Signed-off-by: Jessica Frazelle <acidburn@docker.com>
| ... | ... |
@@ -87,7 +87,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks) |
| 87 | 87 |
container.AppArmorProfile = c.AppArmorProfile |
| 88 | 88 |
} |
| 89 | 89 |
|
| 90 |
- if c.SeccompProfile != "" {
|
|
| 90 |
+ if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
|
| 91 | 91 |
container.Seccomp, err = loadSeccompProfile(c.SeccompProfile) |
| 92 | 92 |
if err != nil {
|
| 93 | 93 |
return nil, err |
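Review bot: The new guard on line 90 compares against the bare literal `"unconfined"`, the same string that the docs hunk and the integration test in this commit spell out independently, so a drift in any one of the three silently turns the opt-out into a profile path that `loadSeccompProfile` then fails to open. I would hoist the literal into a named constant shared with the option parser and document the three states the field can hold: `// SeccompProfile: "" -> daemon default, "unconfined" -> no filter is loaded here (container.Seccomp presumably left unset), anything else -> path to a profile JSON`. The match is exact and case-sensitive, so `Unconfined` still falls into the path branch and fails closed, which is the right direction for a security opt-out. createContainer starts before this hunk, and where the default profile is attached when the field is empty is not visible here.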
| ... | ... |
@@ -62,3 +62,22 @@ Then you can run with: |
| 62 | 62 |
``` |
| 63 | 63 |
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world |
| 64 | 64 |
``` |
| 65 |
+ |
|
| 66 |
+Default Profile |
|
| 67 |
+--------------- |
|
| 68 |
+ |
|
| 69 |
+The default seccomp profile provides a sane default for running |
|
| 70 |
+containers with seccomp. It is moderately protective while |
|
| 71 |
+providing wide application compatibility. |
|
| 72 |
+ |
|
| 73 |
+ |
|
| 74 |
+Overriding the default profile for a container |
|
| 75 |
+---------------------------------------------- |
|
| 76 |
+ |
|
| 77 |
+You can pass `unconfined` to run a container without the default seccomp |
|
| 78 |
+profile. |
|
| 79 |
+ |
|
| 80 |
+``` |
|
| 81 |
+$ docker run --rm -it --security-opt seccomp:unconfined debian:jessie \ |
|
| 82 |
+ unshare --map-root-user --user sh -c whoami |
|
| 83 |
+``` |
| ... | ... |
@@ -7,8 +7,7 @@ set -e |
| 7 | 7 |
dir="$DEST/userns-test" |
| 8 | 8 |
mkdir -p "$dir" |
| 9 | 9 |
( |
| 10 |
- GOOS=${DOCKER_ENGINE_GOOS:="linux"}
|
|
| 11 |
- if [ "$GOOS" = "linux" ]; then |
|
| 10 |
+ if [ "$(go env GOOS)" = "linux" ]; then |
|
| 12 | 11 |
cd "$dir" |
| 13 | 12 |
gcc -g -Wall -static ../../../../contrib/userns-test/main.c -o ./userns-test |
| 14 | 13 |
cp ../../../../contrib/userns-test/Dockerfile . |
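Review bot: Replacing `GOOS=${DOCKER_ENGINE_GOOS:="linux"}` with `$(go env GOOS)` on new line 10 changes two things beyond the cleanup: the `DOCKER_ENGINE_GOOS` override is no longer consulted, and the fallback becomes the host toolchain's GOOS rather than a hard-coded `linux`. If any other hack script still exports `DOCKER_ENGINE_GOOS` to cross-build (not visible here), the userns-test fixture will now be built or skipped based on the host instead of the target; `if [ "${DOCKER_ENGINE_GOOS:-$(go env GOOS)}" = "linux" ]; then` keeps the override while still dropping the stray assignment. Either way a one-line comment such as `# userns-test is a static Linux-only fixture; skip it when targeting another OS` would explain why the gate exists.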
| ... | ... |
@@ -598,8 +598,20 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
|
| 598 | 598 |
} |
| 599 | 599 |
} |
| 600 | 600 |
|
| 601 |
-// TestRunSeccompAllowPrivCloneUserns checks that 'docker run userns-test' |
|
| 602 |
-// with a the default seccomp profile exits with operation not permitted. |
|
| 601 |
+// TestRunSeccompUnconfinedCloneUserns checks that |
|
| 602 |
+// 'docker run --security-opt seccomp:unconfined userns-test' allows creating a userns. |
|
| 603 |
+func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
|
|
| 604 |
+ testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace) |
|
| 605 |
+ |
|
| 606 |
+ // make sure running w privileged is ok |
|
| 607 |
+ runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:unconfined", "userns-test", "id") |
|
| 608 |
+ if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "nobody") {
|
|
| 609 |
+ c.Fatalf("expected clone userns with --security-opt seccomp:unconfined to succeed, got %s: %v", out, err)
|
|
| 610 |
+ } |
|
| 611 |
+} |
|
| 612 |
+ |
|
| 613 |
+// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged userns-test' |
|
| 614 |
+// allows creating a userns. |
|
| 603 | 615 |
func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
|
| 604 | 616 |
testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace) |
| 605 | 617 |
|
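Review bot: The comment on new line 606, `// make sure running w privileged is ok`, was carried over from TestRunSeccompAllowPrivCloneUserns and describes the wrong test: this one runs with `--security-opt seccomp:unconfined`, not `--privileged`. Replace it with `// seccomp:unconfined installs no filter, so the clone(CLONE_NEWUSER) that the default profile rejects (see TestRunSeccompProfileDenyCloneUserns above) must succeed here`. The assertion that `id` prints `nobody` depends on how the userns-test fixture maps ids, which is not visible in this hunk, so a short comment on line 608 stating the expected mapping would keep the check from looking arbitrary. TestRunSeccompAllowPrivCloneUserns's body continues after the end of the hunk.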