runc/security/restrict/restrict.go

// +build linux

package restrict

import (
	"fmt"
	"os"
	"syscall"
	"time"

	"github.com/dotcloud/docker/pkg/system"
)

const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

func mountReadonly(path string) error {
	for i := 0; i < 5; i++ {
		if err := system.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {
			switch err {
			case syscall.EINVAL:
				// Probably not a mountpoint, use bind-mount
				if err := system.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
					return err
				}
				return system.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC|defaultMountFlags, "")
			case syscall.EBUSY:
				time.Sleep(100 * time.Millisecond)
				continue
			default:
				return err
			}
		}
		return nil
	}
	return fmt.Errorf("unable to mount %s as readonly max retries reached", path)
}

// This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts).
// However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes).
func Restrict(mounts ...string) error {
	// remount proc and sys as readonly
	for _, dest := range mounts {
		if err := mountReadonly(dest); err != nil {
			return fmt.Errorf("unable to remount %s readonly: %s", dest, err)
		}
	}

	if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore: %s", err)
	}
	return nil
}
Update to enable cross compile Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-01 10:09:25 +08:00			`// +build linux`

Add restrictions to proc in libcontainer Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-04-11 07:03:52 +08:00			`package restrict`

			`import (`
			`"fmt"`
Update restrict.Restrict to both show the error message when failing to mount /dev/null over /proc/kcore, and to ignore "not exists" errors while doing so (for when CONFIG_PROC_KCORE=n in the kernel) Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon) 2014-05-08 15:03:45 +08:00			`"os"`
Add restrictions to proc in libcontainer Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-04-11 07:03:52 +08:00			`"syscall"`
Handle EBUSY on remount Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-29 09:09:05 +08:00			`"time"`
Ignore isnot exists errors for proc paths Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-04-24 09:12:07 +08:00
			`"github.com/dotcloud/docker/pkg/system"`
Add restrictions to proc in libcontainer Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-04-11 07:03:52 +08:00			`)`

Make /proc writable, but not /proc/sys and /proc/sysrq-trigger Some applications want to write to /proc. For instance: docker run -it centos groupadd foo Gives: groupadd: failure while writing changes to /etc/group And strace reveals why: open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system) I've looked at what other systems do, and systemd-nspawn makes /proc read-write and /proc/sys readonly, while lxc allows "proc:mixed" which does the same, plus it makes /proc/sysrq-trigger also readonly. The later seems like a prudent idea, so we follows lxc proc:mixed. Additionally we make /proc/irq and /proc/bus, as these seem to let you control various hardware things. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) 2014-05-19 15:51:20 +08:00			`const defaultMountFlags = syscall.MS_NOEXEC \| syscall.MS_NOSUID \| syscall.MS_NODEV`

			`func mountReadonly(path string) error {`
Handle EBUSY on remount Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-29 09:09:05 +08:00			`for i := 0; i < 5; i++ {`
			`if err := system.Mount("", path, "", syscall.MS_REMOUNT\|syscall.MS_RDONLY, ""); err != nil {`
			`switch err {`
			`case syscall.EINVAL:`
			`// Probably not a mountpoint, use bind-mount`
			`if err := system.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {`
			`return err`
			`}`
			`return system.Mount(path, path, "", syscall.MS_BIND\|syscall.MS_REMOUNT\|syscall.MS_RDONLY\|syscall.MS_REC\|defaultMountFlags, "")`
			`case syscall.EBUSY:`
			`time.Sleep(100 * time.Millisecond)`
			`continue`
			`default:`
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger Some applications want to write to /proc. For instance: docker run -it centos groupadd foo Gives: groupadd: failure while writing changes to /etc/group And strace reveals why: open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system) I've looked at what other systems do, and systemd-nspawn makes /proc read-write and /proc/sys readonly, while lxc allows "proc:mixed" which does the same, plus it makes /proc/sysrq-trigger also readonly. The later seems like a prudent idea, so we follows lxc proc:mixed. Additionally we make /proc/irq and /proc/bus, as these seem to let you control various hardware things. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) 2014-05-19 15:51:20 +08:00			`return err`
			`}`
			`}`
Handle EBUSY on remount Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-29 09:09:05 +08:00			`return nil`
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger Some applications want to write to /proc. For instance: docker run -it centos groupadd foo Gives: groupadd: failure while writing changes to /etc/group And strace reveals why: open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system) I've looked at what other systems do, and systemd-nspawn makes /proc read-write and /proc/sys readonly, while lxc allows "proc:mixed" which does the same, plus it makes /proc/sysrq-trigger also readonly. The later seems like a prudent idea, so we follows lxc proc:mixed. Additionally we make /proc/irq and /proc/bus, as these seem to let you control various hardware things. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) 2014-05-19 15:51:20 +08:00			`}`
Handle EBUSY on remount Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-29 09:09:05 +08:00			`return fmt.Errorf("unable to mount %s as readonly max retries reached", path)`
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger Some applications want to write to /proc. For instance: docker run -it centos groupadd foo Gives: groupadd: failure while writing changes to /etc/group And strace reveals why: open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system) I've looked at what other systems do, and systemd-nspawn makes /proc read-write and /proc/sys readonly, while lxc allows "proc:mixed" which does the same, plus it makes /proc/sysrq-trigger also readonly. The later seems like a prudent idea, so we follows lxc proc:mixed. Additionally we make /proc/irq and /proc/bus, as these seem to let you control various hardware things. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) 2014-05-19 15:51:20 +08:00			`}`

