|
|
@@ -429,13 +429,14 @@ namespace ContainerExecutor {
|
|
|
}
|
|
|
|
|
|
TEST_F(TestDockerUtil, test_check_mount_permitted) {
|
|
|
- const char *permitted_mounts[] = {"/usr/", "/bin/ls", NULL};
|
|
|
+ const char *permitted_mounts[] = {"/etc", "/usr/bin/touch", "/tmp/", NULL};
|
|
|
std::vector<std::pair<std::string, int> > test_data;
|
|
|
- test_data.push_back(std::make_pair<std::string, int>("/usr", 1));
|
|
|
- test_data.push_back(std::make_pair<std::string, int>("/usr/", 1));
|
|
|
- test_data.push_back(std::make_pair<std::string, int>("/bin/ls", 1));
|
|
|
- test_data.push_back(std::make_pair<std::string, int>("//bin/", 0));
|
|
|
- test_data.push_back(std::make_pair<std::string, int>("/tmp/random-file", -1));
|
|
|
+ test_data.push_back(std::make_pair<std::string, int>("/etc", 1));
|
|
|
+ test_data.push_back(std::make_pair<std::string, int>("/etc/", 1));
|
|
|
+ test_data.push_back(std::make_pair<std::string, int>("/etc/passwd", 1));
|
|
|
+ test_data.push_back(std::make_pair<std::string, int>("/usr/bin/touch", 1));
|
|
|
+ test_data.push_back(std::make_pair<std::string, int>("//usr/", 0));
|
|
|
+ test_data.push_back(std::make_pair<std::string, int>("/etc/random-file", -1));
|
|
|
|
|
|
std::vector<std::pair<std::string, int> >::const_iterator itr;
|
|
|
for (itr = test_data.begin(); itr != test_data.end(); ++itr) {
|
|
|
@@ -446,8 +447,8 @@ namespace ContainerExecutor {
|
|
|
|
|
|
TEST_F(TestDockerUtil, test_normalize_mounts) {
|
|
|
const int entries = 4;
|
|
|
- const char *permitted_mounts[] = {"/home", "/usr", "/bin/ls", NULL};
|
|
|
- const char *expected[] = {"/home/", "/usr/", "/bin/ls", NULL};
|
|
|
+ const char *permitted_mounts[] = {"/home", "/etc", "/usr/bin/touch", NULL};
|
|
|
+ const char *expected[] = {"/home/", "/etc/", "/usr/bin/touch", NULL};
|
|
|
char **ptr = static_cast<char **>(malloc(entries * sizeof(char *)));
|
|
|
for (int i = 0; i < entries; ++i) {
|
|
|
if (permitted_mounts[i] != NULL) {
|
|
|
@@ -659,22 +660,19 @@ namespace ContainerExecutor {
|
|
|
const int buff_len = 1024;
|
|
|
char buff[buff_len];
|
|
|
int ret = 0;
|
|
|
- std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/usr,/var,/bin/ls,..\n "
|
|
|
- "docker.allowed.ro-mounts=/bin/cat";
|
|
|
+ std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/opt,/var,/usr/bin/touch,..\n "
|
|
|
+ "docker.allowed.ro-mounts=/etc/passwd";
|
|
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n docker-command=run\n rw-mounts=/var:/var", "-v '/var:/var' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n docker-command=run\n rw-mounts=/var/:/var/", "-v '/var/:/var/' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr:/usr", "-v '/usr:/usr' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/bin/touch:/usr/bin/touch",
|
|
|
+ "-v '/usr/bin/touch:/usr/bin/touch' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/:/usr", "-v '/usr/:/usr' "));
|
|
|
- file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n rw-mounts=/bin/ls:/bin/ls", "-v '/bin/ls:/bin/ls' "));
|
|
|
- file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/bin:/mydisk1,/var/log/:/mydisk2",
|
|
|
- "-v '/usr/bin:/mydisk1' -v '/var/log/:/mydisk2' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n rw-mounts=/opt:/mydisk1,/var/log/:/mydisk2",
|
|
|
+ "-v '/opt:/mydisk1' -v '/var/log/:/mydisk2' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n docker-command=run\n", ""));
|
|
|
write_container_executor_cfg(container_executor_cfg_contents);
|
|
|
@@ -705,10 +703,10 @@ namespace ContainerExecutor {
|
|
|
|
|
|
std::vector<std::pair<std::string, int> > bad_file_cmds_vec;
|
|
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n rw-mounts=/home:/home",
|
|
|
+ "[docker-command-execution]\n docker-command=run\n rw-mounts=/lib:/lib",
|
|
|
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
|
|
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n rw-mounts=/bin/cat:/bin/cat",
|
|
|
+ "[docker-command-execution]\n docker-command=run\n rw-mounts=/usr/bin/:/usr/bin",
|
|
|
static_cast<int>(INVALID_DOCKER_RW_MOUNT)));
|
|
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n docker-command=run\n rw-mounts=/blah:/blah",
|
|
|
@@ -768,27 +766,30 @@ namespace ContainerExecutor {
