diff --git a/pkg/securitypolicy/opts.go b/pkg/securitypolicy/opts.go
new file mode 100644
index 0000000000..32885ce666
--- /dev/null
+++ b/pkg/securitypolicy/opts.go
@@ -0,0 +1,27 @@
+package securitypolicy
+
+type ContainerConfigOpt func(*ContainerConfig) error
+
+// WithEnvVarRules adds environment variable constraints to container policy config.
+func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt {
+	return func(c *ContainerConfig) error {
+		c.EnvRules = append(c.EnvRules, envs...)
+		return nil
+	}
+}
+
+// WithExpectedMounts adds expected mounts to container policy config.
+func WithExpectedMounts(em []string) ContainerConfigOpt {
+	return func(c *ContainerConfig) error {
+		c.ExpectedMounts = append(c.ExpectedMounts, em...)
+		return nil
+	}
+}
+
+// WithWorkingDir sets working directory in container policy config.
+func WithWorkingDir(wd string) ContainerConfigOpt {
+	return func(c *ContainerConfig) error {
+		c.WorkingDir = wd
+		return nil
+	}
+}
diff --git a/test/cri-containerd/policy_test.go b/test/cri-containerd/policy_test.go
index ea8b1f51f9..334ab6012e 100644
--- a/test/cri-containerd/policy_test.go
+++ b/test/cri-containerd/policy_test.go
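Review bot: The exported type `ContainerConfigOpt` carries no doc comment while its three constructors do, so godoc shows it bare; suggest `// ContainerConfigOpt mutates a ContainerConfig while it is being assembled; a non-nil error is meant to abort construction.` above the `type` line, with the second clause confirmed against the apply loop, which is outside this diff. None of the three options ever returns a non-nil error: `WithEnvVarRules` appends whatever it is handed, and since `Strategy` is an enumerated value (`EnvVarRuleString` appears in policy_test.go) this closure is the natural place to reject an unknown strategy or an empty rule before it reaches the policy, unless `NewContainerConfig` or the policy compiler already validates, which is not visible here. The same applies to the byte-identical vendored copy under test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/opts.go, which must be kept in step with this file.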
@@ -20,29 +20,6 @@ var (
 	validPolicyAlpineCommand = []string{"ash", "-c", "echo 'Hello'"}
 )
 
-type configOpt func(*securitypolicy.ContainerConfig) error
-
-func withExpectedMounts(em []string) configOpt {
-	return func(conf *securitypolicy.ContainerConfig) error {
-		conf.ExpectedMounts = append(conf.ExpectedMounts, em...)
-		return nil
-	}
-}
-
-func withEnvVarRules(envRules []securitypolicy.EnvRuleConfig) configOpt {
-	return func(config *securitypolicy.ContainerConfig) error {
-		config.EnvRules = append(config.EnvRules, envRules...)
-		return nil
-	}
-}
-
-func withWorkingDir(workingDir string) configOpt {
-	return func(config *securitypolicy.ContainerConfig) error {
-		config.WorkingDir = workingDir
-		return nil
-	}
-}
-
 func securityPolicyFromContainers(containers []securitypolicy.ContainerConfig) (string, error) {
 	pc, err := helpers.PolicyContainersFromConfigs(containers)
 	if err != nil {
@@ -65,7 +42,7 @@ func sandboxSecurityPolicy(t *testing.T) string {
 	return policyString
 }
 
-func alpineSecurityPolicy(t *testing.T, opts ...configOpt) string {
+func alpineSecurityPolicy(t *testing.T, opts ...securitypolicy.ContainerConfigOpt) string {
 	defaultContainers := helpers.DefaultContainerConfigs()
 	alpineContainer := securitypolicy.NewContainerConfig(
 		"alpine:latest",
@@ -287,7 +264,7 @@ func Test_RunContainer_ValidContainerConfigs_Allowed(t *testing.T) {
 	type config struct {
 		name string
 		sf   sideEffect
-		opts []configOpt
+		opts []securitypolicy.ContainerConfigOpt
 	}
 
 	requireFeatures(t, featureLCOW, featureLCOWIntegrity)
@@ -303,7 +280,7 @@ func Test_RunContainer_ValidContainerConfigs_Allowed(t *testing.T) {
 			sf: func(req *runtime.CreateContainerRequest) {
 				req.Config.WorkingDir = "/root"
 			},
-			opts: []configOpt{withWorkingDir("/root")},
+			opts: []securitypolicy.ContainerConfigOpt{securitypolicy.WithWorkingDir("/root")},
 		},
 		{
 			name: "EnvironmentVariable",
@@ -313,8 +290,8 @@ func Test_RunContainer_ValidContainerConfigs_Allowed(t *testing.T) {
 						Value: "VALUE",
 					})
 			},
-			opts: []configOpt{
-				withEnvVarRules(
+			opts: []securitypolicy.ContainerConfigOpt{
+				securitypolicy.WithEnvVarRules(
 					[]securitypolicy.EnvRuleConfig{
 						{
 							Strategy: securitypolicy.EnvVarRuleString,
diff --git a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/opts.go b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/opts.go
new file mode 100644
index 0000000000..32885ce666
--- /dev/null
+++ b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/opts.go
@@ -0,0 +1,27 @@
+package securitypolicy
+
+type ContainerConfigOpt func(*ContainerConfig) error
+
+// WithEnvVarRules adds environment variable constraints to container policy config.
+func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt {
+	return func(c *ContainerConfig) error {
+		c.EnvRules = append(c.EnvRules, envs...)
+		return nil
+	}
+}
+
+// WithExpectedMounts adds expected mounts to container policy config.
+func WithExpectedMounts(em []string) ContainerConfigOpt {
+	return func(c *ContainerConfig) error {
+		c.ExpectedMounts = append(c.ExpectedMounts, em...)
+		return nil
+	}
+}
+
+// WithWorkingDir sets working directory in container policy config.
+func WithWorkingDir(wd string) ContainerConfigOpt {
+	return func(c *ContainerConfig) error {
+		c.WorkingDir = wd
+		return nil
+	}
+}