authorSebastiaan van Stijn <github@gone.nl>2021-07-16 15:50:12 +0200
committerSebastiaan van Stijn <github@gone.nl>2021-07-16 18:01:25 +0200
commitc815b86f407a7566675ce5a737730ae5754b53e5 (patch)
treefc01845285966a605c7d228e9d15b86e75a132f0 /profiles
parentc1ced23544a0a75bf5ad331ec729ddbbbe9f2d48 (diff)
downloaddocker-c815b86f407a7566675ce5a737730ae5754b53e5.tar.gz
seccomp: add additional unit-tests
Add test to verify profile validation, and to verify that the legacy format actually loads the profile as expected (instead of only verifying it doesn't produce an error). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'profiles')
-rw-r--r--profiles/seccomp/seccomp_test.go40
1 files changed, 38 insertions, 2 deletions
diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
index 53ddfaf989..0d3d39852c 100644
--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@@ -100,6 +100,34 @@ func TestLoadProfileWithListenerPath(t *testing.T) {
assert.DeepEqual(t, expected, *p)
}
+// TestLoadProfileValidation tests that invalid profiles produce the correct error.
+func TestLoadProfileValidation(t *testing.T) {
+ tests := []struct {
+ doc string
+ profile string
+ expected string
+ }{
+ {
+ doc: "conflicting architectures and archMap",
+ profile: `{"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["A", "B", "C"], "archMap": [{"architecture": "A", "subArchitectures": ["B", "C"]}]}`,
+ expected: `use either 'architectures' or 'archMap'`,
+ },
+ {
+ doc: "conflicting syscall.name and syscall.names",
+ profile: `{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [{"name": "accept", "names": ["accept"], "action": "SCMP_ACT_ALLOW"}]}`,
+ expected: `use either 'name' or 'names'`,
+ },
+ }
+ for _, tc := range tests {
+ tc := tc
+ rs := createSpec()
+ t.Run(tc.doc, func(t *testing.T) {
+ _, err := LoadProfile(tc.profile, &rs)
+ assert.ErrorContains(t, err, tc.expected)
+ })
+ }
+}
+
// TestLoadLegacyProfile tests loading a seccomp profile in the old format
// (before https://github.com/docker/docker/pull/24510)
func TestLoadLegacyProfile(t *testing.T) {
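Review bot: The table in TestLoadProfileValidation checks only the error text and discards the first return value of LoadProfile (`_, err := LoadProfile(tc.profile, &rs)`). For a seccomp loader it is worth pinning that a rejected profile yields no usable filter, so a caller that mishandles the error cannot apply a half-built one: `p, err := LoadProfile(tc.profile, &rs)` followed by `assert.Assert(t, p == nil)`. Whether LoadProfile returns nil on these paths is not visible in this hunk, so confirm against the implementation before adding the assertion. A case with syntactically invalid JSON would also round out the table.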
@@ -108,9 +136,17 @@ func TestLoadLegacyProfile(t *testing.T) {
t.Fatal(err)
}
rs := createSpec()
- if _, err := LoadProfile(string(f), &rs); err != nil {
- t.Fatal(err)
+ p, err := LoadProfile(string(f), &rs)
+ assert.NilError(t, err)
+ assert.Equal(t, p.DefaultAction, specs.ActErrno)
+ assert.DeepEqual(t, p.Architectures, []specs.Arch{"SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"})
+ assert.Equal(t, len(p.Syscalls), 311)
+ expected := specs.LinuxSyscall{
+ Names: []string{"accept"},
+ Action: specs.ActAllow,
+ Args: []specs.LinuxSeccompArg{},
}
+ assert.DeepEqual(t, p.Syscalls[0], expected)
}
func TestLoadDefaultProfile(t *testing.T) {
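Review bot: The new assertions in TestLoadLegacyProfile inspect only `p.Syscalls[0]`, an unconditional `accept` rule with empty `Args`, so nothing verifies that legacy rules carrying argument filters keep them after loading. If the fixture contains such an entry (the fixture is not shown here), add a DeepEqual on one of them, since losing the args would silently widen an allow rule. The literal `311` also deserves a comment such as `// number of syscall entries in the legacy fixture; update together with the fixture`. The function's opening lines, where the fixture is read, lie outside this hunk.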