2021-08-23 13:14:53 +00:00
|
|
|
//go:build linux
|
2018-03-02 12:17:56 +00:00
|
|
|
// +build linux
|
|
|
|
|
|
|
|
package daemon
|
|
|
|
|
|
|
|
import (
|
2022-05-10 19:59:00 +00:00
|
|
|
"context"
|
2018-03-02 12:17:56 +00:00
|
|
|
"testing"
|
|
|
|
|
2021-04-08 13:37:13 +00:00
|
|
|
"github.com/containerd/containerd/pkg/apparmor"
|
2018-03-02 12:17:56 +00:00
|
|
|
containertypes "github.com/docker/docker/api/types/container"
|
|
|
|
"github.com/docker/docker/container"
|
2021-03-13 20:41:32 +00:00
|
|
|
"github.com/docker/docker/daemon/config"
|
2019-08-05 14:37:47 +00:00
|
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
2020-02-07 13:39:24 +00:00
|
|
|
"gotest.tools/v3/assert"
|
2018-03-02 12:17:56 +00:00
|
|
|
)
|
|
|
|
|
2021-03-13 20:41:32 +00:00
|
|
|
func TestExecSetPlatformOptAppArmor(t *testing.T) {
|
|
|
|
appArmorEnabled := apparmor.HostSupports()
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
doc string
|
|
|
|
privileged bool
|
|
|
|
appArmorProfile string
|
|
|
|
expectedProfile string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
doc: "default options",
|
|
|
|
expectedProfile: defaultAppArmorProfile,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
doc: "custom profile",
|
|
|
|
appArmorProfile: "my-custom-profile",
|
|
|
|
expectedProfile: "my-custom-profile",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
doc: "privileged container",
|
|
|
|
privileged: true,
|
|
|
|
expectedProfile: unconfinedAppArmorProfile,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
doc: "privileged container, custom profile",
|
|
|
|
privileged: true,
|
|
|
|
appArmorProfile: "my-custom-profile",
|
|
|
|
expectedProfile: "my-custom-profile",
|
|
|
|
// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
|
|
|
|
// which looks like a bug (--privileged on the container should
|
|
|
|
// disable apparmor, seccomp, and selinux); see the code at:
|
|
|
|
// https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
|
|
|
|
// expectedProfile: unconfinedAppArmorProfile,
|
|
|
|
},
|
2018-03-02 12:17:56 +00:00
|
|
|
}
|
|
|
|
|
2021-03-13 20:41:32 +00:00
|
|
|
d := &Daemon{configStore: &config.Config{}}
|
|
|
|
|
|
|
|
// Currently, `docker exec --privileged` inherits the Privileged configuration
|
|
|
|
// of the container, and does not disable AppArmor.
|
|
|
|
// See https://github.com/moby/moby/pull/31773#discussion_r105586900
|
|
|
|
//
|
|
|
|
// This behavior may change in future, but to verify the current behavior,
|
|
|
|
// we run the test both with "exec" and "exec --privileged", which should
|
|
|
|
// both give the same result.
|
|
|
|
for _, execPrivileged := range []bool{false, true} {
|
|
|
|
for _, tc := range tests {
|
|
|
|
tc := tc
|
|
|
|
doc := tc.doc
|
|
|
|
if !appArmorEnabled {
|
|
|
|
// no profile should be set if the host does not support AppArmor
|
|
|
|
doc += " (apparmor disabled)"
|
|
|
|
tc.expectedProfile = ""
|
|
|
|
}
|
|
|
|
if execPrivileged {
|
|
|
|
doc += " (exec privileged)"
|
|
|
|
}
|
|
|
|
t.Run(doc, func(t *testing.T) {
|
|
|
|
c := &container.Container{
|
|
|
|
AppArmorProfile: tc.appArmorProfile,
|
|
|
|
HostConfig: &containertypes.HostConfig{
|
|
|
|
Privileged: tc.privileged,
|
|
|
|
},
|
|
|
|
}
|
2022-05-10 19:59:00 +00:00
|
|
|
ec := &container.ExecConfig{Container: c, Privileged: execPrivileged}
|
2021-03-13 20:41:32 +00:00
|
|
|
p := &specs.Process{}
|
|
|
|
|
2022-05-10 19:59:00 +00:00
|
|
|
err := d.execSetPlatformOpt(context.Background(), ec, p)
|
2021-03-13 20:41:32 +00:00
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, p.ApparmorProfile, tc.expectedProfile)
|
|
|
|
})
|
|
|
|
}
|
2018-03-02 12:17:56 +00:00
|
|
|
}
|
|
|
|
}
|