daemon/seccomp_linux_test.go - third_party/github.com/moby/moby - Git at Google

 package daemon // import "github.com/docker/docker/daemon"

 import (
 	"testing"

 	coci "github.com/containerd/containerd/oci"
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
 	dconfig "github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/oci"
 	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/docker/docker/profiles/seccomp"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"gotest.tools/v3/assert"
 )

 func TestWithSeccomp(t *testing.T) {
 	type expected struct {
 		daemon  *Daemon
 		c       *container.Container
 		inSpec  coci.Spec
 		outSpec coci.Spec
 		err     string
 		comment string
 	}

 	for _, x := range []expected{
 		{
 			comment: "unconfined seccompProfile runs unconfined",
 			daemon: &Daemon{
 				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: dconfig.SeccompProfileUnconfined},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: false,
 				},
 			},
 			inSpec:  oci.DefaultLinuxSpec(),
 			outSpec: oci.DefaultLinuxSpec(),
 		},
 		{
 			comment: "privileged container w/ custom profile runs unconfined",
 			daemon: &Daemon{
 				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_LOG"}`},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: true,
 				},
 			},
 			inSpec:  oci.DefaultLinuxSpec(),
 			outSpec: oci.DefaultLinuxSpec(),
 		},
 		{
 			comment: "privileged container w/ default runs unconfined",
 			daemon: &Daemon{
 				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: true,
 				},
 			},
 			inSpec:  oci.DefaultLinuxSpec(),
 			outSpec: oci.DefaultLinuxSpec(),
 		},
 		{
 			comment: "privileged container w/ daemon profile runs unconfined",
 			daemon: &Daemon{
 				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
 				seccompProfile: []byte(`{"defaultAction": "SCMP_ACT_ERRNO"}`),
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: true,
 				},
 			},
 			inSpec:  oci.DefaultLinuxSpec(),
 			outSpec: oci.DefaultLinuxSpec(),
 		},
 		{
 			comment: "custom profile when seccomp is disabled returns error",
 			daemon: &Daemon{
 				sysInfo: &sysinfo.SysInfo{Seccomp: false},
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_ERRNO"}`},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: false,
 				},
 			},
 			inSpec:  oci.DefaultLinuxSpec(),
 			outSpec: oci.DefaultLinuxSpec(),
 			err:     "seccomp is not enabled in your kernel, cannot run a custom seccomp profile",
 		},
 		{
 			comment: "empty profile name loads default profile",
 			daemon: &Daemon{
 				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: false,
 				},
 			},
 			inSpec: oci.DefaultLinuxSpec(),
 			outSpec: func() coci.Spec {
 				s := oci.DefaultLinuxSpec()
 				profile, _ := seccomp.GetDefaultProfile(&s)
 				s.Linux.Seccomp = profile
 				return s
 			}(),
 		},
 		{
 			comment: "load container's profile",
 			daemon: &Daemon{
 				sysInfo: &sysinfo.SysInfo{Seccomp: true},
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_ERRNO"}`},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: false,
 				},
 			},
 			inSpec: oci.DefaultLinuxSpec(),
 			outSpec: func() coci.Spec {
 				s := oci.DefaultLinuxSpec()
 				profile := &specs.LinuxSeccomp{
 					DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
 				}
 				s.Linux.Seccomp = profile
 				return s
 			}(),
 		},
 		{
 			comment: "load daemon's profile",
 			daemon: &Daemon{
 				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
 				seccompProfile: []byte(`{"defaultAction": "SCMP_ACT_ERRNO"}`),
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: false,
 				},
 			},
 			inSpec: oci.DefaultLinuxSpec(),
 			outSpec: func() coci.Spec {
 				s := oci.DefaultLinuxSpec()
 				profile := &specs.LinuxSeccomp{
 					DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
 				}
 				s.Linux.Seccomp = profile
 				return s
 			}(),
 		},
 		{
 			comment: "load prioritise container profile over daemon's",
 			daemon: &Daemon{
 				sysInfo:        &sysinfo.SysInfo{Seccomp: true},
 				seccompProfile: []byte(`{"defaultAction": "SCMP_ACT_ERRNO"}`),
 			},
 			c: &container.Container{
 				SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_LOG"}`},
 				HostConfig: &containertypes.HostConfig{
 					Privileged: false,
 				},
 			},
 			inSpec: oci.DefaultLinuxSpec(),
 			outSpec: func() coci.Spec {
 				s := oci.DefaultLinuxSpec()
 				profile := &specs.LinuxSeccomp{
 					DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_LOG"),
 				}
 				s.Linux.Seccomp = profile
 				return s
 			}(),
 		},
 	} {
 		x := x
 		t.Run(x.comment, func(t *testing.T) {
 			opts := WithSeccomp(x.daemon, x.c)
 			err := opts(nil, nil, nil, &x.inSpec)

 			assert.DeepEqual(t, x.inSpec, x.outSpec)
 			if x.err != "" {
 				assert.Error(t, err, x.err)
 			} else {
 				assert.NilError(t, err)
 			}
 		})
 	}
 }
	package daemon // import "github.com/docker/docker/daemon"

	import (
	"testing"

	coci "github.com/containerd/containerd/oci"
	containertypes "github.com/docker/docker/api/types/container"
	"github.com/docker/docker/container"
	dconfig "github.com/docker/docker/daemon/config"
	"github.com/docker/docker/oci"
	"github.com/docker/docker/pkg/sysinfo"
	"github.com/docker/docker/profiles/seccomp"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	"gotest.tools/v3/assert"
	)

	func TestWithSeccomp(t *testing.T) {
	type expected struct {
	daemon *Daemon
	c *container.Container
	inSpec coci.Spec
	outSpec coci.Spec
	err string
	comment string
	}

	for _, x := range []expected{
	{
	comment: "unconfined seccompProfile runs unconfined",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: dconfig.SeccompProfileUnconfined},
	HostConfig: &containertypes.HostConfig{
	Privileged: false,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: oci.DefaultLinuxSpec(),
	},
	{
	comment: "privileged container w/ custom profile runs unconfined",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_LOG"}`},
	HostConfig: &containertypes.HostConfig{
	Privileged: true,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: oci.DefaultLinuxSpec(),
	},
	{
	comment: "privileged container w/ default runs unconfined",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
	HostConfig: &containertypes.HostConfig{
	Privileged: true,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: oci.DefaultLinuxSpec(),
	},
	{
	comment: "privileged container w/ daemon profile runs unconfined",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	seccompProfile: []byte(`{"defaultAction": "SCMP_ACT_ERRNO"}`),
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
	HostConfig: &containertypes.HostConfig{
	Privileged: true,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: oci.DefaultLinuxSpec(),
	},
	{
	comment: "custom profile when seccomp is disabled returns error",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: false},
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_ERRNO"}`},
	HostConfig: &containertypes.HostConfig{
	Privileged: false,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: oci.DefaultLinuxSpec(),
	err: "seccomp is not enabled in your kernel, cannot run a custom seccomp profile",
	},
	{
	comment: "empty profile name loads default profile",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
	HostConfig: &containertypes.HostConfig{
	Privileged: false,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: func() coci.Spec {
	s := oci.DefaultLinuxSpec()
	profile, _ := seccomp.GetDefaultProfile(&s)
	s.Linux.Seccomp = profile
	return s
	}(),
	},
	{
	comment: "load container's profile",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_ERRNO"}`},
	HostConfig: &containertypes.HostConfig{
	Privileged: false,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: func() coci.Spec {
	s := oci.DefaultLinuxSpec()
	profile := &specs.LinuxSeccomp{
	DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
	}
	s.Linux.Seccomp = profile
	return s
	}(),
	},
	{
	comment: "load daemon's profile",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	seccompProfile: []byte(`{"defaultAction": "SCMP_ACT_ERRNO"}`),
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: ""},
	HostConfig: &containertypes.HostConfig{
	Privileged: false,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: func() coci.Spec {
	s := oci.DefaultLinuxSpec()
	profile := &specs.LinuxSeccomp{
	DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_ERRNO"),
	}
	s.Linux.Seccomp = profile
	return s
	}(),
	},
	{
	comment: "load prioritise container profile over daemon's",
	daemon: &Daemon{
	sysInfo: &sysinfo.SysInfo{Seccomp: true},
	seccompProfile: []byte(`{"defaultAction": "SCMP_ACT_ERRNO"}`),
	},
	c: &container.Container{
	SecurityOptions: container.SecurityOptions{SeccompProfile: `{"defaultAction": "SCMP_ACT_LOG"}`},
	HostConfig: &containertypes.HostConfig{
	Privileged: false,
	},
	},
	inSpec: oci.DefaultLinuxSpec(),
	outSpec: func() coci.Spec {
	s := oci.DefaultLinuxSpec()
	profile := &specs.LinuxSeccomp{
	DefaultAction: specs.LinuxSeccompAction("SCMP_ACT_LOG"),
	}
	s.Linux.Seccomp = profile
	return s
	}(),
	},
	} {
	x := x
	t.Run(x.comment, func(t *testing.T) {
	opts := WithSeccomp(x.daemon, x.c)
	err := opts(nil, nil, nil, &x.inSpec)

	assert.DeepEqual(t, x.inSpec, x.outSpec)
	if x.err != "" {
	assert.Error(t, err, x.err)
	} else {
	assert.NilError(t, err)
	}
	})
	}
	}