cleanup jess/unshare image
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
This commit is contained in:
parent
102eb03c68
commit
626c933730
4 changed files with 14 additions and 14 deletions
@ -198,8 +198,7 @@ COPY contrib/download-frozen-image-v2.sh /go/src/github.com/docker/docker/contri
|
||||||
RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
|
RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
|
||||||
busybox:latest@sha256:eb3c0d4680f9213ee5f348ea6d39489a1f85a318a2ae09e012c426f78252a6d2 \
|
busybox:latest@sha256:eb3c0d4680f9213ee5f348ea6d39489a1f85a318a2ae09e012c426f78252a6d2 \
|
||||||
debian:jessie@sha256:24a900d1671b269d6640b4224e7b63801880d8e3cb2bcbfaa10a5dddcf4469ed \
|
debian:jessie@sha256:24a900d1671b269d6640b4224e7b63801880d8e3cb2bcbfaa10a5dddcf4469ed \
|
||||||
hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7 \
|
hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
|
||||||
jess/unshare:latest@sha256:2e3a8c0591c4690b82d4eba7e5ef8f49f2ddfe9f867f3e865198db9bd1436c5b
|
|
||||||
# see also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
|
# see also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
|
||||||
|
|
||||||
# Download man page generator
|
# Download man page generator
|
||||||
|
|
|
@ -29,7 +29,6 @@ case "$DOCKER_ENGINE_OSARCH" in
|
||||||
busybox:latest
|
busybox:latest
|
||||||
debian:jessie
|
debian:jessie
|
||||||
hello-world:latest
|
hello-world:latest
|
||||||
jess/unshare:latest
|
|
||||||
)
|
)
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
|
@ -2858,26 +2858,28 @@ func (s *DockerSuite) TestRunUnshareProc(c *check.C) {
|
||||||
testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
|
testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
|
||||||
|
|
||||||
name := "acidburn"
|
name := "acidburn"
|
||||||
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
|
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
|
||||||
if err == nil ||
|
if err == nil ||
|
||||||
!(strings.Contains(strings.ToLower(out), "permission denied") ||
|
!(strings.Contains(strings.ToLower(out), "permission denied") ||
|
||||||
strings.Contains(strings.ToLower(out), "operation not permitted")) {
|
strings.Contains(strings.ToLower(out), "operation not permitted")) {
|
||||||
c.Fatalf("unshare with --mount-proc should have failed with permission denied, got: %s, %v", out, err)
|
c.Fatalf("unshare with --mount-proc should have failed with 'permission denied' or 'operation not permitted', got: %s, %v", out, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
name = "cereal"
|
name = "cereal"
|
||||||
out, _, err = dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
out, _, err = dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||||
if err == nil ||
|
if err == nil ||
|
||||||
!(strings.Contains(strings.ToLower(out), "permission denied") ||
|
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
|
||||||
strings.Contains(strings.ToLower(out), "operation not permitted")) {
|
strings.Contains(strings.ToLower(out), "permission denied")) {
|
||||||
c.Fatalf("unshare and mount of /proc should have failed with permission denied, got: %s, %v", out, err)
|
c.Fatalf("unshare and mount of /proc should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Ensure still fails if running privileged with the default policy */
|
/* Ensure still fails if running privileged with the default policy */
|
||||||
name = "crashoverride"
|
name = "crashoverride"
|
||||||
out, _, err = dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp:unconfined", "--security-opt", "apparmor:docker-default", "--name", name, "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
out, _, err = dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp:unconfined", "--security-opt", "apparmor:docker-default", "--name", name, "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||||
if err == nil || !(strings.Contains(strings.ToLower(out), "permission denied") || strings.Contains(strings.ToLower(out), "operation not permitted")) {
|
if err == nil ||
|
||||||
c.Fatalf("privileged unshare with apparmor should have failed with permission denied, got: %s, %v", out, err)
|
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
|
||||||
|
strings.Contains(strings.ToLower(out), "permission denied")) {
|
||||||
|
c.Fatalf("privileged unshare with apparmor should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
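Review bot: The `cereal` and `crashoverride` assertions now pass whenever the output contains `mount: cannot mount none`, and that text appears to be the generic prefix util-linux `mount` prints for a failed mount whatever the errno, so a mount that fails for an unrelated reason (bad arguments, a missing target) would satisfy a check meant to prove AppArmor denied it; the `operation not permitted` alternative those two checks used to accept has also been dropped. If the image's `mount` appends the errno text after that prefix, keep requiring the denial reason, e.g. `lower := strings.ToLower(out)` once after each `dockerCmdWithError` call, then `if err == nil || !(strings.Contains(lower, "permission denied") || strings.Contains(lower, "operation not permitted")) {`, which also stops recomputing `strings.ToLower(out)` in every condition. TestRunUnshareProc's signature is outside the hunk; only its body is shown.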
@ -493,7 +493,7 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
|
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
|
||||||
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
|
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
|
||||||
testRequires(c, SameHostDaemon, seccompEnabled)
|
testRequires(c, SameHostDaemon, seccompEnabled)
|
||||||
jsonData := `{
|
jsonData := `{
|
||||||
|
@ -549,7 +549,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run jess/unshare unshare --map-root-user --user sh -c whoami' with a specific profile to
|
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
|
||||||
// deny unhare of a userns exits with operation not permitted.
|
// deny unhare of a userns exits with operation not permitted.
|
||||||
func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
|
func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
|
||||||
testRequires(c, SameHostDaemon, seccompEnabled)
|
testRequires(c, SameHostDaemon, seccompEnabled)
|
||||||
|
|
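Review bot: The doc comment this hunk rewrites still carries the typo `unhare` on its second line, `// deny unhare of a userns exits with operation not permitted.`; since the comment is already being edited, change it to `// deny unshare of a userns exits with operation not permitted.`. The body of TestRunSeccompProfileDenyUnshareUserns continues past the end of the hunk, so the invocation the comment describes cannot be checked here.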