Skip to content

Commit

Permalink
test: fix e2e test for privileged builds (docker#10873)
Browse files Browse the repository at this point in the history 
We cannot guarantee the exact value of `CapEff` across
environments, and this test has started failing some places,
e.g. Docker Desktop, and now GitHub Actions (likely due to
a kernel upgrade on the runners or similar).

By setting `privileged: true` on the build, we're asking for
the `security.insecure` entitlement on the build. A safe
assumption is that will include `CAP_SYS_ADMIN`, which won't
be present otherwise, so mask the `CapEff` value and check
for that.

It's worth noting that realistically, the build won't even
be able to complete without the correct entitlement, since the
`Dockerfile` uses `RUN --security=insecure`, so this is really
an additional sanity check.

Signed-off-by: Milas Bowman <milas.bowman@docker.com>
  • Loading branch information
@milas @kylos101
milas authored and kylos101 committed Aug 8, 2023
1 parent 7371bd8 commit 41a80d3
Showing 1 changed file with 17 additions and 4 deletions.
21 changes: 17 additions & 4 deletions pkg/e2e/build_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,9 @@ package e2e
import (
"fmt"
"net/http"
"regexp"
"runtime"
"strconv"
"strings"
"testing"
"time"
Expand Down Expand Up @@ -366,10 +368,21 @@ func TestBuildPrivileged(t *testing.T) {
})

t.Run("use build privileged mode to run insecure build command", func(t *testing.T) {
res := c.RunDockerComposeCmdNoCheck(t, "--project-directory", "fixtures/build-test/privileged", "build")
assert.NilError(t, res.Error, res.Stderr())
res.Assert(t, icmd.Expected{Out: "CapEff:\t0000003fffffffff"})

res := c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "build")
capEffRe := regexp.MustCompile("CapEff:\t([0-9a-f]+)")
matches := capEffRe.FindStringSubmatch(res.Stdout())
assert.Equal(t, 2, len(matches), "Did not match CapEff in output, matches: %v", matches)

capEff, err := strconv.ParseUint(matches[1], 16, 64)
assert.NilError(t, err, "Parsing CapEff: %s", matches[1])

// NOTE: can't use constant from x/sys/unix or tests won't compile on macOS/Windows
// #define CAP_SYS_ADMIN 21
// https://github.com/torvalds/linux/blob/v6.1/include/uapi/linux/capability.h#L278
const capSysAdmin = 0x15
if capEff&capSysAdmin != capSysAdmin {
t.Fatalf("CapEff %s is missing CAP_SYS_ADMIN", matches[1])
}
})
}

Expand Down

0 comments on commit 41a80d3

Please sign in to comment.