
     1  //go:build linux
     2  
     3  package daemon
     4  
     5  import (
     6  	"context"
     7  	"testing"
     8  
     9  	"github.com/containerd/containerd/pkg/apparmor"
    10  	containertypes "github.com/docker/docker/api/types/container"
    11  	"github.com/docker/docker/container"
    12  	specs "github.com/opencontainers/runtime-spec/specs-go"
    13  	"gotest.tools/v3/assert"
    14  )
    15  
// TestExecSetPlatformOptAppArmor checks which AppArmor profile
// execSetPlatformOpt assigns to the process spec of a `docker exec`,
// depending on the container's own AppArmor profile and its Privileged
// setting.
//
// Security-relevant points pinned by this test:
//
//   - The profile is derived from the *container* (SecurityOptions.AppArmorProfile
//     and HostConfig.Privileged). The exec's own Privileged flag does not change
//     the outcome, so every case is run twice, with and without
//     `exec --privileged`, and must yield the same profile.
//   - An explicitly configured container profile takes precedence over the
//     "privileged → unconfined" rule (see the FIXME in the table).
//   - On a host without AppArmor support no profile is set at all, including one
//     the container explicitly asked for; the expectations are rewritten to ""
//     in that case, so this test exercises different behaviour depending on the
//     host it runs on.
func TestExecSetPlatformOptAppArmor(t *testing.T) {
	hostHasAppArmor := apparmor.HostSupports()

	type testCase struct {
		doc             string
		privileged      bool   // container's HostConfig.Privileged
		appArmorProfile string // container's SecurityOptions.AppArmorProfile
		expectedProfile string // profile expected on the exec'd process
	}

	cases := []testCase{
		{
			doc:             "default options",
			expectedProfile: defaultAppArmorProfile,
		},
		{
			doc:             "custom profile",
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
		},
		{
			doc:             "privileged container",
			privileged:      true,
			expectedProfile: unconfinedAppArmorProfile,
		},
		{
			doc:             "privileged container, custom profile",
			privileged:      true,
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
			// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
			//        which looks like a bug (--privileged on the container should
			//        disable apparmor, seccomp, and selinux); see the code at:
			//        https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
			// expectedProfile: unconfinedAppArmorProfile,
		},
	}

	cfg := &configStore{}
	d := &Daemon{}
	d.configStore.Store(cfg)

	// runCase builds a container with the case's security settings, applies
	// execSetPlatformOpt to a fresh process spec and checks the resulting
	// AppArmor profile.
	runCase := func(t *testing.T, tc testCase, execPrivileged bool) {
		ctr := &container.Container{
			SecurityOptions: container.SecurityOptions{AppArmorProfile: tc.appArmorProfile},
			HostConfig: &containertypes.HostConfig{
				Privileged: tc.privileged,
			},
		}
		ec := &container.ExecConfig{Container: ctr, Privileged: execPrivileged}
		proc := &specs.Process{}

		err := d.execSetPlatformOpt(context.Background(), &cfg.Config, ec, proc)
		assert.NilError(t, err)
		assert.Equal(t, proc.ApparmorProfile, tc.expectedProfile)
	}

	// Currently, `docker exec --privileged` inherits the Privileged configuration
	// of the container, and does not disable AppArmor.
	// See https://github.com/moby/moby/pull/31773#discussion_r105586900
	//
	// This behavior may change in future, but to verify the current behavior,
	// we run the test both with "exec" and "exec --privileged", which should
	// both give the same result.
	for _, execPrivileged := range []bool{false, true} {
		execPrivileged := execPrivileged
		for _, tc := range cases {
			tc := tc
			name := tc.doc
			if !hostHasAppArmor {
				// Without host support no profile must be applied, whatever
				// the container asked for.
				name += " (apparmor disabled)"
				tc.expectedProfile = ""
			}
			if execPrivileged {
				name += " (exec privileged)"
			}
			t.Run(name, func(t *testing.T) {
				runCase(t, tc, execPrivileged)
			})
		}
	}
}