GitList

Browse code

Apply apparmor before restrictions

There is not need for the remount hack, we use aa_change_onexec so the
apparmor profile is not applied until we exec the users app.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

Michael Crosby authored on 2014/05/02 11:09:12
Showing 5 changed files

pkg/apparmor/apparmor.go index 6fdb1f8..704ee29 100644
pkg/apparmor/apparmor_disabled.go index 77543e4..8d86ce9 100644
pkg/libcontainer/console/console.go index 05cd08a..5f06aea 100644
pkg/libcontainer/nsinit/init.go index 7558479..22345f6 100644
pkg/libcontainer/security/restrict/restrict.go index 411bc06..cfff09f 100644

pkg/apparmor/apparmor.go

History View file @ 76fa7d5

@@ -20,7 +20,7 @@ func IsEnabled() bool {
 	return false
 }
 
-func ApplyProfile(pid int, name string) error {
+func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}

pkg/apparmor/apparmor_disabled.go

History View file @ 76fa7d5

@@ -2,12 +2,10 @@
                      package apparmor
                     -import ()
+                    -
                      func IsEnabled() bool {
                      	return false
+                     }
                     -func ApplyProfile(pid int, name string) error {
                     +func ApplyProfile(name string) error {
                      	return nil
+                     }

pkg/libcontainer/console/console.go

History View file @ 76fa7d5

@@ -4,11 +4,12 @@ package console
                      import (
                      	"fmt"
                     -	"github.com/dotcloud/docker/pkg/label"
                     -	"github.com/dotcloud/docker/pkg/system"
                      	"os"
                      	"path/filepath"
                      	"syscall"
+                    +
                     +	"github.com/dotcloud/docker/pkg/label"
                     +	"github.com/dotcloud/docker/pkg/system"
+                     )
                      // Setup initializes the proper /dev/console inside the rootfs path

pkg/libcontainer/nsinit/init.go

History View file @ 76fa7d5

@@ -72,18 +72,17 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string,
                      	runtime.LockOSThread()
                     +	if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
                     +		return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
                     +	}
                     +	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
                     +		return fmt.Errorf("set process label %s", err)
                     +	}
                      	if container.Context["restrictions"] != "" {
                      		if err := restrict.Restrict(); err != nil {
                      			return err
+                     		}
+                     	}
+                    -
                     -	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
                     -		return err
                     -	}
                     -	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
                     -		return fmt.Errorf("set process label %s", err)
                     -	}
                      	if err := FinalizeNamespace(container); err != nil {
                      		return fmt.Errorf("finalize namespace %s", err)
+                     	}

pkg/libcontainer/security/restrict/restrict.go

History View file @ 76fa7d5

@@ -4,8 +4,6 @@ package restrict
                      import (
                      	"fmt"
                     -	"os"
                     -	"path/filepath"
                      	"syscall"
                      	"github.com/dotcloud/docker/pkg/system"
@@ -23,26 +21,5 @@ func Restrict() error {
                      	if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil {
                      		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore")
+                     	}
+                    -
                     -	// This weird trick will allow us to mount /proc read-only, while being able to use AppArmor.
                     -	// This is because apparently, loading an AppArmor profile requires write access to /proc/1/attr.
                     -	// So we do another mount of procfs, ensure it's write-able, and bind-mount a subset of it.
                     -	if err := os.Mkdir(".proc", 0700); err != nil {
                     -		return fmt.Errorf("unable to create temporary proc mountpoint .proc: %s", err)
                     -	}
                     -	if err := system.Mount("proc", ".proc", "proc", 0, ""); err != nil {
                     -		return fmt.Errorf("unable to mount proc on temporary proc mountpoint: %s", err)
                     -	}
                     -	if err := system.Mount("proc", ".proc", "", syscall.MS_REMOUNT, ""); err != nil {
                     -		return fmt.Errorf("unable to remount proc read-write: %s", err)
                     -	}
                     -	for _, path := range []string{"attr", "task"} {
                     -		if err := system.Mount(filepath.Join(".proc", "1", path), filepath.Join("proc", "1", path), "", syscall.MS_BIND, ""); err != nil {
                     -			return fmt.Errorf("unable to bind-mount %s: %s", path, err)
                     -		}
                     -	}
                     -	if err := system.Unmount(".proc", 0); err != nil {
                     -		return fmt.Errorf("unable to unmount temporary proc filesystem: %s", err)
                     -	}
                     -	return os.RemoveAll(".proc")
                     +	return nil
+                     }

...	...	@@ -20,7 +20,7 @@ func IsEnabled() bool {
20	20	return false
21	21	}
22	22
23		-func ApplyProfile(pid int, name string) error {
	23	+func ApplyProfile(name string) error {
24	24	if name == "" {
25	25	return nil
26	26	}