Commit Graph

25 Commits

Author SHA1 Message Date
Andrey Vagin 444cc2989a namespaces: allow to use pid namespace without mount namespace
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.

In this case it can use /proc/self/status, which is always the right one.

Signed-off-by: Andrew Vagin <avagin@openvz.org>
2015-02-04 01:01:43 +03:00
Michael Crosby e9ec77ab34 Migrate selinux system xattr calls and prctl calls
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-07-14 16:55:49 -07:00
Victor Vieux 35e32b98cc remove 2 duplicate caps
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 00:31:35 +00:00
Lee Treveil 6a3cea177c Fix spelling
Docker-DCO-1.1-Signed-off-by: Lee Treveil <leetreveil@gmail.com> (github: leetreveil)
2014-07-09 00:14:51 +01:00
Vishnu Kannan ece2d83558 Added DropCapabilities() and DropBoundingSet() API to libcontainer.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-06-23 18:36:38 +00:00
Vishnu Kannan b50266335e Updated libcontainer subpackage dependencies. Most subpackages now do not depend on their parent ('libcontainer') package. 'namespaces' and 'nsinit' still do.
'namespaces' need to refactored a bit more to move the API part of it to 'libcontainer' package and keep the namespace specific code inside that package.
This change is not expected to break docker.

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-06-20 22:52:43 +00:00
Michael Crosby 874953d781 Ignore isnotexist errors for restrict paths
Handle the error when remounting certain files and paths as readonly if
they do not exist.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-16 12:32:15 -07:00
Michael Crosby 6ab3ef56f4 Update imports for new repository path 2014-06-10 08:14:16 -07:00
Michael Crosby d5d4b2b141 Handle EBUSY on remount
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-28 18:10:50 -07:00
Bernerd Schaefer 864d77dad0 SETUID/SETGID not required for changing user
It is no longer necessary to pass "SETUID" or "SETGID" capabilities to
the container when a "user" is specified in the config.

Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-28 16:41:48 +02:00
Alexander Larsson 73c607b7ad Make /proc writable, but not /proc/sys and /proc/sysrq-trigger
Some applications want to write to /proc. For instance:

docker run -it centos groupadd foo

Gives: groupadd: failure while writing changes to /etc/group

And strace reveals why:

open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)

I've looked at what other systems do, and systemd-nspawn makes /proc read-write
and /proc/sys readonly, while lxc allows "proc:mixed" which does the same,
plus it makes /proc/sysrq-trigger also readonly.

The later seems like a prudent idea, so we follows lxc proc:mixed.
Additionally we make /proc/irq and /proc/bus, as these seem to let
you control various hardware things.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-19 20:46:05 +02:00
Victor Marmol 6ecb140618 Make libcontainer's CapabilitiesMask into a []string (Capabilities).
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-17 00:44:10 +00:00
Victor Marmol e0f356a13a Change libcontainer to drop all capabilities by default. Only keeps
those that were specified in the config. This commit also explicitly
adds a set of capabilities that we were silently not dropping and were
assumed by the tests.

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-16 00:57:58 +00:00
Tianon Gravi b64310a3ce Update restrict.Restrict to both show the error message when failing to mount /dev/null over /proc/kcore, and to ignore "not exists" errors while doing so (for when CONFIG_PROC_KCORE=n in the kernel)
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-05-08 01:03:45 -06:00
Michael Crosby 6c1bf629ef Improve libcontainer namespace and cap format
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 12:34:21 -07:00
Michael Crosby da71a207cb Don't restrict lxc because of apparmor
We don't have the flexibility to do extra things with lxc because it is
a black box and most fo the magic happens before we get a chance to
interact with it in dockerinit.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-02 11:14:24 -07:00
Michael Crosby 08dbd53706 Apply apparmor before restrictions
There is not need for the remount hack, we use aa_change_onexec so the
apparmor profile is not applied until we exec the users app.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 19:09:12 -07:00
Michael Crosby 3720dca241 Fix /proc/kcore mount of /dev/null
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
Michael Crosby ab60f78e8b Mount attr and task as rw for selinux support
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
Michael Crosby df78075a8e Update restrictions for better handling of mounts
This also cleans up some of the left over restriction paths code from
before.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
Michael Crosby dcc4061db3 Update to enable cross compile
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
Jérôme Petazzoni 5a6b042e53 Mount /proc and /sys read-only, except in privileged containers.
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.

This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.

Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.

All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.

Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
2014-05-01 15:26:58 -07:00
Michael Crosby 5d4927c9b1 Ignore isnot exists errors for proc paths
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 39efc20b0f Move capabilities into security pkg
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 4d2d63546b Add restrictions to proc in libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:19 -07:00