author | Daniel Zhang <jmzwcn@gmail.com> | 2017-01-09 09:22:05 +0800 |
---|---|---|
committer | Daniel Zhang <jmzwcn@gmail.com> | 2017-02-16 19:05:14 +0800 |
commit | d7fda019bb7e24f42f8ae1ddecb3fd52df3c48bf (patch) | |
tree | ca51ce8eb00534fdd5634d14303f703913c3160e /daemon/daemon_unix_test.go | |
parent | d26cf30a6094c22fd9d5a032faf96103f6f841dc (diff) | |
download | docker-d7fda019bb7e24f42f8ae1ddecb3fd52df3c48bf.tar.gz |
Add daemon flag to set no_new_priv as default for unprivileged containers.
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
Diffstat (limited to 'daemon/daemon_unix_test.go')
-rw-r--r-- | daemon/daemon_unix_test.go | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/daemon/daemon_unix_test.go b/daemon/daemon_unix_test.go
index 9889bd19fe..ebb0a0186a 100644
--- a/daemon/daemon_unix_test.go
+++ b/daemon/daemon_unix_test.go
@@ -180,6 +180,35 @@ func TestParseSecurityOpt(t *testing.T) {
 }
 }
 
+func TestParseNNPSecurityOptions(t *testing.T) {
+ daemon := &Daemon{
+ configStore: &config.Config{NoNewPrivileges: true},
+ }
+ container := &container.Container{}
+ config := &containertypes.HostConfig{}
+
+ // test NNP when "daemon:true" and "no-new-privileges=false""
+ config.SecurityOpt = []string{"no-new-privileges=false"}
+
+ if err := daemon.parseSecurityOpt(container, config); err != nil {
+ t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
+ }
+ if container.NoNewPrivileges {
+ t.Fatalf("container.NoNewPrivileges should be FALSE: %v", container.NoNewPrivileges)
+ }
+
+ // test NNP when "daemon:false" and "no-new-privileges=true""
+ daemon.configStore.NoNewPrivileges = false
+ config.SecurityOpt = []string{"no-new-privileges=true"}
+
+ if err := daemon.parseSecurityOpt(container, config); err != nil {
+ t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
+ }
+ if !container.NoNewPrivileges {
+ t.Fatalf("container.NoNewPrivileges should be TRUE: %v", container.NoNewPrivileges)
+ }
+}
+
 func TestNetworkOptions(t *testing.T) {
 daemon := &Daemon{}
 dconfigCorrect := &config.Config{
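Review bot: TestParseNNPSecurityOptions never checks the case the new daemon flag exists for, a daemon with `NoNewPrivileges: true` and a container that passes no `no-new-privileges` option, so a regression that silently stops applying the hardened default would still pass. Both existing cases set an explicit per-container value and reuse the same `container`, which only proves that the override wins. Add a default case on the fresh container before the first override, as sketched below; it assumes the default is applied inside `daemon.parseSecurityOpt`, which this page does not show, and the privileged-container exemption named in the commit title likewise deserves a test wherever that logic lives. The locals `container` and `config` also shadow the imported packages of the same name, and both comments end in a stray `""`.

```go
	container := &container.Container{}
	config := &containertypes.HostConfig{}

	// daemon default is true and the container sets no option:
	// the default must reach the container
	if err := daemon.parseSecurityOpt(container, config); err != nil {
		t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
	}
	if !container.NoNewPrivileges {
		t.Fatalf("container.NoNewPrivileges should default to TRUE: %v", container.NoNewPrivileges)
	}

	// … unchanged: the two explicit-override cases …
```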