mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Apply apparmor before restrictions
There is not need for the remount hack, we use aa_change_onexec so the apparmor profile is not applied until we exec the users app. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
parent
24e0df8136
commit
76fa7d588a
5 changed files with 12 additions and 37 deletions
|
@ -20,7 +20,7 @@ func IsEnabled() bool {
|
|||
return false
|
||||
}
|
||||
|
||||
func ApplyProfile(pid int, name string) error {
|
||||
func ApplyProfile(name string) error {
|
||||
if name == "" {
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -2,12 +2,10 @@
|
|||
|
||||
package apparmor
|
||||
|
||||
import ()
|
||||
|
||||
func IsEnabled() bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func ApplyProfile(pid int, name string) error {
|
||||
func ApplyProfile(name string) error {
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -4,11 +4,12 @@ package console
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/dotcloud/docker/pkg/label"
|
||||
"github.com/dotcloud/docker/pkg/system"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"syscall"
|
||||
|
||||
"github.com/dotcloud/docker/pkg/label"
|
||||
"github.com/dotcloud/docker/pkg/system"
|
||||
)
|
||||
|
||||
// Setup initializes the proper /dev/console inside the rootfs path
|
||||
|
|
|
@ -72,18 +72,17 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,
|
|||
|
||||
runtime.LockOSThread()
|
||||
|
||||
if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
|
||||
return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
|
||||
}
|
||||
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
||||
return fmt.Errorf("set process label %s", err)
|
||||
}
|
||||
if container.Context["restrictions"] != "" {
|
||||
if err := restrict.Restrict(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
||||
return fmt.Errorf("set process label %s", err)
|
||||
}
|
||||
if err := FinalizeNamespace(container); err != nil {
|
||||
return fmt.Errorf("finalize namespace %s", err)
|
||||
}
|
||||
|
|
|
@ -4,8 +4,6 @@ package restrict
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"syscall"
|
||||
|
||||
"github.com/dotcloud/docker/pkg/system"
|
||||
|
@ -23,26 +21,5 @@ func Restrict() error {
|
|||
if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil {
|
||||
return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore")
|
||||
}
|
||||
|
||||
// This weird trick will allow us to mount /proc read-only, while being able to use AppArmor.
|
||||
// This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr.
|
||||
// So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it.
|
||||
if err := os.Mkdir(".proc", 0700); err != nil {
|
||||
return fmt.Errorf("unable to create temporary proc mountpoint .proc: %s", err)
|
||||
}
|
||||
if err := system.Mount("proc", ".proc", "proc", 0, ""); err != nil {
|
||||
return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err)
|
||||
}
|
||||
if err := system.Mount("proc", ".proc", "", syscall.MS_REMOUNT, ""); err != nil {
|
||||
return fmt.Errorf("unable to remount proc read-write: %s", err)
|
||||
}
|
||||
for _, path := range []string{"attr", "task"} {
|
||||
if err := system.Mount(filepath.Join(".proc", "1", path), filepath.Join("proc", "1", path), "", syscall.MS_BIND, ""); err != nil {
|
||||
return fmt.Errorf("unable to bind-mount %s: %s", path, err)
|
||||
}
|
||||
}
|
||||
if err := system.Unmount(".proc", 0); err != nil {
|
||||
return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err)
|
||||
}
|
||||
return os.RemoveAll(".proc")
|
||||
return nil
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue