TestUserNoEffectiveCapabilitiesNetBindService: conditionally set net.ipv4.ip_unprivileged_port_start

Prevent the test from failing on environments where this sysctl is not supported.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2020-06-22 13:27:52 +02:00
parent 4609153995
commit c3acd082c7
1 changed files with 20 additions and 2 deletions


@ -1245,6 +1245,14 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *testing.T) {
// TODO CAP_SETPCAP
// sysctlExists checks if a sysctl exists; runc will error if we add any that do not actually
// exist, so do not add the default ones if running on an old kernel.
func sysctlExists(s string) bool {
f := filepath.Join("/proc", "sys", strings.Replace(s, ".", "/", -1))
_, err := os.Stat(f)
return err == nil
}
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *testing.T) {
testRequires(c, DaemonIsLinux, testEnv.IsLocalDaemon)
ensureSyscallTest(c)
@ -1253,12 +1261,22 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *testing.T
dockerCmd(c, "run", "syscall-test", "socket-test")
// test that non root user does not have default capability CAP_NET_BIND_SERVICE
// as we allow this via sysctl, also tweak the sysctl back to default
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024", "syscall-test", "socket-test").Assert(c, icmd.Expected{
args := []string{"run", "--user", "1000:1000"}
if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
args = append(args, "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024")
}
args = append(args, "syscall-test", "socket-test")
icmd.RunCommand(dockerBinary, args...).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Permission denied",
})
// test that root user can drop default capability CAP_NET_BIND_SERVICE
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_bind_service", "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024", "syscall-test", "socket-test").Assert(c, icmd.Expected{
args = []string{"run", "--cap-drop", "net_bind_service"}
if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
args = append(args, "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024")
}
args = append(args, "syscall-test", "socket-test")
icmd.RunCommand(dockerBinary, args...).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Permission denied",
})
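Review bot: The sysctl name `net.ipv4.ip_unprivileged_port_start` and the exists-then-append sequence are written out twice in the second hunk (once for the `--user 1000:1000` case, once for the `--cap-drop net_bind_service` case), so any change to the name or to the fallback behaviour has to be made in lockstep; a package-level constant plus a small helper that returns either the `--sysctl` flag pair or nil keeps each call site to one line, as sketched below. The comment on the first case still reads `// as we allow this via sysctl, also tweak the sysctl back to default`, which is no longer unconditional — I would change it to `// where the kernel exposes the sysctl, also reset it to its default (1024)`. The enclosing test function opens before this hunk, so the helper can sit next to `sysctlExists` in the first hunk. One hedged observation: `sysctlExists` stats the path in the test process's own namespace, which looks acceptable here only because the test already requires a local daemon.
```go
// unprivPortSysctl is the sysctl the tests below reset to 1024 where the
// running kernel exposes it.
const unprivPortSysctl = "net.ipv4.ip_unprivileged_port_start"

// sysctlArg returns the --sysctl flag pair for name=value, or nil when the
// running kernel does not expose the sysctl (runc would otherwise fail).
func sysctlArg(name, value string) []string {
	if !sysctlExists(name) {
		return nil
	}
	return []string{"--sysctl", name + "=" + value}
}

// … unchanged: TestUserNoEffectiveCapabilitiesNetBindService up to the first socket-test run …
	args := append([]string{"run", "--user", "1000:1000"}, sysctlArg(unprivPortSysctl, "1024")...)
	args = append(args, "syscall-test", "socket-test")
	// … unchanged: first icmd.RunCommand(...).Assert(...) …
	args = append([]string{"run", "--cap-drop", "net_bind_service"}, sysctlArg(unprivPortSysctl, "1024")...)
	args = append(args, "syscall-test", "socket-test")
	// … unchanged: second icmd.RunCommand(...).Assert(...) …
```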