(t *testing.T)
| 13 | ) |
| 14 | |
| 15 | func TestExecSetPlatformOptAppArmor(t *testing.T) { |
| 16 | appArmorEnabled := appArmorSupported() |
| 17 | |
| 18 | tests := []struct { |
| 19 | doc string |
| 20 | privileged bool |
| 21 | appArmorProfile string |
| 22 | expectedProfile string |
| 23 | }{ |
| 24 | { |
| 25 | doc: "default options", |
| 26 | expectedProfile: defaultAppArmorProfile, |
| 27 | }, |
| 28 | { |
| 29 | doc: "custom profile", |
| 30 | appArmorProfile: "my-custom-profile", |
| 31 | expectedProfile: "my-custom-profile", |
| 32 | }, |
| 33 | { |
| 34 | doc: "privileged container", |
| 35 | privileged: true, |
| 36 | expectedProfile: unconfinedAppArmorProfile, |
| 37 | }, |
| 38 | { |
| 39 | doc: "privileged container, custom profile", |
| 40 | privileged: true, |
| 41 | appArmorProfile: "my-custom-profile", |
| 42 | expectedProfile: "my-custom-profile", |
| 43 | // FIXME: execSetPlatformOpts prefers custom profiles over "privileged", |
| 44 | // which looks like a bug (--privileged on the container should |
| 45 | // disable apparmor, seccomp, and selinux); see the code at: |
| 46 | // https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40 |
| 47 | // expectedProfile: unconfinedAppArmorProfile, |
| 48 | }, |
| 49 | } |
| 50 | |
| 51 | cfg := &configStore{} |
| 52 | d := &Daemon{} |
| 53 | d.configStore.Store(cfg) |
| 54 | |
| 55 | // Currently, `docker exec --privileged` inherits the Privileged configuration |
| 56 | // of the container, and does not disable AppArmor. |
| 57 | // See https://github.com/moby/moby/pull/31773#discussion_r105586900 |
| 58 | // |
| 59 | // This behavior may change in future, but to verify the current behavior, |
| 60 | // we run the test both with "exec" and "exec --privileged", which should |
| 61 | // both give the same result. |
| 62 | for _, execPrivileged := range []bool{false, true} { |
| 63 | for _, tc := range tests { |
| 64 | doc := tc.doc |
| 65 | if !appArmorEnabled { |
| 66 | // no profile should be set if the host does not support AppArmor |
| 67 | doc += " (apparmor disabled)" |
| 68 | tc.expectedProfile = "" |
| 69 | } |
| 70 | if execPrivileged { |
| 71 | doc += " (exec privileged)" |
| 72 | } |