github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/daemon/exec_linux_test.go (about) 1 // +build linux 2 3 package daemon 4 5 import ( 6 "testing" 7 8 containertypes "github.com/docker/docker/api/types/container" 9 "github.com/docker/docker/container" 10 "github.com/docker/docker/daemon/exec" 11 "github.com/opencontainers/runc/libcontainer/apparmor" 12 specs "github.com/opencontainers/runtime-spec/specs-go" 13 "gotest.tools/v3/assert" 14 ) 15 16 func TestExecSetPlatformOpt(t *testing.T) { 17 if !apparmor.IsEnabled() { 18 t.Skip("requires AppArmor to be enabled") 19 } 20 d := &Daemon{} 21 c := &container.Container{AppArmorProfile: "my-custom-profile"} 22 ec := &exec.Config{} 23 p := &specs.Process{} 24 25 err := d.execSetPlatformOpt(c, ec, p) 26 assert.NilError(t, err) 27 assert.Equal(t, "my-custom-profile", p.ApparmorProfile) 28 } 29 30 // TestExecSetPlatformOptPrivileged verifies that `docker exec --privileged` 31 // does not disable AppArmor profiles. Exec currently inherits the `Privileged` 32 // configuration of the container. See https://github.com/moby/moby/pull/31773#discussion_r105586900 33 // 34 // This behavior may change in future, but test for the behavior to prevent it 35 // from being changed accidentally. 36 func TestExecSetPlatformOptPrivileged(t *testing.T) { 37 if !apparmor.IsEnabled() { 38 t.Skip("requires AppArmor to be enabled") 39 } 40 d := &Daemon{} 41 c := &container.Container{AppArmorProfile: "my-custom-profile"} 42 ec := &exec.Config{Privileged: true} 43 p := &specs.Process{} 44 45 err := d.execSetPlatformOpt(c, ec, p) 46 assert.NilError(t, err) 47 assert.Equal(t, "my-custom-profile", p.ApparmorProfile) 48 49 c.HostConfig = &containertypes.HostConfig{Privileged: true} 50 err = d.execSetPlatformOpt(c, ec, p) 51 assert.NilError(t, err) 52 assert.Equal(t, unconfinedAppArmorProfile, p.ApparmorProfile) 53 }