Skip to content

I
iSulad

openeuler / iSulad

通知 15
Star 0
Fork 0
I
iSulad

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
security_selinux.bash 9.7 KB
Newer Older
W
add selinux testcase  
wujing 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 
#!/bin/bash
#
# attributes: isulad basic container security selinux
# concurrent: NA
# spend time: 15

# Manual Testcase Remarks:
# SELinux is not namespaced, so individual containers cannot have their own separate SELinux policies.
# SELinux will always appear to be “disabled” in a container, though it is running on the host.
# If your application requires SELinux, you cannot use it inside Docker. You will need to use a regular virtual machine.

# Prepare SELinux Environment
# 1. enable selinux on host machine
# 2. set container selinux policy
#  contos/fedora:
#        dnf install container-selinux
#  ubuntu:
#        clone https://github.com/containers/container-selinux.git
#        make install
#        make install-policy
# 3. reference the perpare_selinux_environment function to set selinux context for some dirctory
# 4. restart daemon with --selinux-enabled

#######################################################################
##- @Copyright (C) Huawei Technologies., Ltd. 2020. All rights reserved.
# - iSulad licensed under the Mulan PSL v2.
# - You can use this software according to the terms and conditions of the Mulan PSL v2.
# - You may obtain a copy of Mulan PSL v2 at:
# -     http://license.coscl.org.cn/MulanPSL2
# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# - PURPOSE.
# - See the Mulan PSL v2 for more details.
##- @Description:CI
##- @Author: WuJing
##- @Create: 2020-07-16
#######################################################################

declare -r curr_path=$(dirname $(readlink -f "$0"))
source ../helpers.bash

function perpare_selinux_environment()
{
  chcon -R system_u:object_r:container_home_t:s0 /root/.iSulad
  chcon system_u:object_r:container_runtime_exec_t:s0 /usr/bin/isula
  chcon system_u:object_r:container_runtime_exec_t:s0 /usr/local/bin/isula
  chcon system_u:object_r:container_runtime_exec_t:s0 /usr/local/bin/lxc-*
  chcon system_u:object_r:container_unit_file_t:s0 /usr/lib/systemd/system/isulad.service
  chcon -R system_u:object_r:container_var_lib_t:s0 /var/lib/isulad
  chcon -R system_u:object_r:container_log_t:s0 /var/lib/isulad/engines/*/*/*.log
  chcon -R system_u:object_r:container_ro_file_t:s0 /var/lib/isulad/engines/*/*/hostname
  chcon -R system_u:object_r:container_ro_file_t:s0 /var/lib/isulad/engines/*/*/hosts
  if [[ ! -d /var/lib/isulad/storage/overlay ]]; then
    mkdir -p /var/lib/isulad/storage/overlay
  fi
  chcon -R system_u:object_r:container_ro_file_t:s0 /var/lib/isulad/storage/overlay
  if [[ ! -d /var/lib/isulad/storage/overlay2 ]]; then
    mkdir -p /var/lib/isulad/storage/overlay2
  fi
  chcon -R system_u:object_r:container_ro_file_t:s0 /var/lib/isulad/storage/overlay2
  if [[ ! -d /var/lib/isulad/storage/devicemapper ]]; then
    mkdir -p /var/lib/isulad/storage/devicemapper
  fi
  chcon -R system_u:object_r:container_ro_file_t:s0 /var/lib/isulad/storage/devicemapper
  chcon -R system_u:object_r:container_var_run_t:s0 /var/run/isula
  chcon -R system_u:object_r:container_var_run_t:s0 /var/run/isulad 
  chcon system_u:object_r:container_var_run_t:s0 /var/run/isulad.pid 
  chcon system_u:object_r:container_var_run_t:s0 /var/run/isulad.sock
}

function daemon_enable_selinux()
{
  check_valgrind_log
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - memory leak" && return ${FAILURE}

  start_isulad_with_valgrind --selinux-enabled
}

function daemon_disable_selinux()
{
  check_valgrind_log
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - memory leak" && return ${FAILURE}

  start_isulad_with_valgrind
}

function test_isulad_selinux_file_label()
{
  local ret=0
  local image="centos"
  local test="isulad selinux file label test => (${FUNCNAME[@]})"

  msg_info "${test} starting..."

