From 84a11b7762fdb96b2f5a9566e35d905cd842584d Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Mon, 7 Apr 2014 12:40:41 -0700 Subject: [PATCH 1/5] Move -o cli flag and DriverConfig from HostConfig Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) Upstream-commit: ffebcb660f666e3a2a7be6b838ebd55f524d5b5d Component: engine --- components/engine/runconfig/hostconfig.go | 2 -- components/engine/runconfig/parse.go | 10 +--------- components/engine/runtime/container.go | 6 +----- 3 files changed, 2 insertions(+), 16 deletions(-) diff --git a/components/engine/runconfig/hostconfig.go b/components/engine/runconfig/hostconfig.go index 9a92258644..55a308a5b8 100644 --- a/components/engine/runconfig/hostconfig.go +++ b/components/engine/runconfig/hostconfig.go @@ -14,7 +14,6 @@ type HostConfig struct { PortBindings nat.PortMap Links []string PublishAllPorts bool - DriverOptions map[string][]string } func ContainerHostConfigFromJob(job *engine.Job) *HostConfig { @@ -25,7 +24,6 @@ func ContainerHostConfigFromJob(job *engine.Job) *HostConfig { } job.GetenvJson("LxcConf", &hostConfig.LxcConf) job.GetenvJson("PortBindings", &hostConfig.PortBindings) - job.GetenvJson("DriverOptions", &hostConfig.DriverOptions) if Binds := job.GetenvList("Binds"); Binds != nil { hostConfig.Binds = Binds } diff --git a/components/engine/runconfig/parse.go b/components/engine/runconfig/parse.go index c93ec26ed1..3ca326fca6 100644 --- a/components/engine/runconfig/parse.go +++ b/components/engine/runconfig/parse.go @@ -45,7 +45,6 @@ func parseRun(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Conf flDnsSearch = opts.NewListOpts(opts.ValidateDomain) flVolumesFrom opts.ListOpts flLxcOpts opts.ListOpts - flDriverOpts opts.ListOpts flEnvFile opts.ListOpts flAutoRemove = cmd.Bool([]string{"#rm", "-rm"}, false, "Automatically remove the container when it exits (incompatible with -d)") 
@@ -79,8 +78,7 @@ func parseRun(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Conf cmd.Var(&flDns, []string{"#dns", "-dns"}, "Set custom dns servers") cmd.Var(&flDnsSearch, []string{"-dns-search"}, "Set custom dns search domains") cmd.Var(&flVolumesFrom, []string{"#volumes-from", "-volumes-from"}, "Mount volumes from the specified container(s)") - cmd.Var(&flLxcOpts, []string{"#lxc-conf", "#-lxc-conf"}, "(lxc exec-driver only) Add custom lxc options --lxc-conf=\"lxc.cgroup.cpuset.cpus = 0,1\"") - cmd.Var(&flDriverOpts, []string{"o", "-opt"}, "Add custom driver options") + cmd.Var(&flLxcOpts, []string{"#lxc-conf", "-lxc-conf"}, "(lxc exec-driver only) Add custom lxc options --lxc-conf=\"lxc.cgroup.cpuset.cpus = 0,1\"") if err := cmd.Parse(args); err != nil { return nil, nil, cmd, err @@ -224,11 +222,6 @@ func parseRun(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Conf WorkingDir: *flWorkingDir, } - driverOptions, err := parseDriverOpts(flDriverOpts) - if err != nil { - return nil, nil, cmd, err - } - hostConfig := &HostConfig{ Binds: binds, ContainerIDFile: *flContainerIDFile, @@ -237,7 +230,6 @@ func parseRun(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Conf PortBindings: portBindings, Links: flLinks.GetAll(), PublishAllPorts: *flPublishAll, - DriverOptions: driverOptions, } if sysInfo != nil && flMemory > 0 && !sysInfo.SwapLimit { diff --git a/components/engine/runtime/container.go b/components/engine/runtime/container.go index bd4a6f2bea..a5a2f25c64 100644 --- a/components/engine/runtime/container.go +++ b/components/engine/runtime/container.go @@ -361,12 +361,8 @@ func (container *Container) Attach(stdin io.ReadCloser, stdinCloser io.Closer, s func populateCommand(c *Container) { var ( en *execdriver.Network - driverConfig = c.hostConfig.DriverOptions - ) - - if driverConfig == nil { driverConfig = make(map[string][]string) - } + ) en = &execdriver.Network{ Mtu: c.runtime.config.Mtu, 
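Review bot: The surviving `cmd.Var(&flLxcOpts, ...)` line also changes the alias from `"#-lxc-conf"` to `"-lxc-conf"`, which is unrelated to the `-o` removal the subject describes; if the `#` prefix marks a deprecated or hidden alias in this flag package, as it appears to, this one character silently re-exposes `--lxc-conf` in the help output. Since that flag feeds custom lxc options straight into container setup, its visibility is a deliberate choice: either restore `"#-lxc-conf"` or state the intent in the commit message. parseRun starts before this hunk and continues past it.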
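Review bot: After this hunk `driverConfig` is always the fresh, empty map from the kept `driverConfig = make(map[string][]string)` line, so whatever consumes it further down in populateCommand now never receives any driver options. If options are meant to come from daemon-level configuration later, a `// TODO: driver options are no longer user-supplied; populate from daemon config` comment at the declaration would save the next reader a search for missing plumbing; if they are gone for good, drop the variable and its consumer instead. populateCommand continues past the end of the hunk.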
From f0b2c345c00f5711d18de141ebd7e318ee6bd7d3 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Mon, 7 Apr 2014 13:29:24 -0700 Subject: [PATCH 2/5] Remove selinux build tag Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) Upstream-commit: b1e98e06dc62b0d25f98ea9a2fd94e41cc1d20e2 Component: engine --- components/engine/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/engine/Dockerfile b/components/engine/Dockerfile index 2de5b34171..42438e3946 100644 --- a/components/engine/Dockerfile +++ b/components/engine/Dockerfile @@ -87,7 +87,7 @@ RUN git config --global user.email 'docker-dummy@example.com' VOLUME /var/lib/docker WORKDIR /go/src/github.com/dotcloud/docker -ENV DOCKER_BUILDTAGS apparmor selinux +ENV DOCKER_BUILDTAGS apparmor # Wrap all commands in the "docker-in-docker" script to allow nested containers ENTRYPOINT ["hack/dind"] From b9794db2727ca701066c622dec1ae353ced24ba4 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Mon, 7 Apr 2014 14:09:46 -0700 Subject: [PATCH 3/5] Add more label checks for selinux enabled Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) Upstream-commit: aaf018017c88a707b35115a9411e4069d9356748 Component: engine --- components/engine/Dockerfile | 2 +- components/engine/pkg/label/label_selinux.go | 36 +++++++++++--------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/components/engine/Dockerfile b/components/engine/Dockerfile index 42438e3946..2de5b34171 100644 --- a/components/engine/Dockerfile +++ b/components/engine/Dockerfile @@ -87,7 +87,7 @@ RUN git config --global user.email 'docker-dummy@example.com' VOLUME /var/lib/docker WORKDIR /go/src/github.com/dotcloud/docker -ENV DOCKER_BUILDTAGS apparmor +ENV DOCKER_BUILDTAGS apparmor selinux # Wrap all commands in the "docker-in-docker" script to allow nested containers ENTRYPOINT ["hack/dind"] 
diff --git a/components/engine/pkg/label/label_selinux.go b/components/engine/pkg/label/label_selinux.go index d807b2b408..9f7463f79b 100644 --- a/components/engine/pkg/label/label_selinux.go +++ b/components/engine/pkg/label/label_selinux.go @@ -9,30 +9,31 @@ import ( ) func GenLabels(options string) (string, string, error) { - processLabel, mountLabel := selinux.GetLxcContexts() - if processLabel == "" { // SELinux is disabled + if !selinux.SelinuxEnabled() { return "", "", nil } - - var ( - err error - s = strings.Fields(options) - l = len(s) - ) - if l > 0 { - pcon := selinux.NewContext(processLabel) - for i := 0; i < l; i++ { - o := strings.Split(s[i], "=") - pcon[o[0]] = o[1] + var err error + processLabel, mountLabel := selinux.GetLxcContexts() + if processLabel != "" { + var ( + s = strings.Fields(options) + l = len(s) + ) + if l > 0 { + pcon := selinux.NewContext(processLabel) + for i := 0; i < l; i++ { + o := strings.Split(s[i], "=") + pcon[o[0]] = o[1] + } + processLabel = pcon.Get() + mountLabel, err = selinux.CopyLevel(processLabel, mountLabel) } - processLabel = pcon.Get() - mountLabel, err = selinux.CopyLevel(processLabel, mountLabel) } return processLabel, mountLabel, err } func FormatMountLabel(src string, mountLabel string) string { - if mountLabel != "" { + if selinux.SelinuxEnabled() && mountLabel != "" { switch src { case "": src = fmt.Sprintf("%s,context=%s", src, mountLabel) @@ -65,6 +66,9 @@ func SetFileLabel(path string, fileLabel string) error { } func GetPidCon(pid int) (string, error) { + if !selinux.SelinuxEnabled() { + return "", nil + } return selinux.Getpidcon(pid) } From 3a7c03a563efbac1d76a08717bf49e9ee4cb48db Mon Sep 17 00:00:00 2001 
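Review bot: The re-indented option loop in GenLabels still indexes `o[1]` right after `strings.Split(s[i], "=")`, so a token in `options` without an `=` panics with an index out of range instead of returning an error; `options` looks like caller-supplied text, which makes this a crash on malformed input rather than a validation failure. Use `o := strings.SplitN(s[i], "=", 2)` followed by `if len(o) != 2 { return "", "", fmt.Errorf("invalid label option %q", s[i]) }` before `pcon[o[0]] = o[1]`; `fmt` is already imported for FormatMountLabel. The new `SelinuxEnabled()` early return also makes the later `processLabel != ""` branch mostly redundant, which is worth a one-line comment if it is kept as a second safety net.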
From: Michael Crosby Date: Mon, 7 Apr 2014 14:43:50 -0700 Subject: [PATCH 4/5] Ensure that selinux is disabled by default This also includes some portability changes so that the package can be imported with the top level runtime. Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) Upstream-commit: 82f37b874ea17c5e0040f3e41dc761c88d576e33 Component: engine --- components/engine/daemonconfig/config.go | 2 ++ components/engine/pkg/selinux/selinux.go | 16 ++++++---------- components/engine/pkg/selinux/selinux_test.go | 5 +---- components/engine/pkg/system/calls_linux.go | 4 ++++ components/engine/pkg/system/unsupported.go | 4 ++++ components/engine/runtime/runtime.go | 4 ++++ 6 files changed, 21 insertions(+), 14 deletions(-) diff --git a/components/engine/daemonconfig/config.go b/components/engine/daemonconfig/config.go index 1abb6f8b89..146916d79a 100644 --- a/components/engine/daemonconfig/config.go +++ b/components/engine/daemonconfig/config.go @@ -28,6 +28,7 @@ type Config struct { ExecDriver string Mtu int DisableNetwork bool + EnableSelinuxSupport bool } // ConfigFromJob creates and returns a new DaemonConfig object @@ -45,6 +46,7 @@ func ConfigFromJob(job *engine.Job) *Config { InterContainerCommunication: job.GetenvBool("InterContainerCommunication"), GraphDriver: job.Getenv("GraphDriver"), ExecDriver: job.Getenv("ExecDriver"), + EnableSelinuxSupport: false, // FIXME: hardcoded default to disable selinux for .10 release } if dns := job.GetenvList("Dns"); dns != nil { config.Dns = dns diff --git a/components/engine/pkg/selinux/selinux.go b/components/engine/pkg/selinux/selinux.go index 5362308617..d2d90b1b37 100644 --- a/components/engine/pkg/selinux/selinux.go +++ b/components/engine/pkg/selinux/selinux.go 
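Review bot: `EnableSelinuxSupport: false` is a literal rather than `job.GetenvBool("EnableSelinuxSupport")`, so the new field cannot be turned on by any caller and, through the `selinux.SetDisabled()` call added in runtime.go, every daemon now runs containers unlabelled even on hosts where SELinux is enforcing — a quiet step back from labelling whenever SELinux was detected. If that is the intended .10 behaviour, the FIXME should name the tracking issue, the struct field should carry a doc comment such as `// EnableSelinuxSupport turns on SELinux labelling of containers; currently forced off in ConfigFromJob.`, and the daemon should log the effective setting at start-up so operators can see that labelling is off. Both hunks sit inside the Config struct and ConfigFromJob, which extend beyond the diff.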
@@ -39,6 +39,11 @@ var ( type SELinuxContext map[string]string +// SetDisabled disables selinux support for the package +func SetDisabled() { + selinuxEnabled, selinuxEnabledChecked = false, true +} + func GetSelinuxMountPoint() string { if selinuxfs != "unknown" { return selinuxfs @@ -140,15 +145,6 @@ func Setfilecon(path string, scon string) error { return system.Lsetxattr(path, xattrNameSelinux, []byte(scon), 0) } -func Getfilecon(path string) (string, error) { - var scon []byte - - cnt, err := syscall.Getxattr(path, xattrNameSelinux, scon) - scon = make([]byte, cnt) - cnt, err = syscall.Getxattr(path, xattrNameSelinux, scon) - return string(scon), err -} - func Setfscreatecon(scon string) error { return writeCon("/proc/self/attr/fscreate", scon) } @@ -188,7 +184,7 @@ func writeCon(name string, val string) error { } func Setexeccon(scon string) error { - return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), scon) + return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", system.Gettid()), scon) } func (c SELinuxContext) Get() string { diff --git a/components/engine/pkg/selinux/selinux_test.go b/components/engine/pkg/selinux/selinux_test.go index 6b59c1db11..181452ae75 100644 --- a/components/engine/pkg/selinux/selinux_test.go +++ b/components/engine/pkg/selinux/selinux_test.go @@ -12,9 +12,7 @@ func testSetfilecon(t *testing.T) { out, _ := os.OpenFile(tmp, os.O_WRONLY, 0) out.Close() err := selinux.Setfilecon(tmp, "system_u:object_r:bin_t:s0") - if err == nil { - t.Log(selinux.Getfilecon(tmp)) - } else { + if err != nil { t.Log("Setfilecon failed") t.Fatal(err) } @@ -41,7 +39,6 @@ func TestSELinux(t *testing.T) { pid := os.Getpid() t.Log("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023)) t.Log(selinux.Getcon()) - t.Log(selinux.Getfilecon("/etc/passwd")) err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0") if err == nil { t.Log(selinux.Getfscreatecon()) 
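Review bot: `SetDisabled` writes the package-level `selinuxEnabled`/`selinuxEnabledChecked` pair with no synchronisation while `SelinuxEnabled()` reads them lazily, so the call is only safe before any other goroutine uses the package, and there is no way to re-enable afterwards. Say so in the comment: `// SetDisabled forces SelinuxEnabled to report false for the rest of the process. It is not safe to call concurrently with other package functions; call it once during daemon start-up, before any labelling.`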
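Review bot: `Setexeccon` writes to `/proc/self/task/<tid>/attr/exec` for whatever OS thread `system.Gettid()` reports at that instant, but a goroutine can be rescheduled onto another thread before the following exec unless the caller holds `runtime.LockOSThread()` across the whole sequence; the swap to `system.Gettid()` does not change that, and on the unsupported-platform stub (returns 0) the path becomes `/proc/self/task/0/attr/exec`, which simply fails in writeCon. Document the contract above the function: `// Setexeccon sets the label applied to the next exec on the calling OS thread; the caller must hold runtime.LockOSThread() from before this call until the exec completes.`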
diff --git a/components/engine/pkg/system/calls_linux.go b/components/engine/pkg/system/calls_linux.go index 43c00ed554..cc4727aaa2 100644 --- a/components/engine/pkg/system/calls_linux.go +++ b/components/engine/pkg/system/calls_linux.go @@ -143,3 +143,7 @@ func SetCloneFlags(cmd *exec.Cmd, flag uintptr) { } cmd.SysProcAttr.Cloneflags = flag } + +func Gettid() int { + return syscall.Gettid() +} diff --git a/components/engine/pkg/system/unsupported.go b/components/engine/pkg/system/unsupported.go index eb3ec7ee92..c52a1e5d00 100644 --- a/components/engine/pkg/system/unsupported.go +++ b/components/engine/pkg/system/unsupported.go @@ -13,3 +13,7 @@ func SetCloneFlags(cmd *exec.Cmd, flag uintptr) { func UsetCloseOnExec(fd uintptr) error { return ErrNotSupportedPlatform } + +func Gettid() int { + return 0 +} diff --git a/components/engine/runtime/runtime.go b/components/engine/runtime/runtime.go index d35e2d653a..864874c8e4 100644 --- a/components/engine/runtime/runtime.go +++ b/components/engine/runtime/runtime.go @@ -11,6 +11,7 @@ import ( "github.com/dotcloud/docker/image" "github.com/dotcloud/docker/pkg/graphdb" "github.com/dotcloud/docker/pkg/mount" + "github.com/dotcloud/docker/pkg/selinux" "github.com/dotcloud/docker/pkg/sysinfo" "github.com/dotcloud/docker/runconfig" "github.com/dotcloud/docker/runtime/execdriver" @@ -723,6 +724,9 @@ func NewRuntime(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, erro } func NewRuntimeFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, error) { + if !config.EnableSelinuxSupport { + selinux.SetDisabled() + } // Set the default driver graphdriver.DefaultDriver = config.GraphDriver From bbc3856401990bc47355dcc9a69c6d8be6a8724e Mon Sep 17 00:00:00 2001 
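Review bot: The new `Gettid` stub in unsupported.go returns `0`, a value that looks like a real thread id, while the neighbouring stubs in that file report `ErrNotSupportedPlatform`; since the signature carries no error, at least state it above the function: `// Gettid is not supported on this platform and always returns 0.` The Linux wrapper in calls_linux.go would take the matching one-liner `// Gettid returns the kernel thread id of the calling OS thread.` so that callers know the value is only meaningful while the goroutine is pinned to that thread.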
From: Michael Crosby Date: Mon, 7 Apr 2014 14:59:44 -0700 Subject: [PATCH 5/5] Remove and unexport selinux functions Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) Upstream-commit: 028d44d12683b170704537c3435361ae8a4e74d8 Component: engine --- components/engine/pkg/selinux/selinux.go | 25 +++++++------------ components/engine/pkg/selinux/selinux_test.go | 2 -- 2 files changed, 9 insertions(+), 18 deletions(-) diff --git a/components/engine/pkg/selinux/selinux.go b/components/engine/pkg/selinux/selinux.go index d2d90b1b37..edabc4f7dd 100644 --- a/components/engine/pkg/selinux/selinux.go +++ b/components/engine/pkg/selinux/selinux.go @@ -44,7 +44,7 @@ func SetDisabled() { selinuxEnabled, selinuxEnabledChecked = false, true } -func GetSelinuxMountPoint() string { +func getSelinuxMountPoint() string { if selinuxfs != "unknown" { return selinuxfs } @@ -75,15 +75,15 @@ func SelinuxEnabled() bool { return selinuxEnabled } selinuxEnabledChecked = true - if fs := GetSelinuxMountPoint(); fs != "" { - if con, _ := Getcon(); con != "kernel" { + if fs := getSelinuxMountPoint(); fs != "" { + if con, _ := getcon(); con != "kernel" { selinuxEnabled = true } } return selinuxEnabled } -func ReadConfig(target string) (value string) { +func readConfig(target string) (value string) { var ( val, key string bufin *bufio.Reader @@ -124,8 +124,8 @@ func ReadConfig(target string) (value string) { return "" } -func GetSELinuxPolicyRoot() string { - return selinuxDir + ReadConfig(selinuxTypeTag) +func getSELinuxPolicyRoot() string { + return selinuxDir + readConfig(selinuxTypeTag) } func readCon(name string) (string, error) { @@ -153,7 +153,7 @@ func Getfscreatecon() (string, error) { return readCon("/proc/self/attr/fscreate") } -func Getcon() (string, error) { +func getcon() (string, error) { return readCon("/proc/self/attr/current") } 
@@ -220,7 +220,7 @@ func SelinuxGetEnforce() int { } func SelinuxGetEnforceMode() int { - switch ReadConfig(selinuxTag) { + switch readConfig(selinuxTag) { case "enforcing": return Enforcing case "permissive": @@ -292,13 +292,6 @@ func uniqMcs(catRange uint32) string { return mcs } -func FreeContext(con string) { - if con != "" { - scon := NewContext(con) - mcsDelete(scon["level"]) - } -} - func GetLxcContexts() (processLabel string, fileLabel string) { var ( val, key string @@ -308,7 +301,7 @@ func GetLxcContexts() (processLabel string, fileLabel string) { if !SelinuxEnabled() { return "", "" } - lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", GetSELinuxPolicyRoot()) + lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", getSELinuxPolicyRoot()) in, err := os.Open(lxcPath) if err != nil { return "", "" diff --git a/components/engine/pkg/selinux/selinux_test.go b/components/engine/pkg/selinux/selinux_test.go index 181452ae75..fde6ab147d 100644 --- a/components/engine/pkg/selinux/selinux_test.go +++ b/components/engine/pkg/selinux/selinux_test.go @@ -38,7 +38,6 @@ func TestSELinux(t *testing.T) { t.Log("getenforcemode ", selinux.SelinuxGetEnforceMode()) pid := os.Getpid() t.Log("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023)) - t.Log(selinux.Getcon()) err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0") if err == nil { t.Log(selinux.Getfscreatecon()) @@ -54,7 +53,6 @@ func TestSELinux(t *testing.T) { t.Fatal(err) } t.Log(selinux.Getpidcon(1)) - t.Log(selinux.GetSelinuxMountPoint()) } else { t.Log("Disabled") }
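Review bot: Removing `FreeContext` leaves `mcsDelete` with no caller visible in this diff, so MCS category pairs reserved by `uniqMcs` apparently are never returned once a container's label is released; over a long-lived daemon the reserved set can only grow until no fresh categories remain. If release happens elsewhere, name that call site in the commit message; otherwise keep an unexported `freeContext` and invoke it when a container is removed. uniqMcs and GetLxcContexts extend beyond the hunk.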