From c815b86f407a7566675ce5a737730ae5754b53e5 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 16 Jul 2021 15:50:12 +0200
Subject: [PATCH] seccomp: add additional unit-tests

Add test to verify profile validation, and to verify that the legacy format actually loads the profile as expected (instead of only verifying it doesn't produce an error).

Signed-off-by: Sebastiaan van Stijn
---
 profiles/seccomp/seccomp_test.go | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
index 53ddfaf989..0d3d39852c 100644
--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@@ -100,6 +100,34 @@ func TestLoadProfileWithListenerPath(t *testing.T) {
 assert.DeepEqual(t, expected, *p)
 }

+// TestLoadProfileValidation tests that invalid profiles produce the correct error.
+func TestLoadProfileValidation(t *testing.T) {
+ tests := []struct {
+ doc string
+ profile string
+ expected string
+ }{
+ {
+ doc: "conflicting architectures and archMap",
+ profile: `{"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["A", "B", "C"], "archMap": [{"architecture": "A", "subArchitectures": ["B", "C"]}]}`,
+ expected: `use either 'architectures' or 'archMap'`,
+ },
+ {
+ doc: "conflicting syscall.name and syscall.names",
+ profile: `{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [{"name": "accept", "names": ["accept"], "action": "SCMP_ACT_ALLOW"}]}`,
+ expected: `use either 'name' or 'names'`,
+ },
+ }
+ for _, tc := range tests {
+ tc := tc
+ rs := createSpec()
+ t.Run(tc.doc, func(t *testing.T) {
+ _, err := LoadProfile(tc.profile, &rs)
+ assert.ErrorContains(t, err, tc.expected)
+ })
+ }
+}
+
 // TestLoadLegacyProfile tests loading a seccomp profile in the old format
 // (before https://github.com/docker/docker/pull/24510)
 func TestLoadLegacyProfile(t *testing.T) {
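Review bot: Both cases in `TestLoadProfileValidation` discard the first return value of `LoadProfile` (`_, err := LoadProfile(tc.profile, &rs)`), so the test pins the error text but not what the caller receives alongside it. For a seccomp loader it is worth also asserting that a rejected profile yields no usable result, e.g. `p, err := LoadProfile(tc.profile, &rs)` followed by `assert.Assert(t, p == nil)`. This assumes LoadProfile is meant to return nil on a validation error; its body is not visible in this patch. Separately, `rs := createSpec()` could move inside the `t.Run` closure so each subtest clearly owns its own spec.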
@@ -108,9 +136,17 @@ func TestLoadLegacyProfile(t *testing.T) {
 t.Fatal(err)
 }
 rs := createSpec()
- if _, err := LoadProfile(string(f), &rs); err != nil {
- t.Fatal(err)
+ p, err := LoadProfile(string(f), &rs)
+ assert.NilError(t, err)
+ assert.Equal(t, p.DefaultAction, specs.ActErrno)
+ assert.DeepEqual(t, p.Architectures, []specs.Arch{"SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"})
+ assert.Equal(t, len(p.Syscalls), 311)
+ expected := specs.LinuxSyscall{
+ Names: []string{"accept"},
+ Action: specs.ActAllow,
+ Args: []specs.LinuxSeccompArg{},
 }
+ assert.DeepEqual(t, p.Syscalls[0], expected)
 }

 func TestLoadDefaultProfile(t *testing.T) {
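Review bot: The literal `311` in `assert.Equal(t, len(p.Syscalls), 311)` is unexplained and only holds for the current legacy fixture, so any edit to that fixture fails here with no hint as to why. A short comment on that line would help, e.g. `// number of syscall entries in the legacy fixture; update together with the fixture`. The `Args: []specs.LinuxSeccompArg{}` expectation deserves a similar remark, since the comparison presumably distinguishes an empty slice from nil and so pins how the legacy loader fills that field. The fixture is read earlier in the function, outside this hunk.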