mobi/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2025-12-06 07:41:18 +03:00
Code Activity

Add support for NoNewPrivileges in docker

Browse Source 
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Add tests for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Update documentation for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This commit is contained in:
Mrunal Patel
2016-02-21 21:31:21 -08:00
parent 17156ba98f
commit 74bb1ce9e9
13 changed files with 89 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
integration-cli/docker_cli_run_unix_test.go
View File

@@ -895,6 +895,18 @@ func (s *DockerSuite) TestRunSeccompDefaultProfile(c *check.C) {
}
}
// TestRunNoNewPrivSetuid checks that --security-opt=no-new-privileges prevents
// effective uid transtions on executing setuid binaries.
func (s *DockerSuite) TestRunNoNewPrivSetuid(c *check.C) {
testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
// test that running a setuid binary results in no effective uid transition
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "no-new-privileges", "--user", "1000", "nnp-test", "/usr/bin/nnp-test")
if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "EUID=1000") {
c.Fatalf("expected output to contain EUID=1000, got %s: %v", out, err)
}
}
func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
testRequires(c, SameHostDaemon, Apparmor)