3f4b191a",
"Domainname": "",
"User": {
"uid": 0,
"gid": 0
},
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": true,
"OpenStdin": true,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm",
"HOSTNAME=2bff3f4b191a",
"container=podman",
"DISTTAG=f29container",
"FGC=f29",
"FBR=f29"
],
"Cmd": [
"bash"
],
"Image": "docker.io/library/fedora:latest",
"Volumes": null,
"WorkingDir": "/",
"Entrypoint": "",
"Labels": {
"maintainer": "Clement Verna <cverna@fedoraproject.org>"
},
"Annotations": {
"io.kubernetes.cri-o.ContainerType": "sandbox",
"io.kubernetes.cri-o.Created": "2019-03-06T06:42:58.980482153-05:00",
"io.kubernetes.cri-o.TTY": "true",
"org.opencontainers.image.stopSignal": "15"
},
"StopSignal": 15
}
}
]


@ -0,0 +1,3 @@
(block my_container
(blockinherit container)
)


@ -0,0 +1,179 @@
[
{
"Id": "f35680f1c518032516e38688654c226d09582bc8e780cf062063f91612ffff17",
"Created": "2019-03-06T13:43:14.838743431Z",
"Path": "/bin/bash",
"Args": [],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 2866,
"ExitCode": 0,
"Error": "",
"StartedAt": "2019-03-06T13:43:15.262353177Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:d7372e6c93c6c7b925600981b655c94829515a37cf876ff9e6d0287ff2b739d9",
"ResolvConfPath": "/var/lib/docker/containers/f35680f1c518032516e38688654c226d09582bc8e780cf062063f91612ffff17/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/f35680f1c518032516e38688654c226d09582bc8e780cf062063f91612ffff17/hostname",
"HostsPath": "/var/lib/docker/containers/f35680f1c518032516e38688654c226d09582bc8e780cf062063f91612ffff17/hosts",
"LogPath": "",
"Name": "/agitated_keller",
"RestartCount": 0,
"Driver": "overlay2",
"MountLabel": "system_u:object_r:container_file_t:s0:c374,c775",
"ProcessLabel": "system_u:system_r:container_t:s0:c374,c775",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": null,
"ContainerIDFile": "",
"LogConfig": {
"Type": "journald",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "oci",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Name": "overlay2",
"Data": {
"LowerDir": "/var/lib/docker/overlay2/0b383cce0b2a34ece910e582fb43b9a0fb737ca63a497315c7918f481c55836e-init/diff:/var/lib/docker/overlay2/e6634b68fb3e2ab903f94af0418aa43834c987b41c5b0c2faec92c98a6c6cbed/diff",
"MergedDir": "/var/lib/docker/overlay2/0b383cce0b2a34ece910e582fb43b9a0fb737ca63a497315c7918f481c55836e/merged",
"UpperDir": "/var/lib/docker/overlay2/0b383cce0b2a34ece910e582fb43b9a0fb737ca63a497315c7918f481c55836e/diff",
"WorkDir": "/var/lib/docker/overlay2/0b383cce0b2a34ece910e582fb43b9a0fb737ca63a497315c7918f481c55836e/work"
}
},
"Mounts": [],
"Config": {
"Hostname": "f35680f1c518",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": true,
"OpenStdin": true,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"DISTTAG=f29container",
"FGC=f29",
"FBR=f29"
],
"Cmd": [
"/bin/bash"
],
"ArgsEscaped": true,
"Image": "fedora",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"maintainer": "Clement Verna <cverna@fedoraproject.org>"
}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "4ea8182a58cfa68b384f26ca50cd6137d9ed9a7832f882244e9e822d1af29095",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "/var/run/docker/netns/4ea8182a58cf",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "7efdef721e4aecde64e4279a20240d7cf33c15d3cb008b6f9e414ab6d77b9c4e",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "7bb2c1062ca330fd53fc336340bc2def615d85bb73f7cae1aba8303286ed8e03",
"EndpointID": "7efdef721e4aecde64e4279a20240d7cf33c15d3cb008b6f9e414ab6d77b9c4e",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02"
}
}
}
}
]


@ -0,0 +1,5 @@
(block my_container
(blockinherit container)
(allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write )))
)


@ -0,0 +1,340 @@
[
{
"ID": "fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182",
"Created": "2019-03-06T08:40:10.064115993-05:00",
"Path": "/bin/bash",
"Args": [
"/bin/bash"
],
"State": {
"OciVersion": "1.0.1-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 2649,
"ExitCode": 0,
"Error": "",
"StartedAt": "2019-03-06T08:40:10.651921161-05:00",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "d7372e6c93c6c7b925600981b655c94829515a37cf876ff9e6d0287ff2b739d9",
"ImageName": "docker.io/library/fedora:latest",
"Rootfs": "",
"ResolvConfPath": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/resolv.conf",
"HostnamePath": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/hostname",
"HostsPath": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/hosts",
"StaticDir": "/var/lib/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata",
"LogPath": "/var/lib/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/ctr.log",
"Name": "heuristic_feynman",
"RestartCount": 0,
"Driver": "overlay",
"MountLabel": "system_u:object_r:container_file_t:s0:c156,c522",
"ProcessLabel": "system_u:system_r:container_t:s0:c156,c522",
"AppArmorProfile": "",
"EffectiveCaps": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"BoundingCaps": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"ExecIDs": [],
"GraphDriver": {
"Name": "overlay",
"Data": {
"LowerDir": "/var/lib/containers/storage/overlay/97b94d418dac4ec6da11f188c162831ddf674b08c496d1fd9ebaf5d497f94e08/diff",
"MergedDir": "/var/lib/containers/storage/overlay/a9ceb308dc45a5340088341d7dade039fa0db57952c2666a93a0fe4098dc8cd6/merged",
"UpperDir": "/var/lib/containers/storage/overlay/a9ceb308dc45a5340088341d7dade039fa0db57952c2666a93a0fe4098dc8cd6/diff",
"WorkDir": "/var/lib/containers/storage/overlay/a9ceb308dc45a5340088341d7dade039fa0db57952c2666a93a0fe4098dc8cd6/work"
}
},
"Mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev/shm",
"type": "bind",
"source": "overlay-containers",
"options": [
"bind",
"private"
]
},
{
"destination": "/etc/hostname",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/hostname",
"options": [
"bind",
"private"
]
},
{
"destination": "/run/.containerenv",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/.containerenv",
"options": [
"bind",
"private"
]
},
{
"destination": "/run/secrets",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/run/secrets",
"options": [
"bind",
"private"
]
},
{
"destination": "/etc/resolv.conf",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/resolv.conf",
"options": [
"bind",
"private"
]
},
{
"destination": "/etc/hosts",
"type": "bind",
"source": "/var/run/containers/storage/overlay-containers/fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182/userdata/hosts",
"options": [
"bind",
"private"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"rprivate",
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"Dependencies": [],
"NetworkSettings": {
"Bridge": "",
"SandboxID": "",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": [],
"SandboxKey": "/var/run/netns/cni-afb97397-a958-89d0-5c3d-5ab08455535f",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "10.88.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "10.88.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "fa:2e:6c:74:8a:7c"
},
"ExitCommand": [
"/usr/bin/podman",
"--root",
"",
"--runroot",
"",
"--log-level",
"error",
"--cgroup-manager",
"systemd",
"--tmpdir",
"/var/run/libpod",
"container",
"cleanup",
"fc8ddf1cd56bd05910406f7ef30f4a7f7adc7927ff530e2245773f64ec0cd182"
],
"Namespace": "",
"IsInfra": false,
"HostConfig": {
"ContainerIDFile": "",
"LogConfig": null,
"NetworkMode": "bridge",
"PortBindings": null,
"AutoRemove": false,
"CapAdd": [],
"CapDrop": [],
"DNS": [],
"DNSOptions": [],
"DNSSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "host",
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": [],
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 65536000,
"Runtime": "runc",
"ConsoleSize": null,
"CpuShares": null,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": null,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": null,
"CpuQuota": null,
"CpuRealtimePeriod": null,
"CpuRealtimeRuntime": null,
"CpuSetCpus": "",
"CpuSetMems": "",
"Devices": null,
"DiskQuota": 0,
"KernelMemory": null,
"MemoryReservation": null,
"MemorySwap": null,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": null,
"Ulimits": [],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"Tmpfs": []
},
"Config": {
"Hostname": "fc8ddf1cd56b",
"Domainname": "",
"User": {
"uid": 0,
"gid": 0
},
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": true,
"OpenStdin": true,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm",
"HOSTNAME=fc8ddf1cd56b",
"container=podman",
"DISTTAG=f29container",
"FGC=f29",
"FBR=f29"
],
"Cmd": [
"/bin/bash"
],
"Image": "docker.io/library/fedora:latest",
"Volumes": null,
"WorkingDir": "/",
"Entrypoint": "",
"Labels": {
"maintainer": "Clement Verna <cverna@fedoraproject.org>"
},
"Annotations": {
"io.kubernetes.cri-o.ContainerType": "sandbox",
"io.kubernetes.cri-o.Created": "2019-03-06T08:40:10.064115993-05:00",
"io.kubernetes.cri-o.TTY": "true",
"org.opencontainers.image.stopSignal": "15"
},
"StopSignal": 15
}
}
]

90
tests/test_main.py Normal file

@ -0,0 +1,90 @@
# Copyright (C) 2019 Jan Zarsky, <jzarsky@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
import os
import sys
import unittest
from unittest.mock import patch
sys.path.insert(0, os.path.abspath('..'))
import udica.__main__
class TestMain(unittest.TestCase):
"""Test basic functionality of udica"""
def test_basic_podman(self):
"""podman run -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 fedora"""
args = ['udica', '-j', 'test_basic.podman.json', 'my_container']
self.helper(args, 'test_basic.podman.cil',
'{base_container.cil,net_container.cil,home_container.cil}')
def test_basic_docker(self):
"""docker run -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 fedora"""
args = ['udica', '-j', 'test_basic.docker.json', 'my_container']
self.helper(args, 'test_basic.docker.cil',
'{base_container.cil,net_container.cil,home_container.cil}')
def test_default_podman(self):
"""podman run fedora"""
args = ['udica', '-j', 'test_default.podman.json', 'my_container']
self.helper(args, 'test_default.podman.cil', 'base_container.cil')
def test_default_docker(self):
"""docker run fedora"""
args = ['udica', '-j', 'test_default.docker.json', 'my_container']
self.helper(args, 'test_default.docker.cil', 'base_container.cil')
def helper(self, args, policy_file=None, templates=None):
"""Run udica with args, check output and used templates.
Arguments:
args -- list of program arguments (the first one is an executable name)
policy_file -- check that output of udica matches this file
templates -- check that these templates are part of udica output, e.g. 'base_container.cil'
or '{base_container.cil,net_container.cil}'
"""
# FIXME: the policy module is using global variable which must be reset to []
udica.policy.templates_to_load = []
# FIXME: the load_policy function is not properly restoring current working directory
self.cwd = os.getcwd()
with patch('sys.argv', args):
with patch('sys.stderr.write') as mock_err, patch('sys.stdout.write') as mock_out:
mock_out.output = ""
def store_output(output):
mock_out.output += output
mock_out.side_effect = store_output
udica.__main__.main()
mock_err.assert_not_called()
self.assertRegex(mock_out.output, 'Policy my_container created')
self.assertRegex(mock_out.output, '--security-opt label=type:my_container.process')
self.assertRegex(mock_out.output, 'semodule -i my_container')
if templates:
self.assertRegex(mock_out.output, udica.policy.TEMPLATES_STORE + '/' + templates)
os.chdir(self.cwd)
self.assertTrue(os.path.isfile('my_container.cil'))
if policy_file:
with open('my_container.cil') as cont:
policy = cont.read().strip()
with open(policy_file) as cont:
exp_policy = cont.read().strip()
self.assertMultiLineEqual(policy, exp_policy)
os.unlink('my_container.cil')
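Review bot: In `helper`, `os.chdir(self.cwd)` and `os.unlink('my_container.cil')` run only on the success path, so when `main()` raises or an earlier assertion fails the test process stays in the changed working directory and a stale `my_container.cil` is left behind, which the next test's `self.assertTrue(os.path.isfile('my_container.cil'))` and the policy comparison would then accept as if freshly generated. Register both as cleanups right after `self.cwd = os.getcwd()`: `self.addCleanup(os.chdir, self.cwd)` and `self.addCleanup(lambda: os.path.exists('my_container.cil') and os.unlink('my_container.cil'))`, and drop the trailing `os.chdir`/`os.unlink` calls. The `templates` check relies on `re` treating `{...}` and `.` leniently; `self.assertRegex(mock_out.output, re.escape(udica.policy.TEMPLATES_STORE + '/' + templates))` states the intent (a literal substring match) explicitly. `udica.policy` is referenced but only `udica.__main__` is imported, which presumably works through a transitive import; an explicit `import udica.policy` would make the dependency visible.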