Browse code
seccomp: remove dependency on oci package
rewrite the tests to use a minimal runtime-spec Spec instead
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2020/09/28 21:55:28Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,23 @@ |
| 0 |
+{
|
|
| 1 |
+ "defaultAction": "SCMP_ACT_ERRNO", |
|
| 2 |
+ "syscalls": [ |
|
| 3 |
+ {
|
|
| 4 |
+ "names": ["chmod"], |
|
| 5 |
+ "action": "SCMP_ACT_ALLOW" |
|
| 6 |
+ }, |
|
| 7 |
+ {
|
|
| 8 |
+ "names": ["syslog"], |
|
| 9 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 10 |
+ "includes": {
|
|
| 11 |
+ "caps": ["CAP_SYSLOG"] |
|
| 12 |
+ } |
|
| 13 |
+ }, |
|
| 14 |
+ {
|
|
| 15 |
+ "names": ["ptrace"], |
|
| 16 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 17 |
+ "excludes": {
|
|
| 18 |
+ "caps": ["CAP_SYS_ADMIN"] |
|
| 19 |
+ } |
|
| 20 |
+ } |
|
| 21 |
+ ] |
|
| 22 |
+} |
| ... | ... |
@@ -6,7 +6,7 @@ import ( |
| 6 | 6 |
"io/ioutil" |
| 7 | 7 |
"testing" |
| 8 | 8 |
|
| 9 |
- "github.com/docker/docker/oci" |
|
| 9 |
+ "github.com/opencontainers/runtime-spec/specs-go" |
|
| 10 | 10 |
) |
| 11 | 11 |
|
| 12 | 12 |
func TestLoadProfile(t *testing.T) {
|
| ... | ... |
@@ -14,7 +14,7 @@ func TestLoadProfile(t *testing.T) {
|
| 14 | 14 |
if err != nil {
|
| 15 | 15 |
t.Fatal(err) |
| 16 | 16 |
} |
| 17 |
- rs := oci.DefaultSpec() |
|
| 17 |
+ rs := createSpec() |
|
| 18 | 18 |
if _, err := LoadProfile(string(f), &rs); err != nil {
|
| 19 | 19 |
t.Fatal(err) |
| 20 | 20 |
} |
| ... | ... |
@@ -27,7 +27,7 @@ func TestLoadLegacyProfile(t *testing.T) {
|
| 27 | 27 |
if err != nil {
|
| 28 | 28 |
t.Fatal(err) |
| 29 | 29 |
} |
| 30 |
- rs := oci.DefaultSpec() |
|
| 30 |
+ rs := createSpec() |
|
| 31 | 31 |
if _, err := LoadProfile(string(f), &rs); err != nil {
|
| 32 | 32 |
t.Fatal(err) |
| 33 | 33 |
} |
| ... | ... |
@@ -38,8 +38,56 @@ func TestLoadDefaultProfile(t *testing.T) {
|
| 38 | 38 |
if err != nil {
|
| 39 | 39 |
t.Fatal(err) |
| 40 | 40 |
} |
| 41 |
- rs := oci.DefaultSpec() |
|
| 41 |
+ rs := createSpec() |
|
| 42 | 42 |
if _, err := LoadProfile(string(f), &rs); err != nil {
|
| 43 | 43 |
t.Fatal(err) |
| 44 | 44 |
} |
| 45 | 45 |
} |
| 46 |
+ |
|
| 47 |
+func TestLoadConditional(t *testing.T) {
|
|
| 48 |
+ f, err := ioutil.ReadFile("fixtures/conditional_include.json")
|
|
| 49 |
+ if err != nil {
|
|
| 50 |
+ t.Fatal(err) |
|
| 51 |
+ } |
|
| 52 |
+ tests := []struct {
|
|
| 53 |
+ doc string |
|
| 54 |
+ cap string |
|
| 55 |
+ expected []string |
|
| 56 |
+ }{
|
|
| 57 |
+ {doc: "no caps", expected: []string{"chmod", "ptrace"}},
|
|
| 58 |
+ {doc: "with syslog", cap: "CAP_SYSLOG", expected: []string{"chmod", "syslog", "ptrace"}},
|
|
| 59 |
+ {doc: "no ptrace", cap: "CAP_SYS_ADMIN", expected: []string{"chmod"}},
|
|
| 60 |
+ } |
|
| 61 |
+ |
|
| 62 |
+ for _, tc := range tests {
|
|
| 63 |
+ tc := tc |
|
| 64 |
+ t.Run(tc.doc, func(t *testing.T) {
|
|
| 65 |
+ rs := createSpec(tc.cap) |
|
| 66 |
+ p, err := LoadProfile(string(f), &rs) |
|
| 67 |
+ if err != nil {
|
|
| 68 |
+ t.Fatal(err) |
|
| 69 |
+ } |
|
| 70 |
+ if len(p.Syscalls) != len(tc.expected) {
|
|
| 71 |
+ t.Fatalf("expected %d syscalls in profile, have %d", len(tc.expected), len(p.Syscalls))
|
|
| 72 |
+ } |
|
| 73 |
+ for i, v := range p.Syscalls {
|
|
| 74 |
+ if v.Names[0] != tc.expected[i] {
|
|
| 75 |
+ t.Fatalf("expected %s syscall, have %s", tc.expected[i], v.Names[0])
|
|
| 76 |
+ } |
|
| 77 |
+ } |
|
| 78 |
+ }) |
|
| 79 |
+ } |
|
| 80 |
+} |
|
| 81 |
+ |
|
| 82 |
+// createSpec() creates a minimum spec for testing |
|
| 83 |
+func createSpec(caps ...string) specs.Spec {
|
|
| 84 |
+ rs := specs.Spec{
|
|
| 85 |
+ Process: &specs.Process{
|
|
| 86 |
+ Capabilities: &specs.LinuxCapabilities{},
|
|
| 87 |
+ }, |
|
| 88 |
+ } |
|
| 89 |
+ if caps != nil {
|
|
| 90 |
+ rs.Process.Capabilities.Bounding = append(rs.Process.Capabilities.Bounding, caps...) |
|
| 91 |
+ } |
|
| 92 |
+ return rs |
|
| 93 |
+} |