moby--moby/daemon
Brian Goff 7f5e39bd4f
Use real root with 0701 perms
Various dirs in /var/lib/docker contain data that needs to be mounted
into a container. For this reason, these dirs are set to be owned by the
remapped root user, otherwise there can be permissions issues.
However, this unnecessarily exposes these dirs to an unprivileged user
on the host.

Instead, set the ownership of these dirs to the real root (or rather the
UID/GID of dockerd) with 0701 permissions, which allows the remapped
root to enter the directories but not read/write to them.
The remapped root needs to enter these dirs so the container's rootfs
can be configured... e.g. to mount /etc/resolve.conf.

This prevents an unprivileged user from having read/write access to
these dirs on the host.
The flip side of this is now any user can enter these directories.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e908cc3901)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-02 13:01:25 +01:00
cluster Fix jobs mode filter spelling 2020-12-15 14:45:05 -06:00
config Added ip6tables config option 2020-11-05 16:18:23 +01:00
discovery bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
events daemon: normalize comment formatting 2019-11-27 15:43:53 +01:00
exec Handle blocked I/O of exec'd processes 2019-06-21 12:02:15 -04:00
graphdriver Use real root with 0701 perms 2021-02-02 13:01:25 +01:00
images Fix builder inconsistent error on buggy platform 2021-01-14 21:45:45 +00:00
initlayer
links daemon: normalize comment formatting 2019-11-27 15:43:53 +01:00
listeners daemon/listeners: use pkg/errors 2020-09-14 14:50:54 +02:00
logger Handle long log messages correctly on SizedLogger 2021-01-20 16:44:06 -08:00
names
network Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
stats daemon/stats: use const for clockTicksPerSecond 2020-07-08 14:22:04 +02:00
testdata
apparmor_default.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
apparmor_default_unsupported.go
archive.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
archive_tarcopyoptions.go
archive_tarcopyoptions_unix.go
archive_tarcopyoptions_windows.go
archive_unix.go
archive_windows.go
attach.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
auth.go
changes.go daemon: add "isWindows" const 2019-10-17 23:49:43 +02:00
checkpoint.go daemon/checkpoint: rm extra checks 2019-09-18 12:57:22 +02:00
cluster.go
commit.go daemon: add "isWindows" const 2019-10-17 23:49:43 +02:00
configs.go
configs_linux.go
configs_unsupported.go
configs_windows.go
container.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
container_linux.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
container_operations.go Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
container_operations_unix.go Use real root with 0701 perms 2021-02-02 13:01:25 +01:00
container_operations_windows.go container.ConfigFilePath: use same signature on Windows 2019-09-03 10:51:43 +02:00
container_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
container_windows.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
content.go Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
create.go Use real root with 0701 perms 2021-02-02 13:01:25 +01:00
create_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
create_unix.go Check tmpfs mounts before create anon volume 2020-02-04 10:12:05 -08:00
create_windows.go Entropy cannot be saved 2019-06-07 11:54:45 +01:00
daemon.go Use real root with 0701 perms 2021-02-02 13:01:25 +01:00
daemon_linux.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
daemon_linux_test.go Really switch to moby/sys/mount* 2020-03-20 09:46:25 -07:00
daemon_test.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
daemon_unix.go Use real root with 0701 perms 2021-02-02 13:01:25 +01:00
daemon_unix_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
daemon_unsupported.go cgroup2: implement `docker info` 2020-04-17 07:20:01 +09:00
daemon_windows.go Do not call mount.RecursiveUnmount() on Windows 2020-10-29 23:00:16 +01:00
daemon_windows_test.go
debugtrap_unix.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
debugtrap_unsupported.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
debugtrap_windows.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
delete.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
delete_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
dependency.go
devices_linux.go Add DeviceRequests to HostConfig to support NVIDIA GPUs 2019-03-18 17:19:45 +00:00
disk_usage.go
errors.go Merge pull request #38541 from Microsoft/jjh/containerd 2019-03-19 21:09:19 -07:00
events.go Remove `SystemInfo()` error handling. 2019-08-29 07:44:39 +08:00
events_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
exec.go remove uses of deprecated pkg/term 2020-04-21 16:29:27 +02:00
exec_linux.go Simplify getUser() to use libcontainer built-in functionality 2020-09-09 13:25:59 +02:00
