
drop Docker patch for privileged and SELinux #1315

Merged (1 commit into bottlerocket-os:develop, Feb 12, 2021)

Conversation

bcressey (Contributor):

Issue number:
Follow-up to #1013

Description of changes:
This removes a patch that's no longer needed on newer versions of Docker, which vendor go-selinux after v1.0.0 and include the fix from opencontainers/selinux@fd7b61c. That ensures that root filesystems of privileged containers still end up with a writable mount label.

Testing done:
Built the aws-dev variant and exercised the cases from #1011.

Privileged:

docker run -it --privileged amazonlinux:2 bash

bash-4.2# touch test
bash-4.2# head -n1 /proc/mounts
overlay / overlay rw,context="system_u:object_r:local_t:s0:c159,c466",...
bash-4.2# cat /proc/self/attr/current
system_u:system_r:container_t:s0

Label disabled:

docker run -it --security-opt label:disable amazonlinux:2 bash

bash-4.2# touch test
bash-4.2# head -n1 /proc/mounts
overlay / overlay rw,context="system_u:object_r:local_t:s0:c12,c282",...
bash-4.2# cat /proc/self/attr/current
system_u:system_r:container_t:s0

Normal:

docker run -it amazonlinux:2 bash

bash-4.2# touch test
bash-4.2# head -n1 /proc/mounts
overlay / overlay rw,context="system_u:object_r:local_t:s0:c17,c466",...
bash-4.2# cat /proc/self/attr/current
system_u:system_r:container_t:s0:c17,c466

Note that the system_u:system_r:container_t:s0 label assigned to the "privileged" and "label disabled" containers is in theory less privileged than a label like system_u:system_r:container_t:s0:c17,c466.

This isn't a problem yet since we don't enforce MCS separation, but will need to be corrected separately by adjusting the SELinux policy.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

We added this patch when we were on Docker 18.09.9, which vendored a
copy of go-selinux at commit b6fa367. In that version, passing the
"disable" option would clear both the process and mount labels. A fix
for this was merged into go-selinux at commit b5cb66b, so the mount
label would no longer be cleared. The fix was present in v1.0.0 and
later versions.

When we moved to Docker 19.03.12, the vendored copy of go-selinux had
been updated to v1.3.1, and we no longer needed the patch to ensure
that the root filesystem of a privileged container would be mounted
with the expected label to allow writes.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
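The "Testing done" section above inspects two things per container: the root overlay line in /proc/mounts (is it rw, and does it carry a context= mount label?) and the process label in /proc/self/attr/current (does it carry MCS categories, and do they agree with the mount label?). The following Python is an added example, not code from this PR or the Bottlerocket repository: it parses those two outputs and reports the checks the procedure implies. Its inputs are the three outputs quoted above plus one constructed /proc/mounts line with no context= option, which is assumed here to be what a root mount looked like when the old go-selinux cleared the mount label (the condition the dropped patch guarded against).

```python
"""Check a container's root-filesystem mount label against its process label.

Added example (not from the Bottlerocket PR): parses the root overlay line of
/proc/mounts and the label from /proc/self/attr/current, then reports
 (1) whether the rootfs is mounted rw with an explicit context= label, which is
     what the dropped patch used to guarantee for privileged containers, and
 (2) whether the process label carries MCS categories that match the mount
     label, the follow-up concern the PR notes for privileged / label-disabled
     containers (only enforced once the SELinux policy separates MCS).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SELinuxLabel:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset  # MCS categories such as {"c17", "c466"}; empty if none


def parse_label(label: str) -> SELinuxLabel:
    """Split 'user:role:type:s0[:c17,c466]' into its components."""
    parts = label.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not an SELinux label: {label!r}")
    user, role, typ, sens = parts[:4]
    cats = frozenset(c for c in parts[4].split(",") if c) if len(parts) > 4 else frozenset()
    return SELinuxLabel(user, role, typ, sens, cats)


def parse_mount_line(line: str) -> Dict[str, Optional[str]]:
    """Extract mount point, fs type, rw flag and context= from a /proc/mounts line.

    Field 4 is the comma-separated option list. The context option is quoted and
    may itself contain commas (c159,c466), so it is matched as a unit and removed
    before the remaining options are split on commas.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"malformed /proc/mounts line: {line!r}")
    opts = fields[3]
    m = re.search(r'context="([^"]*)"', opts)
    context = m.group(1) if m else None
    plain_opts = re.sub(r'context="[^"]*",?', "", opts).split(",")
    return {
        "mountpoint": fields[1],
        "fstype": fields[2],
        "writable": "rw" in plain_opts,
        "context": context,
    }


def assess(mount_line: str, process_label: str) -> Dict[str, bool]:
    """Combine both views into the checks the PR's test procedure implies."""
    mnt = parse_mount_line(mount_line)
    proc = parse_label(process_label)
    mount_lbl = parse_label(mnt["context"]) if mnt["context"] else None
    return {
        # the dropped patch existed to keep this true for privileged containers
        "rootfs_writable_with_context": bool(mnt["writable"] and mount_lbl),
        # the process is confined to container_t at all
        "process_is_container_t": proc.type == "container_t",
        # MCS categories are present on the process label
        "process_has_mcs": bool(proc.categories),
        # rootfs and process categories agree; meaningful once MCS is enforced
        "mcs_categories_match": mount_lbl is not None and mount_lbl.categories == proc.categories,
    }


# Outputs quoted from the PR's "Testing done" section (trailing "..." as shown there).
PRIVILEGED = ('overlay / overlay rw,context="system_u:object_r:local_t:s0:c159,c466",...',
              "system_u:system_r:container_t:s0")
LABEL_DISABLED = ('overlay / overlay rw,context="system_u:object_r:local_t:s0:c12,c282",...',
                  "system_u:system_r:container_t:s0")
NORMAL = ('overlay / overlay rw,context="system_u:object_r:local_t:s0:c17,c466",...',
          "system_u:system_r:container_t:s0:c17,c466")
# Constructed (assumption): a root mount with the mount label cleared, i.e. no context= option.
NO_CONTEXT = "overlay / overlay rw,..."

if __name__ == "__main__":
    for name, (line, label) in (("privileged", PRIVILEGED),
                                ("label-disabled", LABEL_DISABLED),
                                ("normal", NORMAL)):
        print(name, assess(line, label))
    print("cleared mount label:", parse_mount_line(NO_CONTEXT))
```

Run inside a container, the same two inputs can be read live with `head -n1 /proc/mounts` and `cat /proc/self/attr/current`; the "normal" case is the only one of the three where every check is true, and the privileged and label-disabled cases show the MCS mismatch the PR defers to a later policy change.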
@samuelkarp (Contributor):

This patch is no longer needed after #1264?

@bcressey (Contributor, Author):

> This patch is no longer needed after #1264?

It wasn't needed after #1025 but we didn't realize it at the time, since it had just been added in #1013.

@bcressey bcressey merged commit c5eafc0 into bottlerocket-os:develop Feb 12, 2021
@bcressey bcressey deleted the drop-privileged-patch branch February 12, 2021 04:14