
Add daemon flag to set no_new_priv as default for unprivileged containers.

Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
Daniel Zhang
2017-01-09 09:22:05 +08:00
parent d26cf30a60
commit d7fda019bb
9 changed files with 67 additions and 3 deletions


@@ -1140,12 +1140,25 @@ func (s *DockerSuite) TestRunSeccompDefaultProfileNS(c *check.C) {
}
}
// TestRunNoNewPrivSetuid checks that --security-opt=no-new-privileges prevents
// TestRunNoNewPrivSetuid checks that --security-opt='no-new-privileges=true' prevents
// effective uid transtions on executing setuid binaries.
func (s *DockerSuite) TestRunNoNewPrivSetuid(c *check.C) {
testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
ensureNNPTest(c)
// test that running a setuid binary results in no effective uid transition
icmd.RunCommand(dockerBinary, "run", "--security-opt", "no-new-privileges=true", "--user", "1000",
"nnp-test", "/usr/bin/nnp-test").Assert(c, icmd.Expected{
Out: "EUID=1000",
})
}
// TestLegacyRunNoNewPrivSetuid checks that --security-opt=no-new-privileges prevents
// effective uid transtions on executing setuid binaries.
func (s *DockerSuite) TestLegacyRunNoNewPrivSetuid(c *check.C) {
testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
ensureNNPTest(c)
// test that running a setuid binary results in no effective uid transition
icmd.RunCommand(dockerBinary, "run", "--security-opt", "no-new-privileges", "--user", "1000",
"nnp-test", "/usr/bin/nnp-test").Assert(c, icmd.Expected{