moby--moby/profiles/seccomp/seccomp_test.go

// +build linux

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"io/ioutil"
	"testing"

	"github.com/opencontainers/runtime-spec/specs-go"
)

func TestLoadProfile(t *testing.T) {
	f, err := ioutil.ReadFile("fixtures/example.json")
	if err != nil {
		t.Fatal(err)
	}
	rs := createSpec()
	if _, err := LoadProfile(string(f), &rs); err != nil {
		t.Fatal(err)
	}
}

// TestLoadLegacyProfile tests loading a seccomp profile in the old format
// (before https://github.com/docker/docker/pull/24510)
func TestLoadLegacyProfile(t *testing.T) {
	f, err := ioutil.ReadFile("fixtures/default-old-format.json")
	if err != nil {
		t.Fatal(err)
	}
	rs := createSpec()
	if _, err := LoadProfile(string(f), &rs); err != nil {
		t.Fatal(err)
	}
}

func TestLoadDefaultProfile(t *testing.T) {
	f, err := ioutil.ReadFile("default.json")
	if err != nil {
		t.Fatal(err)
	}
	rs := createSpec()
	if _, err := LoadProfile(string(f), &rs); err != nil {
		t.Fatal(err)
	}
}

func TestLoadConditional(t *testing.T) {
	f, err := ioutil.ReadFile("fixtures/conditional_include.json")
	if err != nil {
		t.Fatal(err)
	}
	tests := []struct {
		doc      string
		cap      string
		expected []string
	}{
		{doc: "no caps", expected: []string{"chmod", "ptrace"}},
		{doc: "with syslog", cap: "CAP_SYSLOG", expected: []string{"chmod", "syslog", "ptrace"}},
		{doc: "no ptrace", cap: "CAP_SYS_ADMIN", expected: []string{"chmod"}},
	}

	for _, tc := range tests {
		tc := tc
		t.Run(tc.doc, func(t *testing.T) {
			rs := createSpec(tc.cap)
			p, err := LoadProfile(string(f), &rs)
			if err != nil {
				t.Fatal(err)
			}
			if len(p.Syscalls) != len(tc.expected) {
				t.Fatalf("expected %d syscalls in profile, have %d", len(tc.expected), len(p.Syscalls))
			}
			for i, v := range p.Syscalls {
				if v.Names[0] != tc.expected[i] {
					t.Fatalf("expected %s syscall, have %s", tc.expected[i], v.Names[0])
				}
			}
		})
	}
}

// createSpec() creates a minimum spec for testing
func createSpec(caps ...string) specs.Spec {
	rs := specs.Spec{
		Process: &specs.Process{
			Capabilities: &specs.LinuxCapabilities{},
		},
	}
	if caps != nil {
		rs.Process.Capabilities.Bounding = append(rs.Process.Capabilities.Bounding, caps...)
	}
	return rs
}
move default seccomp profile into package Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-01-19 17:57:03 -05:00			`// +build linux`

Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com> 2018-02-05 16:05:59 -05:00			`package seccomp // import "github.com/docker/docker/profiles/seccomp"`
move default seccomp profile into package Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-01-19 17:57:03 -05:00
			`import (`
			`"io/ioutil"`
			`"testing"`
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-13 09:41:30 -04:00
seccomp: remove dependency on oci package rewrite the tests to use a minimal runtime-spec Spec instead Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 08:55:28 -04:00			`"github.com/opencontainers/runtime-spec/specs-go"`
move default seccomp profile into package Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-01-19 17:57:03 -05:00			`)`

