
Commit 26d35da

committed
Fix seccomp value in test
The seccomp value should be `2` rather than `1`. The test succeeded because we also have the value `Seccomp_filters` which gets matched by "ecc", too. We now check for "Seccomp:" to actually match the right field. Signed-off-by: Sascha Grunert <[email protected]>
1 parent b9442e6 commit 26d35da


1 file changed

+19
-6
lines changed


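--- a/pkg/validate/security_context_linux.go
+++ b/pkg/validate/security_context_linux.go
@@ -657,10 +657,23 @@ var _ = framework.KubeDescribe("Security Context", func() {
 }
 ]
 }`
+
+// seccompProcStatusField is the field of /proc/$PID/status referencing the seccomp filter type.
+seccompProcStatusField = "Seccomp:"
+
+// procSelfStatusPath is the path to /proc/self/status.
+procSelfStatusPath = "/proc/self/status"
+)
+
+var (
+profileDir, blockHostNameProfilePath, blockchmodProfilePath string
+err error
+
+sysAdminCap = []string{"SYS_ADMIN"}
+
+// seccompProcSelfStatusGrepCommand is the command to grep the seccomp status of the current process.
+seccompProcSelfStatusGrepCommand = []string{"grep", seccompProcStatusField, procSelfStatusPath}
 )
-var profileDir, blockHostNameProfilePath, blockchmodProfilePath string
-var err error
-sysAdminCap := []string{"SYS_ADMIN"}
 
 BeforeEach(func() {
 profileDir, err = createSeccompProfileDir()
@@ -689,7 +702,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, containerID = seccompTestContainer(rc, ic, seccompProfile)
 
 By("verify seccomp profile")
-verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "0") // seccomp disabled
+verifySeccomp(rc, containerID, seccompProcSelfStatusGrepCommand, false, "0") // seccomp disabled
 })
 
 It("should support seccomp localhost profile on the container", func() {
@@ -714,7 +727,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, containerID = seccompTestContainer(rc, ic, seccompProfile)
 
 By("verify seccomp profile")
-verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "1") // seccomp enabled
+verifySeccomp(rc, containerID, seccompProcSelfStatusGrepCommand, false, "2") // seccomp enabled
 })
 
 It("should support nil profile, which is unconfined", func() {
@@ -724,7 +737,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podID, containerID = seccompTestContainer(rc, ic, nil)
 
 By("verify seccomp profile")
-verifySeccomp(rc, containerID, []string{"grep", "ecc", "/proc/self/status"}, false, "0") // seccomp disabled
+verifySeccomp(rc, containerID, seccompProcSelfStatusGrepCommand, false, "0") // seccomp disabled
 })
 
 // SYS_ADMIN capability allows sethostname, and seccomp is unconfined. sethostname should work.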
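Review bot: The expected values `"0"` and `"2"` passed to verifySeccomp on new lines 705, 730 and 740 are still bare digits explained only by `// seccomp disabled` and `// seccomp enabled`, which is how the wrong `"1"` went unnoticed. In /proc/$PID/status the Seccomp field is 0 for disabled, 1 for strict mode and 2 for filter mode, so line 730 would read better with `// SECCOMP_MODE_FILTER: a profile is applied` and the two `"0"` lines with `// SECCOMP_MODE_DISABLED`. verifySeccomp is defined outside this diff; if it compares by substring rather than equality, the assertion stays loose, and it is worth confirming that it checks the field name together with the value. The grep pattern could also be anchored as `"^Seccomp:"` so that only a line starting with the field name can be selected. The enclosing KubeDescribe closure starts and ends outside these hunks.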
