mobi/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2025-12-06 07:41:18 +03:00
Code Activity

Merge pull request #22554 from justincormack/seccap

Browse Source 
Align default seccomp profile with selected capabilities
This commit is contained in:
Sebastiaan van Stijn
2016-05-20 12:58:28 +02:00
parent 55cc1a2aa4 a01c4dc8f8
commit 0e9009bae3
8 changed files with 464 additions and 197 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
integration-cli/docker_cli_run_unix_test.go
View File

@@ -948,10 +948,10 @@ func (s *DockerSuite) TestRunSeccompDefaultProfile(c *check.C) {
testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
var group sync.WaitGroup
group.Add(4)
group.Add(11)
errChan := make(chan error, 4)
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "acct-test")
out, _, err := dockerCmdWithError("run", "syscall-test", "acct-test")
if err == nil || !strings.Contains(out, "Operation not permitted") {
errChan <- fmt.Errorf("expected Operation not permitted, got: %s", out)
}
@@ -959,13 +959,69 @@ func (s *DockerSuite) TestRunSeccompDefaultProfile(c *check.C) {
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "ns-test", "echo", "hello")
out, _, err := dockerCmdWithError("run", "--cap-add", "sys_admin", "syscall-test", "acct-test")
if err == nil || !strings.Contains(out, "Operation not permitted") {
errChan <- fmt.Errorf("expected Operation not permitted, got: %s", out)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "sys_pacct", "syscall-test", "acct-test")
if err == nil || !strings.Contains(out, "No such file or directory") {
errChan <- fmt.Errorf("expected No such file or directory, got: %s", out)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "acct-test")
if err == nil || !strings.Contains(out, "No such file or directory") {
errChan <- fmt.Errorf("expected No such file or directory, got: %s", out)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-drop", "ALL", "--cap-add", "sys_pacct", "syscall-test", "acct-test")
if err == nil || !strings.Contains(out, "No such file or directory") {
errChan <- fmt.Errorf("expected No such file or directory, got: %s", out)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "syscall-test", "ns-test", "echo", "hello0")
if err == nil || !strings.Contains(out, "Operation not permitted") {
errChan <- fmt.Errorf("expected Operation not permitted, got: %s", out)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "sys_admin", "syscall-test", "ns-test", "echo", "hello1")
if err != nil || !strings.Contains(out, "hello1") {
errChan <- fmt.Errorf("expected hello1, got: %s, %v", out, err)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-drop", "all", "--cap-add", "sys_admin", "syscall-test", "ns-test", "echo", "hello2")
if err != nil || !strings.Contains(out, "hello2") {
errChan <- fmt.Errorf("expected hello2, got: %s, %v", out, err)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "ns-test", "echo", "hello3")
if err != nil || !strings.Contains(out, "hello3") {
errChan <- fmt.Errorf("expected hello3, got: %s, %v", out, err)
}
group.Done()
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "acct-test")
if err == nil || !strings.Contains(out, "No such file or directory") {
@@ -975,9 +1031,9 @@ func (s *DockerSuite) TestRunSeccompDefaultProfile(c *check.C) {
}()
go func() {
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "ns-test", "echo", "hello")
if err != nil || !strings.Contains(out, "hello") {
errChan <- fmt.Errorf("expected hello, got: %s, %v", out, err)
out, _, err := dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "ns-test", "echo", "hello4")
if err != nil || !strings.Contains(out, "hello4") {
errChan <- fmt.Errorf("expected hello4, got: %s, %v", out, err)
}
group.Done()
}()