toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updated test to check for exec --privileged side-effects

Browse Source 
Also improving documentation for same feature as part of
docker/docker#14113 docs review.

Signed-off-by: Tim Dettrick <t.dettrick@uq.edu.au>
Upstream-commit: 90326939c8089dbd7b59423415bc67cae6208b08
Component: engine
This commit is contained in:
Tim Dettrick
2015-06-22 13:06:07 +10:00
parent 337be087f4
commit 273be038ad
3 changed files with 27 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
components/engine/integration-cli/docker_cli_exec_test.go
View File

@ -534,18 +534,18 @@ func (s *DockerSuite) TestExecWithUser(c *check.C) {
func (s *DockerSuite) TestExecWithPrivileged(c *check.C) {
runCmd := exec.Command(dockerBinary, "run", "-d", "--name", "parent", "--cap-drop=ALL", "busybox", "top")
if out, _, err := runCommandWithOutput(runCmd); err != nil {
c.Fatal(out, err)
}
// Start main loop which attempts mknod repeatedly
dockerCmd(c, "run", "-d", "--name", "parent", "--cap-drop=ALL", "busybox", "sh", "-c", `while (true); do if [ -e /exec_priv ]; then cat /exec_priv && mknod /tmp/sda b 8 0 && echo "Success"; else echo "Privileged exec has not run yet"; fi; usleep 10000; done`)
cmd := exec.Command(dockerBinary, "exec", "parent", "sh", "-c", "mknod /tmp/sda b 8 0")
// Check exec mknod doesn't work
cmd := exec.Command(dockerBinary, "exec", "parent", "sh", "-c", "mknod /tmp/sdb b 8 16")
out, _, err := runCommandWithOutput(cmd)
if err == nil || !strings.Contains(out, "Operation not permitted") {
c.Fatalf("exec mknod in --cap-drop=ALL container without --privileged should failed")
c.Fatalf("exec mknod in --cap-drop=ALL container without --privileged should fail")
}
cmd = exec.Command(dockerBinary, "exec", "--privileged", "parent", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
// Check exec mknod does work with --privileged
cmd = exec.Command(dockerBinary, "exec", "--privileged", "parent", "sh", "-c", `echo "Running exec --privileged" > /exec_priv && mknod /tmp/sdb b 8 16 && usleep 50000 && echo "Finished exec --privileged" > /exec_priv && echo ok`)
out, _, err = runCommandWithOutput(cmd)
if err != nil {
c.Fatal(err, out)
@ -555,6 +555,19 @@ func (s *DockerSuite) TestExecWithPrivileged(c *check.C) {
c.Fatalf("exec mknod in --cap-drop=ALL container with --privileged failed: %v, output: %q", err, out)
}
// Check subsequent unprivileged exec cannot mknod
cmd = exec.Command(dockerBinary, "exec", "parent", "sh", "-c", "mknod /tmp/sdc b 8 32")
out, _, err = runCommandWithOutput(cmd)
if err == nil || !strings.Contains(out, "Operation not permitted") {
c.Fatalf("repeating exec mknod in --cap-drop=ALL container after --privileged without --privileged should fail")
}
// Confirm at no point was mknod allowed
logCmd := exec.Command(dockerBinary, "logs", "parent")
if out, _, err := runCommandWithOutput(logCmd); err != nil || strings.Contains(out, "Success") {
c.Fatal(out, err)
}
}
func (s *DockerSuite) TestExecWithImageUser(c *check.C) {