kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/daemon
History
Brian Goff e908cc3901 Use real root with 0701 perms 
Various dirs in /var/lib/docker contain data that needs to be mounted
into a container. For this reason, these dirs are set to be owned by the
remapped root user, otherwise there can be permissions issues.
However, this uneccessarily exposes these dirs to an unprivileged user
on the host.

Instead, set the ownership of these dirs to the real root (or rather the
UID/GID of dockerd) with 0701 permissions, which allows the remapped
root to enter the directories but not read/write to them.
The remapped root needs to enter these dirs so the container's rootfs
can be configured... e.g. to mount /etc/resolve.conf.

This prevents an unprivileged user from having read/write access to
these dirs on the host.
The flip side of this is now any user can enter these directories.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-26 17:23:32 +00:00
..
cluster Fix jobs mode filter spelling 2020-12-15 14:45:05 -06:00
config Added ip6tables config option 2020-11-05 16:18:23 +01:00
discovery bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
events
exec
graphdriver Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
images Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
initlayer
links
listeners daemon/listeners: use pkg/errors 2020-09-14 14:50:54 +02:00
logger Fix windows log file rotation with readers 2020-10-29 18:38:30 +00:00
names
network Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
stats daemon/stats: use const for clockTicksPerSecond 2020-07-08 14:22:04 +02:00
testdata
apparmor_default.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
apparmor_default_unsupported.go
archive.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
archive_tarcopyoptions.go
archive_tarcopyoptions_unix.go
archive_tarcopyoptions_windows.go
archive_unix.go
archive_windows.go
attach.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
auth.go
changes.go
checkpoint.go
cluster.go
commit.go
configs.go
configs_linux.go
configs_unsupported.go
configs_windows.go
container.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
container_linux.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
container_operations.go Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
container_operations_unix.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
container_operations_windows.go
container_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
container_windows.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
content.go Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
create.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
create_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
create_unix.go
create_windows.go
daemon.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
daemon_linux.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
daemon_linux_test.go Really switch to moby/sys/mount* 2020-03-20 09:46:25 -07:00
daemon_test.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
daemon_unix.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
daemon_unix_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
daemon_unsupported.go cgroup2: implement docker info 2020-04-17 07:20:01 +09:00
daemon_windows.go Do not call mount.RecursiveUnmount() on Windows 2020-10-29 23:00:16 +01:00
daemon_windows_test.go
debugtrap_unix.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
debugtrap_unsupported.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
debugtrap_windows.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
delete.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
delete_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
dependency.go
devices_linux.go
disk_usage.go
errors.go
events.go
events_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
exec.go remove uses of deprecated pkg/term 2020-04-21 16:29:27 +02:00
exec_linux.go Simplify getUser() to use libcontainer built-in functionality 2020-09-09 13:25:59 +02:00
exec_linux_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
exec_windows.go
export.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
health.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
health_test.go
info.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
info_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
info_unix.go Deprecate KernelMemory 2020-07-24 20:44:29 +09:00
info_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
info_windows.go
inspect.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_linux.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
inspect_windows.go
keys.go
keys_unsupported.go
kill.go Wait for container exit before forcing handler 2020-08-11 21:33:59 +00:00
licensing.go
licensing_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
links.go
list.go Merge pull request #40725 from cpuguy83/check_img_platform 2020-05-21 11:33:27 -07:00
list_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
list_unix.go
list_windows.go
logdrivers_linux.go Support configuration of log cacher. 2020-02-19 17:02:34 -05:00
logdrivers_windows.go Support configuration of log cacher. 2020-02-19 17:02:34 -05:00
logs.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
logs_test.go
metrics.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
metrics_unix.go Do not require "experimental" for metrics API 2020-04-20 22:19:00 +02:00
metrics_unsupported.go
monitor.go handleContainerExit: put a timeout on containerd DeleteTask 2020-11-14 15:23:29 -08:00
mounts.go
names.go
network.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
network_windows.go
nvidia_linux.go
oci_linux.go use containerd/cgroups to detect cgroups v2 2020-11-09 15:00:32 +01:00
oci_linux_test.go daemon/oci_linux_test: Skip privileged tests when non-root 2020-12-15 09:47:44 +07:00
oci_utils.go
oci_windows.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
oci_windows_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
pause.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
prune.go API: add "prune" events 2020-07-28 12:41:14 +02:00
reload.go
reload_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
reload_unix.go Fix lint error on sprintf call for runtime string 2020-07-09 15:41:44 -07:00
reload_windows.go
rename.go
resize.go
resize_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
restart.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
runtime_unix.go cgroup v1: change the default runtime to io.containerd.runc.v2 2020-07-15 14:06:21 +09:00
seccomp_disabled.go
seccomp_linux.go Simplify seccomp logic 2020-09-09 18:23:27 +01:00
seccomp_unsupported.go
secrets.go
secrets_linux.go
secrets_unsupported.go
secrets_windows.go
start.go Don't set image on containerd container. 2020-11-06 04:55:03 +00:00
start_unix.go use containerd/cgroups to detect cgroups v2 2020-11-09 15:00:32 +01:00
start_windows.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
stats.go Merge pull request #40478 from cpuguy83/dont-prime-the-stats 2020-04-16 20:57:06 +02:00
stats_collector.go
stats_unix.go
stats_windows.go
stop.go
top_unix.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
top_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
top_windows.go
trustkey.go
trustkey_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
unpause.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
update.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
update_linux.go
update_windows.go
util_test.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
volumes.go Fix status code for missing --volumes-from container 2020-06-29 13:28:14 +02:00
volumes_linux.go
volumes_linux_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
volumes_unit_test.go
volumes_unix.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
volumes_unix_test.go
volumes_windows.go
wait.go
workdir.go