Additional Seccomp tests

[mikebrow]

Adding support for seccomp testing.

Will add pod testing after validating these container tests.

@Random-Liu

[Random-Liu]

@mikebrow According to #135, seccomp is not supported in the current version of Docker we are using.

I'll review and get that PR merged first, and you could see whether your test overlaps with that one or not. And we could consolidate.

[mikebrow]

@feiskyer Wish I'd known someone else was also drafting seccomp tests :-)

[mikebrow]

@Random-Liu @feiskyer all good, I don't see any overlap in our test cases. I'll normalize and combine them on Monday. For example, he's using chmod and grep which should work with docker/default and they do not require caps to be set before generating the default seccomp profile (which from my investigation is different with and without certain caps and on different platforms). I'm using hostname which requires caps to make docker/default allow sethostname, so I'm testing with and without caps on to cover both fail and pass cases. I'm also testing the privileged case to make sure you can't block a command when privileged, and i've got a test for runtime/default as that may also be used instead of docker/default. And I just added a test to make sure the profile name is in the format "localhost/*"

[feiskyer]

@mikebrow Sorry for didn't let you know this. But cool with more complete test cases.

[feiskyer]

@mikebrow needs a rebase now

[mikebrow]

Rebased.

@feiskyer I see there was a change to the CRI api documentation

kubernetes/kubernetes@c242432#diff-df996ad3ce05a000c2009d6e8cfba507L486

Talked to @Random-Liu about this. Will just remove the runtime/default tests for now.

[mikebrow]

@Random-Liu @feiskyer rebased. Tests passing ready for review.

[feiskyer]

nits: [security context] same with other places.

[mikebrow]

the top level bucket is "[k8s.io] security context"
This context is for seccomp tests it is already within [k8s.io] security context bucket.

No need to be repeating the phrase security context 2-3 times one at each level in the buckets.

Let me refactor all of the titles making it easier to use focus and skip regexps and only having brackets on the left for ease of reading.

[Random-Liu]

@feiskyer On second thought, I also think it is fine to remove the tag given how cri validation test is organized today. :)

[mikebrow]

@feiskyer I refactored the context container descriptions to fix regexp options and make it easier to read. I also removed repetitive text from the suite descriptions, again to make it easier to read and easier to identify regexp options. Nit addressed.

[feiskyer]

@mikebrow thanks 👍

[feiskyer]

/lgtm

[Random-Liu]

@feiskyer I'm still reviewing. There are issues. :p

[feiskyer]

hmm, didn't notice issues. we could open another fix pr for the issues.

[mikebrow]

@feiskyer @Random-Liu There was an offline discussion (15min ago) about adding another context to separate docker/default tests. I'll push a pr for that in the morn...

[Random-Liu]

What do you mean by "bucket"?

[mikebrow]

a bucket of tests... This is the second "bucket", bucket-2 would be another possible name. This context is already within the "Security Context" .. the other buckets at this level are NamespaceOption and SeccompProfilePath.

This bucket comprises tests for: SupplementalGroups, RunAsUser, RunAsUserName, ReadOnlyRootfs, Privileged, and Capability. I couldn't come up with a better name for these than the "Security Context bucket"

[Random-Liu]

Probably just Seccomp?

[mikebrow]

I like using the litteral CRI spec name here as it doesn't test all of Seccomp here. It is literally testing the CRI spec defined options for the SeccompProfilePath:

// LinuxSandboxSecurityContext holds linux security configuration that will be
// applied to a sandbox. Note that:
// 1) It does not apply to containers in the pods.
// 2) It may not be applicable to a PodSandbox which does not contain any running
//    process.
type LinuxSandboxSecurityContext struct {
	// Configurations for the sandbox's namespaces.
	// This will be used only if the PodSandbox uses namespace for isolation.
	NamespaceOptions *NamespaceOption `protobuf:"bytes,1,opt,name=namespace_options,json=namespaceOptions" json:"namespace_options,omitempty"`
	// Optional SELinux context to be applied.
	SelinuxOptions *SELinuxOption `protobuf:"bytes,2,opt,name=selinux_options,json=selinuxOptions" json:"selinux_options,omitempty"`
	// UID to run sandbox processes as, when applicable.
	RunAsUser *Int64Value `protobuf:"bytes,3,opt,name=run_as_user,json=runAsUser" json:"run_as_user,omitempty"`
	// If set, the root filesystem of the sandbox is read-only.
	ReadonlyRootfs bool `protobuf:"varint,4,opt,name=readonly_rootfs,json=readonlyRootfs,proto3" json:"readonly_rootfs,omitempty"`
	// List of groups applied to the first process run in the sandbox, in
	// addition to the sandbox's primary GID.
	SupplementalGroups []int64 `protobuf:"varint,5,rep,packed,name=supplemental_groups,json=supplementalGroups" json:"supplemental_groups,omitempty"`
	// Indicates whether the sandbox will be asked to run a privileged
	// container. If a privileged container is to be executed within it, this
	// MUST be true.
	// This allows a sandbox to take additional security precautions if no
	// privileged containers are expected to be run.
	Privileged bool `protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"`
	// Seccomp profile for the sandbox, candidate values are:
	// * docker/default: the default profile for the docker container runtime
	// * unconfined: unconfined profile, ie, no seccomp sandboxing
	// * localhost/<full-path-to-profile>: the profile installed on the node.
	//   <full-path-to-profile> is the full path of the profile.
	// Default: "", which is identical with unconfined.
	SeccompProfilePath string `protobuf:"bytes,7,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
}

[Random-Liu]

Why not moving those 2 consts into the Seccomp context. No one else is using it.

[mikebrow]

sure I'll move..

[Random-Liu]

Don't think we could just log and return, it will still run test then.
You should do assertion here Expect(err).NotTo(HaveOccurred()).

[Random-Liu]

@mikebrow This is the issue we need to fix.

[mikebrow]

agreed will update ..

[Random-Liu]

no seccomp profile means "unconfined", why set hostname will be blocked? By whom?
Default capabilities? If so, I feel like this is more a capability test instead of seccomp test.

[Random-Liu]

WE can add a test to create a default container, and check whether seccomp is enabled. That is useful.

[mikebrow]

This is a duplicate test, I'll delete it.

[Random-Liu]

Move this to a separate docker/default context.

[mikebrow]

Yes, we both had that idea at the same time :-)

[Random-Liu]

ditto.

[Random-Liu]

Same. This is a default capability test, not seccomp test.

[mikebrow]

see above response to your comments.. maybe we should do a quick call on this.

[Random-Liu]

Same. This is a default capability test, not seccomp test.

[mikebrow]

it's both a default caps test and a seccomp test. See unconfined and default rules below:

	// Seccomp profile for the sandbox, candidate values are:
	// * docker/default: the default profile for the docker container runtime
	// * unconfined: unconfined profile, ie, no seccomp sandboxing
	// * localhost/<full-path-to-profile>: the profile installed on the node.
	//   <full-path-to-profile> is the full path of the profile.
	// Default: "", which is identical with unconfined.
	SeccompProfilePath string `protobuf:"bytes,7,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`

If you have an idea for a better way to test the unconfined and nil SeccompProfilePath options.. I'm all ears :)

[Random-Liu]

@mikebrow Please address the comments.