|
@@ -21,6 +21,7 @@ import (
|
|
|
"github.com/docker/docker/pkg/mount"
|
|
|
"github.com/docker/docker/pkg/parsers"
|
|
|
"github.com/docker/docker/pkg/sysinfo"
|
|
|
+ icmd "github.com/docker/docker/pkg/testutil/cmd"
|
|
|
"github.com/go-check/check"
|
|
|
"github.com/kr/pty"
|
|
|
)
|
|
@@ -884,7 +885,6 @@ func (s *DockerSuite) TestRunTmpfsMountsWithOptions(c *check.C) {
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestRunSysctls(c *check.C) {
|
|
|
-
|
|
|
testRequires(c, DaemonIsLinux)
|
|
|
var err error
|
|
|
|
|
@@ -907,11 +907,11 @@ func (s *DockerSuite) TestRunSysctls(c *check.C) {
|
|
|
c.Assert(err, check.IsNil)
|
|
|
c.Assert(sysctls["net.ipv4.ip_forward"], check.Equals, "0")
|
|
|
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--sysctl", "kernel.foobar=1", "--name", "test2", "busybox", "cat", "/proc/sys/kernel/foobar")
|
|
|
- out, _, _ = runCommandWithOutput(runCmd)
|
|
|
- if !strings.Contains(out, "invalid argument") {
|
|
|
- c.Fatalf("expected --sysctl to fail, got %s", out)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--sysctl", "kernel.foobar=1", "--name", "test2",
|
|
|
+ "busybox", "cat", "/proc/sys/kernel/foobar").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "invalid argument",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
|
|
@@ -935,11 +935,12 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
|
|
|
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
|
|
c.Fatal(err)
|
|
|
}
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(), "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
|
|
- out, _, _ := runCommandWithOutput(runCmd)
|
|
|
- if !strings.Contains(out, "Operation not permitted") {
|
|
|
- c.Fatalf("expected unshare with seccomp profile denied to fail, got %s", out)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--security-opt", "apparmor=unconfined",
|
|
|
+ "--security-opt", "seccomp="+tmpFile.Name(),
|
|
|
+ "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp=/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
|
|
@@ -969,11 +970,11 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
|
|
|
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
|
|
c.Fatal(err)
|
|
|
}
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "400", "/etc/hostname")
|
|
|
- out, _, _ := runCommandWithOutput(runCmd)
|
|
|
- if !strings.Contains(out, "Operation not permitted") {
|
|
|
- c.Fatalf("expected chmod with seccomp profile denied to fail, got %s", out)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp="+tmpFile.Name(),
|
|
|
+ "busybox", "chmod", "400", "/etc/hostname").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
|
|
@@ -1006,11 +1007,12 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
|
|
|
if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
|
|
|
c.Fatal(err)
|
|
|
}
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(), "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
|
|
|
- out, _, _ := runCommandWithOutput(runCmd)
|
|
|
- if !strings.Contains(out, "Operation not permitted") {
|
|
|
- c.Fatalf("expected unshare userns with seccomp profile denied to fail, got %s", out)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run",
|
|
|
+ "--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(),
|
|
|
+ "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
|
|
@@ -1019,11 +1021,10 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
|
|
|
testRequires(c, SameHostDaemon, seccompEnabled)
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "userns-test", "id")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- if err == nil || !strings.Contains(out, "clone failed: Operation not permitted") {
|
|
|
- c.Fatalf("expected clone userns with default seccomp profile denied to fail, got %s: %v", out, err)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "syscall-test", "userns-test", "id").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "clone failed: Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompUnconfinedCloneUserns checks that
|
|
@@ -1033,10 +1034,10 @@ func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// make sure running w privileged is ok
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "syscall-test", "userns-test", "id")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "nobody") {
|
|
|
- c.Fatalf("expected clone userns with --security-opt seccomp=unconfined to succeed, got %s: %v", out, err)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined",
|
|
|
+ "syscall-test", "userns-test", "id").Assert(c, icmd.Expected{
|
|
|
+ Out: "nobody",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged syscall-test'
|
|
@@ -1046,10 +1047,9 @@ func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// make sure running w privileged is ok
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--privileged", "syscall-test", "userns-test", "id")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "nobody") {
|
|
|
- c.Fatalf("expected clone userns with --privileged to succeed, got %s: %v", out, err)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--privileged", "syscall-test", "userns-test", "id").Assert(c, icmd.Expected{
|
|
|
+ Out: "nobody",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompProfileAllow32Bit checks that 32 bit code can run on x86_64
|
|
@@ -1058,10 +1058,7 @@ func (s *DockerSuite) TestRunSeccompProfileAllow32Bit(c *check.C) {
|
|
|
testRequires(c, SameHostDaemon, seccompEnabled, IsAmd64)
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "exit32-test", "id")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err != nil {
|
|
|
- c.Fatalf("expected to be able to run 32 bit code, got %s: %v", out, err)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "syscall-test", "exit32-test", "id").Assert(c, icmd.Success)
|
|
|
}
|
|
|
|
|
|
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:jessie ulimit -v 1048510' succeeds.
