mqueue can not be mounted on the host os and then shared into the container.
There is only one mqueue per mount namespace, so current code ends up leaking
the /dev/mqueue from the host into ALL containers. Since SELinux changes the
label of the mqueue, only the last container is able to use the mqueue, all
other containers will get a permission denied. If you don't have SELinux protections
sharing of the /dev/mqueue allows one container to interact in potentially hostile
ways with other containers.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Upstream-commit: ba38d58659cc155aebf89a2ea4cfc3cd7ba04a64
Component: engine
There were a few spelling issues that I noticed when reading about shared mounts.
Signed-off-by: jgeiger <joey.geiger@irco.com>
Upstream-commit: 318b4f0b5f0639149f5e88aba805cdd454d4d9ee
Component: engine
We cannot rely on the tar command for this type of operation because tar
versions, flags, and functionality can very from distro to distro.
Since this is in the container execution path it is not safe to have
this as a dependency from dockers POV where the user cannot change the
fact that docker is adding these pre and post mount commands.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: ae8ec4860e68e945cf6b2c157fa4e243c35c54a5
Component: engine
dockerinit has been around for a very long time. It was originally used
as a way for us to do configuration for LXC containers once the
container had started. LXC is no longer supported, and /.dockerinit has
been dead code for quite a while. This removes all code and references
in code to dockerinit.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
Upstream-commit: 4357ed4a7363a1032edf93cf03232953c805184f
Component: engine
This syscall is used by Go on i386 binaries, although not by libc.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 13a9d4e8993997b2bf9be7e96a8d7978a73d0b9b
Component: engine
It's "/docker" for cgroupfs and "system.slice" for systemd.
Fix#19140
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: c1cd45d547ef26cf988dc72d456430361dafcf08
Component: engine
This version is sometimes used eg by glibc on x86
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 822c4f79ab5c84d48bbdd5534cdfd98990cdcee7
Component: engine
In the default seccomp rule, allow use of 32 bit syscalls on
64 bit architectures, so you can run x86 Linux images on x86_64
without disabling seccomp or using a custom rule.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: ca3ae72e43a0e6ad2f4f548586110c2e296ae1e9
Component: engine
This is used on some 32 bit architectures, eg x86
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: d8e06d54cf3f6478ba85f60cca4a9b03bbc68f10
Component: engine
This is the newer verion of lseek on many 32 bit platforms
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 923609179b18fb5fc9d4ad7820646af7e09786a2
Component: engine
Being able to obtain a file handle is no use as we cannot perform
any operation in it, and it may leak kernel state.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: c1b57fc1c9e230b95c2c76d1eaca0e3622fc72d5
Component: engine
This change is done so that driver_unsupported.go and driver_unsupported_nocgo.go
declare the same signature for NewDriver as driver.go.
Fixes#19032
Signed-off-by: Lukas Waslowski <cr7pt0gr4ph7@gmail.com>
Upstream-commit: 9a03967f0abae4cc1dca00f339c58c31579c45b5
Component: engine
This can be allowed because it should only restrict more per the seccomp docs, and multiple apps use it today.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: b610fc226afdf663b0ad46ad982c27fdee61f671
Component: engine
Block kcmp, procees_vm_readv, process_vm_writev.
All these require CAP_PTRACE, and are only used for ptrace related
actions, so are not useful as we block ptrace.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: a0a8ca0ae0bc9dc7faa0b8bacf4ca376c7257348
Component: engine
The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 33568405f34f363de49b1146119cc53bcb9e5f16
Component: engine
These provide an in kernel virtual machine for x86 real mode on x86
used by one very early DOS emulator. Not required for any normal use.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6c3ea7a511ca641cdf4fa4da1d775d5b6f4bef3e
Component: engine
