Revert "Revert "Add docker exec run a command in privileged mode""

This reverts commit 40b71adee3. Original commit (for which this is effectively a rebased version) is 72a500e9e5 and was provided by Lei Jitang <leijitang@huawei.com>. Signed-off-by: Tim Dettrick <t.dettrick@uq.edu.au>
2025-07-30 18:23:29 +03:00 · 2015-06-19 16:01:50 +10:00
parent 650feb29f1
commit 03f65b3d0d
7 changed files with 53 additions and 15 deletions
--- a/integration-cli/docker_cli_exec_test.go
+++ b/integration-cli/docker_cli_exec_test.go
@ -532,6 +532,31 @@ func (s *DockerSuite) TestExecWithUser(c *check.C) {
 	}
 }

+func (s *DockerSuite) TestExecWithPrivileged(c *check.C) {
+
+	runCmd := exec.Command(dockerBinary, "run", "-d", "--name", "parent", "--cap-drop=ALL", "busybox", "top")
+	if out, _, err := runCommandWithOutput(runCmd); err != nil {
+		c.Fatal(out, err)
+	}
+
+	cmd := exec.Command(dockerBinary, "exec", "parent", "sh", "-c", "mknod /tmp/sda b 8 0")
+	out, _, err := runCommandWithOutput(cmd)
+	if err == nil || !strings.Contains(out, "Operation not permitted") {
+		c.Fatalf("exec mknod in --cap-drop=ALL container without --privileged should failed")
+	}
+
+	cmd = exec.Command(dockerBinary, "exec", "--privileged", "parent", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	out, _, err = runCommandWithOutput(cmd)
+	if err != nil {
+		c.Fatal(err, out)
+	}
+
+	if actual := strings.TrimSpace(out); actual != "ok" {
+		c.Fatalf("exec mknod in --cap-drop=ALL container with --privileged failed: %v, output: %q", err, out)
+	}
+
+}
+
 func (s *DockerSuite) TestExecWithImageUser(c *check.C) {
 	name := "testbuilduser"
 	_, err := buildImage(name,