mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
seccomp: add additional unit-tests
Add test to verify profile validation, and to verify that the legacy format actually loads the profile as expected (instead of only verifying it doesn't produce an error). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
parent
c1ced23544
commit
c815b86f40
1 changed files with 38 additions and 2 deletions
|
|
@ -100,6 +100,34 @@ func TestLoadProfileWithListenerPath(t *testing.T) {
|
||||||
assert.DeepEqual(t, expected, *p)
|
assert.DeepEqual(t, expected, *p)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TestLoadProfileValidation tests that invalid profiles produce the correct error.
|
||||||
|
func TestLoadProfileValidation(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
doc string
|
||||||
|
profile string
|
||||||
|
expected string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
doc: "conflicting architectures and archMap",
|
||||||
|
profile: `{"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["A", "B", "C"], "archMap": [{"architecture": "A", "subArchitectures": ["B", "C"]}]}`,
|
||||||
|
expected: `use either 'architectures' or 'archMap'`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
doc: "conflicting syscall.name and syscall.names",
|
||||||
|
profile: `{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [{"name": "accept", "names": ["accept"], "action": "SCMP_ACT_ALLOW"}]}`,
|
||||||
|
expected: `use either 'name' or 'names'`,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, tc := range tests {
|
||||||
|
tc := tc
|
||||||
|
rs := createSpec()
|
||||||
|
t.Run(tc.doc, func(t *testing.T) {
|
||||||
|
_, err := LoadProfile(tc.profile, &rs)
|
||||||
|
assert.ErrorContains(t, err, tc.expected)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// TestLoadLegacyProfile tests loading a seccomp profile in the old format
|
// TestLoadLegacyProfile tests loading a seccomp profile in the old format
|
||||||
// (before https://github.com/docker/docker/pull/24510)
|
// (before https://github.com/docker/docker/pull/24510)
|
||||||
func TestLoadLegacyProfile(t *testing.T) {
|
func TestLoadLegacyProfile(t *testing.T) {
|
||||||
|
|
@ -108,9 +136,17 @@ func TestLoadLegacyProfile(t *testing.T) {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
rs := createSpec()
|
rs := createSpec()
|
||||||
if _, err := LoadProfile(string(f), &rs); err != nil {
|
p, err := LoadProfile(string(f), &rs)
|
||||||
t.Fatal(err)
|
assert.NilError(t, err)
|
||||||
|
assert.Equal(t, p.DefaultAction, specs.ActErrno)
|
||||||
|
assert.DeepEqual(t, p.Architectures, []specs.Arch{"SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"})
|
||||||
|
assert.Equal(t, len(p.Syscalls), 311)
|
||||||
|
expected := specs.LinuxSyscall{
|
||||||
|
Names: []string{"accept"},
|
||||||
|
Action: specs.ActAllow,
|
||||||
|
Args: []specs.LinuxSeccompArg{},
|
||||||
}
|
}
|
||||||
|
assert.DeepEqual(t, p.Syscalls[0], expected)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLoadDefaultProfile(t *testing.T) {
|
func TestLoadDefaultProfile(t *testing.T) {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue