
     1  //go:build linux
     2  // +build linux
     3  
     4  package daemon
     5  
     6  import (
     7  	"testing"
     8  
     9  	"github.com/containerd/containerd/pkg/apparmor"
    10  	containertypes "github.com/docker/docker/api/types/container"
    11  	"github.com/docker/docker/container"
    12  	"github.com/docker/docker/daemon/config"
    13  	"github.com/docker/docker/daemon/exec"
    14  	specs "github.com/opencontainers/runtime-spec/specs-go"
    15  	"gotest.tools/v3/assert"
    16  )
    17  
// TestExecSetPlatformOptAppArmor pins the AppArmor profile that
// execSetPlatformOpt writes into the OCI process spec of an exec, for the
// combinations of a --privileged container and an explicit per-container
// profile that the daemon currently tells apart.
//
// On a host without AppArmor support no profile must be applied at all, so
// every case is run with an empty expected profile in that configuration.
func TestExecSetPlatformOptAppArmor(t *testing.T) {
	hostHasAppArmor := apparmor.HostSupports()

	type testCase struct {
		doc             string // subtest name
		privileged      bool   // container-level HostConfig.Privileged
		appArmorProfile string // profile explicitly set on the container
		expectedProfile string // profile expected on the resulting process spec
	}
	cases := []testCase{
		{
			doc:             "default options",
			expectedProfile: defaultAppArmorProfile,
		},
		{
			doc:             "custom profile",
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
		},
		{
			doc:             "privileged container",
			privileged:      true,
			expectedProfile: unconfinedAppArmorProfile,
		},
		{
			doc:             "privileged container, custom profile",
			privileged:      true,
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
			// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
			//        which looks like a bug (--privileged on the container should
			//        disable apparmor, seccomp, and selinux); see the code at:
			//        https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
			// expectedProfile: unconfinedAppArmorProfile,
		},
	}

	dmn := &Daemon{configStore: &config.Config{}}

	// applyPlatformOpts builds a container and exec config for the case,
	// runs execSetPlatformOpt on a fresh process spec, and returns that spec.
	// A non-nil error ends the subtest before the profile is inspected.
	applyPlatformOpts := func(t *testing.T, tt testCase, execPrivileged bool) *specs.Process {
		ctr := &container.Container{
			AppArmorProfile: tt.appArmorProfile,
			HostConfig: &containertypes.HostConfig{
				Privileged: tt.privileged,
			},
		}
		execCfg := &exec.Config{Privileged: execPrivileged}
		proc := &specs.Process{}

		err := dmn.execSetPlatformOpt(ctr, execCfg, proc)
		assert.NilError(t, err)
		return proc
	}

	// Currently, `docker exec --privileged` inherits the Privileged configuration
	// of the container, and does not disable AppArmor.
	// See https://github.com/moby/moby/pull/31773#discussion_r105586900
	//
	// This behavior may change in future, but to verify the current behavior,
	// every case is run both for "exec" and "exec --privileged"; both runs are
	// expected to produce the same profile.
	for _, execPrivileged := range []bool{false, true} {
		for _, tt := range cases {
			tt := tt
			name := tt.doc
			want := tt.expectedProfile
			if !hostHasAppArmor {
				// no profile should be set if the host does not support AppArmor
				name += " (apparmor disabled)"
				want = ""
			}
			if execPrivileged {
				name += " (exec privileged)"
			}
			t.Run(name, func(t *testing.T) {
				proc := applyPlatformOpts(t, tt, execPrivileged)
				assert.Equal(t, proc.ApparmorProfile, want)
			})
		}
	}
}