1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Merge pull request #42481 from thaJeztah/seccomp_unconfined_daemon

This commit is contained in:
Brian Goff 2021-08-11 10:02:05 -07:00 committed by GitHub
commit 7681a3eb40
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 83 additions and 17 deletions

View file

@ -58,7 +58,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
flags.StringVar(&conf.InitPath, "init-path", "", "Path to the docker-init binary")
flags.Int64Var(&conf.CPURealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds for the parent cgroup for all containers")
flags.Int64Var(&conf.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds for the parent cgroup for all containers")
flags.StringVar(&conf.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")
flags.StringVar(&conf.SeccompProfile, "seccomp-profile", config.SeccompProfileDefault, `Path to seccomp profile. Use "unconfined" to disable the default seccomp profile`)
flags.Var(&conf.ShmSize, "default-shm-size", "Default shm size for containers")
flags.BoolVar(&conf.NoNewPrivileges, "no-new-privileges", false, "Set no-new-privileges by default for new containers")
flags.StringVar(&conf.IpcMode, "default-ipc-mode", config.DefaultIpcMode, `Default mode for containers ipc ("shareable" | "private")`)

View file

@ -58,6 +58,12 @@ const (
LinuxV1RuntimeName = "io.containerd.runtime.v1.linux"
// LinuxV2RuntimeName is the runtime used to specify the containerd v2 runc shim
LinuxV2RuntimeName = "io.containerd.runc.v2"
// SeccompProfileDefault is the built-in default seccomp profile.
SeccompProfileDefault = "builtin"
// SeccompProfileUnconfined is a special profile name for seccomp to use an
// "unconfined" seccomp profile.
SeccompProfileUnconfined = "unconfined"
)
var builtinRuntimes = map[string]bool{

View file

@ -1706,11 +1706,16 @@ func maybeCreateCPURealTimeFile(configValue int64, file string, path string) err
}
func (daemon *Daemon) setupSeccompProfile() error {
if daemon.configStore.SeccompProfile != "" {
daemon.seccompProfilePath = daemon.configStore.SeccompProfile
b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
switch profile := daemon.configStore.SeccompProfile; profile {
case "", config.SeccompProfileDefault:
daemon.seccompProfilePath = config.SeccompProfileDefault
case config.SeccompProfileUnconfined:
daemon.seccompProfilePath = config.SeccompProfileUnconfined
default:
daemon.seccompProfilePath = profile
b, err := ioutil.ReadFile(profile)
if err != nil {
return fmt.Errorf("opening seccomp profile (%s) failed: %v", daemon.configStore.SeccompProfile, err)
return fmt.Errorf("opening seccomp profile (%s) failed: %v", profile, err)
}
daemon.seccompProfile = b
}

View file

@ -172,11 +172,10 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
securityOptions = append(securityOptions, "name=apparmor")
}
if sysInfo.Seccomp && supportsSeccomp {
profile := daemon.seccompProfilePath
if profile == "" {
profile = "default"
if daemon.seccompProfilePath != config.SeccompProfileDefault {
v.Warnings = append(v.Warnings, "WARNING: daemon is not using the default seccomp profile")
}
securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
securityOptions = append(securityOptions, "name=seccomp,profile="+daemon.seccompProfilePath)
}
if selinux.GetEnabled() {
securityOptions = append(securityOptions, "name=selinux")

View file

@ -9,6 +9,7 @@ import (
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
)
const supportsSeccomp = false
@ -16,7 +17,7 @@ const supportsSeccomp = false
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
}
return nil

