From cd36f5251ea32701b03a1fd04f81ffd587784be9 Mon Sep 17 00:00:00 2001
From: Mai Bui
Date: Wed, 20 Sep 2023 04:28:08 +0000
Subject: [PATCH 1/4] include multiasic scenario in container hardening test

Signed-off-by: Mai Bui
---
 tests/container_hardening/test_container_hardening.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tests/container_hardening/test_container_hardening.py b/tests/container_hardening/test_container_hardening.py
index 6150f77f72f..add557ff831 100644
--- a/tests/container_hardening/test_container_hardening.py
+++ b/tests/container_hardening/test_container_hardening.py
@@ -10,16 +10,20 @@
 
 NO_PRIVILEGED_CONTAINERS = [
     'bgp',
+    'lldp',
+    'teamd'
 ]
 
 
-def test_container_privileged(duthost):
+def test_container_privileged(duthost, enum_asic_index):
     """
     Test container without --privileged flag has no access to /dev/vda* or /dev/sda*
     """
-    for container_name in NO_PRIVILEGED_CONTAINERS:
+    for container in NO_PRIVILEGED_CONTAINERS:
+        asic = duthost.asic_instance(enum_asic_index)
+        container_name = asic.get_docker_name(container)
         docker_exec_cmd = 'docker exec {} bash -c '.format(container_name)
-        cmd = duthost.shell(docker_exec_cmd + "'df -h | grep /etc/hosts' | awk '{print $1}'")
+        cmd = duthost.shell(docker_exec_cmd + "df -h | awk '{print $1}' | grep /dev/")
         rc, device = cmd['rc'], cmd['stdout']
         pytest_assert(rc == 0, 'Failed to get the device name.')
         pytest_assert(device.startswith('/dev/'), 'Invalid device {}.'.format(device))

From 37a3ce15544203ce062a49568fc46e5c3a96d7eb Mon Sep 17 00:00:00 2001
From: Mai Bui
Date: Wed, 20 Sep 2023 04:40:25 +0000
Subject: [PATCH 2/4] fix cmd

Signed-off-by: Mai Bui
---
 tests/container_hardening/test_container_hardening.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/container_hardening/test_container_hardening.py b/tests/container_hardening/test_container_hardening.py
index add557ff831..a19e851b358 100644
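Review bot: The docstring inside the hunk still reads as a single-host check, but the loop now resolves every entry of `NO_PRIVILEGED_CONTAINERS` through `asic.get_docker_name(container)` for the ASIC chosen by the `enum_asic_index` fixture, so a reader cannot tell from the function what the newly added `'lldp'` or `'teamd'` expands to on a multi-ASIC device. Add a line after the existing summary, e.g. `Runs per ASIC; the short names in NO_PRIVILEGED_CONTAINERS are mapped to the per-ASIC docker name via asic.get_docker_name().`. `asic = duthost.asic_instance(enum_asic_index)` does not depend on `container` and belongs before the `for`. Whether lldp and teamd exist per ASIC on every platform is not visible here; if `get_docker_name` falls back to the plain name for global containers, that is worth stating in the same docstring.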
--- a/tests/container_hardening/test_container_hardening.py
+++ b/tests/container_hardening/test_container_hardening.py
@@ -23,7 +23,7 @@ def test_container_privileged(duthost, enum_asic_index):
         asic = duthost.asic_instance(enum_asic_index)
         container_name = asic.get_docker_name(container)
         docker_exec_cmd = 'docker exec {} bash -c '.format(container_name)
-        cmd = duthost.shell(docker_exec_cmd + "df -h | awk '{print $1}' | grep /dev/")
+        cmd = duthost.shell(docker_exec_cmd + "'mount | grep /etc/hosts' | awk '{print $1}'")
         rc, device = cmd['rc'], cmd['stdout']
         pytest_assert(rc == 0, 'Failed to get the device name.')
         pytest_assert(device.startswith('/dev/'), 'Invalid device {}.'.format(device))

From 5e845646f82e8b78b31a1a767bcbee6b63b587a3 Mon Sep 17 00:00:00 2001
From: Mai Bui
Date: Tue, 3 Oct 2023 01:53:12 +0000
Subject: [PATCH 3/4] address comment

Signed-off-by: Mai Bui
---
 tests/container_hardening/test_container_hardening.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/container_hardening/test_container_hardening.py b/tests/container_hardening/test_container_hardening.py
index a19e851b358..ab06dce32a2 100644
--- a/tests/container_hardening/test_container_hardening.py
+++ b/tests/container_hardening/test_container_hardening.py
@@ -15,12 +15,12 @@
 ]
 
 
-def test_container_privileged(duthost, enum_asic_index):
+def test_container_privileged(duthost, enum_rand_one_asic_index):
     """
     Test container without --privileged flag has no access to /dev/vda* or /dev/sda*
     """
     for container in NO_PRIVILEGED_CONTAINERS:
-        asic = duthost.asic_instance(enum_asic_index)
+        asic = duthost.asic_instance(enum_rand_one_asic_index)
         container_name = asic.get_docker_name(container)
         docker_exec_cmd = 'docker exec {} bash -c '.format(container_name)
         cmd = duthost.shell(docker_exec_cmd + "'mount | grep /etc/hosts' | awk '{print $1}'")

From 143b411cc2483a5003dae9325e8832e4e11f06f8 Mon Sep 17 00:00:00 2001
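Review bot: The new command `'mount | grep /etc/hosts'` is an unanchored substring match over the whole mount table, so any entry whose line merely contains that text is matched and `device` becomes several newline-joined first columns, of which the following `device.startswith('/dev/')` assert validates only the first. Match the mount-point column and keep one line, e.g. `cmd = duthost.shell(docker_exec_cmd + "'mount | grep \" on /etc/hosts \"' | awk 'NR==1{print $1}'")`. If `duthost.shell` raises on a non-zero exit status by default, as the `module_ignore_errors=True` on the `ls` call in the last patch of this series suggests, an empty grep result never reaches `pytest_assert(rc == 0, ...)` and surfaces as an unrelated module failure instead; passing `module_ignore_errors=True` here too makes the assert's message the one that fails. The enclosing function starts before this hunk.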
From: Mai Bui
Date: Tue, 3 Oct 2023 19:39:29 +0000
Subject: [PATCH 4/4] address comment

Signed-off-by: Mai Bui
---
 tests/container_hardening/test_container_hardening.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/container_hardening/test_container_hardening.py b/tests/container_hardening/test_container_hardening.py
index ab06dce32a2..3c032efc7a6 100644
--- a/tests/container_hardening/test_container_hardening.py
+++ b/tests/container_hardening/test_container_hardening.py
@@ -15,17 +15,19 @@
 ]
 
 
-def test_container_privileged(duthost, enum_rand_one_asic_index):
+def test_container_privileged(duthosts, enum_rand_one_per_hwsku_hostname, enum_rand_one_asic_index):
     """
     Test container without --privileged flag has no access to /dev/vda* or /dev/sda*
     """
     for container in NO_PRIVILEGED_CONTAINERS:
+        duthost = duthosts[enum_rand_one_per_hwsku_hostname]
         asic = duthost.asic_instance(enum_rand_one_asic_index)
         container_name = asic.get_docker_name(container)
         docker_exec_cmd = 'docker exec {} bash -c '.format(container_name)
         cmd = duthost.shell(docker_exec_cmd + "'mount | grep /etc/hosts' | awk '{print $1}'")
         rc, device = cmd['rc'], cmd['stdout']
+        output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout']
+
         pytest_assert(rc == 0, 'Failed to get the device name.')
         pytest_assert(device.startswith('/dev/'), 'Invalid device {}.'.format(device))
-        output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout']
         pytest_assert(not output, 'The partition {} exists.'.format(device))
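Review bot: The final `pytest_assert(not output, ...)` passes vacuously when `docker exec` itself fails, because `module_ignore_errors=True` on the moved `output = ...` line swallows the non-zero status and a container that is not running produces the same empty stdout as an absent device node. Check the exit status of an explicit existence test instead, e.g. `res = duthost.shell(docker_exec_cmd + "'test -e {}'".format(device), module_ignore_errors=True)` followed by `pytest_assert(res['rc'] == 1, 'The partition {} exists or the check could not run (rc={}).'.format(device, res['rc']))`, since a missing path yields 1 while a failed exec reports a different status. The new ordering also runs that command before `device` has been validated by the `startswith('/dev/')` assert; keep the validation first so an empty or multi-line value is never interpolated into a second `bash -c`. Absence of the node is a weaker property than the docstring's "no access": a container that keeps CAP_MKNOD and is not confined by the device cgroup could recreate it, so additionally asserting that `docker inspect -f '{{.HostConfig.Privileged}}' <container_name>` prints `false` would pin the property the test is named for. `duthost = duthosts[enum_rand_one_per_hwsku_hostname]` and the `asic_instance` lookup are loop-invariant and belong before the `for`.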