add seccomp default profile fix tests

Signed-off-by: Antonio Murdaca <[email protected]> Signed-off-by: Jessica Frazelle <[email protected]>
genana · Feb 19, 2016 · 11435b6 · 11435b6
1 parent ad60023
commit 11435b6
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go
@@ -909,3 +909,13 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
 		c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", out, err)
 	}
 }
+
+// make sure the default profile can be successfully parsed (using unshare as it is
+// something which we know is blocked in the default profile)
+func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp:../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "unshare: unshare failed: Operation not permitted")
+}
diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
@@ -12,7 +12,16 @@ func TestLoadProfile(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	if _, err := LoadProfile(string(f)); err != nil {
+		t.Fatal(err)
+	}
+}
 
+func TestLoadDefaultProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("default.json")
+	if err != nil {
+		t.Fatal(err)
+	}
 	if _, err := LoadProfile(string(f)); err != nil {
 		t.Fatal(err)
 	}