Add option to disable new session keys

This adds an `--no-new-keyring` flag to run and create so that a new
session keyring is not created for the container and the calling
process's keyring is inherited instead.

Fixes #818

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
Michael Crosby 2016-06-03 11:53:07 -07:00
parent c5060ff303
commit 8c9db3a7a5
7 changed files with 36 additions and 17 deletions


@ -42,6 +42,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
Name: "no-pivot", Name: "no-pivot",
Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk", Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
}, },
cli.BoolFlag{
Name: "no-new-keyring",
Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
},
}, },
Action: func(context *cli.Context) error { Action: func(context *cli.Context) error {
spec, err := setupSpec(context) spec, err := setupSpec(context)
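Review bot: The Usage string on the added `cli.BoolFlag` for `no-new-keyring` understates what the option does and has a grammar slip (`calling processes session key`): the container does not inherit one key, it keeps the caller's whole session keyring, so whatever keys that keyring holds (subject to their own key permissions) become reachable from inside the container. Suggest `Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling process's session keyring, so any keys it holds are visible inside the container",`. The identical string is added to run.go in the later hunk at @ -53,6; change both. The flag slice and the command definition it belongs to start and end outside this hunk.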


@ -187,6 +187,10 @@ type Config struct {
// Labels are user defined metadata that is stored in the config and populated on the state // Labels are user defined metadata that is stored in the config and populated on the state
Labels []string `json:"labels"` Labels []string `json:"labels"`
// NoNewKeyring will not allocated a new session keyring for the container. It will use the
// callers keyring in this case.
NoNewKeyring bool `json:"no_new_keyring"`
} }
type Hooks struct { type Hooks struct {
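Review bot: The doc comment on the new `NoNewKeyring` field has a typo (`will not allocated`) and a missing possessive (`callers keyring`), and it does not say what the opt-out means for isolation. Suggest `// NoNewKeyring, when true, skips creating a new session keyring for the container; the container process then keeps the caller's session keyring and can reach the keys it holds.` The `type Config struct` this field belongs to starts before the hunk.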


@ -25,9 +25,11 @@ func (l *linuxSetnsInit) getSessionRingName() string {
} }
func (l *linuxSetnsInit) Init(s chan os.Signal) error { func (l *linuxSetnsInit) Init(s chan os.Signal) error {
// do not inherit the parent's session keyring if !l.config.Config.NoNewKeyring {
if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil { // do not inherit the parent's session keyring
return err if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
return err
}
} }
if l.config.NoNewPrivileges { if l.config.NoNewPrivileges {
if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil { if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
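Review bot: The comment `do not inherit the parent's session keyring` has been moved inside the `if !l.config.Config.NoNewKeyring {` branch, so a reader looking at the new condition gets no explanation of what opting out costs; put the rationale on the `if` itself, e.g. `// Replace the parent's session keyring unless the caller opted out with NoNewKeyring, in which case the container keeps the host session keyring and whatever keys it holds.` The same shape appears in the `linuxStandardInit.Init` hunk at @ -45,16, which also re-indents the pre-existing typo `searcheable` on the ModKeyringPerm comment and could fix it while touching the line. `Init`'s body continues past the hunk in both files.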


@ -145,6 +145,7 @@ type CreateOpts struct {
CgroupName string CgroupName string
UseSystemdCgroup bool UseSystemdCgroup bool
NoPivotRoot bool NoPivotRoot bool
NoNewKeyring bool
Spec *specs.Spec Spec *specs.Spec
} }
@ -170,11 +171,12 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
labels = append(labels, fmt.Sprintf("%s=%s", k, v)) labels = append(labels, fmt.Sprintf("%s=%s", k, v))
} }
config := &configs.Config{ config := &configs.Config{
Rootfs: rootfsPath, Rootfs: rootfsPath,
NoPivotRoot: opts.NoPivotRoot, NoPivotRoot: opts.NoPivotRoot,
Readonlyfs: spec.Root.Readonly, Readonlyfs: spec.Root.Readonly,
Hostname: spec.Hostname, Hostname: spec.Hostname,
Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)), Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
NoNewKeyring: opts.NoNewKeyring,
} }
exists := false exists := false


@ -45,16 +45,18 @@ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
const PR_SET_NO_NEW_PRIVS = 0x26 const PR_SET_NO_NEW_PRIVS = 0x26
func (l *linuxStandardInit) Init(s chan os.Signal) error { func (l *linuxStandardInit) Init(s chan os.Signal) error {
ringname, keepperms, newperms := l.getSessionRingParams() if !l.config.Config.NoNewKeyring {
ringname, keepperms, newperms := l.getSessionRingParams()
// do not inherit the parent's session keyring // do not inherit the parent's session keyring
sessKeyId, err := keyctl.JoinSessionKeyring(ringname) sessKeyId, err := keyctl.JoinSessionKeyring(ringname)
if err != nil { if err != nil {
return err return err
} }
// make session keyring searcheable // make session keyring searcheable
if err := keyctl.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil { if err := keyctl.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
return err return err
}
} }
var console *linuxConsole var console *linuxConsole

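--- a/run.go
+++ b/run.go
@@ -53,6 +53,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
 Name: "no-pivot",
 Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
 },
+cli.BoolFlag{
+Name: "no-new-keyring",
+Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
+},
 },
 Action: func(context *cli.Context) error {
 spec, err := setupSpec(context)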


@ -171,6 +171,7 @@ func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcont
CgroupName: id, CgroupName: id,
UseSystemdCgroup: context.GlobalBool("systemd-cgroup"), UseSystemdCgroup: context.GlobalBool("systemd-cgroup"),
NoPivotRoot: context.Bool("no-pivot"), NoPivotRoot: context.Bool("no-pivot"),
NoNewKeyring: context.Bool("no-new-keyring"),
Spec: spec, Spec: spec,
}) })
if err != nil { if err != nil {