// This test verifies that launching a task with a non-existent Seccomp profile // leads to failure. TEST_F( LinuxSeccompIsolatorTest, ROOT_SECCOMP_LaunchWithOverriddenNonExistentProfile) { slave::Flags flags = CreateSlaveFlags(); flags.seccomp_profile_name = createProfile(TEST_SECCOMP_PROFILE); Fetcher fetcher(flags); Try<MesosContainerizer*> create = MesosContainerizer::create(flags, false, &fetcher); ASSERT_SOME(create); Owned<MesosContainerizer> containerizer(create.get()); SlaveState state; state.id = SlaveID(); AWAIT_READY(containerizer->recover(state)); ContainerID containerId; containerId.set_value(id::UUID::random().toString()); Try<string> directory = environment->mkdtemp(); ASSERT_SOME(directory); auto containerConfig = createContainerConfig( None(), createExecutorInfo("executor", "exit 0", "cpus:1"), directory.get()); ContainerInfo* container = containerConfig.mutable_container_info(); container->set_type(ContainerInfo::MESOS); // Set a non-existent Seccomp profile for this particular task. SeccompInfo* seccomp = container->mutable_linux_info()->mutable_seccomp(); seccomp->set_profile_name("absent"); Future<Containerizer::LaunchResult> launch = containerizer->launch( containerId, containerConfig, map<string, string>(), None()); AWAIT_FAILED(launch); }
// This test verifies that we can launch a task container with overridden // Seccomp profile. TEST_F(LinuxSeccompIsolatorTest, ROOT_SECCOMP_LaunchWithOverriddenProfile) { const string config = R"~( { "defaultAction": "SCMP_ACT_ALLOW", "archMap": [ { "architecture": "SCMP_ARCH_X86_64", "subArchitectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ] } ], "syscalls": [ { "names": ["uname"], "action": "SCMP_ACT_ERRNO", "args": [], "includes": {}, "excludes": {} } ] })~"; slave::Flags flags = CreateSlaveFlags(); flags.seccomp_profile_name = createProfile(TEST_SECCOMP_PROFILE); Fetcher fetcher(flags); Try<MesosContainerizer*> create = MesosContainerizer::create(flags, false, &fetcher); ASSERT_SOME(create); Owned<MesosContainerizer> containerizer(create.get()); SlaveState state; state.id = SlaveID(); AWAIT_READY(containerizer->recover(state)); ContainerID containerId; containerId.set_value(id::UUID::random().toString()); Try<string> directory = environment->mkdtemp(); ASSERT_SOME(directory); auto containerConfig = createContainerConfig( None(), createExecutorInfo("executor", "uname", "cpus:1"), directory.get()); ContainerInfo* container = containerConfig.mutable_container_info(); container->set_type(ContainerInfo::MESOS); // Set the Seccomp profile name for this particular task. SeccompInfo* seccomp = container->mutable_linux_info()->mutable_seccomp(); seccomp->set_profile_name(createProfile(config)); Future<Containerizer::LaunchResult> launch = containerizer->launch( containerId, containerConfig, map<string, string>(), None()); AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch); Future<Option<ContainerTermination>> wait = containerizer->wait(containerId); AWAIT_READY(wait); ASSERT_SOME(wait.get()); ASSERT_TRUE(wait.get()->has_status()); EXPECT_WEXITSTATUS_NE(0, wait.get()->status()); }