c9e19a2aa1
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does. Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
package daemon // import "github.com/docker/docker/daemon"
import (
"testing"
coci "github.com/containerd/containerd/oci"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
"github.com/docker/docker/oci"
"github.com/docker/docker/pkg/sysinfo"
"github.com/docker/docker/profiles/seccomp"
specs "github.com/opencontainers/runtime-spec/specs-go"
"gotest.tools/v3/assert"
)
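// TestWithSeccomp drives the WithSeccomp spec option through a table of
// daemon/container combinations and checks both the resulting Linux spec and
// the returned error. The rows cover: an explicitly "unconfined" container
// profile; privileged containers, which leave the spec untouched whatever
// profile the container or daemon carries; the precedence of container
// profile over daemon profile over the built-in default when the host
// supports seccomp; and rejection of a custom profile when the host does
// not, which must also leave the spec unchanged.
func TestWithSeccomp(t *testing.T) {
	// expected is one table row: the inputs handed to WithSeccomp and the
	// spec and error the option is expected to produce.
	type expected struct {
		daemon  *Daemon              // daemon under test; sysInfo.Seccomp models host seccomp support
		c       *container.Container // container whose SeccompProfile and HostConfig drive the decision
		inSpec  coci.Spec            // spec passed to the option; mutated in place by it
		outSpec coci.Spec            // spec expected after the option ran
		err     string               // expected error message, "" when no error is expected
		comment string               // subtest name
	}

	// defaultProfileSpec builds the default Linux spec with the built-in
	// default seccomp profile applied. A failure to generate the profile
	// fails the test outright instead of silently comparing against a nil
	// profile, which could otherwise mask a matching failure in WithSeccomp.
	defaultProfileSpec := func() coci.Spec {
		s := oci.DefaultLinuxSpec()
		profile, err := seccomp.GetDefaultProfile(&s)
		assert.NilError(t, err)
		s.Linux.Seccomp = profile
		return s
	}

	// specWithDefaultAction builds the default Linux spec with a minimal
	// seccomp profile consisting only of the given default action; this is
	// what the custom JSON profiles in the table below are expected to load as.
	specWithDefaultAction := func(action string) coci.Spec {
		s := oci.DefaultLinuxSpec()
		s.Linux.Seccomp = &specs.LinuxSeccomp{
			DefaultAction: specs.LinuxSeccompAction(action),
		}
		return s
	}

	for _, x := range []expected{
		{
			comment: "unconfined seccompProfile runs unconfined",
			daemon:  &Daemon{sysInfo: &sysinfo.SysInfo{Seccomp: true}},
			c: &container.Container{
				SeccompProfile: dconfig.SeccompProfileUnconfined,
				HostConfig:     &containertypes.HostConfig{Privileged: false},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			// Privileged overrides any profile set on the container.
			comment: "privileged container w/ custom profile runs unconfined",
			daemon:  &Daemon{sysInfo: &sysinfo.SysInfo{Seccomp: true}},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
				HostConfig:     &containertypes.HostConfig{Privileged: true},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			comment: "privileged container w/ default runs unconfined",
			daemon:  &Daemon{sysInfo: &sysinfo.SysInfo{Seccomp: true}},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig:     &containertypes.HostConfig{Privileged: true},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			// Privileged also overrides a daemon-wide profile.
			comment: "privileged container w/ daemon profile runs unconfined",
			daemon: &Daemon{
				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
			},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig:     &containertypes.HostConfig{Privileged: true},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			// outSpec equals inSpec here: the error path must not touch the spec.
			comment: "custom profile when seccomp is disabled returns error",
			daemon:  &Daemon{sysInfo: &sysinfo.SysInfo{Seccomp: false}},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
				HostConfig:     &containertypes.HostConfig{Privileged: false},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
			err:     "seccomp is not enabled in your kernel, cannot run a custom seccomp profile",
		},
		{
			comment: "empty profile name loads default profile",
			daemon:  &Daemon{sysInfo: &sysinfo.SysInfo{Seccomp: true}},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig:     &containertypes.HostConfig{Privileged: false},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: defaultProfileSpec(),
		},
		{
			comment: "load container's profile",
			daemon:  &Daemon{sysInfo: &sysinfo.SysInfo{Seccomp: true}},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
				HostConfig:     &containertypes.HostConfig{Privileged: false},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: specWithDefaultAction("SCMP_ACT_ERRNO"),
		},
		{
			comment: "load daemon's profile",
			daemon: &Daemon{
				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
			},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig:     &containertypes.HostConfig{Privileged: false},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: specWithDefaultAction("SCMP_ACT_ERRNO"),
		},
		{
			// Container and daemon profiles differ; the container's must win.
			comment: "load prioritise container profile over daemon's",
			daemon: &Daemon{
				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
			},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
				HostConfig:     &containertypes.HostConfig{Privileged: false},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: specWithDefaultAction("SCMP_ACT_LOG"),
		},
	} {
		x := x // per-iteration copy for the subtest closure (pre-Go 1.22 loop semantics)
		t.Run(x.comment, func(t *testing.T) {
			opts := WithSeccomp(x.daemon, x.c)
			err := opts(nil, nil, nil, &x.inSpec)

			// Compare the spec before looking at err so that the error rows
			// also verify the spec was left untouched.
			assert.DeepEqual(t, x.inSpec, x.outSpec)
			if x.err != "" {
				assert.Error(t, err, x.err)
			} else {
				assert.NilError(t, err)
			}
		})
	}
}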