|
|
@@ -1069,10 +1066,7 @@ func (s *DockerSuite) TestRunSeccompAllowSetrlimit(c *check.C) {
|
|
|
testRequires(c, SameHostDaemon, seccompEnabled)
|
|
|
|
|
|
// ulimit uses setrlimit, so we want to make sure we don't break it
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "debian:jessie", "bash", "-c", "ulimit -v 1048510")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err != nil {
|
|
|
- c.Fatalf("expected ulimit with seccomp to succeed, got %s: %v", out, err)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "debian:jessie", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success)
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestRunSeccompDefaultProfileAcct(c *check.C) {
|
|
@@ -1147,10 +1141,10 @@ func (s *DockerSuite) TestRunNoNewPrivSetuid(c *check.C) {
|
|
|
ensureNNPTest(c)
|
|
|
|
|
|
// test that running a setuid binary results in no effective uid transition
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "no-new-privileges", "--user", "1000", "nnp-test", "/usr/bin/nnp-test")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "EUID=1000") {
|
|
|
- c.Fatalf("expected output to contain EUID=1000, got %s: %v", out, err)
|
|
|
- }
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--security-opt", "no-new-privileges", "--user", "1000",
|
|
|
+ "nnp-test", "/usr/bin/nnp-test").Assert(c, icmd.Expected{
|
|
|
+ Out: "EUID=1000",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChown(c *check.C) {
|
|
@@ -1158,19 +1152,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChown(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_CHOWN
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "busybox", "chown", "100", "/tmp")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "busybox", "chown", "100", "/tmp")
|
|
|
// test that non root user does not have default capability CAP_CHOWN
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "chown", "100", "/tmp")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chown", "100", "/tmp").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_CHOWN
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "chown", "busybox", "chown", "100", "/tmp")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "chown", "busybox", "chown", "100", "/tmp").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesDacOverride(c *check.C) {
|
|
@@ -1178,15 +1170,12 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesDacOverride(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_DAC_OVERRIDE
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo test > /etc/passwd")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "busybox", "sh", "-c", "echo test > /etc/passwd")
|
|
|
// test that non root user does not have default capability CAP_DAC_OVERRIDE
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "sh", "-c", "echo test > /etc/passwd")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Permission denied")
|
|
|
- // TODO test that root user can drop default capability CAP_DAC_OVERRIDE
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "sh", "-c", "echo test > /etc/passwd").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Permission denied",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesFowner(c *check.C) {
|
|
@@ -1194,14 +1183,12 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesFowner(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_FOWNER
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "busybox", "chmod", "777", "/etc/passwd")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "busybox", "chmod", "777", "/etc/passwd")
|
|
|
// test that non root user does not have default capability CAP_FOWNER
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "chmod", "777", "/etc/passwd")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chmod", "777", "/etc/passwd").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// TODO test that root user can drop default capability CAP_FOWNER
|
|
|
}
|
|
|
|
|
@@ -1212,19 +1199,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetuid(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_SETUID
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "setuid-test")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "syscall-test", "setuid-test")
|
|
|
// test that non root user does not have default capability CAP_SETUID
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setuid-test")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setuid-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_SETUID
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "setuid", "syscall-test", "setuid-test")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "setuid", "syscall-test", "setuid-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *check.C) {
|
|
@@ -1232,19 +1217,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_SETGID
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "setgid-test")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "syscall-test", "setgid-test")
|
|
|
// test that non root user does not have default capability CAP_SETGID
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setgid-test")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setgid-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_SETGID
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "setgid", "syscall-test", "setgid-test")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "setgid", "syscall-test", "setgid-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TODO CAP_SETPCAP
|
|
@@ -1254,19 +1237,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *check.C)
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_NET_BIND_SERVICE
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "socket-test")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "syscall-test", "socket-test")
