Merge pull request #144 from Random-Liu/improve-seccomp-test

Minor improvement on seccomp test.
kubernetes-sigs · Sep 21, 2017 · 1a56c31 · 1a56c31
2 parents 48f8614 + b9592bf
commit 1a56c31
Showing 1 changed file with 26 additions and 6 deletions.
diff --git a/pkg/validate/security_context.go b/pkg/validate/security_context.go
@@ -405,6 +405,8 @@ var _ = framework.KubeDescribe("Security Context", func() {
 		})
 	})
 
+	// TODO(random-liu): We should set apparmor to unconfined in seccomp test to prevent
+	// them from interfering with each other.
 	Context("SeccompProfilePath", func() {
 		const (
 			// profile which denies sethostname syscall
@@ -431,7 +433,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 		var podID, profileDir, blockHostNameProfilePath, blockchmodProfilePath string
 		var podConfig *runtimeapi.PodSandboxConfig
 		var err error
-		sysCaps := []string{"ALL"}
+		sysAdminCap := []string{"SYS_ADMIN"}
 
 		BeforeEach(func() {
 			profileDir, err = createSeccompProfileDir()
@@ -493,15 +495,33 @@ var _ = framework.KubeDescribe("Security Context", func() {
 			verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "0") // seccomp disabled
 		})
 
-		It("runtime should support an seccomp profile that blocks setting hostname with no sysCaps", func() {
+		// SYS_ADMIN capability allows sethostname, and seccomp is unconfined. sethostname should work.
+		It("runtime should not block setting host name with unconfined seccomp and SYS_ADMIN", func() {
 			privileged := false
 			expectContainerCreateToPass := true
 			By("create pod")
 			podID, podConfig = framework.CreatePodSandboxForContainer(rc)
 			By("create container with seccompBlockHostNameProfile and test")
 			containerID := createSeccompContainer(rc, ic, podID, podConfig,
 				"container-with-block-hostname-seccomp-profile-test-",
-				localhost+blockHostNameProfilePath, nil, privileged, expectContainerCreateToPass)
+				"unconfined", sysAdminCap, privileged, expectContainerCreateToPass)
+			startContainer(rc, containerID)
+			Eventually(func() runtimeapi.ContainerState {
+				return getContainerStatus(rc, containerID).State
+			}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
+			checkSetHostname(rc, containerID, true)
+		})
+
+		// SYS_ADMIN capability allows sethostname, but seccomp profile should be able to block it.
+		It("runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN", func() {
+			privileged := false
+			expectContainerCreateToPass := true
+			By("create pod")
+			podID, podConfig = framework.CreatePodSandboxForContainer(rc)
+			By("create container with seccompBlockHostNameProfile and test")
+			containerID := createSeccompContainer(rc, ic, podID, podConfig,
+				"container-with-block-hostname-seccomp-profile-test-",
+				localhost+blockHostNameProfilePath, sysAdminCap, privileged, expectContainerCreateToPass)
 			startContainer(rc, containerID)
 			Eventually(func() runtimeapi.ContainerState {
 				return getContainerStatus(rc, containerID).State
@@ -548,22 +568,22 @@ var _ = framework.KubeDescribe("Security Context", func() {
 				verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "2") // seccomp filtered
 			})
 
-			It("runtime should support setting hostname with docker/default seccomp profile and sysCaps", func() {
+			It("runtime should support setting hostname with docker/default seccomp profile and SYS_ADMIN", func() {
 				privileged := false
 				expectContainerCreateToPass := true
 				By("create pod")
 				podID, podConfig = framework.CreatePodSandboxForContainer(rc)
 				By("create container with docker/default seccomp profile and test")
 				containerID := createSeccompContainer(rc, ic, podID, podConfig,
-					"container-with-dockerdefault-seccomp-profile-test-", "docker/default", sysCaps, privileged, expectContainerCreateToPass)
+					"container-with-dockerdefault-seccomp-profile-test-", "docker/default", sysAdminCap, privileged, expectContainerCreateToPass)
 				startContainer(rc, containerID)
 				Eventually(func() runtimeapi.ContainerState {
 					return getContainerStatus(rc, containerID).State
 				}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_RUNNING))
 				checkSetHostname(rc, containerID, true)
 			})
 
-			It("runtime should block sethostname with docker/default seccomp profile and no sysCaps", func() {
+			It("runtime should block sethostname with docker/default seccomp profile and no extra caps", func() {
 				privileged := false
 				expectContainerCreateToPass := true
 				By("create pod")