|
|
|
const int buff_len = 1024;
|
|
|
char buff[buff_len];
|
|
|
int ret = 0;
|
|
|
- std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/usr,/var,/bin/ls\n "
|
|
|
- "docker.allowed.ro-mounts=/bin/cat,/bin/ln";
|
|
|
+
|
|
|
+ std::string container_executor_cfg_contents = "[docker]\n docker.allowed.rw-mounts=/home/,/var,/usr/bin/touch,..\n "
|
|
|
+ "docker.allowed.ro-mounts=/etc/passwd,/etc/group";
|
|
|
std::vector<std::pair<std::string, std::string> > file_cmd_vec;
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n docker-command=run\n ro-mounts=/var:/var", "-v '/var:/var:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n docker-command=run\n ro-mounts=/var/:/var/", "-v '/var/:/var/:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr:/usr", "-v '/usr:/usr:ro' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/home:/home", "-v '/home:/home:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr/:/usr", "-v '/usr/:/usr:ro' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/home/:/home", "-v '/home/:/home:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/bin/ls:/bin/ls", "-v '/bin/ls:/bin/ls:ro' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr/bin/touch:/usr/bin/touch",
|
|
|
+ "-v '/usr/bin/touch:/usr/bin/touch:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/bin/ln:/bin/ln", "-v '/bin/ln:/bin/ln:ro' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/etc/group:/etc/group",
|
|
|
+ "-v '/etc/group:/etc/group:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/bin/cat:/bin/cat",
|
|
|
- "-v '/bin/cat:/bin/cat:ro' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/etc/passwd:/etc/passwd",
|
|
|
+ "-v '/etc/passwd:/etc/passwd:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/usr/bin:/mydisk1,/bin/cat:/bin/cat",
|
|
|
- "-v '/usr/bin:/mydisk1:ro' -v '/bin/cat:/bin/cat:ro' "));
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/var/log:/mydisk1,/etc/passwd:/etc/passwd",
|
|
|
+ "-v '/var/log:/mydisk1:ro' -v '/etc/passwd:/etc/passwd:ro' "));
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n docker-command=run\n", ""));
|
|
|
write_container_executor_cfg(container_executor_cfg_contents);
|
|
|
@@ -819,7 +820,7 @@ namespace ContainerExecutor {
|
|
|
|
|
|
std::vector<std::pair<std::string, int> > bad_file_cmds_vec;
|
|
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
|
|
- "[docker-command-execution]\n docker-command=run\n ro-mounts=/home:/home",
|
|
|
+ "[docker-command-execution]\n docker-command=run\n ro-mounts=/etc:/etc",
|
|
|
static_cast<int>(INVALID_DOCKER_RO_MOUNT)));
|
|
|
bad_file_cmds_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n docker-command=run\n ro-mounts=/blah:/blah",
|
|
|
@@ -855,7 +856,7 @@ namespace ContainerExecutor {
|
|
|
|
|
|
TEST_F(TestDockerUtil, test_docker_run_privileged) {
|
|
|
|
|
|
- std::string container_executor_contents = "[docker]\n docker.allowed.ro-mounts=/var,/etc,/bin/ls\n"
|
|
|
+ std::string container_executor_contents = "[docker]\n docker.allowed.ro-mounts=/var,/etc,/usr/bin/touch\n"
|
|
|
" docker.allowed.rw-mounts=/tmp\n docker.allowed.networks=bridge\n "
|
|
|
" docker.privileged-containers.enabled=1\n docker.allowed.capabilities=CHOWN,SETUID\n"
|
|
|
" docker.allowed.devices=/dev/test";
|
|
|
@@ -882,36 +883,36 @@ namespace ContainerExecutor {
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
|
|
- " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'"
|
|
|
+ " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'"
|
|
|
" --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash' "
|
|
|
"'test_script.sh' 'arg1' 'arg2' "));
|
|
|
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
|
|
- " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' "
|
|
|
+ " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' "
|
|
|
"--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash'"
|
|
|
" 'test_script.sh' 'arg1' 'arg2' "));
|
|
|
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
|
|
- " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
|
|
|
+ " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
|
|
|
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' "
|
|
|
