jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
1,386 Commits 5 Branches 25 Tags 17 MiB
Commit Graph

23 Commits

Author SHA1 Message Date
John Howard c712fa0814 Windows: Initial compilation enablement 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2015-05-15 15:26:17 -07:00
Eric Windisch 364d8e1505 Disable all mounts in AppArmor profile 
Allowing mounts in containers is dangerous. Bugs in
mount namespaces or quirks of the container configuration
could allow for various breakouts.

By default, processes in containers will not be able to mount anyway,
rendering the allowances in the default AppArmor profile nearly
useless. Manually created sub-containers were able to mount, but
were yet restricted from performing most of the mounts flags indicated
in the profile.

Signed-off-by: Eric Windisch <eric@windisch.us>
 2015-05-07 14:38:44 -07:00
tifayuki 44c7afad64 also check if "/sbin/apparmor_parser" exists when deciding if apparmor is enabled 
Signed-off-by: Feng, Honglin <fenghonglin@gmail.com>
 2015-04-14 19:18:33 +02:00
Mathieu Lecarme ee1000e153 Fix: typos. 
Docker-DCO-1.1-Signed-off-by: Mathieu Lecarme <mathieu@garambrogne.net> (github: athoune)
 2015-04-02 22:41:41 +02:00
Michael Crosby f4cf808a3d Merge branch 'master' into api 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Conflicts:
	MAINTAINERS
	cgroups/cgroups.go
	cgroups/fs/apply_raw.go
	cgroups/fs/notify_linux.go
	cgroups/fs/notify_linux_test.go
	cgroups/systemd/apply_systemd.go
	config.go
	configs/config_test.go
	console/console.go
	integration/exec_test.go
	integration/init_test.go
	integration/template_test.go
	integration/utils_test.go
	linux_notify.go
	linux_notify_test.go
	mount/init.go
	mount/mount_config.go
	mount/pivotroot.go
	mount/ptmx.go
	namespaces/create.go
	namespaces/exec.go
	namespaces/execin.go
	namespaces/init.go
	namespaces/nsenter/nsenter.c
	namespaces/nsenter/nsenter.go
	namespaces/utils.go
	network/network.go
	network/types.go
	network/veth.go
	notify_linux.go
	notify_linux_test.go
	nsinit/exec.go
	nsinit/main.go
	nsinit/nsenter.go
	nsinit/oom.go
	sample_configs/host-pid.json
	sample_configs/userns.json
	security/capabilities/capabilities.go
	update-vendor.sh
 2015-02-16 15:09:42 -08:00
Tianon Gravi 1cdf742a82 Update a few build tags to be more generic, add a couple more SETNS constants, and update Travis with a bunch of fixes/tweaks (including removing the nonfunctional cross-compile stuff for now) 
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
 2014-07-17 02:24:49 -06:00
Michael Crosby 3b1acc34fb Move libcontainer deps into libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-06-09 15:52:12 -07:00
Michael Crosby 613c48e3dd Move apparmor to top level pkg 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-13 23:33:25 +00:00
Michael Crosby 811700f9f4 Use apparmor_parser directly 
The current load script does alot of things.  If it does not find the
parser loaded on the system it will just exit 0 and not load the
profile.  We think it should fail loudly if it cannot load the profile
and apparmor is enabled on the system.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-13 23:31:10 +00:00
Michael Crosby ca4ab79a9d Check for apparmor enabled on host to populate profile 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-09 10:22:17 +00:00
Guillaume J. Charmes ea96c1f436 Backup current docker apparmor profile and replace it with the new one 
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
 2014-04-08 11:09:31 -07:00
Michael Brown e17f472e05 apparmor: pull in variables from tunables/global 
The variables that were defined at the top of the apparmor profile are best
pulled in via the <tunables/global> include.

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
 2014-04-07 03:04:27 -04:00
Michael Brown d704e4a9c7 apparmor: abstractions/base expects pid variable 
Add 'pid' variable pointing to 'self' to allow parsing of profile to succeed

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
 2014-04-07 02:47:43 -04:00
Michael Brown 7e43b7e4f4 apparmor: docker-default: Include base abstraction 
Encountered problems on 14.04 relating to signals between container
processes being blocked by apparmor. The base abstraction contains
appropriate rules to allow this communication.

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
 2014-04-07 02:19:38 -04:00
Guillaume J. Charmes bbc05ca1a3 Fix issue when /etc/apparmor.d does not exists 
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
 2014-03-12 11:13:24 -07:00
Guillaume J. Charmes 520773503a Merge pull request #4506 from creack/fix_apparmor 
Use CGO for apparmor profile switch
 2014-03-06 13:37:34 -08:00
Tianon Gravi f883469f02 Update build tags such that we can properly compile on all platforms (especially for packagers), and updated hack/PACKAGERS.md to mention the DOCKER_BUILDTAGS variable that will need to be set for binaries that might be used on AppArmor (such as Debian and especially Ubuntu) 
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
 2014-03-06 13:39:17 -07:00
Guillaume J. Charmes a01ed80bab Add buildflags to allow crosscompilation for apparmor 
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)
 2014-03-06 12:05:03 -08:00
Guillaume J. Charmes d5957adbc4 Use CGO for apparmor profile switch 
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)
 2014-03-06 11:10:58 -08:00
unclejack 9caf813aa4 remove dbus from apparmor profile 
This removes the dbus entry from the apparmor profile Docker creates.

Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
 2014-03-06 19:47:03 +02:00
Guillaume J. Charmes 9da8ea80c3 Generate and load custom docker profile for apparmor 
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)
 2014-03-05 15:02:11 -08:00
Michael Crosby 7c6c6a5a10 Some cleanup around logs 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-03-05 13:50:49 -08:00
Guillaume J. Charmes c486dd90b5 Add AppArmor support to native driver + change pipe/dup logic 
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)
 2014-03-05 13:08:24 -08:00