//go:build linux

package daemon

import (
	"context"
	"testing"

	"github.com/containerd/containerd/pkg/apparmor"
	containertypes "github.com/docker/docker/api/types/container"
	"github.com/docker/docker/container"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	"gotest.tools/v3/assert"
)

// TestExecSetPlatformOptAppArmor checks which AppArmor profile
// execSetPlatformOpt writes into the exec's OCI process spec, given the
// container's configured profile and its Privileged setting.
//
// Every case is run twice, once as a plain "exec" and once as
// "exec --privileged": the exec-level privileged flag is currently expected
// not to change the resulting profile (see the comment above the loop).
// On a host without AppArmor support the expected profile is forced to ""
// for every case, including the ones that configure a custom profile.
func TestExecSetPlatformOptAppArmor(t *testing.T) {
	hostHasAppArmor := apparmor.HostSupports()

	type testCase struct {
		doc             string
		privileged      bool
		appArmorProfile string
		expectedProfile string
	}

	cases := []testCase{
		{
			doc:             "default options",
			expectedProfile: defaultAppArmorProfile,
		},
		{
			doc:             "custom profile",
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
		},
		{
			doc:             "privileged container",
			privileged:      true,
			expectedProfile: unconfinedAppArmorProfile,
		},
		{
			doc:             "privileged container, custom profile",
			privileged:      true,
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
			// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
			// which looks like a bug (--privileged on the container should
			// disable apparmor, seccomp, and selinux); see the code at:
			// https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
			// expectedProfile: unconfinedAppArmorProfile,
		},
	}

	cfg := &configStore{}
	d := &Daemon{}
	d.configStore.Store(cfg)

	// subtestName decorates the case description with the host/exec
	// conditions so failures can be told apart in the test output.
	subtestName := func(doc string, execPrivileged bool) string {
		if !hostHasAppArmor {
			doc += " (apparmor disabled)"
		}
		if execPrivileged {
			doc += " (exec privileged)"
		}
		return doc
	}

	// Currently, `docker exec --privileged` inherits the Privileged configuration
	// of the container, and does not disable AppArmor.
	// See https://github.com/moby/moby/pull/31773#discussion_r105586900
	//
	// This behavior may change in future, but to verify the current behavior,
	// we run the test both with "exec" and "exec --privileged", which should
	// both give the same result.
	for _, execPrivileged := range []bool{false, true} {
		for _, tt := range cases {
			tt := tt
			if !hostHasAppArmor {
				// no profile should be set if the host does not support AppArmor
				tt.expectedProfile = ""
			}
			t.Run(subtestName(tt.doc, execPrivileged), func(t *testing.T) {
				ctr := &container.Container{
					SecurityOptions: container.SecurityOptions{AppArmorProfile: tt.appArmorProfile},
					HostConfig: &containertypes.HostConfig{
						Privileged: tt.privileged,
					},
				}
				execCfg := &container.ExecConfig{Container: ctr, Privileged: execPrivileged}
				proc := &specs.Process{}

				err := d.execSetPlatformOpt(context.Background(), &cfg.Config, execCfg, proc)
				assert.NilError(t, err)
				assert.Equal(t, proc.ApparmorProfile, tt.expectedProfile)
			})
		}
	}
}