
TestUserNoEffectiveCapabilitiesNetBindService: conditionally set net.ipv4.ip_unprivileged_port_start

Prevent the test from failing on environments where this sysctl is not supported.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 5 년 전
부모
커밋
c3acd082c7
1개의 변경된 파일20개의 추가작업 그리고 2개의 파일을 삭제
  1. 20 2
      integration-cli/docker_cli_run_unix_test.go

+ 20 - 2
integration-cli/docker_cli_run_unix_test.go

@@ -1245,6 +1245,14 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *testing.T) {
 
 // TODO CAP_SETPCAP
 
+// sysctlExists checks if a sysctl exists; runc will error if we add any that do not actually
+// exist, so do not add the default ones if running on an old kernel.
+func sysctlExists(s string) bool {
+	f := filepath.Join("/proc", "sys", strings.Replace(s, ".", "/", -1))
+	_, err := os.Stat(f)
+	return err == nil
+}
+
 func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *testing.T) {
 	testRequires(c, DaemonIsLinux, testEnv.IsLocalDaemon)
 	ensureSyscallTest(c)
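Review bot: The doc comment on `sysctlExists` reads as if it was written for daemon-side default handling ("do not add the default ones") and does not say what this test helper checks or on which host. The function stats the path under `/proc/sys` on the machine running the test, which reflects the daemon's kernel only because the caller requires `testEnv.IsLocalDaemon`, and it returns false for any `os.Stat` error, not only a missing entry. I would reword it to `// sysctlExists reports whether sysctl s is present under /proc/sys on the host running the test (assumed to be the daemon host); any stat error counts as absent.`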
@@ -1253,12 +1261,22 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *testing.T
 	dockerCmd(c, "run", "syscall-test", "socket-test")
 	// test that non root user does not have default capability CAP_NET_BIND_SERVICE
 	// as we allow this via sysctl, also tweak the sysctl back to default
-	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024", "syscall-test", "socket-test").Assert(c, icmd.Expected{
+	args := []string{"run", "--user", "1000:1000"}
+	if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
+		args = append(args, "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024")
+	}
+	args = append(args, "syscall-test", "socket-test")
+	icmd.RunCommand(dockerBinary, args...).Assert(c, icmd.Expected{
 		ExitCode: 1,
 		Err:      "Permission denied",
 	})
 	// test that root user can drop default capability CAP_NET_BIND_SERVICE
-	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_bind_service", "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024", "syscall-test", "socket-test").Assert(c, icmd.Expected{
+	args = []string{"run", "--cap-drop", "net_bind_service"}
+	if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
+		args = append(args, "--sysctl", "net.ipv4.ip_unprivileged_port_start=1024")
+	}
+	args = append(args, "syscall-test", "socket-test")
+	icmd.RunCommand(dockerBinary, args...).Assert(c, icmd.Expected{
 		ExitCode: 1,
 		Err:      "Permission denied",
 	})
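Review bot: Both assertions build `args` with the same three-step sequence and call `sysctlExists("net.ipv4.ip_unprivileged_port_start")` twice; evaluating it once before the first run, e.g. `resetPortStart := sysctlExists("net.ipv4.ip_unprivileged_port_start")`, and reusing it in both `if` conditions would keep the two cases visibly parallel. The context comment `also tweak the sysctl back to default` is now true only when the sysctl exists, so it should say so, for example `// where the kernel exposes it, also reset the sysctl to 1024 so the dropped capability is what denies the bind`. A `c.Log` line when the override is skipped would show in the test output which path was exercised. The function starts in the previous hunk and its end is outside this one.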