Add a test that the default seccomp profile allows execution of 32 bit binaries

While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.

This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.

There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 93bbc76ee53240e0862c6f1ff409e7a4ee0883dc
Component: engine
Justin Cormack
2016-07-27 18:42:34 +01:00
parent cb9f5d85ea
commit 980ac6c629
5 changed files with 27 additions and 0 deletions

@ -9,6 +9,9 @@ if [ "$DOCKER_ENGINE_GOOS" = "linux" ]; then
gcc -g -Wall -static contrib/syscall-test/userns.c -o "${tmpdir}/userns-test"
gcc -g -Wall -static contrib/syscall-test/ns.c -o "${tmpdir}/ns-test"
gcc -g -Wall -static contrib/syscall-test/acct.c -o "${tmpdir}/acct-test"
if [ "$DOCKER_ENGINE_OSARCH" = "linux/amd64" ]; then
gcc -s -m32 -nostdlib contrib/syscall-test/exit32.s -o "${tmpdir}/exit32-test"
fi
dockerfile="${tmpdir}/Dockerfile"
cat <<-EOF > "$dockerfile"
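Review bot: the added `gcc -s -m32 -nostdlib ... exit32.s` line omits the `-static` that the three builds directly above it pass, so whether the resulting `exit32-test` is a plain static executable is left to the toolchain's defaults. If the compiler links position-independent executables by default, the binary may request a 32-bit loader that the test image does not contain, and the test would then fail for a reason unrelated to the seccomp profile. Consider adding `-static` here for consistency, and a one-line comment above the `gcc` call saying that `-nostdlib` is used because no 32-bit libc is available, since the flags otherwise look like an unexplained departure from `-g -Wall -static`.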