diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 0e3f534..ede00c6 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -40,7 +40,7 @@ check_5_1() {
 for c in $containers; do
 policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")
 
-if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=<no value>" ]; then
+if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=<no value>" ] || [ "$policy" = "AppArmorProfile=unconfined" ]; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
 warn "$check_5_1"
@@ -227,7 +227,7 @@ check_5_5() {
 # Go over each directory in sensitive dir and see if they exist in the volumes
 for v in $sensitive_dirs; do
 sensitive=0
-if echo "$volumes" | grep -e "{.*\s$v\s.*true\s}" 2>/tmp/null 1>&2; then
+if echo "$volumes" | grep -e "{.*\s$v\s.*true\s.*}" 2>/tmp/null 1>&2; then
 sensitive=1
 fi
 if [ $sensitive -eq 1 ]; then
@@ -1247,7 +1247,7 @@ check_5_31() {
 fail=0
 docker_sock_containers=""
 for c in $containers; do
-if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
+if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep -e '.*bind\s\s/\s.*' -e '.*bind\s\s/var\s.*' -e '.*bind\s\s/var/run\s.*' -e '.*bind\s\s/var/run/docker.sock\s.*' >/dev/null 2>&1; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
 warn "$check_5_31"
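Review bot: The four exact-string comparisons chained with `||` on the changed `if` line in check_5_1 would read better as a single `case` on `$policy`, which also makes the next value a one-token addition: `case "$policy" in "AppArmorProfile="|"AppArmorProfile=[]"|"AppArmorProfile=<no value>"|"AppArmorProfile=unconfined")` with the existing body as the arm and `;;` where the `fi` is. Flagging `unconfined` alongside the empty/`<no value>` forms is a different condition (an explicitly disabled profile rather than a missing one, as far as I can tell), so a one-line comment above the condition such as `# empty/[]/<no value>: no profile attached; unconfined: profile explicitly switched off` would help the next reader. check_5_1 starts and ends outside the hunk.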
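Review bot: `2>/tmp/null` on the changed grep line in check_5_5 looks like a typo for `/dev/null`: as written it creates or truncates a regular file at a predictable path under /tmp, and because `1>&2` follows, grep's stdout lands there too; if the script runs as root and something has planted a symlink at that path, the redirect follows it. `grep -q` needs no redirection at all, or use `>/dev/null 2>&1`. Separately, the `.*` runs in `{.*\s$v\s.*true\s.*}` do not stop at `}`, so a non-`true` entry for `$v` followed by any later entry containing `true` still matches; `{[^}]*\s$v\s[^}]*true\s[^}]*}` confines the match to one mount entry. `\s` inside a basic regex is a GNU grep extension, so this line may silently match nothing on a BusyBox or BSD grep. check_5_5 starts and ends outside the hunk.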
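Review bot: The new source-path patterns in check_5_31 narrow what the check reports compared with the removed `grep 'docker.sock'`: only the source field after `bind\s\s` is inspected, so a socket bind-mounted from `/run/docker.sock` or `/run` (on distributions where `/var/run` is a symlink to `/run`) or from any non-default host path is no longer reported. Add `-e '.*bind\s\s/run\s.*' -e '.*bind\s\s/run/docker.sock\s.*'` and consider keeping `-e 'docker\.sock'` as a catch-all so the change only adds detections. The leading and trailing `.*` are redundant in grep, and `\s` in a basic regex is a GNU extension, so plain literal spaces (or `grep -E`) would be more portable. check_5_31 continues past the end of the hunk.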