
Function compileAndExecSocketDenied

integration/container/exec_afalg_linux_test.go:31–60  ·  view source on GitHub ↗

compileAndExecSocketDenied writes a C source file into the container, compiles it with the given compiler command, runs the binary as uid 1000, and asserts that socket creation fails.

(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string)


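// compiles it with the given compiler command, runs the binary as an
// unprivileged user (uid 1000), and asserts that socket creation fails.
//
// name is used to derive the paths inside the container (/tmp/<name>.c for
// the source and /tmp/<name> for the binary), src is the C program text, and
// cc is the compiler command prefix (for example a compiler name plus flags)
// to which the source and output paths are appended. The program is expected
// to exit with status 1 and to print a socket-related error containing either
// "not permitted" (EPERM, as returned by seccomp) or "permission denied"
// (EACCES, as returned by AppArmor); any other outcome fails the test.
func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string) {
	t.Helper()

	// The source is delivered through a quoted heredoc; a line equal to the
	// delimiter would silently truncate the program, so reject it up front
	// rather than compiling (and testing) something other than src.
	const heredocEOF = "CEOF"
	for _, line := range strings.Split(src, "\n") {
		if line == heredocEOF {
			t.Fatalf("source for %s contains the heredoc delimiter %q", name, heredocEOF)
		}
	}

	binPath := "/tmp/" + name
	srcPath := binPath + ".c"

	res := container.ExecT(ctx, t, apiClient, cID, []string{
		"sh", "-c", "cat > " + srcPath + " << '" + heredocEOF + "'\n" + src + "\n" + heredocEOF,
	})
	res.AssertSuccess(t)

	// Append to a capacity-limited view of cc so the caller's slice is never
	// written through, even when it has spare capacity.
	compileCmd := append(cc[:len(cc):len(cc)], srcPath, "-o", binPath)
	res = container.ExecT(ctx, t, apiClient, cID, compileCmd)
	res.AssertSuccess(t)

	// Run the compiled program as a non-root user (uid 1000) rather than as
	// root. NOTE(review): presumably so the outcome does not depend on the
	// capabilities root holds inside the container — confirm with the callers.
	res, err := container.Exec(ctx, apiClient, cID, []string{binPath},
		func(ec *client.ExecCreateOptions) {
			ec.User = "1000"
		},
	)
	assert.NilError(t, err)
	assert.Check(t, is.Equal(res.ExitCode, 1), "expected %s socket program to fail", name)

	// Match case-insensitively so the check does not depend on how libc
	// capitalises strerror() text.
	out := strings.ToLower(res.Combined())
	assert.Check(t, is.Contains(out, "socket"), "expected socket-related error message")
	// Seccomp returns EPERM ("not permitted"), AppArmor returns EACCES
	// ("permission denied"). Accept either.
	denied := strings.Contains(out, "not permitted") || strings.Contains(out, "permission denied")
	assert.Check(t, denied, "expected EPERM or EACCES, got: %s", res.Combined())
}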
61
62// TestExecSocketDenied verifies that AF_ALG and AF_VSOCK sockets cannot be
63// created inside a container. AF_ALG is blocked by the default seccomp profile
