
Merge pull request #15161 from ewindisch/fix-netns

Only explicitly deny ptrace for container-originated procs
This commit is contained in:
Tibor Vass 2015-07-30 15:11:12 -04:00
commit 5fa26e3df8
2 changed files with 40 additions and 1 deletions


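--- a/PATH-NOT-SHOWN-ON-PAGE-file-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-file-1
@@ -53,7 +53,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny @{PROC}/sys/kernel/*/** wklx,
 deny mount,
-deny ptrace,
+deny ptrace (trace) peer=docker-default,
 deny /sys/[^f]*/** wklx,
 deny /sys/f[^s]*/** wklx,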
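Review bot: The added `deny ptrace (trace) peer=docker-default,` line hard-codes the peer profile name while the profile itself is named from `{{.Name}}` in the hunk header, so a profile rendered from this template under any other name would not deny tracing of its own peers; if the template is ever rendered with a name other than docker-default, `deny ptrace (trace) peer={{.Name}},` keeps the rule tied to the profile. Replacing the former blanket `deny ptrace` also appears to leave tracing of processes outside this profile to the kernel's ordinary ptrace access checks rather than to AppArmor, which is the intent of the commit but is not recorded anywhere in the template; a one-line comment above the rule, e.g. `# ptrace is denied only between containers; other peers fall to the kernel's normal checks`, would stop a later reader from "fixing" it back. The enclosing profile block starts and ends outside the hunk.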


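--- a/PATH-NOT-SHOWN-ON-PAGE-file-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-file-2
@@ -2737,3 +2737,42 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
 c.Fatalf("Missing expected output on trusted push:\n%s", out)
 }
 }
+func (s *DockerSuite) TestPtraceContainerProcsFromHost(c *check.C) {
+testRequires(c, SameHostDaemon)
+out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+id := strings.TrimSpace(out)
+if err := waitRun(id); err != nil {
+c.Fatal(err)
+}
+pid1, err := inspectField(id, "State.Pid")
+c.Assert(err, check.IsNil)
+_, err = os.Readlink(fmt.Sprintf("/proc/%s/ns/net", pid1))
+if err != nil {
+c.Fatal(err)
+}
+}
+func (s *DockerSuite) TestAppArmorDeniesPtrace(c *check.C) {
+testRequires(c, SameHostDaemon)
+testRequires(c, Apparmor)
+// Run through 'sh' so we are NOT pid 1. Pid 1 may be able to trace
+// itself, but pid>1 should not be able to trace pid1.
+_, exitCode, _ := dockerCmdWithError("run", "busybox", "sh", "-c", "readlink /proc/1/ns/net")
+if exitCode == 0 {
+c.Fatal("ptrace was not successfully restricted by AppArmor")
+}
+}
+func (s *DockerSuite) TestAppArmorTraceSelf(c *check.C) {
+testRequires(c, SameHostDaemon)
+testRequires(c, Apparmor)
+_, exitCode, _ := dockerCmdWithError("run", "busybox", "readlink", "/proc/1/ns/net")
+if exitCode != 0 {
+c.Fatal("ptrace of self failed.")
+}
+}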
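Review bot: TestAppArmorDeniesPtrace accepts any non-zero exit from `dockerCmdWithError` as proof that the readlink was denied, so an unrelated failure (missing image, daemon error, a `sh` typo) passes the test and the restriction is never actually verified; the first return value is discarded even though it would tell the two cases apart. Keep the output and check it, e.g. `out, exitCode, _ := dockerCmdWithError("run", "busybox", "sh", "-c", "readlink /proc/1/ns/net")` followed by an assertion that `out` reports a permission denial (the exact busybox wording should be confirmed before hard-coding it), and at minimum `c.Fatalf("ptrace was not successfully restricted by AppArmor: %s", out)` so a false pass or a real failure is diagnosable. TestAppArmorTraceSelf has the same blind spot in reverse: its `c.Fatal("ptrace of self failed.")` drops the output that would explain why the command failed. In TestPtraceContainerProcsFromHost the error handling switches between `c.Fatal(err)` and `c.Assert(err, check.IsNil)` for the same kind of check; picking `c.Assert(err, check.IsNil)` throughout matches the rest of the new code.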