moby/daemon/seccomp_linux_test.go
Tianon Gravi c9e19a2aa1 Remove "seccomp" build tag
Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library.  That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2022-05-12 14:48:35 -07:00

199 lines
5.2 KiB
Go

package daemon // import "github.com/docker/docker/daemon"
import (
"testing"
coci "github.com/containerd/containerd/oci"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
"github.com/docker/docker/oci"
"github.com/docker/docker/pkg/sysinfo"
"github.com/docker/docker/profiles/seccomp"
specs "github.com/opencontainers/runtime-spec/specs-go"
"gotest.tools/v3/assert"
)
func TestWithSeccomp(t *testing.T) {
type expected struct {
daemon *Daemon
c *container.Container
inSpec coci.Spec
outSpec coci.Spec
err string
comment string
}
for _, x := range []expected{
{
comment: "unconfined seccompProfile runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: dconfig.SeccompProfileUnconfined,
HostConfig: &containertypes.HostConfig{
Privileged: false,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: oci.DefaultLinuxSpec(),
},
{
comment: "privileged container w/ custom profile runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
HostConfig: &containertypes.HostConfig{
Privileged: true,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: oci.DefaultLinuxSpec(),
},
{
comment: "privileged container w/ default runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &containertypes.HostConfig{
Privileged: true,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: oci.DefaultLinuxSpec(),
},
{
comment: "privileged container w/ daemon profile runs unconfined",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &containertypes.HostConfig{
Privileged: true,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: oci.DefaultLinuxSpec(),
},
{
comment: "custom profile when seccomp is disabled returns error",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: false},
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
HostConfig: &containertypes.HostConfig{
Privileged: false,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: oci.DefaultLinuxSpec(),
err: "seccomp is not enabled in your kernel, cannot run a custom seccomp profile",
},
{
comment: "empty profile name loads default profile",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &containertypes.HostConfig{
Privileged: false,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := oci.DefaultLinuxSpec()
profile, _ := seccomp.GetDefaultProfile(&s)
s.Linux.Seccomp = profile
return s
}(),
},
{
comment: "load container's profile",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
HostConfig: &containertypes.HostConfig{
Privileged: false,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := oci.DefaultLinuxSpec()
profile := &specs.LinuxSeccomp{
DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
}
s.Linux.Seccomp = profile
return s
}(),
},
{
comment: "load daemon's profile",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
},
c: &container.Container{
SeccompProfile: "",
HostConfig: &containertypes.HostConfig{
Privileged: false,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := oci.DefaultLinuxSpec()
profile := &specs.LinuxSeccomp{
DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
}
s.Linux.Seccomp = profile
return s
}(),
},
{
comment: "load prioritise container profile over daemon's",
daemon: &Daemon{
sysInfo: &sysinfo.SysInfo{Seccomp: true},
seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
},
c: &container.Container{
SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
HostConfig: &containertypes.HostConfig{
Privileged: false,
},
},
inSpec: oci.DefaultLinuxSpec(),
outSpec: func() coci.Spec {
s := oci.DefaultLinuxSpec()
profile := &specs.LinuxSeccomp{
DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_LOG"),
}
s.Linux.Seccomp = profile
return s
}(),
},
} {
x := x
t.Run(x.comment, func(t *testing.T) {
opts := WithSeccomp(x.daemon, x.c)
err := opts(nil, nil, nil, &x.inSpec)
assert.DeepEqual(t, x.inSpec, x.outSpec)
if x.err != "" {
assert.Error(t, err, x.err)
} else {
assert.NilError(t, err)
}
})
}
}