Add tests for volume subpath mounts

Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
containers · Mar 15, 2024 · dc75dfb · dc75dfb
1 parent 7a1a9e3
commit dc75dfb
Showing 1 changed file with 82 additions and 0 deletions.
diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go
@@ -962,4 +962,86 @@ USER testuser`, CITEST_IMAGE)
 		Expect(run).Should(ExitCleanly())
 		Expect(run.OutputToString()).Should(ContainSubstring(strings.TrimLeft("/vol/", f.Name())))
 	})
+
+	It("podman works with mounted subpath of a named volume", func() {
+		// Create named volume
+		volName := "testVol"
+		volCreate := podmanTest.Podman([]string{"volume", "create", "--opt", volName})
+		volCreate.WaitWithDefaultTimeout()
+		Expect(volCreate).Should(ExitCleanly())
+
+		// Populate volume with sub-directories and files
+		volMount := podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test", volName), ALPINE, "/bin/sh", "-c", "mkdir /test/subdir-ro && mkdir /test/subdir-rw && touch /test/subdir-ro/readonlyfile.txt && touch /test/subdir-rw/writablefile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(ExitCleanly())
+
+		// Mount subpath-ro as readonly
+		mountinfo := getMountInfo(volName + ":subpath=subpath-ro,ro")
+		Expect(mountinfo[5]).To(ContainSubstring("ro"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test:subpath=subpath-ro,ro", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(ExitCleanly())
+		Expect(volMount.OutputToString()).To(Equal("0"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test:subpath=subpath-ro,ro", volName), ALPINE, "stat", "-c", "%s", "/test/writablefile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(1))
+		Expect(volMount.OutputToString()).To(ContainSubstring("no such file"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "--mount", fmt.Sprintf("type=volume,src=%s,dst=/test:subpath=subpath-ro,ro", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(ExitCleanly())
+		Expect(volMount.OutputToString()).To(Equal("0"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "--mount", fmt.Sprintf("type=volume,src=%s,dst=/test,subpath=subpath-ro,ro", volName), ALPINE, "stat", "-c", "%s", "/test/writablefile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(1))
+		Expect(volMount.OutputToString()).To(ContainSubstring("no such file"))
+
+		// Mount subpath-rw as readwrite
+		mountinfo = getMountInfo(volName + ":subpath=subpath-rw,rw")
+		Expect(mountinfo[5]).To(ContainSubstring("rw"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test:subpath=subpath-rw,rw", volName), ALPINE, "stat", "-c", "%s", "/test/writablefile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(ExitCleanly())
+		Expect(volMount.OutputToString()).To(Equal("0"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test:subpath=subpath-rw,rw", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(1))
+		Expect(volMount.OutputToString()).To(ContainSubstring("no such file"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "--mount", fmt.Sprintf("type=volume,src=%s,dst=/test,subpath=subpath-rw,rw", volName), ALPINE, "stat", "-c", "%s", "/test/writablefile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(ExitCleanly())
+		Expect(volMount.OutputToString()).To(Equal("0"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "--mount", fmt.Sprintf("type=volume,src=%s,dst=/test,subpath=subpath-rw,rw", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(1))
+		Expect(volMount.OutputToString()).To(ContainSubstring("no such file"))
+
+		// Prevent directory traversal vulnerabilities in subpath
+		volMount = podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test:subpath=../../../../../../../../../../../../../../etc,rw", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(125))
+		Expect(volMount.OutputToString()).Should(ContainSubstring("is outside"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "-v", fmt.Sprintf("%s:/test:subpath=/../../../../../../../../../../../../../../etc,rw", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(125))
+		Expect(volMount.OutputToString()).Should(ContainSubstring("is outside"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "--mount", fmt.Sprintf("type=volume,src=%s,dst=/test,subpath=../../../../../../../../../../../../../../etc,rw", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(125))
+		Expect(volMount.OutputToString()).Should(ContainSubstring("is outside"))
+
+		volMount = podmanTest.Podman([]string{"run", "--rm", "--mount", fmt.Sprintf("type=volume,src=%s,dst=/test,subpath=/../../../../../../../../../../../../../../etc,rw", volName), ALPINE, "stat", "-c", "%s", "/test/readonlyfile.txt"})
+		volMount.WaitWithDefaultTimeout()
+		Expect(volMount).Should(Exit(125))
+		Expect(volMount.OutputToString()).Should(ContainSubstring("is outside"))
+	})
 })