@@ -1361,6 +1361,8 @@ _EOF
13611361 RUN --mount=type=cache,id=${cacheid} ,target=/var/tmp,uid=1000,gid=1000 stat / /var/tmp
13621362 RUN --mount=type=cache,id=${cacheid} ,target=/var/tmp,uid=1000,gid=1000 test \` stat -c %u /var/tmp\` -eq 1000
13631363 RUN --mount=type=cache,id=${cacheid} ,target=/var/tmp,uid=1000,gid=1000 touch /var/tmp/should-be-able-to-write
1364+ RUN --mount=type=cache,id=${cacheid} ,target=/new-parent/var/tmp,uid=1000,gid=1000 touch /var/tmp/should-be-able-to-write
1365+ RUN --mount=type=cache,id=${cacheid} ,target=/var/new-parent/tmp,uid=1000,gid=1000 touch /var/tmp/should-be-able-to-write
13641366EOF
13651367 run_buildah build $WITH_POLICY_JSON ${contextdir}
13661368
@@ -1372,6 +1374,8 @@ EOF
13721374 RUN --mount=type=cache,id=${cacheid} ,target=/var/tmp,uid=1000,gid=1000 stat / /var/tmp
13731375 RUN --mount=type=cache,id=${cacheid} ,target=/var/tmp,uid=1000,gid=1000 test \` stat -c %u /var/tmp\` -eq 1000
13741376 RUN --mount=type=cache,id=${cacheid} ,target=/var/tmp,uid=1000,gid=1000 touch /var/tmp/should-be-able-to-write
1377+ RUN --mount=type=cache,id=${cacheid} ,target=/new/parent/var/tmp,uid=1000,gid=1000 touch /new/parent/var/tmp/should-be-able-to-write
1378+ RUN --mount=type=cache,id=${cacheid} ,target=/var/new/parent/tmp,uid=1000,gid=1000 touch /var/new/parent/tmp/should-be-able-to-write
13751379EOF
13761380 if test ` id -u` ; then
13771381 run_buildah build --userns-uid-map 0:1:1023 --userns-gid-map 0:1:1023 $WITH_POLICY_JSON ${contextdir}
@@ -1380,6 +1384,55 @@ EOF
13801384 fi
13811385}
13821386
1387+ @test " build-mount-cache-writeable-as-unprivileged-user"
1388+ _prefetch busybox
1389+ local contextdir=${TEST_SCRATCH_DIR} /context
1390+ mkdir ${contextdir}
1391+
1392+ cat > ${contextdir} /Dockerfile << EOF
1393+ FROM busybox
1394+ USER 1000:1000
1395+ RUN --mount=type=cache,target=/usr/local/bin,id=/usr/local/bin/$$ ,uid=1000,gid=1000 touch /usr/local/bin/new-file
1396+ RUN --mount=type=cache,target=/var/not/already/there,id=/var/not/already/there/$$ ,uid=1000,gid=1000 touch /var/not/already/there/new-file
1397+ EOF
1398+ run_buildah build $WITH_POLICY_JSON ${contextdir}
1399+ }
1400+
1401+ @test " build-mount-bind-readable-as-unprivileged-user"
1402+ _prefetch busybox
1403+ local contextdir=${TEST_SCRATCH_DIR} /context
1404+ mkdir ${contextdir}
1405+
1406+ cat > ${contextdir} /Dockerfile << EOF
1407+ FROM busybox
1408+ USER 1000:1000
1409+ RUN --mount=type=bind,target=/usr/local,from=busybox busybox ls /usr/local/bin/busybox
1410+ RUN --mount=type=bind,target=/var/not/already/there,from=busybox busybox ls /var/not/already/there/bin/busybox
1411+ EOF
1412+ run_buildah build $WITH_POLICY_JSON ${contextdir}
1413+ }
1414+
1415+ @test " build-mount-secret-readable-as-unprivileged-user"
1416+ _prefetch busybox
1417+ local contextdir=${TEST_SCRATCH_DIR} /context
1418+ mkdir ${contextdir}
1419+ local secretfile=${TEST_SCRATCH_DIR} /secret.txt
1420+
1421+ echo -n hidingInPlainSight > ${secretfile}
1422+ cat > ${contextdir} /Dockerfile << EOF
1423+ FROM busybox
1424+ USER 1000:1000
1425+ RUN --mount=type=secret,id=theSecret,target=/var/not/already/there,uid=1000,gid=1000 wc -c /var/not/already/there
1426+ EOF
1427+ run_buildah build --secret id=theSecret,type=file,src=${secretfile} $WITH_POLICY_JSON ${contextdir}
1428+ cat > ${contextdir} /Dockerfile << EOF
1429+ FROM busybox
1430+ USER 1000:1000
1431+ RUN --mount=type=secret,id=theSecret,target=/top/var/tmp/there,uid=1000,gid=1000 wc -c /top/var/tmp/there
1432+ EOF
1433+ run_buildah build --secret id=theSecret,type=file,src=${secretfile} $WITH_POLICY_JSON ${contextdir}
1434+ }
1435+
13831436@test " build test if supplemental groups has gid with --isolation chroot"
13841437 test " ${BUILDAH_ISOLATION} " ! = chroot || skip " BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
13851438
0 commit comments