Browse code
Add a test that the default seccomp profile allows execution of 32 bit binaries
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.
This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.
There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack authored on 2016/07/28 02:42:34Showing 5 changed files
- contrib/syscall-test/Dockerfile
- contrib/syscall-test/exit32.s
- hack/make/.ensure-syscall-test
- integration-cli/docker_cli_run_unix_test.go
- integration-cli/requirements.go
| ... | ... |
@@ -7,3 +7,5 @@ WORKDIR /usr/src/ |
| 7 | 7 |
RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \ |
| 8 | 8 |
&& gcc -g -Wall -static ns.c -o /usr/bin/ns-test \ |
| 9 | 9 |
&& gcc -g -Wall -static acct.c -o /usr/bin/acct-test |
| 10 |
+ |
|
| 11 |
+RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true |
| ... | ... |
@@ -9,6 +9,9 @@ if [ "$DOCKER_ENGINE_GOOS" = "linux" ]; then |
| 9 | 9 |
gcc -g -Wall -static contrib/syscall-test/userns.c -o "${tmpdir}/userns-test"
|
| 10 | 10 |
gcc -g -Wall -static contrib/syscall-test/ns.c -o "${tmpdir}/ns-test"
|
| 11 | 11 |
gcc -g -Wall -static contrib/syscall-test/acct.c -o "${tmpdir}/acct-test"
|
| 12 |
+ if [ "$DOCKER_ENGINE_OSARCH" = "linux/amd64" ]; then |
|
| 13 |
+ gcc -s -m32 -nostdlib contrib/syscall-test/exit32.s -o "${tmpdir}/exit32-test"
|
|
| 14 |
+ fi |
|
| 12 | 15 |
|
| 13 | 16 |
dockerfile="${tmpdir}/Dockerfile"
|
| 14 | 17 |
cat <<-EOF > "$dockerfile" |
| ... | ... |
@@ -1053,6 +1053,17 @@ func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
|
| 1053 | 1053 |
} |
| 1054 | 1054 |
} |
| 1055 | 1055 |
|
| 1056 |
+// TestRunSeccompProfileAllow32Bit checks that 32 bit code can run on x86_64 |
|
| 1057 |
+// with the default seccomp profile. |
|
| 1058 |
+func (s *DockerSuite) TestRunSeccompProfileAllow32Bit(c *check.C) {
|
|
| 1059 |
+ testRequires(c, SameHostDaemon, seccompEnabled, IsAmd64) |
|
| 1060 |
+ |
|
| 1061 |
+ runCmd := exec.Command(dockerBinary, "run", "syscall-test", "exit32-test", "id") |
|
| 1062 |
+ if out, _, err := runCommandWithOutput(runCmd); err != nil {
|
|
| 1063 |
+ c.Fatalf("expected to be able to run 32 bit code, got %s: %v", out, err)
|
|
| 1064 |
+ } |
|
| 1065 |
+} |
|
| 1066 |
+ |
|
| 1056 | 1067 |
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:jessie ulimit -v 1048510' succeeds. |
| 1057 | 1068 |
func (s *DockerSuite) TestRunSeccompAllowSetrlimit(c *check.C) {
|
| 1058 | 1069 |
testRequires(c, SameHostDaemon, seccompEnabled) |
| ... | ... |
@@ -38,6 +38,10 @@ var ( |
| 38 | 38 |
func() bool { return !utils.ExperimentalBuild() },
|
| 39 | 39 |
"Test requires a non experimental daemon", |
| 40 | 40 |
} |
| 41 |
+ IsAmd64 = testRequirement{
|
|
| 42 |
+ func() bool { return os.Getenv("DOCKER_ENGINE_GOARCH") == "amd64" },
|
|
| 43 |
+ "Test requires a daemon running on amd64", |
|
| 44 |
+ } |
|
| 41 | 45 |
NotArm = testRequirement{
|
| 42 | 46 |
func() bool { return os.Getenv("DOCKER_ENGINE_GOARCH") != "arm" },
|
| 43 | 47 |
"Test requires a daemon not running on ARM", |