1. docker
  2. Commit ba38d58659cc155aebf89a2ea4cfc3cd7ba04a64
Browse code

Make mqueue container specific

mqueue can not be mounted on the host os and then shared into the container.
There is only one mqueue per mount namespace, so current code ends up leaking
the /dev/mqueue from the host into ALL containers. Since SELinux changes the
label of the mqueue, only the last container is able to use the mqueue, all
other containers will get a permission denied. If you don't have SELinux protections
sharing of the /dev/mqueue allows one container to interact in potentially hostile
ways with other containers.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>

Dan Walsh authored on 2016/02/01 17:25:25
Showing 3 changed files
container/container_unix.go
History View file @ ba38d58
... ... 
@@ -559,18 +559,6 @@ func (container *Container) UnmountIpcMounts(unmount func(pth string) error) {
559 559 
 		}
560 560 
 	}
561 561
562 
-	if !container.HasMountFor("/dev/mqueue") {
563 
-		mqueuePath, err := container.MqueueResourcePath()
564 
-		if err != nil {
565 
-			logrus.Error(err)
566 
-			warnings = append(warnings, err.Error())
567 
-		} else if mqueuePath != "" {
568 
-			if err := unmount(mqueuePath); err != nil {
569 
-				warnings = append(warnings, fmt.Sprintf("failed to umount %s: %v", mqueuePath, err))
570 
-			}
571 
-		}
572 
-	}
573 
-
574 562 
 	if len(warnings) > 0 {
575 563 
 		logrus.Warnf("failed to cleanup ipc mounts:\n%v", strings.Join(warnings, "\n"))
576 564 
 	}
... ... 
@@ -589,9 +577,8 @@ func (container *Container) IpcMounts() []execdriver.Mount {
589 589 
 			Propagation: volume.DefaultPropagationMode,
590 590 
 		})
591 591 
 	}
592 
-
593 
-	if !container.HasMountFor("/dev/mqueue") {
594 
-		label.SetFileLabel(container.MqueuePath, container.MountLabel)
592 
+	if !container.HasMountFor("/dev/mqueue") &&
593 
+		container.MqueuePath != "" {
595 594 
 		mounts = append(mounts, execdriver.Mount{
596 595 
 			Source:      container.MqueuePath,
597 596 
 			Destination: "/dev/mqueue",
daemon/container_operations_unix.go
History View file @ ba38d58
... ... 
@@ -93,11 +93,6 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
93 93 
 		return err
94 94 
 	}
95 95
96 
-	c.MqueuePath, err = c.MqueueResourcePath()
97 
-	if err != nil {
98 
-		return err
99 
-	}
100 
-
101 96 
 	if c.HostConfig.IpcMode.IsContainer() {
102 97 
 		ic, err := daemon.getIpcContainer(c)
103 98 
 		if err != nil {
... ... 
@@ -105,7 +100,6 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
105 105 
 		}
106 106 
 		ipc.ContainerID = ic.ID
107 107 
 		c.ShmPath = ic.ShmPath
108 
-		c.MqueuePath = ic.MqueuePath
109 108 
 	} else {
110 109 
 		ipc.HostIpc = c.HostConfig.IpcMode.IsHost()
111 110 
 		if ipc.HostIpc {
... ... 
@@ -1062,21 +1056,6 @@ func (daemon *Daemon) setupIpcDirs(c *container.Container) error {
1062 1062 
 		}
1063 1063 
 	}
1064 1064
1065 
-	if !c.HasMountFor("/dev/mqueue") {
1066 
-		mqueuePath, err := c.MqueueResourcePath()
1067 
-		if err != nil {
1068 
-			return err
1069 
-		}
1070 
-
1071 
-		if err := idtools.MkdirAllAs(mqueuePath, 0700, rootUID, rootGID); err != nil {
1072 
-			return err
1073 
-		}
1074 
-
1075 
-		if err := syscall.Mount("mqueue", mqueuePath, "mqueue", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), ""); err != nil {
1076 
-			return fmt.Errorf("mounting mqueue mqueue : %s", err)
1077 
-		}
1078 
-	}
1079 
-
1080 1065 
 	return nil
1081 1066 
 }
1082 1067
daemon/execdriver/native/template/default_template_linux.go
History View file @ ba38d58
... ... 
@@ -65,6 +65,12 @@ func New() *configs.Config {
65 65 
 				Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
66 66 
 			},
67 67 
 			{
68 
+				Source:      "mqueue",
69 
+				Destination: "/dev/mqueue",
70 
+				Device:      "mqueue",
71 
+				Flags:       defaultMountFlags,
72 
+			},
73 
+			{
68 74 
 				Source:      "sysfs",
69 75 
 				Destination: "/sys",
70 76 
 				Device:      "sysfs",