"'bash' 'test_script.sh' 'arg1' 'arg2' "));
|
|
|
|
|
|
@@ -919,12 +920,12 @@ namespace ContainerExecutor {
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n group-add=1000,1001\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
|
|
- " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
|
|
|
+ " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --privileged --cap-drop='ALL' "
|
|
|
"--cap-add='CHOWN' --cap-add='SETUID' --hostname='host-id' --group-add '1000' --group-add '1001' "
|
|
|
"--device='/dev/test:/dev/test' 'docker-image' 'bash' 'test_script.sh' 'arg1' 'arg2' "));
|
|
|
|
|
|
@@ -945,7 +946,7 @@ namespace ContainerExecutor {
|
|
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/var/log:/var/log\n"
|
|
|
+ " ro-mounts=/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/var/log:/var/log\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
@@ -955,7 +956,7 @@ namespace ContainerExecutor {
|
|
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/bin:/bin,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/bin:/bin,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
@@ -965,7 +966,7 @@ namespace ContainerExecutor {
|
|
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
|
|
" cap-add=CHOWN,SETUID,SETGID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
@@ -975,7 +976,7 @@ namespace ContainerExecutor {
|
|
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/dev1:/dev/dev1\n privileged=true\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
@@ -985,7 +986,7 @@ namespace ContainerExecutor {
|
|
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n privileged=true\n net=host\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
@@ -996,11 +997,11 @@ namespace ContainerExecutor {
|
|
|
|
|
|
TEST_F(TestDockerUtil, test_docker_run_no_privileged) {
|
|
|
|
|
|
- std::string container_executor_contents[] = {"[docker]\n docker.allowed.ro-mounts=/var,/etc,/bin/ls\n"
|
|
|
+ std::string container_executor_contents[] = {"[docker]\n docker.allowed.ro-mounts=/var,/etc,/usr/bin/touch\n"
|
|
|
" docker.allowed.rw-mounts=/tmp\n docker.allowed.networks=bridge\n "
|
|
|
" docker.allowed.capabilities=CHOWN,SETUID\n"
|
|
|
" docker.allowed.devices=/dev/test",
|
|
|
- "[docker]\n docker.allowed.ro-mounts=/var,/etc,/bin/ls\n"
|
|
|
+ "[docker]\n docker.allowed.ro-mounts=/var,/etc,/usr/bin/touch\n"
|
|
|
" docker.allowed.rw-mounts=/tmp\n docker.allowed.networks=bridge\n "
|
|
|
" docker.allowed.capabilities=CHOWN,SETUID\n"
|
|
|
" privileged=0\n"
|
|
|
@@ -1029,24 +1030,24 @@ namespace ContainerExecutor {
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
|
|
- " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'"
|
|
|
+ " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN'"
|
|
|
" --cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash' "
|
|
|
"'test_script.sh' 'arg1' 'arg2' "));
|
|
|
|
|
|
file_cmd_vec.push_back(std::make_pair<std::string, std::string>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
|
|
"run --name='container_e1_12312_11111_02_000001' --user='test' -d --rm --net='bridge' -v '/var/log:/var/log:ro' -v '/var/lib:/lib:ro'"
|
|
|
- " -v '/bin/ls:/bin/ls:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' "
|
|
|
+ " -v '/usr/bin/touch:/usr/bin/touch:ro' -v '/tmp:/tmp' --cgroup-parent='ctr-cgroup' --cap-drop='ALL' --cap-add='CHOWN' "
|
|
|
"--cap-add='SETUID' --hostname='host-id' --device='/dev/test:/dev/test' 'docker-image' 'bash'"
|
|
|
" 'test_script.sh' 'arg1' 'arg2' "));
|
|
|
|
|
|
@@ -1054,7 +1055,7 @@ namespace ContainerExecutor {
|
|
|
bad_file_cmd_vec.push_back(std::make_pair<std::string, int>(
|
|
|
"[docker-command-execution]\n"
|
|
|
" docker-command=run\n name=container_e1_12312_11111_02_000001\n image=docker-image\n user=test\n hostname=host-id\n"
|
|
|
- " ro-mounts=/var/log:/var/log,/var/lib:/lib,/bin/ls:/bin/ls\n rw-mounts=/tmp:/tmp\n"
|
|
|
+ " ro-mounts=/var/log:/var/log,/var/lib:/lib,/usr/bin/touch:/usr/bin/touch\n rw-mounts=/tmp:/tmp\n"
|
|
|
" network=bridge\n devices=/dev/test:/dev/test\n net=bridge\n privileged=true\n"
|
|
|
" cap-add=CHOWN,SETUID\n cgroup-parent=ctr-cgroup\n detach=true\n rm=true\n"
|
|
|
" launch-command=bash,test_script.sh,arg1,arg2",
|
Eric Yang