|
|
|
// test that non root user does not have default capability CAP_NET_BIND_SERVICE
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "socket-test")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Permission denied")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "socket-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Permission denied",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_NET_BIND_SERVICE
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "net_bind_service", "syscall-test", "socket-test")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Permission denied")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_bind_service", "syscall-test", "socket-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Permission denied",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetRaw(c *check.C) {
|
|
@@ -1274,19 +1255,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetRaw(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_NET_RAW
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "syscall-test", "raw-test")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "syscall-test", "raw-test")
|
|
|
// test that non root user does not have default capability CAP_NET_RAW
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "raw-test")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "raw-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_NET_RAW
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "net_raw", "syscall-test", "raw-test")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_raw", "syscall-test", "raw-test").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChroot(c *check.C) {
|
|
@@ -1294,19 +1273,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChroot(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_SYS_CHROOT
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "/bin/true")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "busybox", "chroot", "/", "/bin/true")
|
|
|
// test that non root user does not have default capability CAP_SYS_CHROOT
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "chroot", "/", "/bin/true")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chroot", "/", "/bin/true").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_SYS_CHROOT
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "sys_chroot", "busybox", "chroot", "/", "/bin/true")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "sys_chroot", "busybox", "chroot", "/", "/bin/true").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
func (s *DockerSuite) TestUserNoEffectiveCapabilitiesMknod(c *check.C) {
|
|
@@ -1314,19 +1291,18 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesMknod(c *check.C) {
|
|
|
ensureSyscallTest(c)
|
|
|
|
|
|
// test that a root user has default capability CAP_MKNOD
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "busybox", "mknod", "/tmp/node", "b", "1", "2")
|
|
|
- _, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, check.IsNil)
|
|
|
+ dockerCmd("run", "busybox", "mknod", "/tmp/node", "b", "1", "2")
|
|
|
// test that non root user does not have default capability CAP_MKNOD
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "mknod", "/tmp/node", "b", "1", "2")
|
|
|
- out, _, err := runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ // test that root user can drop default capability CAP_SYS_CHROOT
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "mknod", "/tmp/node", "b", "1", "2").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
// test that root user can drop default capability CAP_MKNOD
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "mknod", "busybox", "mknod", "/tmp/node", "b", "1", "2")
|
|
|
- out, _, err = runCommandWithOutput(runCmd)
|
|
|
- c.Assert(err, checker.NotNil, check.Commentf(out))
|
|
|
- c.Assert(out, checker.Contains, "Operation not permitted")
|
|
|
+ icmd.RunCommand(dockerBinary, "run", "--cap-drop", "mknod", "busybox", "mknod", "/tmp/node", "b", "1", "2").Assert(c, icmd.Expected{
|
|
|
+ ExitCode: 1,
|
|
|
+ Err: "Operation not permitted",
|
|
|
+ })
|
|
|
}
|
|
|
|
|
|
// TODO CAP_AUDIT_WRITE
|
|
@@ -1336,14 +1312,16 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
|
|
|
testRequires(c, SameHostDaemon, Apparmor)
|
|
|
|
|
|
// running w seccomp unconfined tests the apparmor profile
|
|
|
- runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/cgroup")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err == nil || !(strings.Contains(out, "Permission denied") || strings.Contains(out, "Operation not permitted")) {
|
|
|
- c.Fatalf("expected chmod 777 /proc/1/cgroup to fail, got %s: %v", out, err)
|
|
|
+ result := icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/cgroup")
|
|
|
+ result.Assert(c, icmd.Expected{ExitCode: 1})
|
|
|
+ if !(strings.Contains(result.Combined(), "Permission denied") || strings.Contains(result.Combined(), "Operation not permitted")) {
|
|
|
+ c.Fatalf("expected chmod 777 /proc/1/cgroup to fail, got %s: %v", result.Combined(), err)
|
|
|
}
|
|
|
|
|
|
- runCmd = exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/attr/current")
|
|
|
- if out, _, err := runCommandWithOutput(runCmd); err == nil || !(strings.Contains(out, "Permission denied") || strings.Contains(out, "Operation not permitted")) {
|
|
|
- c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err)
|
|
|
+ result = icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/attr/current")
|
|
|
+ result.Assert(c, icmd.Expected{ExitCode: 1})
|
|
|
+ if !(strings.Contains(result.Combined(), "Permission denied") || strings.Contains(result.Combined(), "Operation not permitted")) {
|
|
|
+ c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", result.Combined(), err)
|
|
|
}
|
|
|
}
|
|
|
|