mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

cleanup jess/unshare image

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Jessica Frazelle 2015-12-30 09:49:10 -08:00
parent 102eb03c68
commit 626c933730
No known key found for this signature in database
GPG key ID: 18F3685C0022BFF3
4 changed files with 14 additions and 14 deletions


@ -198,8 +198,7 @@ COPY contrib/download-frozen-image-v2.sh /go/src/github.com/docker/docker/contri
RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
busybox:latest@sha256:eb3c0d4680f9213ee5f348ea6d39489a1f85a318a2ae09e012c426f78252a6d2 \ busybox:latest@sha256:eb3c0d4680f9213ee5f348ea6d39489a1f85a318a2ae09e012c426f78252a6d2 \
debian:jessie@sha256:24a900d1671b269d6640b4224e7b63801880d8e3cb2bcbfaa10a5dddcf4469ed \ debian:jessie@sha256:24a900d1671b269d6640b4224e7b63801880d8e3cb2bcbfaa10a5dddcf4469ed \
hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7 \ hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
jess/unshare:latest@sha256:2e3a8c0591c4690b82d4eba7e5ef8f49f2ddfe9f867f3e865198db9bd1436c5b
# see also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is) # see also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
# Download man page generator # Download man page generator


@ -29,7 +29,6 @@ case "$DOCKER_ENGINE_OSARCH" in
busybox:latest busybox:latest
debian:jessie debian:jessie
hello-world:latest hello-world:latest
jess/unshare:latest
) )
;; ;;
esac esac


@ -2858,26 +2858,28 @@ func (s *DockerSuite) TestRunUnshareProc(c *check.C) {
testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace) testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
name := "acidburn" name := "acidburn"
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount") out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
if err == nil || if err == nil ||
!(strings.Contains(strings.ToLower(out), "permission denied") || !(strings.Contains(strings.ToLower(out), "permission denied") ||
strings.Contains(strings.ToLower(out), "operation not permitted")) { strings.Contains(strings.ToLower(out), "operation not permitted")) {
c.Fatalf("unshare with --mount-proc should have failed with permission denied, got: %s, %v", out, err) c.Fatalf("unshare with --mount-proc should have failed with 'permission denied' or 'operation not permitted', got: %s, %v", out, err)
} }
name = "cereal" name = "cereal"
out, _, err = dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc") out, _, err = dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
if err == nil || if err == nil ||
!(strings.Contains(strings.ToLower(out), "permission denied") || !(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
strings.Contains(strings.ToLower(out), "operation not permitted")) { strings.Contains(strings.ToLower(out), "permission denied")) {
c.Fatalf("unshare and mount of /proc should have failed with permission denied, got: %s, %v", out, err) c.Fatalf("unshare and mount of /proc should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
} }
/* Ensure still fails if running privileged with the default policy */ /* Ensure still fails if running privileged with the default policy */
name = "crashoverride" name = "crashoverride"
out, _, err = dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp:unconfined", "--security-opt", "apparmor:docker-default", "--name", name, "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc") out, _, err = dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp:unconfined", "--security-opt", "apparmor:docker-default", "--name", name, "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
if err == nil || !(strings.Contains(strings.ToLower(out), "permission denied") || strings.Contains(strings.ToLower(out), "operation not permitted")) { if err == nil ||
c.Fatalf("privileged unshare with apparmor should have failed with permission denied, got: %s, %v", out, err) !(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
strings.Contains(strings.ToLower(out), "permission denied")) {
c.Fatalf("privileged unshare with apparmor should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
} }
} }
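Review bot: The "cereal" and "crashoverride" checks in TestRunUnshareProc now accept the substring `mount: cannot mount none`, which names no permission failure, so either check could pass when mount fails for a reason unrelated to the AppArmor profile. These two checks also no longer accept `operation not permitted`, although the first check still does. If the new string is what the mount binary in debian:jessie prints for the denial (the hunk does not show this), match the complete message rather than its prefix and say so in a comment above each check, for example `// mount in debian:jessie reports the AppArmor denial as "mount: cannot mount none ..."`. The function's signature appears only in the hunk header, so its opening lines are outside the hunk.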


@ -493,7 +493,7 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
} }
} }
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted. // TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) { func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
testRequires(c, SameHostDaemon, seccompEnabled) testRequires(c, SameHostDaemon, seccompEnabled)
jsonData := `{ jsonData := `{
@ -549,7 +549,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
} }
} }
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run jess/unshare unshare --map-root-user --user sh -c whoami' with a specific profile to // TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
// deny unhare of a userns exits with operation not permitted. // deny unhare of a userns exits with operation not permitted.
func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) { func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
testRequires(c, SameHostDaemon, seccompEnabled) testRequires(c, SameHostDaemon, seccompEnabled)