1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/daemon
Brian Goff 93ac040bf0 Lock down docker root dir perms.
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND critically
container users need to be able to do execute things.

0701 on lower directories also happens to allow any user to modify
     things in, for instance, the overlay upper dir which neccessarily
     has 0755 permissions.

This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.

This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-08-19 20:40:15 +00:00
..
cluster Fix possible overlapping IPs 2021-06-18 10:13:59 -07:00
config Added ip6tables config option 2020-11-05 16:18:23 +01:00
discovery
events
exec
graphdriver Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
images docker pull: warn when pulled single-arch image does not match --platform 2021-07-13 17:06:58 +02:00
initlayer
links
listeners daemon/listeners: use pkg/errors 2020-09-14 14:50:54 +02:00
logger jsonfile: more defensive reader implementation 2021-03-19 18:18:55 +01:00
names
network Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
stats daemon/stats: use const for clockTicksPerSecond 2020-07-08 14:22:04 +02:00
testdata
apparmor_default.go buildkit: Apply apparmor profile 2021-01-28 21:33:12 +00:00
apparmor_default_unsupported.go buildkit: Apply apparmor profile 2021-01-28 21:33:12 +00:00
archive.go
archive_tarcopyoptions.go
archive_tarcopyoptions_unix.go
archive_tarcopyoptions_windows.go
archive_unix.go
archive_windows.go
attach.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
auth.go
changes.go
checkpoint.go
cluster.go
commit.go
configs.go
configs_linux.go
configs_unsupported.go
configs_windows.go
container.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
container_linux.go
container_operations.go Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
container_operations_unix.go Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
container_operations_windows.go
container_unix_test.go
container_windows.go
content.go Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
create.go Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
create_test.go
create_unix.go
create_windows.go
daemon.go Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
daemon_linux.go
daemon_linux_test.go
daemon_test.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
daemon_unix.go Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
daemon_unix_test.go
daemon_unsupported.go
daemon_windows.go Do not call mount.RecursiveUnmount() on Windows 2020-10-29 23:00:16 +01:00
daemon_windows_test.go
debugtrap_unix.go
debugtrap_unsupported.go
debugtrap_windows.go
delete.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
delete_test.go
dependency.go
devices_linux.go
disk_usage.go
errors.go Error string match: do not match command path 2021-04-27 18:46:33 +00:00
events.go
events_test.go
exec.go remove uses of deprecated pkg/term 2020-04-21 16:29:27 +02:00
exec_linux.go Simplify getUser() to use libcontainer built-in functionality 2020-09-09 13:25:59 +02:00
exec_linux_test.go
exec_windows.go
export.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
health.go
health_test.go
info.go Update documentation links 2021-02-25 21:54:39 +01:00
info_test.go
info_unix.go Move cgroup v2 out of experimental 2021-04-07 13:55:48 +09:00
info_unix_test.go
info_windows.go
inspect.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_linux.go
inspect_test.go
inspect_windows.go
keys.go
keys_unsupported.go
kill.go Wait for container exit before forcing handler 2020-08-11 21:33:59 +00:00
licensing.go
licensing_test.go
links.go
list.go Merge pull request #40725 from cpuguy83/check_img_platform 2020-05-21 11:33:27 -07:00
list_test.go
list_unix.go
list_windows.go
logdrivers_linux.go
logdrivers_windows.go
logs.go
logs_test.go
metrics.go
metrics_unix.go
metrics_unsupported.go
monitor.go handleContainerExit: put a timeout on containerd DeleteTask 2020-11-14 15:23:29 -08:00
mounts.go
names.go
network.go
network_windows.go
nvidia_linux.go
oci_linux.go rootless: bind mount: fix "operation not permitted" 2021-04-01 18:45:23 +09:00
oci_linux_test.go daemon/oci_linux_test: Skip privileged tests when non-root 2020-12-15 09:47:44 +07:00
oci_utils.go
oci_windows.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
oci_windows_test.go
pause.go
prune.go API: add "prune" events 2020-07-28 12:41:14 +02:00
reload.go
reload_test.go
reload_unix.go Fix lint error on sprintf call for runtime string 2020-07-09 15:41:44 -07:00
reload_windows.go
rename.go
resize.go
resize_test.go
restart.go
runtime_unix.go Add shim config for custom runtimes for plugins 2021-02-17 21:20:03 +01:00
runtime_windows.go Add shim config for custom runtimes for plugins 2021-02-17 21:20:03 +01:00
seccomp_disabled.go
seccomp_linux.go Simplify seccomp logic 2020-09-09 18:23:27 +01:00
seccomp_unsupported.go
secrets.go
secrets_linux.go
secrets_unsupported.go
secrets_windows.go
start.go Don't set image on containerd container. 2020-11-06 04:55:03 +00:00
start_unix.go Add shim config for custom runtimes for plugins 2021-02-17 21:20:03 +01:00
start_windows.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
stats.go
stats_collector.go
stats_unix.go
stats_windows.go
stop.go
top_unix.go
top_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
top_windows.go
trustkey.go
trustkey_test.go
unpause.go
update.go
update_linux.go
update_windows.go
util_test.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
volumes.go Fix status code for missing --volumes-from container 2020-06-29 13:28:14 +02:00
volumes_linux.go
volumes_linux_test.go
volumes_unit_test.go
volumes_unix.go
volumes_unix_test.go
volumes_windows.go
wait.go
workdir.go