kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/daemon
History
Brian Goff 03f1c3d78f
Lock down docker root dir perms. 
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND critically
container users need to be able to do execute things.

0701 on lower directories also happens to allow any user to modify
     things in, for instance, the overlay upper dir which neccessarily
     has 0755 permissions.

This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.

This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 93ac040bf0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 09:57:00 +02:00
..
cluster refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
config Allow switching Windows runtimes. 2021-09-23 17:44:04 +00:00
discovery
events api/types/events: add "Type" type for event-type enum 2021-08-23 21:14:55 +02:00
exec
graphdriver Lock down docker root dir perms. 2021-10-05 09:57:00 +02:00
images refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
initlayer Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
links
listeners Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
logger Merge pull request #40084 from thaJeztah/hostconfig_const_cleanup 2021-08-28 00:21:31 +09:00
names
network Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
stats Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
testdata
apparmor_default.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
apparmor_default_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
archive.go
archive_tarcopyoptions.go
archive_tarcopyoptions_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
archive_tarcopyoptions_windows.go
archive_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
archive_windows.go
attach.go
auth.go
changes.go
checkpoint.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
cluster.go Fix libnetwork imports 2021-06-01 21:51:23 +00:00
commit.go
configs.go
configs_linux.go
configs_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
configs_windows.go
container.go Merge pull request #42616 from thaJeztah/migrate_pkg_signal 2021-07-26 10:47:28 -07:00
container_linux.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
container_operations.go Fixup libnetwork lint errors 2021-06-01 23:48:32 +00:00
container_operations_unix.go Lock down docker root dir perms. 2021-10-05 09:57:00 +02:00
container_operations_windows.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
container_unix_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
container_windows.go
content.go Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
create.go Lock down docker root dir perms. 2021-10-05 09:57:00 +02:00
create_test.go
create_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
create_windows.go daemon, oci: remove LCOW bits 2021-07-27 13:35:59 +02:00
daemon.go Lock down docker root dir perms. 2021-10-05 09:57:00 +02:00
daemon_linux.go Fix libnetwork imports 2021-06-01 21:51:23 +00:00
daemon_linux_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
daemon_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
daemon_unix.go Lock down docker root dir perms. 2021-10-05 09:57:00 +02:00
daemon_unix_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
daemon_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
daemon_windows.go Allow switching Windows runtimes. 2021-09-23 17:44:04 +00:00
daemon_windows_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
debugtrap_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
debugtrap_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
debugtrap_windows.go pkg/signal: move signal.DumpStacks() to a separate package 2021-07-15 18:09:43 +02:00
delete.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
delete_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
dependency.go
devices_linux.go
disk_usage.go daemon,volume: share disk usage computations 2021-08-09 19:59:39 +02:00
errors.go Error string match: do not match command path 2021-04-14 23:03:18 +00:00
events.go Fix libnetwork imports 2021-06-01 21:51:23 +00:00
events_test.go
exec.go replace pkg/signal with moby/sys/signal v0.5.0 2021-07-23 09:32:54 +02:00
exec_linux.go Use containerd's apparmor package to detect if apparmor can be used 2021-04-08 20:22:08 +02:00
exec_linux_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
exec_windows.go
export.go remove layerstore indexing by OS (used for LCOW) 2021-06-10 17:49:11 +02:00
health.go
health_test.go
info.go daemon: normalize seccomp profile as part of setupSeccompProfile() 2021-08-07 15:41:46 +02:00
info_test.go
info_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
info_unix_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
info_windows.go
inspect.go
inspect_linux.go
inspect_test.go
inspect_windows.go
keys.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
keys_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
kill.go replace pkg/signal with moby/sys/signal v0.5.0 2021-07-23 09:32:54 +02:00
licensing.go
licensing_test.go
links.go
list.go daemon: var-declaration: should omit type bool (revive) 2021-06-10 13:03:45 +02:00
list_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
list_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
list_windows.go
logdrivers_linux.go
logdrivers_windows.go
logs.go
logs_test.go
metrics.go
metrics_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
metrics_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
monitor.go Move container exit state to after cleanup. 2021-01-28 11:28:41 -08:00
mounts.go
names.go
network.go reformat "nolint" comments 2021-06-10 13:03:42 +02:00
network_windows.go Fix libnetwork imports 2021-06-01 21:51:23 +00:00
nvidia_linux.go
oci_linux.go daemon.WithCommonOptions() fix detection of user-namespaces 2021-08-30 19:48:29 +02:00
oci_linux_test.go daemon.WithCommonOptions() fix detection of user-namespaces 2021-08-30 19:48:29 +02:00
oci_utils.go
oci_windows.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
oci_windows_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
pause.go
prune.go Fixup libnetwork lint errors 2021-06-01 23:48:32 +00:00
reload.go
reload_test.go Fixup libnetwork lint errors 2021-06-01 23:48:32 +00:00
reload_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
reload_windows.go
rename.go Fix libnetwork imports 2021-06-01 21:51:23 +00:00
resize.go
resize_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
restart.go
runtime_unix.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
runtime_windows.go Add shim config for custom runtimes for plugins 2021-01-14 19:28:28 +00:00
seccomp_disabled.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
seccomp_linux.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
seccomp_linux_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
seccomp_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
secrets.go
secrets_linux.go
secrets_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
secrets_windows.go
start.go volume/mounts: remove "containerOS" argument from NewParser (LCOW code) 2021-07-02 13:51:55 +02:00
start_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
start_windows.go Windows CI: Add support for testing with containerd 2021-08-17 07:09:40 -07:00
stats.go
stats_collector.go
stats_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
stats_windows.go
stop.go Fix log statement 'failed to exit' timeout accuracy 2021-06-08 13:37:58 -07:00
top_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
top_unix_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
top_windows.go
trustkey.go
trustkey_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
unpause.go
update.go volume/mounts: remove "containerOS" argument from NewParser (LCOW code) 2021-07-02 13:51:55 +02:00
update_linux.go
update_windows.go
util_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
volumes.go volume/mounts: remove "containerOS" argument from NewParser (LCOW code) 2021-07-02 13:51:55 +02:00
volumes_linux.go
volumes_linux_test.go
volumes_unit_test.go volume/mounts: remove "containerOS" argument from NewParser (LCOW code) 2021-07-02 13:51:55 +02:00
volumes_unix.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
volumes_unix_test.go Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24 23:33:27 +02:00
volumes_windows.go
wait.go
workdir.go