exec_linux_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
exec_windows.go Windows: (WCOW) Generate OCI spec that remote runtime can escape 2019-03-12 18:41:55 -07:00
export.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
health.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
health_test.go daemon: suppress logs in unit tests 2019-10-18 00:57:56 +02:00
info.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
info_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
info_unix.go docker info: adjust warning strings for cgroup v2 2021-01-20 13:42:32 +09:00
info_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
info_windows.go Make cgroup namespaces configurable 2019-05-07 10:22:16 -07:00
inspect.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_linux.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
inspect_windows.go
keys.go
keys_unsupported.go
kill.go Wait for container exit before forcing handler 2020-08-11 21:33:59 +00:00
licensing.go
licensing_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
links.go
list.go Merge pull request #40725 from cpuguy83/check_img_platform 2020-05-21 11:33:27 -07:00
list_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
list_unix.go
list_windows.go
logdrivers_linux.go Support configuration of log cacher. 2020-02-19 17:02:34 -05:00
logdrivers_windows.go Support configuration of log cacher. 2020-02-19 17:02:34 -05:00
logs.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
logs_test.go
metrics.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
metrics_unix.go Do not require "experimental" for metrics API 2020-04-20 22:19:00 +02:00
metrics_unsupported.go
monitor.go handleContainerExit: put a timeout on containerd DeleteTask 2020-11-14 15:23:29 -08:00
mounts.go
names.go Entropy cannot be saved 2019-06-07 11:54:45 +01:00
network.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
network_windows.go daemon.getEndpointInNetwork() is only used on Windows 2019-09-18 12:55:46 +02:00
nvidia_linux.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci_linux.go use containerd/cgroups to detect cgroups v2 2020-11-09 15:00:32 +01:00
oci_linux_test.go daemon/oci_linux_test: Skip privileged tests when non-root 2020-12-15 09:47:44 +07:00
oci_utils.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci_windows.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
oci_windows_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
pause.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
prune.go API: add "prune" events 2020-07-28 12:41:14 +02:00
reload.go Adding ability to change max download attempts 2019-09-19 13:51:40 +02:00
reload_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
reload_unix.go Fix lint error on sprintf call for runtime string 2020-07-09 15:41:44 -07:00
reload_windows.go
rename.go
resize.go Merge pull request #38522 from cpuguy83/fix_timers 2019-06-07 13:16:46 +02:00
resize_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
restart.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
runtime_unix.go Add shim config for custom runtimes for plugins 2021-01-14 19:28:28 +00:00
runtime_windows.go Add shim config for custom runtimes for plugins 2021-01-14 19:28:28 +00:00
seccomp_disabled.go daemon: make supportsSeccomp a const 2019-10-13 19:16:31 +02:00
seccomp_linux.go Simplify seccomp logic 2020-09-09 18:23:27 +01:00
seccomp_unsupported.go daemon: make supportsSeccomp a const 2019-10-13 19:16:31 +02:00
secrets.go
secrets_linux.go
secrets_unsupported.go
secrets_windows.go
start.go Don't set image on containerd container. 2020-11-06 04:55:03 +00:00
start_unix.go Add shim config for custom runtimes for plugins 2021-01-14 19:28:28 +00:00
start_windows.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
stats.go Merge pull request #40478 from cpuguy83/dont-prime-the-stats 2020-04-16 20:57:06 +02:00
stats_collector.go
stats_unix.go
stats_windows.go
stop.go
top_unix.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
top_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
top_windows.go goimports: fix imports 2019-09-18 12:56:54 +02:00
trustkey.go Allow system.MkDirAll() to be used as drop-in for os.MkDirAll() 2019-08-08 15:05:49 +02:00
trustkey_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
unpause.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
update.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
update_linux.go goimports: fix imports 2019-09-18 12:56:54 +02:00
update_windows.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
util_test.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
volumes.go Fix status code for missing --volumes-from container 2020-06-29 13:28:14 +02:00
volumes_linux.go
volumes_linux_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
volumes_unit_test.go
volumes_unix.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
volumes_unix_test.go
volumes_windows.go
wait.go
workdir.go