From 11435b674b8ed580f8cf401c7cee7d24f59d7a43 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Fri, 19 Feb 2016 09:22:36 +0100 Subject: [PATCH] add seccomp default profile fix tests Signed-off-by: Antonio Murdaca Signed-off-by: Jessica Frazelle --- integration-cli/docker_cli_run_unix_test.go | 10 ++++++++++ profiles/seccomp/seccomp_test.go | 11 ++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go index c235cd003d..974249e504 100644 --- a/integration-cli/docker_cli_run_unix_test.go +++ b/integration-cli/docker_cli_run_unix_test.go @@ -909,3 +909,13 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) { c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err) } } + +// make sure the default profile can be successfully parsed (using unshare as it is +// something which we know is blocked in the default profile) +func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) { + testRequires(c, SameHostDaemon, seccompEnabled) + + out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp:../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami") + c.Assert(err, checker.NotNil, check.Commentf(out)) + c.Assert(strings.TrimSpace(out), checker.Equals, "unshare: unshare failed: Operation not permitted") +} diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go index 11df61e94d..2c9929e925 100644 --- a/profiles/seccomp/seccomp_test.go +++ b/profiles/seccomp/seccomp_test.go @@ -12,7 +12,16 @@ func TestLoadProfile(t *testing.T) { if err != nil { t.Fatal(err) } - + if _, err := LoadProfile(string(f)); err != nil { + t.Fatal(err) + } +} + +func TestLoadDefaultProfile(t *testing.T) { + f, err := ioutil.ReadFile("default.json") + if err != nil { + t.Fatal(err) + } if _, err := LoadProfile(string(f)); err != nil { t.Fatal(err) }