From 0d5874877bdd72b495486a22447ba8437bfca39c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 2 Dec 2021 11:10:12 +0100
Subject: [PATCH] if the docker daemon is configure with no-new-privileges, pass check 5.25
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren
---
 tests/5_container_runtime.sh | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 6eccf9b..02cf9bb 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -970,23 +970,32 @@ check_5_25() {
   starttestjson "$id" "$desc"
 
   fail=0
+  no_priv_config=0
   addprivs_containers=""
-  for c in $containers; do
-    if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then
-      # If it's the first container, fail the test
-      if [ $fail -eq 0 ]; then
-        warn -s "$check"
+
+  if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
+    no_priv_config=1
+  elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
+    no_priv_config=1
+  else
+    for c in $containers; do
+      if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then
+        # If it's the first container, fail the test
+        if [ $fail -eq 0 ]; then
+          warn -s "$check"
+          warn " * Privileges not restricted: $c"
+          addprivs_containers="$addprivs_containers $c"
+          fail=1
+          continue
+        fi
         warn " * Privileges not restricted: $c"
         addprivs_containers="$addprivs_containers $c"
-        fail=1
-        continue
       fi
-      warn " * Privileges not restricted: $c"
-      addprivs_containers="$addprivs_containers $c"
-    fi
-  done
+    done
+  fi
+
   # We went through all the containers and found none with capability to acquire additional privileges
-  if [ $fail -eq 0 ]; then
+  if [ $fail -eq 0 ] || [ $no_priv_config -eq 1 ]; then
     pass -s "$check"
     logcheckresult "PASS"
     return
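Review bot: The new daemon-level short-circuit matches on a bare substring, so if `get_docker_effective_command_line_args` echoes the matching argument, a daemon started with `--no-new-privileges=false` would still set `no_priv_config=1` and the check would PASS without inspecting any container; anchoring the pattern avoids that false pass, e.g. `| grep -E -- 'no-new-privileges(=true)?$' >/dev/null 2>&1` (the helper's output format is outside this hunk, so confirm it first). When the daemon default is what satisfies the check the per-container loop is skipped entirely, so any container whose effective `HostConfig.SecurityOpt` lacks the option is never reported; if that can happen for containers started under an earlier daemon configuration, it may be safer to still run the loop and treat the daemon setting only as the reason to downgrade the result to a pass, or at least record the daemon-derived pass via `logcheckresult` so the report distinguishes the two cases. The comment `# We went through all the containers and found none with capability to acquire additional privileges` is now inaccurate on the `no_priv_config` path and could read `# Either the daemon enforces no-new-privileges by default, or no container lacks it`. For style, the new pipelines could use `grep -q` instead of `>/dev/null 2>&1`, matching the quieter idiom rather than the mixed redirection styles now present in the same function. check_5_25 begins before the hunk and its failure branch continues after it.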