vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity

Update restrictions for better handling of mounts

Browse source 
This also cleans up some of the left over restriction paths code from
before.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-05-01 10:08:18 -07:00
parent 5d1a3b2ab5
commit af5420420b
4 changed files with 25 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
libcontainer/mount/init.go
View file

@ -123,15 +123,12 @@ func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mo
systemMounts := []mount{ systemMounts := []mount{
{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags}, {source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags}, {source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
} }
if len(mounts.OfType("devtmpfs")) == 1 { if len(mounts.OfType("devtmpfs")) == 1 {
systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)}) systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)})
} }
systemMounts = append(systemMounts,
mount{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
)
return systemMounts return systemMounts
} }

4
libcontainer/nsinit/init.go
View file

@ -72,8 +72,8 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,
runtime.LockOSThread() runtime.LockOSThread()
if restrictionPath := container.Context["restriction_path"]; restrictionPath != "" { if container.Context["restrictions"] != "" {
if err := restrict.Restrict("/", restrictionPath); err != nil { if err := restrict.Restrict(); err != nil {
return err return err
} }
} }

65
libcontainer/security/restrict/restrict.go
View file

@ -11,67 +11,42 @@ import (
"github.com/dotcloud/docker/pkg/system" "github.com/dotcloud/docker/pkg/system"
) )
// "restrictions" are container paths (files, directories, whatever) that have to be masked.
// maskPath is a "safe" path to be mounted over maskedPath. It can take two special values:
// - if it is "", then nothing is mounted;
// - if it is "EMPTY", then an empty directory is mounted instead.
// If remountRO is true then the maskedPath is remounted read-only (regardless of whether a maskPath was used).
type restriction struct {
maskedPath string
maskPath string
remountRO bool
}
var restrictions = []restriction{
{"/proc", "", true},
{"/sys", "", true},
{"/proc/kcore", "/dev/null", false},
}
// This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts). // This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts).
// However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes). // However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes).
// "empty" should be the path to an empty directory. func Restrict() error {
func Restrict(rootfs, empty string) error { // remount proc and sys as readonly
for _, restriction := range restrictions { for _, dest := range []string{"proc", "sys"} {
dest := filepath.Join(rootfs, restriction.maskedPath) if err := system.Mount("", dest, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {
if restriction.maskPath != "" { return fmt.Errorf("unable to remount %s readonly: %s", dest, err)
var source string
if restriction.maskPath == "EMPTY" {
source = empty
} else {
source = filepath.Join(rootfs, restriction.maskPath)
}
if err := system.Mount(source, dest, "", syscall.MS_BIND, ""); err != nil {
return fmt.Errorf("unable to bind-mount %s over %s: %s", source, dest, err)
}
}
if restriction.remountRO {
if err := system.Mount("", dest, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {
return fmt.Errorf("unable to remount %s readonly: %s", dest, err)
}
} }
} }
if err := system.Mount("/proc/kcore", "/dev/null", "", syscall.MS_BIND, ""); err != nil {
return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore")
}
// This weird trick will allow us to mount /proc read-only, while being able to use AppArmor. // This weird trick will allow us to mount /proc read-only, while being able to use AppArmor.
// This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr. // This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr.
// So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it. // So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it.
tmpProcPath := filepath.Join(rootfs, ".proc") var (
if err := os.Mkdir(tmpProcPath, 0700); err != nil { rwAttrPath = filepath.Join(".proc", "1", "attr")
return fmt.Errorf("unable to create temporary proc mountpoint %s: %s", tmpProcPath, err) roAttrPath = filepath.Join("proc", "1", "attr")
)
if err := os.Mkdir(".proc", 0700); err != nil {
return fmt.Errorf("unable to create temporary proc mountpoint .proc: %s", err)
} }
if err := system.Mount("proc", tmpProcPath, "proc", 0, ""); err != nil { if err := system.Mount("proc", ".proc", "proc", 0, ""); err != nil {
return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err) return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err)
} }
if err := system.Mount("proc", tmpProcPath, "", syscall.MS_REMOUNT, ""); err != nil { if err := system.Mount("proc", ".proc", "", syscall.MS_REMOUNT, ""); err != nil {
return fmt.Errorf("unable to remount proc read-write: %s", err) return fmt.Errorf("unable to remount proc read-write: %s", err)
} }
rwAttrPath := filepath.Join(rootfs, ".proc", "1", "attr")
roAttrPath := filepath.Join(rootfs, "proc", "1", "attr")
if err := system.Mount(rwAttrPath, roAttrPath, "", syscall.MS_BIND, ""); err != nil { if err := system.Mount(rwAttrPath, roAttrPath, "", syscall.MS_BIND, ""); err != nil {
return fmt.Errorf("unable to bind-mount %s on %s: %s", rwAttrPath, roAttrPath, err) return fmt.Errorf("unable to bind-mount %s on %s: %s", rwAttrPath, roAttrPath, err)
} }
if err := system.Unmount(tmpProcPath, 0); err != nil { if err := system.Unmount(".proc", 0); err != nil {
return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err) return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err)
} }
return nil return os.RemoveAll(".proc")
} }

2
libcontainer/security/restrict/unsupported.go
View file

@ -4,6 +4,6 @@ package restrict
import "fmt" import "fmt"
func Restrict(rootfs, empty string) error { func Restrict() error {
return fmt.Errorf("not supported") return fmt.Errorf("not supported")
} }