This patch adds SELinux labeling support.
docker will run the process(es) within the container with an SELinux label and will label all of the content within the container with mount label. Any temporary file systems created within the container need to be mounted with the same mount label. The user can override the process label by specifying -Z With a string of space separated options. -Z "user=unconfined_u role=unconfined_r type=unconfined_t level=s0" Would cause the process label to run with unconfined_u:unconfined_r:unconfined_t:s0" By default the processes will run execute within the container as svirt_lxc_net_t. All of the content in the container as svirt_sandbox_file_t. The process mcs level is based of the PID of the docker process that is creating the container. If you run the container in --priv mode, the labeling will be disabled. Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This commit is contained in:
parent
e6ecb9032a
commit
5e030fd065
|
@ -4,6 +4,7 @@ package nsinit
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/dotcloud/docker/pkg/label"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||||
"github.com/dotcloud/docker/pkg/system"
|
"github.com/dotcloud/docker/pkg/system"
|
||||||
"os"
|
"os"
|
||||||
|
@ -32,7 +33,11 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s
|
||||||
closeFds()
|
closeFds()
|
||||||
return -1, err
|
return -1, err
|
||||||
}
|
}
|
||||||
|
processLabel, err := label.GetPidCon(nspid)
|
||||||
|
if err != nil {
|
||||||
|
closeFds()
|
||||||
|
return -1, err
|
||||||
|
}
|
||||||
// foreach namespace fd, use setns to join an existing container's namespaces
|
// foreach namespace fd, use setns to join an existing container's namespaces
|
||||||
for _, fd := range fds {
|
for _, fd := range fds {
|
||||||
if fd > 0 {
|
if fd > 0 {
|
||||||
|
@ -80,6 +85,10 @@ dropAndExec:
|
||||||
if err := finalizeNamespace(container); err != nil {
|
if err := finalizeNamespace(container); err != nil {
|
||||||
return -1, err
|
return -1, err
|
||||||
}
|
}
|
||||||
|
err = label.SetProcessLabel(processLabel)
|
||||||
|
if err != nil {
|
||||||
|
return -1, err
|
||||||
|
}
|
||||||
if err := system.Execv(args[0], args[0:], container.Env); err != nil {
|
if err := system.Execv(args[0], args[0:], container.Env); err != nil {
|
||||||
return -1, err
|
return -1, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ package nsinit
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/dotcloud/docker/pkg/label"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
|
"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer/capabilities"
|
"github.com/dotcloud/docker/pkg/libcontainer/capabilities"
|
||||||
|
@ -12,6 +13,7 @@ import (
|
||||||
"github.com/dotcloud/docker/pkg/system"
|
"github.com/dotcloud/docker/pkg/system"
|
||||||
"github.com/dotcloud/docker/pkg/user"
|
"github.com/dotcloud/docker/pkg/user"
|
||||||
"os"
|
"os"
|
||||||
|
"runtime"
|
||||||
"syscall"
|
"syscall"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -57,7 +59,7 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
|
||||||
return fmt.Errorf("parent death signal %s", err)
|
return fmt.Errorf("parent death signal %s", err)
|
||||||
}
|
}
|
||||||
ns.logger.Println("setup mount namespace")
|
ns.logger.Println("setup mount namespace")
|
||||||
if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot); err != nil {
|
if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil {
|
||||||
return fmt.Errorf("setup mount namespace %s", err)
|
return fmt.Errorf("setup mount namespace %s", err)
|
||||||
}
|
}
|
||||||
if err := setupNetwork(container, context); err != nil {
|
if err := setupNetwork(container, context); err != nil {
|
||||||
|
@ -76,6 +78,10 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
runtime.LockOSThread()
|
||||||
|
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
||||||
|
return fmt.Errorf("SetProcessLabel label %s", err)
|
||||||
|
}
|
||||||
ns.logger.Printf("execing %s\n", args[0])
|
ns.logger.Printf("execing %s\n", args[0])
|
||||||
return system.Execv(args[0], args[0:], container.Env)
|
return system.Execv(args[0], args[0:], container.Env)
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ package nsinit
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/dotcloud/docker/pkg/label"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||||
"github.com/dotcloud/docker/pkg/system"
|
"github.com/dotcloud/docker/pkg/system"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
@ -20,7 +21,7 @@ const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NOD
|
||||||
//
|
//
|
||||||
// There is no need to unmount the new mounts because as soon as the mount namespace
|
// There is no need to unmount the new mounts because as soon as the mount namespace
|
||||||
// is no longer in use, the mounts will be removed automatically
|
// is no longer in use, the mounts will be removed automatically
|
||||||
func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, console string, readonly, noPivotRoot bool) error {
|
func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, console string, readonly, noPivotRoot bool, mountLabel string) error {
