integration/container: Add test for denied socket address families

vvoland · vvoland · commit ccabd78d7375 · 2026-05-01T01:03:03.000+02:00
Verify that AF_ALG and AF_VSOCK sockets cannot be created inside a
container running with the default seccomp profile.

The test compiles small C programs inside a debian:trixie-slim container
that attempt to create sockets with these address families, then runs
them as a non-root user (uid 1000) and asserts that socket creation is
denied with EPERM or EAFNOSUPPORT.

Signed-off-by: Paweł Gronowski &lt;pawel.gronowski@docker.com&gt;
diff --git a/integration/container/exec_afalg_linux_test.go b/integration/container/exec_afalg_linux_test.go
@@ -0,0 +1,86 @@
+package container
+
+import (
+	"context"
+	_ "embed"
+	"strings"
+	"testing"
+
+	"github.com/moby/moby/client"
+	"github.com/moby/moby/v2/integration/internal/container"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/skip"
+)
+
+var (
+	//go:embed testdata/af_alg.c
+	afALGSource string
+
+	//go:embed testdata/af_vsock.c
+	afVSOCKSource string
+)
+
+// compileAndExecSocketDenied writes a C source file into the container,
+// compiles it with the given compiler command, runs the binary as uid 1000,
+// and asserts that socket creation fails with a permission or
+// address-family error (not EFAULT or other unrelated failures).
+func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string) {
+	t.Helper()
+
+	binPath := "/tmp/" + name
+	srcPath := binPath + ".c"
+
+	res := container.ExecT(ctx, t, apiClient, cID, []string{
+		"sh", "-c", "cat > " + srcPath + " << 'CEOF'\n" + src + "\nCEOF",
+	})
+	res.AssertSuccess(t)
+
+	compileCmd := append(cc, srcPath, "-o", binPath)
+	res = container.ExecT(ctx, t, apiClient, cID, compileCmd)
+	res.AssertSuccess(t)
+
+	res, err := container.Exec(ctx, apiClient, cID, []string{binPath},
+		func(ec *client.ExecCreateOptions) {
+			ec.User = "1000"
+		},
+	)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(res.ExitCode, 1), "expected %s socket program to fail", name)
+
+	out := strings.ToLower(res.Combined())
+	assert.Check(t, is.Contains(out, "socket"), "expected socket-related error message")
+
+	// Seccomp blocks return either EPERM ("operation not permitted") or
+	// EAFNOSUPPORT ("address family not supported"). Make sure the failure
+	// is from seccomp, not from a bogus pointer (EFAULT) or other issue.
+	permErr := strings.Contains(out, "not permitted") || strings.Contains(out, "not supported")
+	assert.Check(t, permErr, "expected EPERM or EAFNOSUPPORT, got: %s", res.Combined())
+}
+
+// TestExecSocketDenied verifies that AF_ALG and AF_VSOCK sockets cannot be
+// created inside a container. These address families are blocked by the
+// default seccomp profile.
+func TestExecSocketDenied(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	ctx := setupTest(t)
+	apiClient := testEnv.APIClient()
+
+	cID := container.Run(ctx, t, apiClient, container.WithImage("debian:trixie-slim"), container.WithCmd("sleep", "infinity"))
+
+	// Install build dependencies as root.
+	res := container.ExecT(ctx, t, apiClient, cID, []string{
+		"sh", "-c", "apt-get update && apt-get install -y --no-install-recommends gcc libc-dev linux-libc-dev",
+	})
+	res.AssertSuccess(t)
+
+	gcc := []string{"gcc"}
+
+	t.Run("AF_ALG", func(t *testing.T) {
+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG", afALGSource, gcc)
+	})
+	t.Run("AF_VSOCK", func(t *testing.T) {
+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_VSOCK", afVSOCKSource, gcc)
+	})
+}
diff --git a/integration/container/testdata/af_alg.c b/integration/container/testdata/af_alg.c
@@ -0,0 +1,45 @@
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+
+int main() {
+    int sockfd, opfd;
+    struct sockaddr_alg sa = {
+        .salg_family = AF_ALG,
+        .salg_type = "hash",
+        .salg_name = "sha1"
+    };
+
+    sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+    if (sockfd < 0) {
+        perror("socket");
+        return 1;
+    }
+
+    if (bind(sockfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
+        perror("bind");
+        close(sockfd);
+        return 1;
+    }
+
+    opfd = accept(sockfd, NULL, 0);
+    if (opfd < 0) {
+        perror("accept");
+        close(sockfd);
+        return 1;
+    }
+
+    char data[] = "hello world";
+    write(opfd, data, strlen(data));
+
+    char hash[20];
+    read(opfd, hash, sizeof(hash));
+
+    printf("SHA1 hash computed\n");
+
+    close(opfd);
+    close(sockfd);
+    return 0;
+}
diff --git a/integration/container/testdata/af_vsock.c b/integration/container/testdata/af_vsock.c
@@ -0,0 +1,16 @@
+#include <sys/socket.h>
+#include <linux/vm_sockets.h>
+#include <unistd.h>
+#include <stdio.h>
+
+int main() {
+    int sockfd = socket(AF_VSOCK, SOCK_STREAM, 0);
+    if (sockfd < 0) {
+        perror("socket");
+        return 1;
+    }
+
+    printf("AF_VSOCK socket created\n");
+    close(sockfd);
+    return 0;
+}
