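// Copyright (c) 2018 Intel Corporation
//
// SPDX-License-Identifier: Apache-2.0

package docker

import (
	"io/ioutil"
	"os"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// This spec verifies that `--security-opt=no-new-privileges` is honoured by the
// runtime under test: a setuid-root binary executed by an unprivileged user must
// NOT gain an effective uid of 0. The image used for the check is built on the
// fly (export/import of a container in which the setuid bit was added to
// /usr/bin/id), so the test does not depend on a pre-built setuid fixture.
var _ = Describe("docker privileges", func() {
	var (
		args      []string
		id        string // container used to build the setuid image
		secondID  string // container that runs /usr/bin/id under no-new-privileges
		testImage string // name of the imported image carrying the setuid binary
		exitCode  int
	)

	BeforeEach(func() {
		id = randomDockerName()
		secondID = randomDockerName()
		testImage = "testprivileges"
	})

	AfterEach(func() {
		// secondID is started with --rm, so only the builder container and the
		// imported image need explicit cleanup.
		Expect(RemoveDockerContainer(id)).To(BeTrue())
		Expect(ExistDockerContainer(id)).NotTo(BeTrue())
		// Assign rather than redeclare: `:=` here would shadow the outer exitCode.
		_, _, exitCode = dockerRmi(testImage)
		Expect(exitCode).To(Equal(0))
	})

	Context("check no-new-privileges flag", func() {
		It("should display the correct uid", func() {
			// Make /usr/bin/id setuid. The bit must be SET (+s): clearing it (-s)
			// would leave nothing for no-new-privileges to suppress, and the euid
			// assertion below would pass trivially. Run in the foreground (no -d)
			// so the chmod has finished -- and its exit status is checked --
			// before the filesystem is exported; this assumes dockerRun blocks
			// until the container exits, as the foreground run at the end of
			// this spec already relies on.
			args = []string{"--name", id, FedoraImage, "sh", "-c", "chmod +s /usr/bin/id"}
			_, _, exitCode = dockerRun(args...)
			Expect(exitCode).To(Equal(0))

			// Only the path is needed: docker export writes the tarball itself.
			// Close the handle right away (it was leaked before) and schedule
			// removal now, so the temp file is cleaned up even if an Expect
			// further down fails.
			file, err := ioutil.TempFile(os.TempDir(), "latest-*.tar")
			Expect(err).ToNot(HaveOccurred())
			Expect(file.Close()).To(Succeed())
			defer os.Remove(file.Name())

			_, _, exitCode = dockerExport("--output", file.Name(), id)
			Expect(exitCode).To(Equal(0))
			Expect(file.Name()).To(BeAnExistingFile())

			// NOTE(review): this relies on docker export/import preserving the
			// setuid mode bit on /usr/bin/id -- confirm on the runtime under test.
			_, _, exitCode = dockerImport(file.Name(), testImage)
			Expect(exitCode).To(Equal(0))

			// Run id as an unprivileged user with no-new-privileges: the setuid
			// bit must be ignored on exec, so the effective uid stays 1000 and
			// id prints no "euid=0(root)" field.
			args = []string{"--rm", "--name", secondID, "--user", "1000", "--security-opt=no-new-privileges", testImage, "/usr/bin/id"}
			var stdout string
			stdout, _, exitCode = dockerRun(args...)
			Expect(exitCode).To(Equal(0))
			Expect(stdout).NotTo(ContainSubstring("euid=0(root)"))
			Expect(stdout).To(ContainSubstring("uid=1000"))
		})
	})
})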