Allow non-seccomp platforms to pass integration-cli tests
Since seccomp is still a configurable build-tag, add a requirements entry for seccomp, as well as move seccomp tests to "_unix" given it won't be applicable to other platforms at this time. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This commit is contained in:
Phil Estes
parent
5f1af8da5b
commit
0433e38915
|
|
@ -3812,59 +3812,3 @@ func (s *DockerSuite) TestRunWithOomScoreAdjInvalidRange(c *check.C) {
|
|||
c.Fatalf("Expected output to contain %q, got %q instead", expected, out)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
|
||||
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
|
||||
testRequires(c, SameHostDaemon)
|
||||
jsonData := `{
|
||||
"defaultAction": "SCMP_ACT_ALLOW",
|
||||
"syscalls": [
|
||||
{
|
||||
"name": "unshare",
|
||||
"action": "SCMP_ACT_ERRNO"
|
||||
}
|
||||
]
|
||||
}`
|
||||
tmpFile, err := ioutil.TempFile("", "profile.json")
|
||||
defer tmpFile.Close()
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||
out, _, _ := runCommandWithOutput(runCmd)
|
||||
if !strings.Contains(out, "Operation not permitted") {
|
||||
c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
|
||||
func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
|
||||
testRequires(c, SameHostDaemon)
|
||||
jsonData := `{
|
||||
"defaultAction": "SCMP_ACT_ALLOW",
|
||||
"syscalls": [
|
||||
{
|
||||
"name": "chmod",
|
||||
"action": "SCMP_ACT_ERRNO"
|
||||
}
|
||||
]
|
||||
}`
|
||||
tmpFile, err := ioutil.TempFile("", "profile.json")
|
||||
defer tmpFile.Close()
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
|
||||
out, _, _ := runCommandWithOutput(runCmd)
|
||||
if !strings.Contains(out, "Operation not permitted") {
|
||||
c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -468,3 +468,59 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
|
|||
c.Fatalf("Should have generated an error saying Duplicate mount points")
|
||||
}
|
||||
}
|
||||
|
||||
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
|
||||
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
|
||||
testRequires(c, SameHostDaemon, seccompEnabled)
|
||||
jsonData := `{
|
||||
"defaultAction": "SCMP_ACT_ALLOW",
|
||||
"syscalls": [
|
||||
{
|
||||
"name": "unshare",
|
||||
"action": "SCMP_ACT_ERRNO"
|
||||
}
|
||||
]
|
||||
}`
|
||||
tmpFile, err := ioutil.TempFile("", "profile.json")
|
||||
defer tmpFile.Close()
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||
out, _, _ := runCommandWithOutput(runCmd)
|
||||
if !strings.Contains(out, "Operation not permitted") {
|
||||
c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
|
||||
func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
|
||||
testRequires(c, SameHostDaemon, seccompEnabled)
|
||||
jsonData := `{
|
||||
"defaultAction": "SCMP_ACT_ALLOW",
|
||||
"syscalls": [
|
||||
{
|
||||
"name": "chmod",
|
||||
"action": "SCMP_ACT_ERRNO"
|
||||
}
|
||||
]
|
||||
}`
|
||||
tmpFile, err := ioutil.TempFile("", "profile.json")
|
||||
defer tmpFile.Close()
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
|
||||
out, _, _ := runCommandWithOutput(runCmd)
|
||||
if !strings.Contains(out, "Operation not permitted") {
|
||||
c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -75,6 +75,12 @@ var (
|
|||
},
|
||||
"Test requires an environment that supports cgroup cpuset.",
|
||||
}
|
||||
seccompEnabled = testRequirement{
|
||||
func() bool {
|
||||
return supportsSeccomp
|
||||
},
|
||||
"Test requires that seccomp support be enabled in the daemon.",
|
||||
}
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
// +build !seccomp
|
||||
|
||||
package main
|
||||
|
||||
const (
|
||||
// indicates docker daemon built with seccomp support
|
||||
supportsSeccomp = false
|
||||
)
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
// +build seccomp
|
||||
|
||||
package main
|
||||
|
||||
const (
|
||||
// indicates docker daemon built with seccomp support
|
||||
supportsSeccomp = true
|
||||
)
|
||||
Loading…
Reference in New Issue