mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/hack/make/.ensure-syscall-test
Justin Cormack 93bbc76ee5 Add a test that the default seccomp profile allows execution of 32 bit binaries
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.

This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.

There is no 32-bit libc in buildpack-deps, so we cannot easily build
32-bit C code; instead, use the simplest assembly program, which
just calls the exit syscall.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-07-27 18:42:34 +01:00


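#!/bin/bash
set -e

# Build the helper binaries used by the seccomp/syscall tests and package them
# into a local image tagged "syscall-test" on the target daemon.
#
# Environment read:
#   DOCKER_ENGINE_GOOS    - nothing is built unless this is "linux"
#   DOCKER_ENGINE_OSARCH  - daemon os/arch, compared with the client's
#   DOCKER_CLIENT_OSARCH  - client os/arch
#   DOCKER_BUILD_ARGS     - extra `docker build` flags, word-split on purpose
#
# NOTE(review): this file looks like it is meant to be sourced by the build
# harness (not visible here) - confirm. For that reason the temp-dir cleanup
# below is confined to a subshell and never installs a trap in the caller.
if [ "$DOCKER_ENGINE_GOOS" = "linux" ]; then
  if [ "$DOCKER_ENGINE_OSARCH" = "$DOCKER_CLIENT_OSARCH" ]; then
    # Client and daemon share an os/arch, so compile locally and ship only the
    # resulting binaries as the build context.
    (
      tmpdir=$(mktemp -d)
      # Remove the scratch directory on every exit path. Under `set -e` a
      # failing gcc or docker build would otherwise leave it behind.
      trap 'rm -rf -- "${tmpdir:?}"' EXIT

      # Static linking: presumably so the binaries do not depend on the
      # libraries present in the test image - confirm.
      gcc -g -Wall -static contrib/syscall-test/userns.c -o "${tmpdir}/userns-test"
      gcc -g -Wall -static contrib/syscall-test/ns.c -o "${tmpdir}/ns-test"
      gcc -g -Wall -static contrib/syscall-test/acct.c -o "${tmpdir}/acct-test"
      if [ "$DOCKER_ENGINE_OSARCH" = "linux/amd64" ]; then
        # 32-bit, libc-free binary; built only for linux/amd64.
        gcc -s -m32 -nostdlib contrib/syscall-test/exit32.s -o "${tmpdir}/exit32-test"
      fi

      dockerfile="${tmpdir}/Dockerfile"
      # printf instead of a `<<-` here-document: the generated file no longer
      # depends on this script being indented with tabs.
      # NOTE(review): debian:jessie is a mutable tag; pinning the base image by
      # digest would make the image these security tests run in reproducible.
      # `COPY .` also copies this Dockerfile into /usr/bin/ (harmless).
      printf '%s\n' \
        'FROM debian:jessie' \
        'COPY . /usr/bin/' \
        > "$dockerfile"

      # DOCKER_BUILD_ARGS is left unquoted so that it splits into separate
      # flags; it comes from the environment and is also subject to globbing.
      # shellcheck disable=SC2086
      docker build --force-rm ${DOCKER_BUILD_ARGS} -qt syscall-test "${tmpdir}" > /dev/null
    )
  else
    # Client and daemon differ: build from the source directory instead, using
    # whatever Dockerfile contrib/syscall-test provides (not visible here).
    # shellcheck disable=SC2086
    docker build ${DOCKER_BUILD_ARGS} -qt syscall-test contrib/syscall-test > /dev/null
  fi
fi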