[action] [PR:22460] Add a test to test_container_hardening to check privilege via docker #22781
Merged
bingwang-ms merged 1 commit into sonic-net:202511 on Mar 7, 2026
Conversation
…onic-net#22460)

What is the motivation for this PR
The previous test didn't reliably detect privileged containers; it only checked partition block devices and could misclassify containers.

How did you do it
Check each running container's docker config for privileged status, and extend the mount check to include raw block devices in addition to partitions.

How did you verify/test it
Verified on a device with privileged and unprivileged containers.

Signed-off-by: Nate White <nate@nexthop.ai>
Signed-off-by: mssonicbld <sonicbld@microsoft.com>
Collaborator (Author)
Original PR: #22460

Collaborator (Author)
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
hdwhdw approved these changes on Mar 6, 2026

Collaborator
Retriggered PR test and set to auto merge

bingwang-ms approved these changes on Mar 7, 2026
Description of PR
Summary:
Previously this test was checking whether the block device that /etc/hosts was mounted on was mounted in the container to determine whether the container was privileged. This isn't fully effective: it only checks the block device of the partition, while the entire block device might also be mounted.
Expanded this check to see whether the entire block device is mounted.
To check for the privileged flag directly to hopefully prevent any more containers being added with --privileged, we'll get a list of all the containers running on the dut and check all of them against the allow-list of privileged containers. We'll check this by docker inspect'ing the containers.
Future work: Check various other attributes that come along with --privileged to ensure only allowed containers add them. For example, capabilities, /sys filesystem, other devices.
Fixes # (issue)
Type of change
Back port request
Approach
What is the motivation for this PR?
The previous test didn't check what it claimed to check. Dockers with just some /dev/ mounts could be considered privileged, which they were not.
How did you do it?
Check the docker description of each container to see if it was privileged directly
How did you verify/test it?
On a device with containers privileged and unprivileged.
Any platform specific information?
Supported testbed topology if it's a new test case?
Documentation
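The two checks the PR describes, as an added example that is not the sonic-mgmt test code: every running container's `docker inspect` record is checked for `HostConfig.Privileged` against an allow-list, and the mount check is widened from "the partition backing /etc/hosts" to "that partition or the whole disk it lives on". The allow-list names, the `/dev/sda4` host partition and the `docker inspect` records below are constructed for illustration; on a real device the input would be the JSON from `docker inspect $(docker ps -q)`. The `old_check` function reproduces the pre-PR partition-only heuristic so the missed case (a container handed `/dev/sda` rather than `/dev/sda4`) is visible.

```python
import json
import re

# Constructed allow-list of containers permitted to run with --privileged.
# These names are an assumption for this example, not the project's real list.
PRIVILEGED_ALLOWLIST = {"syncd", "pmon"}

# Disk naming schemes: sdX, vdX, mmcblkN, nvmeNnM.
# Group 1 is the whole-disk name, group 2 the optional partition suffix.
_BLOCK_DEV_RE = re.compile(r"^/dev/(sd[a-z]+|vd[a-z]+|mmcblk\d+|nvme\d+n\d+)(p?\d+)?$")


def parent_disk(path):
    """Whole-disk node for a block device path, or None if `path` is not one.
    /dev/sda4 -> /dev/sda, /dev/mmcblk0p1 -> /dev/mmcblk0, /dev/sda -> /dev/sda."""
    m = _BLOCK_DEV_RE.match(path)
    return "/dev/" + m.group(1) if m else None


def container_name(record):
    # docker inspect reports names with a leading "/"
    return record["Name"].lstrip("/")


def host_paths_exposed(record):
    """Every host path the container can reach via bind mounts or --device."""
    paths = set()
    for mount in record.get("Mounts", []):
        if mount.get("Type") == "bind":
            paths.add(mount["Source"])
    for dev in record.get("HostConfig", {}).get("Devices") or []:
        paths.add(dev["PathOnHost"])
    return paths


def old_check(record, hosts_partition):
    """Pre-PR heuristic: flag only if the exact partition backing the host's
    /etc/hosts is exposed. Misses a container that is given the whole disk."""
    return hosts_partition in host_paths_exposed(record)


def exposes_host_disk(record, hosts_partition):
    """Extended mount check: the partition OR the raw disk that contains it."""
    disk = parent_disk(hosts_partition)
    exposed = host_paths_exposed(record)
    return hosts_partition in exposed or (disk is not None and disk in exposed)


def is_privileged(record):
    """Direct check of the --privileged flag as recorded by the daemon."""
    return bool(record.get("HostConfig", {}).get("Privileged", False))


def audit(inspect_output, hosts_partition, allowlist=PRIVILEGED_ALLOWLIST):
    """inspect_output: JSON text of `docker inspect` over all running containers.
    Returns the names that are privileged, or expose the host disk, without
    being on the allow-list (applying the allow-list to both rules is an
    assumption of this example)."""
    violations = {"privileged": [], "host_disk": []}
    for rec in json.loads(inspect_output):
        name = container_name(rec)
        if name in allowlist:
            continue
        if is_privileged(rec):
            violations["privileged"].append(name)
        if exposes_host_disk(rec, hosts_partition):
            violations["host_disk"].append(name)
    return violations


# Constructed sample: four containers, only the fields the checks read.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/syncd", "HostConfig": {"Privileged": True, "Devices": []}, "Mounts": []},
    {"Name": "/lldp", "HostConfig": {"Privileged": True, "Devices": []}, "Mounts": []},
    {"Name": "/snmp",
     "HostConfig": {"Privileged": False,
                    "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                                 "CgroupPermissions": "rwm"}]},
     "Mounts": []},
    {"Name": "/database", "HostConfig": {"Privileged": False, "Devices": []},
     "Mounts": [{"Type": "bind", "Source": "/var/run/redis", "Destination": "/var/run/redis"}]},
])

if __name__ == "__main__":
    # With /etc/hosts on /dev/sda4: lldp is privileged but not allowed, and
    # snmp gets the whole disk /dev/sda, which the old partition-only check misses.
    print(audit(SAMPLE_INSPECT, "/dev/sda4"))
```

A container with `--device /dev/sda` can read and write the partition table and every partition on it, so the whole-disk case is at least as serious as the partition case the old test looked for; the `HostConfig.Privileged` check catches the flag itself regardless of what happens to be mounted, which is why both rules run independently.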