Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rootless: disable unsupported security stuff #1834

Conversation

AkihiroSuda
Copy link
Member

Signed-off-by: Akihiro Suda [email protected]

@AkihiroSuda
Copy link
Member Author

cc @cyphar @williammartin @giuseppe

@giuseppe
Copy link
Member

giuseppe commented Jul 2, 2018

I am not a maintainer, but LGTM

// Disable unsupported security stuff
spec.Process.User.AdditionalGids = nil
spec.Process.ApparmorProfile = ""
spec.Process.SelinuxLabel = ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't just disable this stuff like that -- if a user has specified them in the configuration then we have to either fail or try to do what they've asked. If we just ignore it (which is what this change does) then we could lead users into thinking their container has security properties it doesn't.

Also spec.Process.User.AdditionalGids = nil will break containers that are using newgidmap to allow for setgroups and the mapping of multiple users (unless I'm mistaken). The same with CgroupsPath -- if a privileged process has set up cgroups for us then we can use them.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm closing but AdditionalGids is not supported either way at the moment even when newgidmap is used

https://github.com/opencontainers/runc/blob/3a079311a7e9afeab4b722616cefd2f9b4129104/libcontainer/init_linux.go#L286-#L294

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we forgot to fix / remove that check when we added newgidmap support -- in principle it should work now that you can have setgroups=allow in a rootless container.

@cyphar
Copy link
Member

cyphar commented Jul 2, 2018

NACK. I'm pretty sure this'll break configurations that we shouldn't be breaking -- I'm a little confused that the tests are passing when this change breaks cgroupsPath handling (something that we added in #1540).

@rhatdan
Copy link
Contributor

rhatdan commented Jul 2, 2018

SELinux labeling is supported for non privilged users. SELinux does not care about whether you are UID=0 or any other UID.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants