1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
//go:build linux
// +build linux
package daemon
import (
"context"
"testing"
"github.com/containerd/containerd/pkg/apparmor"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/config"
specs "github.com/opencontainers/runtime-spec/specs-go"
"gotest.tools/v3/assert"
)
func TestExecSetPlatformOptAppArmor(t *testing.T) {
appArmorEnabled := apparmor.HostSupports()
tests := []struct {
doc string
privileged bool
appArmorProfile string
expectedProfile string
}{
{
doc: "default options",
expectedProfile: defaultAppArmorProfile,
},
{
doc: "custom profile",
appArmorProfile: "my-custom-profile",
expectedProfile: "my-custom-profile",
},
{
doc: "privileged container",
privileged: true,
expectedProfile: unconfinedAppArmorProfile,
},
{
doc: "privileged container, custom profile",
privileged: true,
appArmorProfile: "my-custom-profile",
expectedProfile: "my-custom-profile",
// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
// which looks like a bug (--privileged on the container should
// disable apparmor, seccomp, and selinux); see the code at:
// https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
// expectedProfile: unconfinedAppArmorProfile,
},
}
d := &Daemon{configStore: &config.Config{}}
// Currently, `docker exec --privileged` inherits the Privileged configuration
// of the container, and does not disable AppArmor.
// See https://github.com/moby/moby/pull/31773#discussion_r105586900
//
// This behavior may change in future, but to verify the current behavior,
// we run the test both with "exec" and "exec --privileged", which should
// both give the same result.
for _, execPrivileged := range []bool{false, true} {
for _, tc := range tests {
tc := tc
doc := tc.doc
if !appArmorEnabled {
// no profile should be set if the host does not support AppArmor
doc += " (apparmor disabled)"
tc.expectedProfile = ""
}
if execPrivileged {
doc += " (exec privileged)"
}
t.Run(doc, func(t *testing.T) {
c := &container.Container{
SecurityOptions: container.SecurityOptions{AppArmorProfile: tc.appArmorProfile},
HostConfig: &containertypes.HostConfig{
Privileged: tc.privileged,
},
}
ec := &container.ExecConfig{Container: c, Privileged: execPrivileged}
p := &specs.Process{}
err := d.execSetPlatformOpt(context.Background(), ec, p)
assert.NilError(t, err)
assert.Equal(t, p.ApparmorProfile, tc.expectedProfile)
})
}
}
}
|
