seccomp: remove dependency on oci package

rewrite the tests to use a minimal runtime-spec Spec instead Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-28 14:55:28 +02:00 · 2020-09-28 14:55:28 +02:00 · 56e7bc4b78
commit 56e7bc4b78
parent cca82921a4
2 changed files with 75 additions and 4 deletions
--- a/profiles/seccomp/fixtures/conditional_include.json
+++ b/profiles/seccomp/fixtures/conditional_include.json
@ -0,0 +1,23 @@
+{
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "syscalls": [
+    {
+      "names": ["chmod"],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "names": ["syslog"],
+      "action": "SCMP_ACT_ALLOW",
+      "includes": {
+        "caps": ["CAP_SYSLOG"]
+      }
+    },
+    {
+      "names": ["ptrace"],
+      "action": "SCMP_ACT_ALLOW",
+      "excludes": {
+        "caps": ["CAP_SYS_ADMIN"]
+      }
+    }
+  ]
+}
--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@ -6,7 +6,7 @@ import (
 	"io/ioutil"
 	"testing"

-	"github.com/docker/docker/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
 )

 func TestLoadProfile(t *testing.T) {
@ -14,7 +14,7 @@ func TestLoadProfile(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	rs := oci.DefaultSpec()
+	rs := createSpec()
 	if _, err := LoadProfile(string(f), &rs); err != nil {
 		t.Fatal(err)
 	}
@ -27,7 +27,7 @@ func TestLoadLegacyProfile(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	rs := oci.DefaultSpec()
+	rs := createSpec()
 	if _, err := LoadProfile(string(f), &rs); err != nil {
 		t.Fatal(err)
 	}
@ -38,8 +38,56 @@ func TestLoadDefaultProfile(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	rs := oci.DefaultSpec()
+	rs := createSpec()
 	if _, err := LoadProfile(string(f), &rs); err != nil {
 		t.Fatal(err)
 	}
 }
+
+func TestLoadConditional(t *testing.T) {
+	f, err := ioutil.ReadFile("fixtures/conditional_include.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	tests := []struct {
+		doc      string
+		cap      string
+		expected []string
+	}{
+		{doc: "no caps", expected: []string{"chmod", "ptrace"}},
+		{doc: "with syslog", cap: "CAP_SYSLOG", expected: []string{"chmod", "syslog", "ptrace"}},
+		{doc: "no ptrace", cap: "CAP_SYS_ADMIN", expected: []string{"chmod"}},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			rs := createSpec(tc.cap)
+			p, err := LoadProfile(string(f), &rs)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if len(p.Syscalls) != len(tc.expected) {
+				t.Fatalf("expected %d syscalls in profile, have %d", len(tc.expected), len(p.Syscalls))
+			}
+			for i, v := range p.Syscalls {
+				if v.Names[0] != tc.expected[i] {
+					t.Fatalf("expected %s syscall, have %s", tc.expected[i], v.Names[0])
+				}
+			}
+		})
+	}
+}
+
+// createSpec() creates a minimum spec for testing
+func createSpec(caps ...string) specs.Spec {
+	rs := specs.Spec{
+		Process: &specs.Process{
+			Capabilities: &specs.LinuxCapabilities{},
+		},
+	}
+	if caps != nil {
+		rs.Process.Capabilities.Bounding = append(rs.Process.Capabilities.Bounding, caps...)
+	}
+	return rs
+}