1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

9 commits

Author SHA1 Message Date
Stefan Berger
9dbc36b441 contrib: Extend engine apparmor profile for tools needed by devicemapper
Add tools to the apparmor profile that are needed when -s devicemapper is
in the docker daemon's command line.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
2015-07-30 06:45:57 -04:00
Eric Windisch
6c887be769 Mark engine AA policy as complain-only
The engine policy will now only complain
as a temporary measure to ensure we do not
cause breakages while users exercise this
policy.

This is NOT the policy for containers, but
for the newly-introduced policy for the
daemon itself.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:53 -04:00
Eric Windisch
8b2fcddcd2 AA: Eliminate 'file' permission
Implements the policies for the remaining binaries
called by the Docker engine and eliminates the
giant whitelisted 'all files' permission in favor
of granular whitelisting and child-specific policies.

It should be possible now to remove the 'file' permission,
but for the sake of keeping Docker unbroken, we'll try
to gradually tighten the policy.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:53 -04:00
Eric Windisch
3edc88f76d Restore AppArmor profile generation
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.

A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.

Also introduces documentation for AppArmor.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:51 -04:00
David Calavera
94ab0d312f Revert "Introduce a dedicated unconfined AA policy"
This reverts commit 87376c3add.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-07-24 16:35:51 -07:00
David Calavera
ac9fc03c74 Merge pull request #14855 from ewindisch/apparmor-unconfined
Introduce a dedicated unconfined AA policy
2015-07-23 10:21:51 -07:00
Eric Windisch
39dae54a3f Add AppArmor policy for the engine
Wraps the engine itself with an AppArmor policy.

This restricts what may be done by applications
we call out to, such as 'xz'.

Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.

Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-22 14:20:50 -04:00
Eric Windisch
87376c3add Introduce a dedicated unconfined AA policy
By using the 'unconfined' policy for privileged
containers, we have inherited the host's apparmor
policies, which really make no sense in the
context of the container's filesystem.

For instance, policies written against
the paths of binaries such as '/usr/sbin/tcpdump'
can be easily circumvented by moving the binary
within the container filesystem.

Fixes GH#5490

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-22 11:28:32 -04:00
Eric Windisch
80d99236c1 Move AppArmor policy to contrib & deb packaging
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.

- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-21 11:05:53 -04:00