From cb4189a292dc181e26e0506a3a0dc67936c5401b Mon Sep 17 00:00:00 2001 From: "Guillaume J. Charmes" Date: Wed, 5 Mar 2014 11:59:31 -0800 Subject: [PATCH] Add AppArmor support to native driver + change pipe/dup logic Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes (github: creack) --- execdriver/native/default_template.go | 4 +++ pkg/libcontainer/apparmor/apparmor.go | 42 +++++++++++++++++++++++++++ pkg/libcontainer/container.go | 3 +- pkg/libcontainer/nsinit/init.go | 22 ++++++++------ 4 files changed, 61 insertions(+), 10 deletions(-) create mode 100644 pkg/libcontainer/apparmor/apparmor.go diff --git a/execdriver/native/default_template.go b/execdriver/native/default_template.go index 8e06ff2e26..3458b2efc6 100644 --- a/execdriver/native/default_template.go +++ b/execdriver/native/default_template.go @@ -37,6 +37,7 @@ func createContainer(c *execdriver.Command) *libcontainer.Container { if c.Privileged { container.Capabilities = nil container.Cgroups.DeviceAccess = true + container.Context["apparmor_profile"] = "unconfined" } if c.Resources != nil { container.Cgroups.CpuShares = c.Resources.CpuShares @@ -78,5 +79,8 @@ func getDefaultTemplate() *libcontainer.Container { Parent: "docker", DeviceAccess: false, }, + Context: libcontainer.Context{ + "apparmor_profile": "lxc-container-default", + }, } } diff --git a/pkg/libcontainer/apparmor/apparmor.go b/pkg/libcontainer/apparmor/apparmor.go new file mode 100644 index 0000000000..044b7661a9 --- /dev/null +++ b/pkg/libcontainer/apparmor/apparmor.go @@ -0,0 +1,42 @@ +package apparmor + +import ( + "errors" + "fmt" + "io/ioutil" + "log" + "os" +) + +var AppArmorEnabled bool + +var ( + ErrAppArmorDisabled = errors.New("Error: AppArmor is not enabled on this system") +) + +func init() { + buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled") + AppArmorEnabled = err == nil && len(buf) > 1 && buf[0] == 'Y' +} + +func ApplyProfile(pid int, name string) error { + if !AppArmorEnabled { + return ErrAppArmorDisabled + } + + f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0) + if err != nil { + log.Printf("error open: %s\n", err) + return err + } + defer f.Close() + + if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil { + log.Printf("changeprofile %s", name) + log.Printf("Error write: %s\n", err) + return err + } else { + log.Printf("Write success!") + } + return nil +} diff --git a/pkg/libcontainer/container.go b/pkg/libcontainer/container.go index 12a3d7ba8e..bd16825d99 100644 --- a/pkg/libcontainer/container.go +++ b/pkg/libcontainer/container.go @@ -20,7 +20,8 @@ type Container struct { Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply Capabilities Capabilities `json:"capabilities,omitempty"` // capabilities to drop Networks []*Network `json:"networks,omitempty"` // nil for host's network stack - Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` + Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups + Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux) } // Network defines configuration for a container's networking stack diff --git a/pkg/libcontainer/nsinit/init.go b/pkg/libcontainer/nsinit/init.go index 565030f252..48d9213ad2 100644 --- a/pkg/libcontainer/nsinit/init.go +++ b/pkg/libcontainer/nsinit/init.go @@ -5,6 +5,7 @@ package nsinit import ( "fmt" "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/dotcloud/docker/pkg/libcontainer/apparmor" "github.com/dotcloud/docker/pkg/libcontainer/capabilities" "github.com/dotcloud/docker/pkg/libcontainer/network" "github.com/dotcloud/docker/pkg/libcontainer/utils" @@ -32,7 +33,7 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol if console != "" { // close pipes so that we can replace it with the pty - closeStdPipes() + // closeStdPipes() slave, err := system.OpenTerminal(console, syscall.O_RDWR) if err != nil { return fmt.Errorf("open terminal %s", err) @@ -55,9 +56,17 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol return fmt.Errorf("parent death signal %s", err) } */ + if err := setupNewMountNamespace(rootfs, console, container.ReadonlyFs); err != nil { return fmt.Errorf("setup mount namespace %s", err) } + + if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil { + if err != apparmor.ErrAppArmorDisabled { + return err + } + } + if err := setupNetwork(container, context); err != nil { return fmt.Errorf("setup networking %s", err) } @@ -67,13 +76,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol if err := finalizeNamespace(container); err != nil { return fmt.Errorf("finalize namespace %s", err) } - return system.Execv(args[0], args[0:], container.Env) -} -func closeStdPipes() { - os.Stdin.Close() - os.Stdout.Close() - os.Stderr.Close() + return system.Execv(args[0], args[0:], container.Env) } func setupUser(container *libcontainer.Container) error { @@ -109,8 +113,8 @@ func setupUser(container *libcontainer.Container) error { // dupSlave dup2 the pty slave's fd into stdout and stdin and ensures that // the slave's fd is 0, or stdin func dupSlave(slave *os.File) error { - if slave.Fd() != 0 { - return fmt.Errorf("slave fd not 0 %d", slave.Fd()) + if err := system.Dup2(slave.Fd(), 0); err != nil { + return err } if err := system.Dup2(slave.Fd(), 1); err != nil { return err