From 6d30b026baed6e1906f96e7b982e7c205be7430d Mon Sep 17 00:00:00 2001 
From: Filipe Brandenburger Date: Wed, 24 Jan 2018 15:17:45 -0800 Subject: [PATCH] Skip NoNewPrivileges test when SELinux is enabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A bug in the SELinux policy prevented NoNewPrivileges from working on Docker with SELinux support enabled. The problem has been fixed upstream: https://github.com/projectatomic/container-selinux/issues/45 But hasn't been backported yet (a fix might come in RHEL 7.5) For now, let's skip the NoNewPrivileges test when SELinux support is enabled in Docker. Tested: - Before this commit, the test fails: $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation" (on a host with SELinux enabled) • [SLOW TEST:22.798 seconds] (passed) [k8s.io] Security Context when creating containers with AllowPrivilegeEscalation should allow privilege escalation when true • Failure [16.539 seconds] [k8s.io] Security Context when creating containers with AllowPrivilegeEscalation should not allow privilege escalation when false [It] wait for pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" to success Expected success, but got an error: <*errors.errorString | 0xc4204e26d0>: { s: "pod \"alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009\" failed with reason: \"\", message: \"\"", } pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" failed with reason: "", message: "" • [SLOW TEST:26.572 seconds] (passed) [k8s.io] Security Context when creating containers with AllowPrivilegeEscalation should allow privilege escalation when not explicitly set and uid != 0 Ran 3 of 257 Specs in 45.364 seconds FAIL! 
-- 2 Passed | 1 Failed | 0 Pending | 254 Skipped Ginkgo ran 1 suite in 49.389123442s Test Suite Failed - After this commit, the test is skipped: $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation" (on a host with SELinux enabled) S [SKIPPING] in Spec Setup (BeforeEach) [12.452 seconds] S [SKIPPING] in Spec Setup (BeforeEach) [16.298 seconds] S [SKIPPING] in Spec Setup (BeforeEach) [18.183 seconds] Ran 0 of 257 Specs in 39.174 seconds SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 257 Skipped Ginkgo ran 1 suite in 43.570630357s Test Suite Passed - No changes when SELinux is disabled: $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation" (on a host with SELinux disabled) • [SLOW TEST:15.013 seconds] [k8s.io] Security Context when creating containers with AllowPrivilegeEscalation should not allow privilege escalation when false • [SLOW TEST:19.155 seconds] [k8s.io] Security Context when creating containers with AllowPrivilegeEscalation should allow privilege escalation when true • [SLOW TEST:21.087 seconds] [k8s.io] Security Context when creating containers with AllowPrivilegeEscalation should allow privilege escalation when not explicitly set and uid != 0 Ran 3 of 259 Specs in 38.560 seconds SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 256 Skipped Ginkgo ran 1 suite in 41.937918928s Test Suite Passed --- test/e2e_node/security_context_test.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go index 7e30d167fc..af67c721df 100644 --- a/test/e2e_node/security_context_test.go +++ b/test/e2e_node/security_context_test.go 
@@ -373,6 +373,18 @@ var _ = framework.KubeDescribe("Security Context", func() {
 if !isSupported {
 framework.Skipf("Skipping because no_new_privs is not supported in this docker")
 }
+ // It turns out SELinux policy in RHEL 7 does not play well with
+ // the "NoNewPrivileges" flag. So let's skip this test when running
+ // with SELinux support enabled.
+ //
+ // TODO(filbranden): Remove this after the fix for
+ // https://github.com/projectatomic/container-selinux/issues/45
+ // has been backported to RHEL 7 (expected on RHEL 7.5)
+ selinuxEnabled, err := isDockerSELinuxSupportEnabled()
+ framework.ExpectNoError(err)
+ if selinuxEnabled {
+ framework.Skipf("Skipping because Docker daemon is running with SELinux support enabled")
+ }
 }
 })
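Review bot: The skip added here is broader than the bug it works around: it sits in the Context's BeforeEach, so on SELinux hosts it silences all three AllowPrivilegeEscalation specs, while the commit description shows only "should not allow privilege escalation when false" failing; the two specs that verify escalation is still permitted (true, and unset with uid != 0) lose coverage for no reason. Consider moving the `selinuxEnabled` check into that one spec, or into a small helper it calls, so the remaining privilege-escalation tests keep running where the policy bug does not bite. The TODO pointing at the container-selinux issue is good, but the workaround would retire itself more reliably if the comment also named the container-selinux package version that carries the fix, so the skip can later become a version gate rather than a blanket one. The enclosing BeforeEach starts before this hunk and isDockerSELinuxSupportEnabled is defined elsewhere, so I cannot see whether that helper is already limited to the docker runtime; worth confirming it does not error out on other runtimes, since `framework.ExpectNoError(err)` would then fail the setup instead of skipping.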