|
||||||
flag := syscall.MS_PRIVATE
|
flag := syscall.MS_PRIVATE
|
||||||
if noPivotRoot {
|
if noPivotRoot {
|
||||||
flag = syscall.MS_SLAVE
|
flag = syscall.MS_SLAVE
|
||||||
|
@ -36,7 +37,7 @@ func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, cons
|
||||||
return fmt.Errorf("mounting %s as readonly %s", rootfs, err)
|
return fmt.Errorf("mounting %s as readonly %s", rootfs, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if err := mountSystem(rootfs); err != nil {
|
if err := mountSystem(rootfs, mountLabel); err != nil {
|
||||||
return fmt.Errorf("mount system %s", err)
|
return fmt.Errorf("mount system %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -64,7 +65,7 @@ func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, cons
|
||||||
if err := setupDev(rootfs); err != nil {
|
if err := setupDev(rootfs); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := setupPtmx(rootfs, console); err != nil {
|
if err := setupPtmx(rootfs, console, mountLabel); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := system.Chdir(rootfs); err != nil {
|
if err := system.Chdir(rootfs); err != nil {
|
||||||
|
@ -196,7 +197,7 @@ func setupDev(rootfs string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// setupConsole ensures that the container has a proper /dev/console setup
|
// setupConsole ensures that the container has a proper /dev/console setup
|
||||||
func setupConsole(rootfs, console string) error {
|
func setupConsole(rootfs, console string, mountLabel string) error {
|
||||||
oldMask := system.Umask(0000)
|
oldMask := system.Umask(0000)
|
||||||
defer system.Umask(oldMask)
|
defer system.Umask(oldMask)
|
||||||
|
|
||||||
|
@ -220,6 +221,9 @@ func setupConsole(rootfs, console string) error {
|
||||||
if err := system.Mknod(dest, (st.Mode&^07777)|0600, int(st.Rdev)); err != nil {
|
if err := system.Mknod(dest, (st.Mode&^07777)|0600, int(st.Rdev)); err != nil {
|
||||||
return fmt.Errorf("mknod %s %s", dest, err)
|
return fmt.Errorf("mknod %s %s", dest, err)
|
||||||
}
|
}
|
||||||
|
if err := label.SetFileLabel(console, mountLabel); err != nil {
|
||||||
|
return fmt.Errorf("SetFileLabel Failed %s %s", dest, err)
|
||||||
|
}
|
||||||
if err := system.Mount(console, dest, "bind", syscall.MS_BIND, ""); err != nil {
|
if err := system.Mount(console, dest, "bind", syscall.MS_BIND, ""); err != nil {
|
||||||
return fmt.Errorf("bind %s to %s %s", console, dest, err)
|
return fmt.Errorf("bind %s to %s %s", console, dest, err)
|
||||||
}
|
}
|
||||||
|
@ -228,7 +232,7 @@ func setupConsole(rootfs, console string) error {
|
||||||
|
|
||||||
// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts
|
// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts
|
||||||
// inside the mount namespace
|
// inside the mount namespace
|
||||||
func mountSystem(rootfs string) error {
|
func mountSystem(rootfs string, mountLabel string) error {
|
||||||
for _, m := range []struct {
|
for _, m := range []struct {
|
||||||
source string
|
source string
|
||||||
path string
|
path string
|
||||||
|
@ -238,8 +242,8 @@ func mountSystem(rootfs string) error {
|
||||||
}{
|
}{
|
||||||
{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
|
{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
|
||||||
{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
|
{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
|
||||||
{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: "mode=1777,size=65536k"},
|
{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1755,size=65536k", mountLabel)},
|
||||||
{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: "newinstance,ptmxmode=0666,mode=620,gid=5"},
|
{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
|
||||||
} {
|
} {
|
||||||
if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {
|
if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {
|
||||||
return fmt.Errorf("mkdirall %s %s", m.path, err)
|
return fmt.Errorf("mkdirall %s %s", m.path, err)
|
||||||
|
@ -253,7 +257,7 @@ func mountSystem(rootfs string) error {
|
||||||
|
|
||||||
// setupPtmx adds a symlink to pts/ptmx for /dev/ptmx and
|
// setupPtmx adds a symlink to pts/ptmx for /dev/ptmx and
|
||||||
// finishes setting up /dev/console
|
// finishes setting up /dev/console
|
||||||
func setupPtmx(rootfs, console string) error {
|
func setupPtmx(rootfs, console string, mountLabel string) error {
|
||||||
ptmx := filepath.Join(rootfs, "dev/ptmx")
|
ptmx := filepath.Join(rootfs, "dev/ptmx")
|
||||||
if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {
|
if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {
|
||||||
return err
|
return err
|
||||||
|
@ -262,7 +266,7 @@ func setupPtmx(rootfs, console string) error {
|
||||||
return fmt.Errorf("symlink dev ptmx %s", err)
|
return fmt.Errorf("symlink dev ptmx %s", err)
|
||||||
}
|
}
|
||||||
if console != "" {
|
if console != "" {
|
||||||
if err := setupConsole(rootfs, console); err != nil {
|
if err := setupConsole(rootfs, console, mountLabel); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue