diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 5fb6f9a76b..22ce9c1ae9 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3812,59 +3812,3 @@ func (s *DockerSuite) TestRunWithOomScoreAdjInvalidRange(c *check.C) {
 c.Fatalf("Expected output to contain %q, got %q instead", expected, out)
 }
 }
-
-// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
-func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
- testRequires(c, SameHostDaemon)
- jsonData := `{
- "defaultAction": "SCMP_ACT_ALLOW",
- "syscalls": [
- {
- "name": "unshare",
- "action": "SCMP_ACT_ERRNO"
- }
- ]
-}`
- tmpFile, err := ioutil.TempFile("", "profile.json")
- defer tmpFile.Close()
- if err != nil {
- c.Fatal(err)
- }
-
- if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
- c.Fatal(err)
- }
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
- out, _, _ := runCommandWithOutput(runCmd)
- if !strings.Contains(out, "Operation not permitted") {
- c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
- }
-}
-
-// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
-func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
- testRequires(c, SameHostDaemon)
- jsonData := `{
- "defaultAction": "SCMP_ACT_ALLOW",
- "syscalls": [
- {
- "name": "chmod",
- "action": "SCMP_ACT_ERRNO"
- }
- ]
-}`
- tmpFile, err := ioutil.TempFile("", "profile.json")
- defer tmpFile.Close()
- if err != nil {
- c.Fatal(err)
- }
-
- if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
- c.Fatal(err)
- }
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
- out, _, _ := runCommandWithOutput(runCmd)
- if !strings.Contains(out, "Operation not permitted") {
- c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
- }
-}
diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
index 2b6bcd5dac..b6cd0534a5 100644
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -468,3 +468,59 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
 c.Fatalf("Should have generated an error saying Duplicate mount points")
 }
 }
+
+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
+ testRequires(c, SameHostDaemon, seccompEnabled)
+ jsonData := `{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "name": "unshare",
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+}`
+ tmpFile, err := ioutil.TempFile("", "profile.json")
+ defer tmpFile.Close()
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+ c.Fatal(err)
+ }
+ runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
+ out, _, _ := runCommandWithOutput(runCmd)
+ if !strings.Contains(out, "Operation not permitted") {
+ c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
+ }
+}
+
+// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
+ testRequires(c, SameHostDaemon, seccompEnabled)
+ jsonData := `{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "name": "chmod",
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+}`
+ tmpFile, err := ioutil.TempFile("", "profile.json")
+ defer tmpFile.Close()
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+ c.Fatal(err)
+ }
+ runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
+ out, _, _ := runCommandWithOutput(runCmd)
+ if !strings.Contains(out, "Operation not permitted") {
+ c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
+ }
+}
diff --git a/integration-cli/requirements_unix.go b/integration-cli/requirements_unix.go
index 72c396f3a7..5110b9bda3 100644
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@@ -75,6 +75,12 @@ var (
 },
 "Test requires an environment that supports cgroup cpuset.",
 }
+ seccompEnabled = testRequirement{
+ func() bool {
+ return supportsSeccomp
+ },
+ "Test requires that seccomp support be enabled in the daemon.",
+ }
 )
 
 func init() {
diff --git a/integration-cli/test_vars_noseccomp.go b/integration-cli/test_vars_noseccomp.go
new file mode 100644
index 0000000000..2f47ab07a0
--- /dev/null
+++ b/integration-cli/test_vars_noseccomp.go
@@ -0,0 +1,8 @@
+// +build !seccomp
+
+package main
+
+const (
+ // indicates docker daemon built with seccomp support
+ supportsSeccomp = false
+)
diff --git a/integration-cli/test_vars_seccomp.go b/integration-cli/test_vars_seccomp.go
new file mode 100644
index 0000000000..00cf697209
--- /dev/null
+++ b/integration-cli/test_vars_seccomp.go
@@ -0,0 +1,8 @@
+// +build seccomp
+
+package main
+
+const (
+ // indicates docker daemon built with seccomp support
+ supportsSeccomp = true
+)
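Review bot: Both tests in this hunk discard the exit status returned by runCommandWithOutput and only check that `out` contains "Operation not permitted", so a container that prints that text for an unrelated reason but exits 0 still passes, and the seccomp denial is verified by string match alone; keep the status and assert on it as well, e.g. `out, exitCode, _ := runCommandWithOutput(runCmd)` followed by `if exitCode == 0 || !strings.Contains(out, "Operation not permitted") {`. `defer tmpFile.Close()` is registered before `err` is checked, so a TempFile failure runs Close on a nil *os.File, and the profile file is never removed, leaving one file in the temp directory per test run; move the defer below the error check and add `defer os.Remove(tmpFile.Name())` (assuming `os` is imported in this file, which is not visible here). The same applies to TestRunSeccompProfileDenyUnshare earlier in this hunk.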
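Review bot: seccompEnabled returns the compile-time constant `supportsSeccomp`, i.e. whether this test binary was built with the `seccomp` build tag (test_vars_seccomp.go / test_vars_noseccomp.go in this commit), not whether the daemon under test or the host kernel actually enforces seccomp; the requirement message "Test requires that seccomp support be enabled in the daemon." therefore overstates what is checked, and a tagged test binary run against a daemon without seccomp support will execute the deny tests and fail rather than skip. At minimum document the limitation on the requirement, e.g. `// seccompEnabled reflects the 'seccomp' build tag of this test binary; it does not probe the daemon or kernel.`, and correct the constant comment `// indicates docker daemon built with seccomp support` in both new files, which describes the test binary, not the daemon. The enclosing `var (` block starts before this hunk.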