  isula pull ${image}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}

  isula images | grep ${image}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && return ${FAILURE}

  container=`isula run -itd --security-opt="label=type:container_t" ${image} /bin/bash`
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container with image: ${image}" && ((ret++))

  mount_label=$(isula inspect -f "{{.MountLabel}}" ${container})
  selinux_context_type=$(echo ${mount_label} | awk -F: '{print $3}')

  cat /etc/selinux/targeted/contexts/lxc_contexts | grep file | grep ${selinux_context_type} 
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - invalid selinux context type: ${image}" && ((ret++))

  isula exec -it ${container} ls -l -Z / | grep dev | grep ${mount_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for root" && ((ret++))

  isula exec -it ${container} ls -l -Z /dev | grep console | grep ${mount_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for /dev/console" && ((ret++))

  isula exec -it ${container} ls -l -Z /dev | grep shm | grep ${mount_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for /dev/shm" && ((ret++))

  isula exec -it ${container} ls -l -Z /dev | grep mqueue | grep ${mount_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for /dev/mqueue" && ((ret++))

  isula exec -it ${container} ls -l -Z /etc/hostname | grep ${mount_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for hostname" && ((ret++))

  isula exec -it ${container} ls -l -Z /etc/hosts | grep ${mount_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for hosts" && ((ret++))

  isula exec -it ${container} ls -l -Z /etc/resolv.conf | grep ${mount_label} 
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux mount label for resolv.conf" && ((ret++))

  isula exec -it ${container} ls -l -Z / | grep proc | grep system_u:object_r:proc_t:s0
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - the selinux context type of proc file system should be proc_t" && ((ret++))

  isula exec -it ${container} ls -l -Z / | grep sys | grep system_u:object_r:sysfs_t:s0
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - the selinux context type of sys file system should be sysfs_t" && ((ret++))

  isula rm -f ${container}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove container" && ((ret++))

  msg_info "${test} finished with return ${ret}..."
  return ${ret}
}

function test_isulad_selinux_process_label()
{
  local ret=0
  local image="centos"
  local test="isulad selinux process label test => (${FUNCNAME[@]})"

  msg_info "${test} starting..."

  isula pull ${image}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}

  isula images | grep ${image}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && return ${FAILURE}

  container=`isula run -itd --security-opt="label=type:container_t" ${image} /bin/bash`
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container with image: ${image}" && ((ret++))

  process_label=$(isula inspect -f "{{.ProcessLabel}}" ${container})
  isula exec -it ${container} ps Z | grep /bin/bash | grep ${process_label}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to set selinux process label" && ((ret++))

  isula rm -f ${container}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove container" && ((ret++))

  msg_info "${test} finished with return ${ret}..."
  return ${ret}
}

function test_isulad_selinux_mount_mode()
{
  local ret=0
  local image="centos"
  local test="isulad selinux mount mode test => (${FUNCNAME[@]})"

  msg_info "${test} starting..."

  isula pull ${image}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}

  isula images | grep ${image}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && ((ret++))

  mkdir -p /tmp/isulad_selinux_share
  container=`isula run -itd --security-opt="label=type:container_t" -v /tmp/isulad_selinux_share:/tmp:z ${image} /bin/bash`
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container with image: ${image}" && ((ret++))

  mount_label=$(isula inspect -f "{{.MountLabel}}" ${container})

  tmp_file_context=$(stat -c "%C" /tmp/isulad_selinux_share)
  [[ ${tmp_file_context: -2} != "s0" ]] && msg_err "${FUNCNAME[0]}:${LINENO} - /tmp/isulad_selinux_share should be shared mode" && ((ret++))

  isula rm -f ${container}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove container" && ((ret++))


  container=`isula run -itd --security-opt="label=type:container_t" -v /tmp/isulad_selinux_share:/tmp:Z ${image} /bin/bash`
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container with image: ${image}" && ((ret++))

  mount_label=$(isula inspect -f "{{.MountLabel}}" ${container})

  tmp_file_context=$(stat -c "%C" /tmp/isulad_selinux_share)
  [[ ${tmp_file_context} != ${mount_label} ]] && msg_err "${FUNCNAME[0]}:${LINENO} - /tmp/isulad_selinux_share should be exclude mode" && ((ret++))

  isula rm -f ${container}
  [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove container" && ((ret++))

  rm -rf /tmp/isulad_selinux_share

  msg_info "${test} finished with return ${ret}..."
  return ${ret}
}

declare -i ans=0

daemon_enable_selinux || ((ans++))

perpare_selinux_environment

test_isulad_selinux_file_label || ((ans++))

test_isulad_selinux_process_label || ((ans++))

test_isulad_selinux_mount_mode || ((ans++))

daemon_disable_selinux || ((ans++))

show_result ${ans} "${curr_path}/${0}"