Mount /proc and /sys read-only, except in privileged containers. It has been pointed out that some files in /proc and /sys can be used to break out of containers. However, if those filesystems are mounted read-only, most of the known exploits are mitigated, since they rely on writing some file in those filesystems. This does not replace security modules (like SELinux or AppArmor), it is just another layer of security. Likewise, it doesn't mean that the other mitigations (shadowing parts of /proc or /sys with bind mounts) are useless. Those measures are still useful. As such, the shadowing of /proc/kcore is still enabled with both LXC and native drivers. Special care has to be taken with /proc/1/attr, which still needs to be mounted read-write in order to enable the AppArmor profile. It is bind-mounted from a private read-write mount of procfs. All that enforcement is done in dockerinit. The code doing the real work is in libcontainer. The init function for the LXC driver calls the function from libcontainer to avoid code duplication. Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo) 2014-05-01 09:00:42 +08:00			`// This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts).`
			`// However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes).`
Don't restrict lxc because of apparmor We don't have the flexibility to do extra things with lxc because it is a black box and most fo the magic happens before we get a chance to interact with it in dockerinit. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-03 02:14:24 +08:00			`func Restrict(mounts ...string) error {`
Update restrictions for better handling of mounts This also cleans up some of the left over restriction paths code from before. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-02 01:08:18 +08:00			`// remount proc and sys as readonly`
Don't restrict lxc because of apparmor We don't have the flexibility to do extra things with lxc because it is a black box and most fo the magic happens before we get a chance to interact with it in dockerinit. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-03 02:14:24 +08:00			`for _, dest := range mounts {`
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger Some applications want to write to /proc. For instance: docker run -it centos groupadd foo Gives: groupadd: failure while writing changes to /etc/group And strace reveals why: open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system) I've looked at what other systems do, and systemd-nspawn makes /proc read-write and /proc/sys readonly, while lxc allows "proc:mixed" which does the same, plus it makes /proc/sysrq-trigger also readonly. The later seems like a prudent idea, so we follows lxc proc:mixed. Additionally we make /proc/irq and /proc/bus, as these seem to let you control various hardware things. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) 2014-05-19 15:51:20 +08:00			`if err := mountReadonly(dest); err != nil {`
Update restrictions for better handling of mounts This also cleans up some of the left over restriction paths code from before. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-02 01:08:18 +08:00			`return fmt.Errorf("unable to remount %s readonly: %s", dest, err)`
Add restrictions to proc in libcontainer Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-04-11 07:03:52 +08:00			`}`
			`}`
Handle EBUSY on remount Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-29 09:09:05 +08:00
Update restrict.Restrict to both show the error message when failing to mount /dev/null over /proc/kcore, and to ignore "not exists" errors while doing so (for when CONFIG_PROC_KCORE=n in the kernel) Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon) 2014-05-08 15:03:45 +08:00			`if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) {`
			`return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore: %s", err)`
Update restrictions for better handling of mounts This also cleans up some of the left over restriction paths code from before. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-02 01:08:18 +08:00			`}`
Apply apparmor before restrictions There is not need for the remount hack, we use aa_change_onexec so the apparmor profile is not applied until we exec the users app. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-02 10:09:12 +08:00			`return nil`
Add restrictions to proc in libcontainer Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-04-11 07:03:52 +08:00			`}`