Function TestExecSetPlatformOptAppArmor

daemon/exec_linux_test.go:15–89
(t *testing.T)

func TestExecSetPlatformOptAppArmor(t *testing.T) {
	appArmorEnabled := appArmorSupported()

	tests := []struct {
		doc             string
		privileged      bool
		appArmorProfile string
		expectedProfile string
	}{
		{
			doc:             "default options",
			expectedProfile: defaultAppArmorProfile,
		},
		{
			doc:             "custom profile",
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
		},
		{
			doc:             "privileged container",
			privileged:      true,
			expectedProfile: unconfinedAppArmorProfile,
		},
		{
			doc:             "privileged container, custom profile",
			privileged:      true,
			appArmorProfile: "my-custom-profile",
			expectedProfile: "my-custom-profile",
			// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
			//        which looks like a bug (--privileged on the container should
			//        disable apparmor, seccomp, and selinux); see the code at:
			//        https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
			// expectedProfile: unconfinedAppArmorProfile,
		},
	}

	cfg := &configStore{}
	d := &Daemon{}
	d.configStore.Store(cfg)

	// Currently, `docker exec --privileged` inherits the Privileged configuration
	// of the container, and does not disable AppArmor.
	// See https://github.com/moby/moby/pull/31773#discussion_r105586900
	//
	// This behavior may change in future, but to verify the current behavior,
	// we run the test both with "exec" and "exec --privileged", which should
	// both give the same result.
	for _, execPrivileged := range []bool{false, true} {
		for _, tc := range tests {
			doc := tc.doc
			if !appArmorEnabled {
				// no profile should be set if the host does not support AppArmor
				doc += " (apparmor disabled)"
				tc.expectedProfile = ""
			}
			if execPrivileged {
				doc += " (exec privileged)"
			}

Callers

nothing calls this directly

Calls 5

execSetPlatformOpt (Method) · 0.95
Equal (Method) · 0.80
appArmorSupported (Function) · 0.70
Store (Method) · 0.65
Run (Method) · 0.65

Tested by

no test coverage detected
