p4u1/docker-cli
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
31,769 Commits 2 Branches 295 Tags
d51100a9ef80b51f30cdfd30f2fbe10d6915dd02
Commit Graph

7 Commits

Author SHA1 Message Date
Aaron.L.Xu
cdf7829892 fix some typos from module contrib to man 
Signed-off-by: Aaron.L.Xu <likexu@harmonycloud.cn>
Upstream-commit: e0577d5fe876ec92de21c808c31e97e052654223
Component: engine
 2017-02-18 10:08:55 +08:00
Justin Cormack
9c9701a340 Block obsolete socket families in the default seccomp profile 
Linux supports many obsolete address families, which are usually available in
common distro kernels, but they are less likely to be properly audited and
may have security issues

This blocks all socket families in the socket (and socketcall where applicable) syscall
except
- AF_UNIX - Unix domain sockets
- AF_INET - IPv4
- AF_INET6 - IPv6
- AF_NETLINK - Netlink sockets for communicating with the ekrnel
- AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW

All other socket families are blocked, including Appletalk (native, not
over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally
be used in containers, etc.

Note that users can of course provide a profile per container or in the daemon
config if they have unusual use cases that require these.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 7e3a596a63fd8d0ab958132901b6ded81f8b44c0
Component: engine
 2017-01-17 17:50:44 +00:00
Justin Cormack
b865964d4d Use runc version built without ambient capabilities 
Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.

Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.

Test for #27590

Update runc.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: c5251f7116e3d9095a7169fc31bd170dff997c2e
Component: engine
 2016-11-04 17:25:28 +00:00
Justin Cormack
980ac6c629 Add a test that the default seccomp profile allows execution of 32 bit binaries 
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.

This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.

There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 93bbc76ee53240e0862c6f1ff409e7a4ee0883dc
Component: engine
 2016-07-27 18:42:34 +01:00
allencloud
1c3431e16a fix typos 
Signed-off-by: allencloud <allen.sun@daocloud.io>
Upstream-commit: 4e959ef2f7f063803d04e06166f459257eb94b5c
Component: engine
 2016-07-23 11:32:23 +08:00
Tianon Gravi
2365ad5675 Switch "syscall-test" image from "debian:jessie" to "buildpack-deps:jessie" so that "gcc" is already included 
This results in a significant time savings during repeated builds (since we don't have to re-download gcc for every test run).

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: 9b2aab3fc85ab1d8cf7479b153e54d5dcceb7886
Component: engine
 2016-01-14 13:51:30 -08:00
Jessica Frazelle
902a67f4ef add more seccomp profile tests 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: 327421d1df557e156b29d14359a2bfdc59cfb46f
Component: engine
 2015-12-30 17:30:44 -08:00