コード例 #1
0
func TestSeccompNoChown(t *testing.T) {
	if testing.Short() {
		return
	}
	rootfs, err := newRootfs()
	if err != nil {
		t.Fatal(err)
	}
	defer remove(rootfs)
	config := newTemplateConfig(rootfs)
	config.Seccomp = &configs.Seccomp{}
	config.Seccomp.Syscalls = append(config.Seccomp.Syscalls, &configs.Syscall{
		Value:  syscall.SYS_CHOWN,
		Action: configs.Action(syscall.EPERM),
	})
	buffers, _, err := runContainer(config, "", "/bin/sh", "-c", "chown 1:1 /tmp")
	if err == nil {
		t.Fatal("running chown in a container should fail")
	}
	if s := buffers.String(); !strings.Contains(s, "not permitted") {
		t.Fatalf("running chown should result in an EPERM but got %q", s)
	}
}
コード例 #2
0
ファイル: security.go プロジェクト: johnmccawley/origin
		"KILL",
		"AUDIT_WRITE",
	},
	Rlimits: []configs.Rlimit{
		{
			Type: syscall.RLIMIT_NOFILE,
			Hard: 1024,
			Soft: 1024,
		},
	},
	// http://man7.org/linux/man-pages/man2/syscalls.2.html
	Seccomp: &configs.Seccomp{
		Syscalls: []*configs.Syscall{
			{
				Value:  syscall.SYS_CAPSET, // http://man7.org/linux/man-pages/man2/capset.2.html
				Action: configs.Action(syscall.EPERM),
			},
			{
				Value:  syscall.SYS_UNSHARE, // http://man7.org/linux/man-pages/man2/unshare.2.html
				Action: configs.Action(syscall.EPERM),
			},
			{
				Value:  int(system.SysSetns()),
				Action: configs.Action(syscall.EPERM),
			},
			{
				Value:  syscall.SYS_MOUNT, // http://man7.org/linux/man-pages/man2/mount.2.html
				Action: configs.Action(syscall.EPERM),
			},
			{
				Value:  syscall.SYS_UMOUNT2, // http://man7.org/linux/man-pages/man2/umount.2.html