From e81daf48b57b7e3df1b63a00210c79fea4987fa5 Mon Sep 17 00:00:00 2001
From: Jess Frazelle
Date: Tue, 6 Jun 2017 16:05:01 -0400
Subject: [PATCH] test/images: add no_new_privs test container

Using the image:

```
$ docker run --rm -it --user 1000 gcr.io/google_containers/nonewprivs:1.0
Effective uid: 0
$ docker run --rm -it --user 1000 --security-opt no-new-privileges gcr.io/google_containers/nonewprivs:1.0
Effective uid: 1000
```

Signed-off-by: Jess Frazelle
---
 test/images/nonewprivs/.gitignore | 1 +
 test/images/nonewprivs/Dockerfile | 20 +++++++++++++++++++
 test/images/nonewprivs/Makefile | 33 +++++++++++++++++++++++++++++++
 test/images/nonewprivs/nnp.c | 22 +++++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 test/images/nonewprivs/.gitignore
 create mode 100644 test/images/nonewprivs/Dockerfile
 create mode 100644 test/images/nonewprivs/Makefile
 create mode 100644 test/images/nonewprivs/nnp.c

diff --git a/test/images/nonewprivs/.gitignore b/test/images/nonewprivs/.gitignore
new file mode 100644
index 0000000000..ee82aeed3b
--- /dev/null
+++ b/test/images/nonewprivs/.gitignore
@@ -0,0 +1 @@
+nnp
diff --git a/test/images/nonewprivs/Dockerfile b/test/images/nonewprivs/Dockerfile
new file mode 100644
index 0000000000..fede04af31
--- /dev/null
+++ b/test/images/nonewprivs/Dockerfile
@@ -0,0 +1,20 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine:latest
+
+COPY nnp /usr/local/bin/nnp
+RUN chmod +s /usr/local/bin/nnp
+
+CMD ["nnp"]
diff --git a/test/images/nonewprivs/Makefile b/test/images/nonewprivs/Makefile
new file mode 100644
index 0000000000..05d78ba46e
--- /dev/null
+++ b/test/images/nonewprivs/Makefile
@@ -0,0 +1,33 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: all image push clean
+
+TAG = 1.2
+PREFIX = gcr.io/google_containers
+
+
+all: push
+
+nnp: nnp.c
+ gcc -static -o $@ $@.c
+
+image: nnp
+ docker build --pull -t $(PREFIX)/nonewprivs:$(TAG) .
+
+push: image
+ gcloud docker -- push $(PREFIX)/nonewprivs:$(TAG)
+
+clean:
+ rm -f nnp
diff --git a/test/images/nonewprivs/nnp.c b/test/images/nonewprivs/nnp.c
new file mode 100644
index 0000000000..324bd42e97
--- /dev/null
+++ b/test/images/nonewprivs/nnp.c
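Review bot: `FROM alpine:latest` leaves the base image unpinned, and because the Makefile builds with `docker build --pull` the base is re-resolved on every build, so two builds of the same `nonewprivs:$(TAG)` can carry different base layers; pin the tag, e.g. `FROM alpine:<pinned-version>` (placeholder), so the test image is reproducible. `chmod +s` sets the setgid bit as well as setuid, and nothing in this image exercises setgid, so `RUN chmod u+s /usr/local/bin/nnp` is the minimal change the euid check needs. A one-line comment above the RUN would tell the next reader why a test image deliberately ships a setuid-root binary, e.g. `# setuid-root on purpose: euid becomes 0 on exec unless no_new_privs blocks the privilege gain`.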
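Review bot: `TAG = 1.2` disagrees with the `nonewprivs:1.0` tag in the commit message's usage example, so one of the two is stale and the example as written does not run against the image this Makefile pushes. Separately, `all: push` makes a bare `make` publish to `$(PREFIX)`; if that follows the convention of the sibling test/images Makefiles it is fine, otherwise `all: image` is the safer default and `push` stays an explicit step. The `-static` flag deserves a comment, since it is presumably what lets a binary built on the host run on the alpine base, e.g. `# -static: built on the host, runs inside alpine (different libc), so link everything in`.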
@@ -0,0 +1,22 @@
+// Copyright 2017 The Kubernetes Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+#include
+#include
+
+int main(int argc, char *argv[]){
+ printf("Effective uid: %d\n", geteuid());
+ return 0;
+}
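Review bot: `geteuid()` returns `uid_t`, which is an unsigned type on Linux, but the printf on the line after `main` formats it with `%d`; `-Wformat` flags the mismatch and large ids would print negative. Use `printf("Effective uid: %u\n", (unsigned int)geteuid());`. `argc` and `argv` are unused, so `int main(void)` avoids unused-parameter warnings under `-Wall -Wextra`. The three `#include` lines show no header names in this rendering, which looks like an extraction artifact rather than a source defect, but it is worth confirming against the file. A short header comment would also help, e.g. `// Prints the effective uid. Installed setuid-root in the test image so the output shows whether no_new_privs blocked the privilege gain on exec.`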