TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone
On Ubuntu and Debian there is a sysctl which allows blocking clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0" for unprivileged users that do not have CAP_SYS_ADMIN. See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if "kernel.unprivileged_userns_clone" is set to 0: docker_cli_run_unix_test.go:1040: c.Fatalf("expected clone userns with --security-opt seccomp=unconfined to succeed, got %s: %v", out, err) ... Error: expected clone userns with --security-opt seccomp=unconfined to succeed, got clone failed: Operation not permitted : exit status 1 So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0. Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
This commit is contained in:
parent
3b7ea4d8c3
commit
87e4e3af68
2 changed files with 14 additions and 1 deletions
@ -1032,7 +1032,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
// TestRunSeccompUnconfinedCloneUserns checks that
// TestRunSeccompUnconfinedCloneUserns checks that
// 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
// 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace)
testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace, unprivilegedUsernsClone)
// make sure running w privileged is ok
// make sure running w privileged is ok
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "syscall-test", "userns-test", "id")
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "syscall-test", "userns-test", "id")
@ -3,6 +3,9 @@
package main
package main
import (
import (
"io/ioutil"
"strings"
"github.com/docker/docker/pkg/sysinfo"
"github.com/docker/docker/pkg/sysinfo"
)
)
@ -99,6 +102,16 @@ var (
},
},
"Test requires that bridge-nf-call-ip6tables support be enabled in the daemon.",
"Test requires that bridge-nf-call-ip6tables support be enabled in the daemon.",
}
}
unprivilegedUsernsClone = testRequirement{
func() bool {
content, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
if err == nil && strings.Contains(string(content), "0") {
return false
}
return true
},
"Test cannot be run with 'sysctl kernel.unprivileged_userns_clone' = 0",
}
)
)
func init() {
func init() {
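Review bot: `strings.Contains(string(content), "0")` on the line after the `ioutil.ReadFile` of /proc/sys/kernel/unprivileged_userns_clone tests whether the digit 0 appears anywhere in the file rather than whether the sysctl value is 0, so it would also skip the test for any other value that happens to contain a 0; compare the trimmed value instead, `if err == nil && strings.TrimSpace(string(content)) == "0" {`. The `err == nil` guard means a kernel without this sysctl (the file does not exist) keeps the requirement satisfied and the test runs; that is presumably intended, since the commit message describes the sysctl as Ubuntu/Debian-specific, and a one-line comment such as `// The sysctl only exists on some kernels; when it is absent the test is not skipped.` would make that fallback explicit. The `var (` block that holds this requirement begins before the hunk, and `func init()` continues past it.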