test: Add docker integration no-new-privileges test.

This test will verify that a container process do not gain additional privileges while running no-new-privileges with docker. Fixes #811 Signed-off-by: Gabriela Cervantes <[email protected]>
clearcontainers · Jan 10, 2018 · f8aa965 · f8aa965
1 parent 1446fb5
commit f8aa965
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 0 deletions.
diff --git a/docker.go b/docker.go
@@ -39,6 +39,9 @@ const (
 
 	// FedoraImage is the fedora image
 	FedoraImage = "fedora"
+
+	// GccImage is the gcc image
+	GccImage = "gcc"
 )
 
 func runDockerCommandWithTimeout(timeout time.Duration, command string, args ...string) (string, string, int) {
@@ -340,6 +343,11 @@ func DockerExport(args ...string) (string, string, int) {
 	return runDockerCommand("export", args...)
 }
 
+// DockerImport imports the contents from a tarball to create a filesystem image
+func DockerImport(args ...string) (string, string, int) {
+	return runDockerCommand("import", args...)
+}
+
 // DockerInfo displays system-wide information
 func DockerInfo() (string, string, int) {
 	return runDockerCommand("info")

diff --git a/integration/docker/main_test.go b/integration/docker/main_test.go
@@ -47,6 +47,7 @@ func TestIntegration(t *testing.T) {
 		PostgresImage,
 		DebianImage,
 		FedoraImage,
+		GccImage,
 	}
 
 	for _, i := range images {

diff --git a/integration/docker/privileges_test.go b/integration/docker/privileges_test.go
@@ -0,0 +1,88 @@
+// Copyright (c) 2017 Intel Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package docker
+
+import (
+	"io/ioutil"
+	"os"
+
+	. "github.com/clearcontainers/tests"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("docker privileges", func() {
+	var (
+		args		[]string
+		id		string
+		secondId	string
+		thirdId		string
+		testImage	string
+		exitCode	int
+	)
+
+	AfterEach(func() {
+		Expect(RemoveDockerContainer(id)).To(BeTrue())
+		Expect(ExistDockerContainer(id)).NotTo(BeTrue())
+		Expect(RemoveDockerContainer(secondId)).To(BeTrue())
+		Expect(ExistDockerContainer(secondId)).NotTo(BeTrue())
+		_, _, exitCode := DockerRmi(testImage)
+		Expect(exitCode).To(Equal(0))
+	})
+
+	Context("check no-new-privileges flag", func() {
+		It("should display the correct effective uid", func() {
+			Skip("Issue https://github.com/clearcontainers/runtime/issues/880")
+			id = randomDockerName()
+			args = []string{"-d", "--name", id, GccImage, "bash", "-c", "sleep 30"}
+			_, _, exitCode = DockerRun(args...)
+			Expect(exitCode).To(Equal(0))
+			args = []string{id, "bash", "-c", "echo -e '#include<stdio.h>\n#include <unistd.h>\n#include <sys/types.h>\nint main (int argc, char *argv[])\n{printf(\"Effective uid: %d\", geteuid());return 0;}' > demo.c && make demo"}
+			_, _, exitCode = DockerExec(args...)
+			Expect(exitCode).To(Equal(0))
+			_, _, exitCode = DockerCp(id+":demo", ".")
+			Expect(exitCode).To(Equal(0))
+
+			secondId = randomDockerName()
+			args = []string{"-d", "--name", secondId, FedoraImage, "bash", "-c", "sleep 30"}
+			_, _, exitCode = DockerRun(args...)
+			Expect(exitCode).To(Equal(0))
+			_, _, exitCode = DockerCp("demo", secondId+":/root/demo")
+			Expect(exitCode).To(Equal(0))
+			_, _, exitCode = DockerExec(secondId, "bash", "-c", "chmod +s /root/demo")
+			Expect(exitCode).To(Equal(0))
+			_, _, exitCode = DockerExec(secondId, "bash", "-c", "./root/demo")
+			Expect(exitCode).To(Equal(0))
+
+			file, err := ioutil.TempFile(os.TempDir(), "latest.tar")
+			Expect(err).ToNot(HaveOccurred())
+			_, _, exitCode := DockerExport("--output", file.Name(), secondId)
+			Expect(exitCode).To(Equal(0))
+			Expect(file.Name()).To(BeAnExistingFile())
+			defer os.Remove("demo")
+
+			testImage = "testprivileges"
+			_, _, exitCode = DockerImport(file.Name(), testImage)
+			Expect(exitCode).To(Equal(0))
+			defer os.Remove(file.Name())
+
+			thirdId = randomDockerName()
+			args = []string{"--rm", "--name", thirdId, "--user", "1000", "--security-opt=no-new-privileges", testImage, "/root/demo"}
+			stdout, _, exitCode := DockerRun(args...)
+			Expect(exitCode).To(Equal(0))
+			Expect(stdout).To(ContainSubstring("Effective uid: 1000"))
+		})
+	})
+})