			`func TestLoadProfile(t *testing.T) {`
			`f, err := ioutil.ReadFile("fixtures/example.json")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
seccomp: remove dependency on oci package rewrite the tests to use a minimal runtime-spec Spec instead Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 08:55:28 -04:00			`rs := createSpec()`
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-13 09:41:30 -04:00			`if _, err := LoadProfile(string(f), &rs); err != nil {`
add seccomp default profile fix tests Signed-off-by: Antonio Murdaca <runcom@redhat.com> Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-02-19 03:22:36 -05:00			`t.Fatal(err)`
			`}`
			`}`
move default seccomp profile into package Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-01-19 17:57:03 -05:00
seccomp: add test for loading old JSON format Commit 5ff21add06ce0e502b41a194077daad311901996 changed the (JSON) format that's used for seccomp profiles, but keeping the code backward compatible to allow both the old or new format. This patch adds a new test, which loads the old format. It takes the default seccomp profile before the format was changed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 03:50:03 -04:00			`// TestLoadLegacyProfile tests loading a seccomp profile in the old format`
			`// (before https://github.com/docker/docker/pull/24510)`
			`func TestLoadLegacyProfile(t *testing.T) {`
			`f, err := ioutil.ReadFile("fixtures/default-old-format.json")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
seccomp: remove dependency on oci package rewrite the tests to use a minimal runtime-spec Spec instead Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 08:55:28 -04:00			`rs := createSpec()`
seccomp: add test for loading old JSON format Commit 5ff21add06ce0e502b41a194077daad311901996 changed the (JSON) format that's used for seccomp profiles, but keeping the code backward compatible to allow both the old or new format. This patch adds a new test, which loads the old format. It takes the default seccomp profile before the format was changed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 03:50:03 -04:00			`if _, err := LoadProfile(string(f), &rs); err != nil {`
			`t.Fatal(err)`
			`}`
			`}`

add seccomp default profile fix tests Signed-off-by: Antonio Murdaca <runcom@redhat.com> Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-02-19 03:22:36 -05:00			`func TestLoadDefaultProfile(t *testing.T) {`
			`f, err := ioutil.ReadFile("default.json")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
seccomp: remove dependency on oci package rewrite the tests to use a minimal runtime-spec Spec instead Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 08:55:28 -04:00			`rs := createSpec()`
New seccomp format Signed-off-by: Antonio Murdaca <runcom@redhat.com> 2016-07-13 09:41:30 -04:00			`if _, err := LoadProfile(string(f), &rs); err != nil {`
move default seccomp profile into package Signed-off-by: Jessica Frazelle <acidburn@docker.com> 2016-01-19 17:57:03 -05:00			`t.Fatal(err)`
			`}`
			`}`
seccomp: remove dependency on oci package rewrite the tests to use a minimal runtime-spec Spec instead Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-09-28 08:55:28 -04:00
			`func TestLoadConditional(t *testing.T) {`
			`f, err := ioutil.ReadFile("fixtures/conditional_include.json")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`tests := []struct {`
			`doc string`
			`cap string`
			`expected []string`
			`}{`
			`{doc: "no caps", expected: []string{"chmod", "ptrace"}},`
			`{doc: "with syslog", cap: "CAP_SYSLOG", expected: []string{"chmod", "syslog", "ptrace"}},`
			`{doc: "no ptrace", cap: "CAP_SYS_ADMIN", expected: []string{"chmod"}},`
			`}`

			`for _, tc := range tests {`
			`tc := tc`
			`t.Run(tc.doc, func(t *testing.T) {`
			`rs := createSpec(tc.cap)`
			`p, err := LoadProfile(string(f), &rs)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(p.Syscalls) != len(tc.expected) {`
			`t.Fatalf("expected %d syscalls in profile, have %d", len(tc.expected), len(p.Syscalls))`
			`}`
			`for i, v := range p.Syscalls {`
			`if v.Names[0] != tc.expected[i] {`
			`t.Fatalf("expected %s syscall, have %s", tc.expected[i], v.Names[0])`
			`}`
			`}`
			`})`
			`}`
			`}`

			`// createSpec() creates a minimum spec for testing`
			`func createSpec(caps ...string) specs.Spec {`
			`rs := specs.Spec{`
			`Process: &specs.Process{`
			`Capabilities: &specs.LinuxCapabilities{},`
			`},`
			`}`
			`if caps != nil {`
			`rs.Process.Capabilities.Bounding = append(rs.Process.Capabilities.Bounding, caps...)`
			`}`
			`return rs`
			`}`