
Add lxc support for restricting proc
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

Michael Crosby 11 年 前
コミット
0779a8c328
2 ファイル変更29 行追加14 行削除
  1. 21 13
      daemon/execdriver/lxc/driver.go
  2. 8 1
      daemon/execdriver/lxc/lxc_template.go

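--- a/daemon/execdriver/lxc/driver.go
+++ b/daemon/execdriver/lxc/driver.go
@@ -59,9 +59,10 @@ func init() {
 }
 
 type driver struct {
-	root       string // root path for the driver to use
-	apparmor   bool
-	sharedRoot bool
+	root            string // root path for the driver to use
+	apparmor        bool
+	sharedRoot      bool
+	restrictionPath string
 }
 
 func NewDriver(root string, apparmor bool) (*driver, error) {
@@ -69,10 +70,15 @@ func NewDriver(root string, apparmor bool) (*driver, error) {
 	if err := linkLxcStart(root); err != nil {
 		return nil, err
 	}
+	restrictionPath := filepath.Join(root, "empty")
+	if err := os.MkdirAll(restrictionPath, 0700); err != nil {
+		return nil, err
+	}
 	return &driver{
-		apparmor:   apparmor,
-		root:       root,
-		sharedRoot: rootIsShared(),
+		apparmor:        apparmor,
+		root:            root,
+		sharedRoot:      rootIsShared(),
+		restrictionPath: restrictionPath,
 	}, nil
 }
 
@@ -403,14 +409,16 @@ func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {
 
 	if err := LxcTemplateCompiled.Execute(fo, struct {
 		*execdriver.Command
-		AppArmor     bool
-		ProcessLabel string
-		MountLabel   string
+		AppArmor          bool
+		ProcessLabel      string
+		MountLabel        string
+		RestrictionSource string
 	}{
-		Command:      c,
-		AppArmor:     d.apparmor,
-		ProcessLabel: process,
-		MountLabel:   mount,
+		Command:           c,
+		AppArmor:          d.apparmor,
+		ProcessLabel:      process,
+		MountLabel:        mount,
+		RestrictionSource: d.restrictionPath,
 	}); err != nil {
 		return "", err
 	}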
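Review bot: The directory created at `filepath.Join(root, "empty")` in NewDriver is handed to every container as RestrictionSource and bind-mounted over /proc paths, but os.MkdirAll only guarantees that it exists, not that it is empty; anything that later lands in that directory under the daemon root becomes readable from inside every container through the read-only bind. A check after the MkdirAll that the directory has no entries (ioutil.ReadDir, returning an error if it is non-empty) would make the invariant explicit rather than assumed. The struct field also deserves a comment stating its contract, e.g. `restrictionPath string // must stay empty: bind-mounted over sensitive /proc paths in every container`. The MkdirAll error is returned bare, unlike the wrapped style elsewhere in the daemon; `fmt.Errorf("creating restriction dir %s: %v", restrictionPath, err)` would tell the operator which path failed.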

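--- a/daemon/execdriver/lxc/lxc_template.go
+++ b/daemon/execdriver/lxc/lxc_template.go
@@ -109,8 +109,15 @@ lxc.mount.entry = {{$value.Source}} {{escapeFstabSpaces $ROOTFS}}/{{escapeFstabS
 {{if .AppArmor}}
 lxc.aa_profile = unconfined
 {{else}}
-#lxc.aa_profile = unconfined
+# not unconfined
 {{end}}
+{{else}}
+# restrict access to proc
+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/sys none bind,ro 0 0
+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/irq none bind,ro 0 0
+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/acpi none bind,ro 0 0
+lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/sysrq-trigger none bind,ro 0 0
+lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/kcore none bind,ro 0 0
 {{end}}
 
 # limits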
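Review bot: `{{.RestrictionSource}}` on the three new /proc/sys, /proc/irq and /proc/acpi entries is not passed through `escapeFstabSpaces`, while the `$ROOTFS` operand on the same lines is; a daemon root containing a space would produce a malformed lxc.mount.entry, so the restriction would either fail the container start or, worse, not be applied without any signal. Use `{{escapeFstabSpaces .RestrictionSource}}` on all three lines for consistency with the rest of the template. The `{{else}}` that opens the new block pairs with a conditional whose opening is outside this hunk, so which containers actually receive these mounts cannot be confirmed from the visible lines; a comment naming that condition next to `# restrict access to proc` would help readers. The two /dev/null entries also presumably rely on `{{$ROOTFS}}/dev/null` already existing when the mounts are processed — worth confirming against the device setup order.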