Merge pull request #18483 from estesp/seccomp-test-requirement

Allow non-seccomp platforms to pass integration-cli tests
2022-11-09 12:21:53 -05:00 · 2015-12-08 08:38:06 +01:00 · 2015-12-08 08:38:06 +01:00 · ee7a599351
commit ee7a599351
parent b36b492039 0433e38915
5 changed files with 78 additions and 56 deletions
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -3812,59 +3812,3 @@ func (s *DockerSuite) TestRunWithOomScoreAdjInvalidRange(c *check.C) {
 		c.Fatalf("Expected output to contain %q, got %q instead", expected, out)
 	}
 }
-
-// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
-func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
-	testRequires(c, SameHostDaemon)
-	jsonData := `{
-	"defaultAction": "SCMP_ACT_ALLOW",
-	"syscalls": [
-		{
-			"name": "unshare",
-			"action": "SCMP_ACT_ERRNO"
-		}
-	]
-}`
-	tmpFile, err := ioutil.TempFile("", "profile.json")
-	defer tmpFile.Close()
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
-		c.Fatal(err)
-	}
-	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
-	out, _, _ := runCommandWithOutput(runCmd)
-	if !strings.Contains(out, "Operation not permitted") {
-		c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
-	}
-}
-
-// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
-func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
-	testRequires(c, SameHostDaemon)
-	jsonData := `{
-	"defaultAction": "SCMP_ACT_ALLOW",
-	"syscalls": [
-		{
-			"name": "chmod",
-			"action": "SCMP_ACT_ERRNO"
-		}
-	]
-}`
-	tmpFile, err := ioutil.TempFile("", "profile.json")
-	defer tmpFile.Close()
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
-		c.Fatal(err)
-	}
-	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
-	out, _, _ := runCommandWithOutput(runCmd)
-	if !strings.Contains(out, "Operation not permitted") {
-		c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
-	}
-}
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@ -468,3 +468,59 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
 		c.Fatalf("Should have generated an error saying Duplicate mount  points")
 	}
 }
+
+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "unshare",
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	defer tmpFile.Close()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+		c.Fatal(err)
+	}
+	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
+	out, _, _ := runCommandWithOutput(runCmd)
+	if !strings.Contains(out, "Operation not permitted") {
+		c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
+	}
+}
+
+// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "chmod",
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	defer tmpFile.Close()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+		c.Fatal(err)
+	}
+	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
+	out, _, _ := runCommandWithOutput(runCmd)
+	if !strings.Contains(out, "Operation not permitted") {
+		c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
+	}
+}
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@ -75,6 +75,12 @@ var (
 		},
 		"Test requires an environment that supports cgroup cpuset.",
 	}
+	seccompEnabled = testRequirement{
+		func() bool {
+			return supportsSeccomp
+		},
+		"Test requires that seccomp support be enabled in the daemon.",
+	}
 )

 func init() {
--- a/integration-cli/test_vars_noseccomp.go
+++ b/integration-cli/test_vars_noseccomp.go
@ -0,0 +1,8 @@
+// +build !seccomp
+
+package main
+
+const (
+	// indicates docker daemon built with seccomp support
+	supportsSeccomp = false
+)
--- a/integration-cli/test_vars_seccomp.go
+++ b/integration-cli/test_vars_seccomp.go
@ -0,0 +1,8 @@
+// +build seccomp
+
+package main
+
+const (
+	// indicates docker daemon built with seccomp support
+	supportsSeccomp = true
+)