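package daemon // import "github.com/docker/docker/daemon"

import (
	"testing"

	coci "github.com/containerd/containerd/oci"
	containertypes "github.com/docker/docker/api/types/container"
	"github.com/docker/docker/container"
	dconfig "github.com/docker/docker/daemon/config"
	"github.com/docker/docker/oci"
	"github.com/docker/docker/pkg/sysinfo"
	"github.com/docker/docker/profiles/seccomp"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	"gotest.tools/v3/assert"
)

// TestWithSeccomp drives the WithSeccomp spec option through the combinations
// of kernel seccomp support, container privilege and profile source (none,
// container-supplied, daemon-supplied) and checks the seccomp section of the
// resulting spec. Every case compares the spec even when an error is expected,
// so the error path must leave the spec untouched.
func TestWithSeccomp(t *testing.T) {
	type expected struct {
		daemon  *Daemon
		c       *container.Container
		inSpec  coci.Spec // spec handed to the option; mutated in place
		outSpec coci.Spec // spec the option is expected to leave behind
		err     string    // exact error message expected; empty means no error
		comment string    // subtest name
	}

	// withDefaultAction returns the default spec with a seccomp profile whose
	// only setting is the given default action. The table below uses it for the
	// minimal JSON profiles that set nothing but defaultAction.
	withDefaultAction := func(action string) coci.Spec {
		s := oci.DefaultLinuxSpec()
		s.Linux.Seccomp = &specs.LinuxSeccomp{
			DefaultAction: specs.LinuxSeccompAction(action),
		}
		return s
	}

	// withDefaultProfile returns the default spec with the built-in default
	// seccomp profile applied. Failing to build that profile is a test setup
	// problem, so it aborts the test instead of silently producing an
	// expectation with no seccomp section at all.
	withDefaultProfile := func() coci.Spec {
		s := oci.DefaultLinuxSpec()
		profile, err := seccomp.GetDefaultProfile(&s)
		assert.NilError(t, err)
		s.Linux.Seccomp = profile
		return s
	}

	for _, x := range []expected{
		{
			comment: "unconfined seccompProfile runs unconfined",
			daemon: &Daemon{
				sysInfo: &sysinfo.SysInfo{Seccomp: true},
			},
			c: &container.Container{
				SeccompProfile: dconfig.SeccompProfileUnconfined,
				HostConfig: &containertypes.HostConfig{
					Privileged: false,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			comment: "privileged container w/ custom profile runs unconfined",
			daemon: &Daemon{
				sysInfo: &sysinfo.SysInfo{Seccomp: true},
			},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
				HostConfig: &containertypes.HostConfig{
					Privileged: true,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			comment: "privileged container w/ default runs unconfined",
			daemon: &Daemon{
				sysInfo: &sysinfo.SysInfo{Seccomp: true},
			},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig: &containertypes.HostConfig{
					Privileged: true,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			comment: "privileged container w/ daemon profile runs unconfined",
			daemon: &Daemon{
				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
			},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig: &containertypes.HostConfig{
					Privileged: true,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
		},
		{
			comment: "custom profile when seccomp is disabled returns error",
			daemon: &Daemon{
				sysInfo: &sysinfo.SysInfo{Seccomp: false},
			},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
				HostConfig: &containertypes.HostConfig{
					Privileged: false,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: oci.DefaultLinuxSpec(),
			err:     "seccomp is not enabled in your kernel, cannot run a custom seccomp profile",
		},
		{
			comment: "empty profile name loads default profile",
			daemon: &Daemon{
				sysInfo: &sysinfo.SysInfo{Seccomp: true},
			},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig: &containertypes.HostConfig{
					Privileged: false,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: withDefaultProfile(),
		},
		{
			comment: "load container's profile",
			daemon: &Daemon{
				sysInfo: &sysinfo.SysInfo{Seccomp: true},
			},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }",
				HostConfig: &containertypes.HostConfig{
					Privileged: false,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: withDefaultAction("SCMP_ACT_ERRNO"),
		},
		{
			comment: "load daemon's profile",
			daemon: &Daemon{
				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
			},
			c: &container.Container{
				SeccompProfile: "",
				HostConfig: &containertypes.HostConfig{
					Privileged: false,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: withDefaultAction("SCMP_ACT_ERRNO"),
		},
		{
			comment: "load prioritise container profile over daemon's",
			daemon: &Daemon{
				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
				seccompProfile: []byte("{ \"defaultAction\": \"SCMP_ACT_ERRNO\" }"),
			},
			c: &container.Container{
				SeccompProfile: "{ \"defaultAction\": \"SCMP_ACT_LOG\" }",
				HostConfig: &containertypes.HostConfig{
					Privileged: false,
				},
			},
			inSpec:  oci.DefaultLinuxSpec(),
			outSpec: withDefaultAction("SCMP_ACT_LOG"),
		},
	} {
		x := x // per-iteration copy for the subtest closure (pre-Go 1.22 loop semantics)
		t.Run(x.comment, func(t *testing.T) {
			opts := WithSeccomp(x.daemon, x.c)
			err := opts(nil, nil, nil, &x.inSpec)

			// Compared before the error check: a rejected profile must not
			// leave a partially mutated spec behind.
			assert.DeepEqual(t, x.inSpec, x.outSpec)
			if x.err != "" {
				assert.Error(t, err, x.err)
			} else {
				assert.NilError(t, err)
			}
		})
	}
}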