1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Apply apparmor before restrictions

There is not need for the remount hack, we use aa_change_onexec so the
apparmor profile is not applied until we exec the users app.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-05-01 19:09:12 -07:00
parent 24e0df8136
commit 76fa7d588a
5 changed files with 12 additions and 37 deletions

View file

@ -20,7 +20,7 @@ func IsEnabled() bool {
return false
}
func ApplyProfile(pid int, name string) error {
func ApplyProfile(name string) error {
if name == "" {
return nil
}

View file

@ -2,12 +2,10 @@
package apparmor
import ()
func IsEnabled() bool {
return false
}
func ApplyProfile(pid int, name string) error {
func ApplyProfile(name string) error {
return nil
}

View file

@ -4,11 +4,12 @@ package console
import (
"fmt"
"github.com/dotcloud/docker/pkg/label"
"github.com/dotcloud/docker/pkg/system"
"os"
"path/filepath"
"syscall"
"github.com/dotcloud/docker/pkg/label"
"github.com/dotcloud/docker/pkg/system"
)
// Setup initializes the proper /dev/console inside the rootfs path

View file

@ -72,18 +72,17 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,
runtime.LockOSThread()
if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
}
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
return fmt.Errorf("set process label %s", err)
}
if container.Context["restrictions"] != "" {
if err := restrict.Restrict(); err != nil {
return err
}
}
if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
return err
}
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
return fmt.Errorf("set process label %s", err)
}
if err := FinalizeNamespace(container); err != nil {
return fmt.Errorf("finalize namespace %s", err)
}

View file

@ -4,8 +4,6 @@ package restrict
import (
"fmt"
"os"
"path/filepath"
"syscall"
"github.com/dotcloud/docker/pkg/system"
@ -23,26 +21,5 @@ func Restrict() error {
if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil {
return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore")
}
// This weird trick will allow us to mount /proc read-only, while being able to use AppArmor.
// This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr.
// So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it.
if err := os.Mkdir(".proc", 0700); err != nil {
return fmt.Errorf("unable to create temporary proc mountpoint .proc: %s", err)
}
if err := system.Mount("proc", ".proc", "proc", 0, ""); err != nil {
return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err)
}
if err := system.Mount("proc", ".proc", "", syscall.MS_REMOUNT, ""); err != nil {
return fmt.Errorf("unable to remount proc read-write: %s", err)
}
for _, path := range []string{"attr", "task"} {
if err := system.Mount(filepath.Join(".proc", "1", path), filepath.Join("proc", "1", path), "", syscall.MS_BIND, ""); err != nil {
return fmt.Errorf("unable to bind-mount %s: %s", path, err)
}
}
if err := system.Unmount(".proc", 0); err != nil {
return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err)
}
return os.RemoveAll(".proc")
return nil
}