View file

@ -9,6 +9,7 @@ import (
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
"github.com/docker/docker/profiles/seccomp"
"github.com/sirupsen/logrus"
)
@ -18,26 +19,30 @@ const supportsSeccomp = true
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if c.SeccompProfile == "unconfined" {
if c.SeccompProfile == dconfig.SeccompProfileUnconfined {
return nil
}
if c.HostConfig.Privileged {
return nil
}
if !daemon.seccompEnabled {
if c.SeccompProfile != "" {
if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
return fmt.Errorf("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
}
logrus.Warn("seccomp is not enabled in your kernel, running container without default profile")
c.SeccompProfile = "unconfined"
c.SeccompProfile = dconfig.SeccompProfileUnconfined
return nil
}
var err error
switch {
case c.SeccompProfile == dconfig.SeccompProfileDefault:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
case c.SeccompProfile != "":
s.Linux.Seccomp, err = seccomp.LoadProfile(c.SeccompProfile, s)
case daemon.seccompProfile != nil:
s.Linux.Seccomp, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
case daemon.seccompProfilePath == dconfig.SeccompProfileUnconfined:
c.SeccompProfile = dconfig.SeccompProfileUnconfined
default:
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s)
}

View file

@ -8,6 +8,7 @@ import (
coci "github.com/containerd/containerd/oci"
config "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
dconfig "github.com/docker/docker/daemon/config"
doci "github.com/docker/docker/oci"
"github.com/docker/docker/profiles/seccomp"
specs "github.com/opencontainers/runtime-spec/specs-go"
@ -32,7 +33,7 @@ func TestWithSeccomp(t *testing.T) {
seccompEnabled: true,
},
c: &container.Container{
SeccompProfile: "unconfined",
SeccompProfile: dconfig.SeccompProfileUnconfined,
HostConfig: &config.HostConfig{
Privileged: false,
},

View file

@ -7,6 +7,7 @@ import (
"testing"
"github.com/docker/docker/client"
"github.com/docker/docker/daemon/config"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
)
@ -27,6 +28,6 @@ func (s *DockerSuite) TestInfoSecurityOptions(c *testing.T) {
assert.Check(c, is.Contains(info.SecurityOptions, "name=apparmor"))
}
if seccompEnabled() {
assert.Check(c, is.Contains(info.SecurityOptions, "name=seccomp,profile=default"))
assert.Check(c, is.Contains(info.SecurityOptions, "name=seccomp,profile="+config.SeccompProfileDefault))
}
}

View file

@ -8,11 +8,11 @@ import (
"runtime"
"testing"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/testutil/daemon"
"gotest.tools/v3/assert"
"gotest.tools/v3/skip"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/skip"
)
func TestConfigDaemonLibtrustID(t *testing.T) {
@ -99,3 +99,51 @@ func TestDaemonConfigValidation(t *testing.T) {
})
}
}
func TestConfigDaemonSeccompProfiles(t *testing.T) {
skip.If(t, runtime.GOOS != "linux")
d := daemon.New(t)
defer d.Stop(t)
tests := []struct {
doc string
profile string
expectedProfile string
}{
{
doc: "empty profile set",
profile: "",
expectedProfile: config.SeccompProfileDefault,
},
{
doc: "default profile",
profile: config.SeccompProfileDefault,
expectedProfile: config.SeccompProfileDefault,
},
{
doc: "unconfined profile",
profile: config.SeccompProfileUnconfined,
expectedProfile: config.SeccompProfileUnconfined,
},
}
for _, tc := range tests {
tc := tc
t.Run(tc.doc, func(t *testing.T) {
d.Start(t, "--seccomp-profile="+tc.profile)
info := d.Info(t)
assert.Assert(t, is.Contains(info.SecurityOptions, "name=seccomp,profile="+tc.expectedProfile))
d.Stop(t)
cfg := filepath.Join(d.RootDir(), "daemon.json")
err := ioutil.WriteFile(cfg, []byte(`{"seccomp-profile": "`+tc.profile+`"}`), 0644)
assert.NilError(t, err)
d.Start(t, "--config-file", cfg)
info = d.Info(t)
assert.Assert(t, is.Contains(info.SecurityOptions, "name=seccomp,profile="+tc.expectedProfile))
d.Stop(t)
})
}
}