ba38d58659
mqueue cannot be mounted on the host OS and then shared into the container. There is only one mqueue per mount namespace, so the current code ends up leaking the host's /dev/mqueue into ALL containers. Since SELinux changes the label of the mqueue, only the last container is able to use it; all other containers get a permission denied. If you don't have SELinux protections, sharing /dev/mqueue allows one container to interact in potentially hostile ways with other containers. Signed-off-by: Dan Walsh <dwalsh@redhat.com>
package template
import (
"syscall"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/configs"
)
// defaultMountFlags is the baseline flag set applied to the kernel-backed
// mounts in the default template (/proc, /dev/mqueue, /sys and the cgroup
// tree): no set-uid binaries, no execution and no device nodes are honoured
// on those filesystems.
const (
	defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
)
// New returns the docker default configuration for libcontainer.
//
// The returned config is a whitelist: a minimal capability set, a fresh
// instance of every namespace kind, a device cgroup that does not allow all
// devices, a set of private kernel-backed mounts, and a handful of /proc
// entries that are masked or made read-only. When AppArmor is enabled on the
// host the "docker-default" profile is attached as well.
func New() *configs.Config {
	// Capabilities retained by the container's init process.
	caps := []string{
		"CHOWN",
		"DAC_OVERRIDE",
		"FSETID",
		"FOWNER",
		"MKNOD",
		"NET_RAW",
		"SETGID",
		"SETUID",
		"SETFCAP",
		"SETPCAP",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"KILL",
		"AUDIT_WRITE",
	}

	// One new namespace of every kind, user namespace included.
	namespaces := configs.Namespaces([]configs.Namespace{
		{Type: "NEWNS"},
		{Type: "NEWUTS"},
		{Type: "NEWIPC"},
		{Type: "NEWPID"},
		{Type: "NEWNET"},
		{Type: "NEWUSER"},
	})

	// Filesystems set up inside the container's mount namespace. Each entry
	// mounts a fresh filesystem of the named type rather than binding a host
	// path. mqueue in particular is mounted fresh here: a single mqueue
	// instance cannot be shared between the host and containers (see the
	// commit message), and sharing it would let containers interfere with
	// one another.
	mounts := []*configs.Mount{
		{
			Source:      "proc",
			Destination: "/proc",
			Device:      "proc",
			Flags:       defaultMountFlags,
		},
		{
			// /dev is nosuid but, unlike the other mounts, not noexec.
			Source:      "tmpfs",
			Destination: "/dev",
			Device:      "tmpfs",
			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
			Data:        "mode=755",
		},
		{
			// A private pts instance; ptmx is world-accessible, ptys are 0620
			// owned by gid 5 (conventionally "tty").
			Source:      "devpts",
			Destination: "/dev/pts",
			Device:      "devpts",
			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
		},
		{
			Source:      "mqueue",
			Destination: "/dev/mqueue",
			Device:      "mqueue",
			Flags:       defaultMountFlags,
		},
		{
			// sysfs and the cgroup tree are exposed read-only.
			Source:      "sysfs",
			Destination: "/sys",
			Device:      "sysfs",
			Flags:       defaultMountFlags | syscall.MS_RDONLY,
		},
		{
			Source:      "cgroup",
			Destination: "/sys/fs/cgroup",
			Device:      "cgroup",
			Flags:       defaultMountFlags | syscall.MS_RDONLY,
		},
	}

	// /proc entries hidden from the container entirely.
	maskPaths := []string{
		"/proc/kcore",
		"/proc/latency_stats",
		"/proc/timer_stats",
	}

	// /proc entries that stay visible but are remounted read-only.
	readonlyPaths := []string{
		"/proc/asound",
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}

	container := &configs.Config{
		Capabilities: caps,
		Namespaces:   namespaces,
		Cgroups: &configs.Cgroup{
			ScopePrefix: "docker", // systemd only
			Resources: &configs.Resources{
				AllowAllDevices: false,
				// -1: presumably leaves the cgroup's swappiness untouched
				// rather than forcing a value; confirm against the runc
				// cgroup driver in use.
				MemorySwappiness: -1,
			},
		},
		Mounts:        mounts,
		MaskPaths:     maskPaths,
		ReadonlyPaths: readonlyPaths,
	}

	// Only attach the profile when the LSM is actually active on the host.
	if apparmor.IsEnabled() {
		container.AppArmorProfile = "docker-default"
	}

	return container
}