container_create: support seccomp docker/default annotation

Fixes the following Origin/Kube test: ``` • Failure [10.323 seconds] [k8s.io] Security Context [Feature:SecurityContext] /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:619 should support seccomp alpha docker/default annotation [Feature:Seccomp] [It] /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/security_context.go:133 Expected error: <*errors.errorString | 0xc420cbacf0>: { s: "expected \"2\" in container output: Expected\n <string>: Seccomp:\t0\n \nto contain substring\n <string>: 2", } expected "2" in container output: Expected <string>: Seccomp: 0 to contain substring <string>: 2 not to have occurred } ``` Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-18 12:50:39 +02:00 · 2017-09-18 12:50:39 +02:00 · e8cfe3b867
parent 4fadbea75d
commit e8cfe3b867
2 changed files with 41 additions and 7 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -38,6 +38,7 @@ import (
 const (
 	seccompUnconfined      = "unconfined"
 	seccompRuntimeDefault  = "runtime/default"
+	seccompDockerDefault   = "docker/default"
 	seccompLocalhostPrefix = "localhost/"

 	scopePrefix           = "crio"
@ -1033,18 +1034,13 @@ func (s *Server) setupSeccomp(specgen *generate.Generator, cname string, sbAnnot
 		specgen.Spec().Linux.Seccomp = nil
 		return nil
 	}
-	if profile == seccompRuntimeDefault {
+	if profile == seccompRuntimeDefault || profile == seccompDockerDefault {
 		return seccomp.LoadProfileFromStruct(s.seccompProfile, specgen)
 	}
 	if !strings.HasPrefix(profile, seccompLocalhostPrefix) {
 		return fmt.Errorf("unknown seccomp profile option: %q", profile)
 	}
-	//file, err := ioutil.ReadFile(filepath.Join(s.seccompProfileRoot, strings.TrimPrefix(profile, seccompLocalhostPrefix)))
-	//if err != nil {
-	//return err
-	//}
-	// TODO(runcom): setup from provided node's seccomp profile
-	// can't do this yet, see https://issues.k8s.io/36997
+	// FIXME: https://github.com/kubernetes/kubernetes/issues/39128
 	return nil
 }

--- a/test/seccomp.bats
+++ b/test/seccomp.bats
@ -328,3 +328,41 @@ function teardown() {

 	skip "need https://issues.k8s.io/36997"
 }
+
+# test running with ctr docker/default
+# test that we cannot run with a syscall blocked by the default seccomp profile
+@test "ctr seccomp profiles docker/default" {
+	# this test requires seccomp, so skip this test if seccomp is not enabled.
+	enabled=$(is_seccomp_enabled)
+	if [[ "$enabled" -eq 0 ]]; then
+		skip "skip this test since seccomp is not enabled."
+	fi
+
+	sed -e 's/"chmod",//' "$CRIO_ROOT"/cri-o/seccomp.json > "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmod",//' "$TESTDIR"/seccomp_profile1.json
+	sed -i 's/"fchmodat",//g' "$TESTDIR"/seccomp_profile1.json
+
+	start_crio "$TESTDIR"/seccomp_profile1.json
+
+	sed -e 's/%VALUE%/,"security\.alpha\.kubernetes\.io\/seccomp\/container\/k8s_testname2_seccomp2_redhat\.test\.crio_redhat-test-crio_0": "docker\/default"/g' "$TESTDATA"/sandbox_config_seccomp.json > "$TESTDIR"/seccomp2.json
+	run crioctl pod run --name seccomp2 --config "$TESTDIR"/seccomp2.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run crioctl ctr create --name testname2 --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run crioctl ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run crioctl ctr execsync --id "$ctr_id" chmod 777 .
+	echo "$output"
+	[ "$status" -eq 0 ]
+	[[ "$output" =~ "Exit code: 1" ]]
+	[[ "$output" =~ "Operation not permitted" ]]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_crio
+}