mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
80d99236c1
The automatic installation of AppArmor policies prevents the management of custom, site-specific apparmor policies for the default container profile. Furthermore, this change will allow a future policy for the engine itself to be written without demanding the engine be able to arbitrarily create and manage AppArmor policies. - Add deb package suggests for apparmor. - Ubuntu postinst use aa-status & fix policy path - Add the policies to the debian packages. - Add apparmor tests for writing proc files Additional restrictions against modifying files in proc are enforced by AppArmor. Ensure that AppArmor is preventing access to these files, not simply Docker's configuration of proc. - Remove /proc/k?mem from AA policy The path to mem and kmem are in /dev, not /proc and cannot be restricted successfully through AppArmor. The device cgroup will need to be sufficient here. - Load contrib/apparmor during integration tests Note that this is somewhat dirty because we cannot restore the host to its original configuration. However, it should be noted that prior to this patch series, the Docker daemon itself was loading apparmor policy from within the tests, so this is no dirtier or uglier than the status-quo. Signed-off-by: Eric Windisch <eric@windisch.us>
75 lines
2.3 KiB
Bash
75 lines
2.3 KiB
Bash
#!/bin/bash
|
|
|
|
# see test-integration-cli for example usage of this script
|
|
|
|
export PATH="$ABS_DEST/../binary:$ABS_DEST/../dynbinary:$ABS_DEST/../gccgo:$ABS_DEST/../dyngccgo:$PATH"
|
|
|
|
if ! command -v docker &> /dev/null; then
|
|
echo >&2 'error: binary or dynbinary must be run before .integration-daemon-start'
|
|
false
|
|
fi
|
|
|
|
# intentionally open a couple bogus file descriptors to help test that they get scrubbed in containers
|
|
exec 41>&1 42>&2
|
|
|
|
export DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER:-vfs}
|
|
export DOCKER_EXECDRIVER=${DOCKER_EXECDRIVER:-native}
|
|
export DOCKER_USERLANDPROXY=${DOCKER_USERLANDPROXY:-true}
|
|
|
|
# example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G"
|
|
storage_params=""
|
|
if [ -n "$DOCKER_STORAGE_OPTS" ]; then
|
|
IFS=','
|
|
for i in ${DOCKER_STORAGE_OPTS}; do
|
|
storage_params="--storage-opt $i $storage_params"
|
|
done
|
|
unset IFS
|
|
fi
|
|
|
|
if [ -z "$DOCKER_TEST_HOST" ]; then
|
|
# Start apparmor if it is enabled
|
|
if [ -e "/sys/module/apparmor/parameters/enabled" ] && [ "$(cat /sys/module/apparmor/parameters/enabled)" == "Y" ]; then
|
|
# reset container variable so apparmor profile is applied to process
|
|
# see https://github.com/docker/libcontainer/blob/master/apparmor/apparmor.go#L16
|
|
export container=""
|
|
(
|
|
set -x
|
|
/etc/init.d/apparmor start
|
|
|
|
/sbin/apparmor_parser -r -W -T contrib/apparmor/
|
|
)
|
|
fi
|
|
|
|
export DOCKER_HOST="unix://$(cd "$DEST" && pwd)/docker.sock" # "pwd" tricks to make sure $DEST is an absolute path, not a relative one
|
|
( set -x; exec \
|
|
docker --daemon --debug \
|
|
--host "$DOCKER_HOST" \
|
|
--storage-driver "$DOCKER_GRAPHDRIVER" \
|
|
--exec-driver "$DOCKER_EXECDRIVER" \
|
|
--pidfile "$DEST/docker.pid" \
|
|
--userland-proxy="$DOCKER_USERLANDPROXY" \
|
|
$storage_params \
|
|
&> "$DEST/docker.log"
|
|
) &
|
|
# make sure that if the script exits unexpectedly, we stop this daemon we just started
|
|
trap 'bundle .integration-daemon-stop' EXIT
|
|
else
|
|
export DOCKER_HOST="$DOCKER_TEST_HOST"
|
|
fi
|
|
|
|
# give it a second to come up so it's "ready"
|
|
tries=10
|
|
while ! docker version &> /dev/null; do
|
|
(( tries-- ))
|
|
if [ $tries -le 0 ]; then
|
|
if [ -z "$DOCKER_HOST" ]; then
|
|
echo >&2 "error: daemon failed to start"
|
|
echo >&2 " check $DEST/docker.log for details"
|
|
else
|
|
echo >&2 "error: daemon at $DOCKER_HOST fails to 'docker version':"
|
|
docker version >&2 || true
|
|
fi
|
|
false
|
|
fi
|
|
sleep 2
|
|
done
|