From 0433e3891532a9783b77d6b02c041bab359b0d91 Mon Sep 17 00:00:00 2001
From: Phil Estes
Date: Mon, 7 Dec 2015 20:14:52 -0500
Subject: [PATCH] Allow non-seccomp platforms to pass integration-cli tests
Since seccomp is still a configurable build-tag, add a requirements entry for seccomp, as well as move seccomp tests to "_unix" given it won't be applicable to other platforms at this time.
Docker-DCO-1.1-Signed-off-by: Phil Estes (github: estesp)
---
 integration-cli/docker_cli_run_test.go | 56 ---------------------
 integration-cli/docker_cli_run_unix_test.go | 56 +++++++++++++++++++++
 integration-cli/requirements_unix.go | 6 +++
 integration-cli/test_vars_noseccomp.go | 8 +++
 integration-cli/test_vars_seccomp.go | 8 +++
 5 files changed, 78 insertions(+), 56 deletions(-)
 create mode 100644 integration-cli/test_vars_noseccomp.go
 create mode 100644 integration-cli/test_vars_seccomp.go
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 5fb6f9a76b..22ce9c1ae9 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3812,59 +3812,3 @@ func (s *DockerSuite) TestRunWithOomScoreAdjInvalidRange(c *check.C) {
 c.Fatalf("Expected output to contain %q, got %q instead", expected, out)
 }
 }
-
-// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
-func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
- testRequires(c, SameHostDaemon)
- jsonData := `{
- "defaultAction": "SCMP_ACT_ALLOW",
- "syscalls": [
- {
- "name": "unshare",
- "action": "SCMP_ACT_ERRNO"
- }
- ]
-}`
- tmpFile, err := ioutil.TempFile("", "profile.json")
- defer tmpFile.Close()
- if err != nil {
- c.Fatal(err)
- }
-
- if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
- c.Fatal(err)
- }
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
- out, _, _ := runCommandWithOutput(runCmd)
- if !strings.Contains(out, "Operation not permitted") {
- c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
- }
-}
-
-// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
-func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
- testRequires(c, SameHostDaemon)
- jsonData := `{
- "defaultAction": "SCMP_ACT_ALLOW",
- "syscalls": [
- {
- "name": "chmod",
- "action": "SCMP_ACT_ERRNO"
- }
- ]
-}`
- tmpFile, err := ioutil.TempFile("", "profile.json")
- defer tmpFile.Close()
- if err != nil {
- c.Fatal(err)
- }
-
- if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
- c.Fatal(err)
- }
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
- out, _, _ := runCommandWithOutput(runCmd)
- if !strings.Contains(out, "Operation not permitted") {
- c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
- }
-}
diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
index 2b6bcd5dac..b6cd0534a5 100644
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -468,3 +468,59 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
 c.Fatalf("Should have generated an error saying Duplicate mount points")
 }
 }
+
+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
+ testRequires(c, SameHostDaemon, seccompEnabled)
+ jsonData := `{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "name": "unshare",
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+}`
+ tmpFile, err := ioutil.TempFile("", "profile.json")
+ defer tmpFile.Close()
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+ c.Fatal(err)
+ }
+ runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
+ out, _, _ := runCommandWithOutput(runCmd)
+ if !strings.Contains(out, "Operation not permitted") {
+ c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
+ }
+}
+
+// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp:/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
+ testRequires(c, SameHostDaemon, seccompEnabled)
+ jsonData := `{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "name": "chmod",
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+}`
+ tmpFile, err := ioutil.TempFile("", "profile.json")
+ defer tmpFile.Close()
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+ c.Fatal(err)
+ }
+ runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:"+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
+ out, _, _ := runCommandWithOutput(runCmd)
+ if !strings.Contains(out, "Operation not permitted") {
+ c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
+ }
+}
diff --git a/integration-cli/requirements_unix.go b/integration-cli/requirements_unix.go
index 72c396f3a7..5110b9bda3 100644
--- a/integration-cli/requirements_unix.go
+++ b/integration-cli/requirements_unix.go
@@ -75,6 +75,12 @@ var (
 },
 "Test requires an environment that supports cgroup cpuset.",
 }
+ seccompEnabled = testRequirement{
+ func() bool {
+ return supportsSeccomp
+ },
+ "Test requires that seccomp support be enabled in the daemon.",
+ }
 )
 
 func init() {
diff --git a/integration-cli/test_vars_noseccomp.go b/integration-cli/test_vars_noseccomp.go
new file mode 100644
index 0000000000..2f47ab07a0
--- /dev/null
+++ b/integration-cli/test_vars_noseccomp.go
@@ -0,0 +1,8 @@
+// +build !seccomp
+
+package main
+
+const (
+ // indicates docker daemon built with seccomp support
+ supportsSeccomp = false
+)
diff --git a/integration-cli/test_vars_seccomp.go b/integration-cli/test_vars_seccomp.go
new file mode 100644
index 0000000000..00cf697209
--- /dev/null
+++ b/integration-cli/test_vars_seccomp.go
@@ -0,0 +1,8 @@
+// +build seccomp
+
+package main
+
+const (
+ // indicates docker daemon built with seccomp support
+ supportsSeccomp = true
+)
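Review bot: In TestRunSeccompProfileDenyUnshare the `defer tmpFile.Close()` sits above the `if err != nil` check on the `ioutil.TempFile` result, so on a TempFile failure the Close is deferred on a nil handle before the test aborts, and the profile file is never deleted, so each run leaves a `profile.json*` containing the policy behind in the temp directory; TestRunSeccompProfileDenyChmod repeats the same sequence. Move the defer below the error check and pair it with `defer os.Remove(tmpFile.Name())` (adding the `os` import if this file does not already have it). Both tests also drop the exit status from `runCommandWithOutput` and key only on the "Operation not permitted" substring, so a container that printed that text but exited 0 would still pass; asserting a non-zero exit code next to the substring check would pin the denial itself rather than its message.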
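Review bot: The `seccompEnabled` requirement's message states that seccomp support must be enabled in the daemon, but the check returns `supportsSeccomp`, a constant fixed by the build tag of the integration-cli binary, so it reports how the tests were compiled, not whether the daemon under test or the host kernel actually enforces seccomp. If the test binary and the daemon are built with different tags, the seccomp tests would run and fail, or be skipped although the daemon supports seccomp; I assume the intent is that both are built from the same tag set, but nothing here enforces it. Either reword the message to `"Test requires the integration-cli binary to be built with the seccomp tag (assumed to match the daemon build)."` or have the requirement probe the daemon instead of a compile-time constant. The `// indicates docker daemon built with seccomp support` comment in test_vars_noseccomp.go and test_vars_seccomp.go has the same mismatch and should say the test binary.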