[19.03 backport] rootless: harden slirp4netns with mount namespace and seccomp
| ... | ... |
@@ -39,6 +39,9 @@ fi |
| 39 | 39 |
|
| 40 | 40 |
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"
|
| 41 | 41 |
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"
|
| 42 |
+# if slirp4netns v0.4.0+ is installed, slirp4netns is hardened using sandbox (mount namespace) and seccomp |
|
| 43 |
+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX:=auto}"
|
|
| 44 |
+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}"
|
|
| 42 | 45 |
net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET |
| 43 | 46 |
mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU |
| 44 | 47 |
if [ -z $net ]; then |
| ... | ... |
@@ -77,6 +80,8 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then |
| 77 | 77 |
# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace |
| 78 | 78 |
exec $rootlesskit \ |
| 79 | 79 |
--net=$net --mtu=$mtu \ |
| 80 |
+ --slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \ |
|
| 81 |
+ --slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \ |
|
| 80 | 82 |
--disable-host-loopback --port-driver=builtin \ |
| 81 | 83 |
--copy-up=/etc --copy-up=/run \ |
| 82 | 84 |
$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \ |
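Review bot: The comment added above the two new defaults does not say what `auto` does on a host with slirp4netns older than v0.4.0. Presumably the mount-namespace sandbox and the seccomp filter are then skipped without any message, so an operator cannot tell from this script whether the hardening is in effect. I would extend the comment to name the accepted values and the fallback, e.g. `# values: auto|true|false; with "auto" the hardening is applied only when the installed slirp4netns supports it, set "true" to require it`. In the second hunk both variables are expanded unquoted, so a value containing whitespace would be split into extra rootlesskit arguments; `--slirp4netns-sandbox="$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX" \` (and the same for the seccomp line) keeps each as one argument. The `exec $rootlesskit` command continues past the end of the hunk, so the remaining arguments are not visible here.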