1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/daemon/seccomp_linux_test.go

203 lines
5.1 KiB
Go
Raw Normal View History

//go:build linux && seccomp
// +build linux,seccomp
package daemon // import "github.com/docker/docker/daemon"
import (
"testing"
coci "github.com/containerd/containerd/oci"
config "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
doci "github.com/docker/docker/oci"
"github.com/docker/docker/pkg/sysinfo"
"github.com/docker/docker/profiles/seccomp"
specs "github.com/opencontainers/runtime-spec/specs-go"
"gotest.tools/v3/assert"
)
func TestWithSeccomp(t *testing.T) {
type expected struct {
daemon *Daemon
c *container.Container
inSpec coci.Spec
outSpec coci.Spec
err string
comment string
}
for _, x := range []expected{
{
comment: "unconfined seccompProfile runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: dconfig.SeccompProfileUnconfined,
HostConfig: &config.HostConfig{
Privileged: false,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: doci.DefaultLinuxSpec(),
},
{
comment: "privileged container w/ custom profile runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
HostConfig: &config.HostConfig{
Privileged: true,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: doci.DefaultLinuxSpec(),
},
{
comment: "privileged container w/ default runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &config.HostConfig{
Privileged: true,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: doci.DefaultLinuxSpec(),
},
{
comment: "privileged container w/ daemon profile runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &config.HostConfig{
Privileged: true,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: doci.DefaultLinuxSpec(),
},
{
comment: "custom profile when seccomp is disabled returns error",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: false},
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
HostConfig: &config.HostConfig{
Privileged: false,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: doci.DefaultLinuxSpec(),
err: "seccomp is not enabled in your kernel, cannot run a custom seccomp profile",
},
{
comment: "empty profile name loads default profile",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &config.HostConfig{
Privileged: false,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := doci.DefaultLinuxSpec()
profile, _ := seccomp.GetDefaultProfile(&s)
s.Linux.Seccomp = profile
return s
}(),
},
{
comment: "load container's profile",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
HostConfig: &config.HostConfig{
Privileged: false,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := doci.DefaultLinuxSpec()
profile := &specs.LinuxSeccomp{
DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
}
s.Linux.Seccomp = profile
return s
}(),
},
{
comment: "load daemon's profile",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &config.HostConfig{
Privileged: false,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := doci.DefaultLinuxSpec()
profile := &specs.LinuxSeccomp{
DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
}
s.Linux.Seccomp = profile
return s
}(),
},
{
comment: "load prioritise container profile over daemon's",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
HostConfig: &config.HostConfig{
Privileged: false,
},
},
inSpec: doci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := doci.DefaultLinuxSpec()
profile := &specs.LinuxSeccomp{
DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_LOG"),
}
s.Linux.Seccomp = profile
return s
}(),
},
} {
x := x
t.Run(x.comment, func(t *testing.T) {
opts := WithSeccomp(x.daemon, x.c)
err := opts(nil, nil, nil, &x.inSpec)
assert.DeepEqual(t, x.inSpec, x.outSpec)
if x.err != "" {
assert.Error(t, err, x.err)
} else {
assert.NilError(t, err)
}
})
}
}