This repository has been archived by the owner on Dec 13, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 316
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Introduce support for syscall filtering in containers #237
This PR introduces the ability to filter system calls on a per-container basis on Linux, using libseccomp to support multiple architectures. This adds another layer of security between containers and the kernel. System calls which are unnecessary in a container or problematic from a security perspective can be restricted to prevent their use. Most of the truly problematic syscalls are already restricted by dropping capabilities; this adds an additional, finer-grained layer of protection. This PR adds a vendored library dependency (Go bindings for libseccomp) and a build dependency on libseccomp >= v2.1. The actual changes to libcontainer are fairly minimal, most of the delta is in the libseccomp bindings. Docker-DCO-1.1-Signed-off-by: Dan Walsh <[email protected]> (github: rhatdan) Docker-DCO-1.1-Signed-off-by: Matt Heon <[email protected]> (github: mheon)
- Loading branch information
Showing
14 changed files
with
2,640 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,207 @@ | ||
// +build seccomp,linux,cgo | ||
|
||
package integration | ||
|
||
import ( | ||
"strings" | ||
"syscall" | ||
"testing" | ||
|
||
"github.com/docker/libcontainer" | ||
"github.com/docker/libcontainer/security/seccomp" | ||
) | ||
|
||
func TestSeccompDenyGetcwd(t *testing.T) { | ||
if testing.Short() { | ||
return | ||
} | ||
|
||
rootfs, err := newRootfs() | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer remove(rootfs) | ||
|
||
config := newTemplateConfig(rootfs) | ||
config.SeccompConfig = seccomp.SeccompConfig{ | ||
Enable: true, | ||
Whitelist: false, | ||
Syscalls: []seccomp.BlockedSyscall{ | ||
{ | ||
Name: "getcwd", | ||
}, | ||
}, | ||
} | ||
|
||
container, err := newContainer(config) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer container.Destroy() | ||
|
||
buffers := newStdBuffers() | ||
pwd := &libcontainer.Process{ | ||
Args: []string{"pwd"}, | ||
Env: standardEnvironment, | ||
Stdin: buffers.Stdin, | ||
Stdout: buffers.Stdout, | ||
Stderr: buffers.Stderr, | ||
} | ||
|
||
err = container.Start(pwd) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
ps, err := pwd.Wait() | ||
if err == nil { | ||
t.Fatal("Expecting error (negative return code); instead exited cleanly!") | ||
} | ||
|
||
var exitCode int | ||
status := ps.Sys().(syscall.WaitStatus) | ||
if status.Exited() { | ||
exitCode = status.ExitStatus() | ||
} else if status.Signaled() { | ||
exitCode = -int(status.Signal()) | ||
} else { | ||
t.Fatalf("Unrecognized exit reason!") | ||
} | ||
|
||
if exitCode == 0 { | ||
t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode) | ||
} | ||
|
||
expected := "pwd: getcwd: Operation not permitted" | ||
actual := strings.Trim(buffers.Stderr.String(), "\n") | ||
if actual != expected { | ||
t.Fatalf("Expected output %s but got %s\n", expected, actual) | ||
} | ||
} | ||
|
||
func TestSeccompPermitIoctlConditional(t *testing.T) { | ||
if testing.Short() { | ||
return | ||
} | ||
|
||
rootfs, err := newRootfs() | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer remove(rootfs) | ||
|
||
config := newTemplateConfig(rootfs) | ||
config.SeccompConfig = seccomp.SeccompConfig{ | ||
Enable: true, | ||
Whitelist: false, | ||
Syscalls: []seccomp.BlockedSyscall{ | ||
{ | ||
Name: "ioctl", | ||
Conditions: []seccomp.SyscallCondition { | ||
{ | ||
Argument: 0, | ||
Operator: ">", | ||
ValueOne: 1, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
container, err := newContainer(config) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer container.Destroy() | ||
|
||
buffers := newStdBuffers() | ||
dmesg := &libcontainer.Process{ | ||
Args: []string{"busybox", "date"}, | ||
Env: standardEnvironment, | ||
Stdin: buffers.Stdin, | ||
Stdout: buffers.Stdout, | ||
Stderr: buffers.Stderr, | ||
} | ||
|
||
err = container.Start(dmesg) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if _, err := dmesg.Wait(); err != nil { | ||
t.Fatalf("%s: %s", err, buffers.Stderr) | ||
} | ||
} | ||
|
||
func TestSeccompDenyIoctlConditional(t *testing.T) { | ||
if testing.Short() { | ||
return | ||
} | ||
|
||
rootfs, err := newRootfs() | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer remove(rootfs) | ||
|
||
config := newTemplateConfig(rootfs) | ||
config.SeccompConfig = seccomp.SeccompConfig{ | ||
Enable: true, | ||
Whitelist: false, | ||
Syscalls: []seccomp.BlockedSyscall{ | ||
{ | ||
Name: "ioctl", | ||
Conditions: []seccomp.SyscallCondition { | ||
{ | ||
Argument: 0, | ||
Operator: ">", | ||
ValueOne: 1, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
container, err := newContainer(config) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
defer container.Destroy() | ||
|
||
buffers := newStdBuffers() | ||
dmesg := &libcontainer.Process{ | ||
Args: []string{"busybox", "ipaddr"}, | ||
Env: standardEnvironment, | ||
Stdin: buffers.Stdin, | ||
Stdout: buffers.Stdout, | ||
Stderr: buffers.Stderr, | ||
} | ||
|
||
err = container.Start(dmesg) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
ps, err := dmesg.Wait(); | ||
if err == nil { | ||
t.Fatal("Expecting negative return, instead got 0!") | ||
} | ||
|
||
var exitCode int | ||
status := ps.Sys().(syscall.WaitStatus) | ||
if status.Exited() { | ||
exitCode = status.ExitStatus() | ||
} else if status.Signaled() { | ||
exitCode = -int(status.Signal()) | ||
} else { | ||
t.Fatalf("Unrecognized exit reason!") | ||
} | ||
|
||
if exitCode == 0 { | ||
t.Fatalf("Busybox should fail with negative exit code, instead got %d!", exitCode) | ||
} | ||
|
||
expected := "ipaddr: SIOCGIFTXQLEN: Operation not permitted" | ||
actual := strings.Trim(buffers.Stderr.String(), "\n") | ||
if actual != expected { | ||
t.Fatalf("Expected output %s but got %s\n", expected, actual) | ||
} | ||
} |
Oops, something went wrong.