testcase for bgp container in container hardening (#8694)

Description of PR
HLD implementation: Container Hardening (sonic-net/SONiC#1364)
Dependency: sonic-net/sonic-buildimage#14932
#### What is the motivation for this PR?
Check bgp container has access to /dev/sda* or /dev/vda* after limiting privileged flag to less Linux capabilities.
#### How did you do it?
#### How did you verify/test it?
```
container_hardening/test_container_hardening.py::test_bgp_dev PASSED                                                                            [100%]
```
Signed-off-by: Mai Bui <[email protected]>

Author: maipbui

tests/container_hardening/test_container_hardening.py

@@ -0,0 +1,27 @@
+import pytest
+import logging
+from tests.common.helpers.assertions import pytest_assert
+
+pytestmark = [
+    pytest.mark.topology('any'),
+]
+
+logger = logging.getLogger(__name__)
+
+NO_PRIVILEGED_CONTAINERS = [
+    'bgp',
+]
+
+
+def test_container_privileged(duthost):
+    """
+    Test container without --privileged flag has no access to /dev/vda* or /dev/sda*
+    """
+    for container_name in NO_PRIVILEGED_CONTAINERS:
+        docker_exec_cmd = 'docker exec {} bash -c '.format(container_name)
+        cmd = duthost.shell(docker_exec_cmd + "'df -h | grep /etc/hosts' | awk '{print $1}'")
+        rc, device = cmd['rc'], cmd['stdout']
+        pytest_assert(rc == 0, 'Failed to get the device name.')
+        pytest_assert(device.startswith('/dev/'), 'Invalid device {}.'.format(device))
+        output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout']
+        pytest_assert(not output, 'The partition {} exists.'.format(device))

tests/python3_test_files.txt

@@ -37,6 +37,7 @@ console/test_console_loopback.py
 console/test_console_reversessh.py
 console/test_console_udevrule.py
 container_checker/test_container_checker.py
+container_hardening/test_container_hardening.py
 copp/test_copp.py
 crm/test_crm.py
 dash/test_dash_vnet.py