Merge pull request #4477 from creack/apparmor_native

Add AppArmor support to native driver + change pipe/dup logic

execdriver/native/default_template.go

@@ -37,6 +37,7 @@ func createContainer(c *execdriver.Command) *libcontainer.Container {
 	if c.Privileged {
 		container.Capabilities = nil
 		container.Cgroups.DeviceAccess = true
+		container.Context["apparmor_profile"] = "unconfined"
 	}
 	if c.Resources != nil {
 		container.Cgroups.CpuShares = c.Resources.CpuShares
@@ -78,5 +79,8 @@ func getDefaultTemplate() *libcontainer.Container {
 			Parent:       "docker",
 			DeviceAccess: false,
 		},
+		Context: libcontainer.Context{
+			"apparmor_profile": "docker-default",
+		},
 	}
 }

execdriver/native/driver.go

@@ -6,6 +6,7 @@ import (
 	"github.com/dotcloud/docker/execdriver"
 	"github.com/dotcloud/docker/pkg/cgroups"
 	"github.com/dotcloud/docker/pkg/libcontainer"
+	"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
 	"github.com/dotcloud/docker/pkg/libcontainer/nsinit"
 	"github.com/dotcloud/docker/pkg/system"
 	"io/ioutil"
@@ -62,6 +63,9 @@ func NewDriver(root string) (*driver, error) {
 	if err := os.MkdirAll(root, 0700); err != nil {
 		return nil, err
 	}
+	if err := apparmor.InstallDefaultProfile(); err != nil {
+		return nil, err
+	}
 	return &driver{
 		root: root,
 	}, nil

pkg/libcontainer/apparmor/apparmor.go

@@ -0,0 +1,29 @@
+package apparmor
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+)
+
+func IsEnabled() bool {
+	buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+	return err == nil && len(buf) > 1 && buf[0] == 'Y'
+}
+
+func ApplyProfile(pid int, name string) error {
+	if !IsEnabled() || name == "" {
+		return nil
+	}
+
+	f, err := os.OpenFile(fmt.Sprintf("/proc/%d/attr/current", pid), os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if _, err := fmt.Fprintf(f, "changeprofile %s", name); err != nil {
+		return err
+	}
+	return nil
+}

pkg/libcontainer/apparmor/setup.go

@@ -0,0 +1,98 @@
+package apparmor
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+)
+
+const DefaultProfilePath = "/etc/apparmor.d/docker"
+const DefaultProfile = `
+# AppArmor profile from lxc for containers.
+@{HOME}=@{HOMEDIRS}/*/ /root/
+@{HOMEDIRS}=/home/
+#@{HOMEDIRS}+=
+@{multiarch}=*-linux-gnu*
+@{PROC}=/proc/
+
+profile docker-default flags=(attach_disconnected,mediate_deleted) {
+  network,
+  capability,
+  file,
+  umount,
+  dbus,
+
+  # ignore DENIED message on / remount
+  deny mount options=(ro, remount) -> /,
+
+  # allow tmpfs mounts everywhere
+  mount fstype=tmpfs,
+
+  # allow mqueue mounts everywhere
+  mount fstype=mqueue,
+
+  # allow fuse mounts everywhere
+  mount fstype=fuse.*,
+
+  # allow bind mount of /lib/init/fstab for lxcguest
+  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
+  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+  deny @{PROC}/sys/fs/** wklx,
+
+  # allow efivars to be mounted, writing to it will be blocked though
+  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+  # block some other dangerous paths
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+  deny @{PROC}/sys/kernel/*/** wklx,
+
+  # deny writes in /sys except for /sys/fs/cgroup, also allow
+  # fusectl, securityfs and debugfs to be mounted there (read-only)
+  mount fstype=fusectl -> /sys/fs/fuse/connections/,
+  mount fstype=securityfs -> /sys/kernel/security/,
+  mount fstype=debugfs -> /sys/kernel/debug/,
+  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+  mount fstype=proc -> /proc/,
+  mount fstype=sysfs -> /sys/,
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+
+  # the container may never be allowed to mount devpts.  If it does, it
+  # will remount the host's devpts.  We could allow it to do it with
+  # the newinstance option (but, right now, we don't).
+  deny mount fstype=devpts,
+}
+`
+
+func InstallDefaultProfile() error {
+	if !IsEnabled() {
+		return nil
+	}
+
+	// If the profile already exists, let it be.
+	if _, err := os.Stat(DefaultProfilePath); err == nil {
+		return nil
+	}
+
+	if err := ioutil.WriteFile(DefaultProfilePath, []byte(DefaultProfile), 0644); err != nil {
+		return err
+	}
+
+	output, err := exec.Command("/lib/init/apparmor-profile-load", "docker").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("Error loading docker profile: %s (%s)", err, output)
+	}
+	return nil
+}

pkg/libcontainer/container.go

@@ -20,7 +20,8 @@ type Container struct {
 	Namespaces   Namespaces      `json:"namespaces,omitempty"`   // namespaces to apply
 	Capabilities Capabilities    `json:"capabilities,omitempty"` // capabilities to drop
 	Networks     []*Network      `json:"networks,omitempty"`     // nil for host's network stack
-	Cgroups      *cgroups.Cgroup `json:"cgroups,omitempty"`
+	Cgroups      *cgroups.Cgroup `json:"cgroups,omitempty"`      // cgroups
+	Context      Context         `json:"context,omitempty"`      // generic context for specific options (apparmor, selinux)
 }
 
 // Network defines configuration for a container's networking stack

pkg/libcontainer/nsinit/init.go

@@ -5,6 +5,7 @@ package nsinit
 import (
 	"fmt"
 	"github.com/dotcloud/docker/pkg/libcontainer"
+	"github.com/dotcloud/docker/pkg/libcontainer/apparmor"
 	"github.com/dotcloud/docker/pkg/libcontainer/capabilities"
 	"github.com/dotcloud/docker/pkg/libcontainer/network"
 	"github.com/dotcloud/docker/pkg/libcontainer/utils"
@@ -31,8 +32,6 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 	syncPipe.Close()
 
 	if console != "" {
-		// close pipes so that we can replace it with the pty
-		closeStdPipes()
 		slave, err := system.OpenTerminal(console, syscall.O_RDWR)
 		if err != nil {
 			return fmt.Errorf("open terminal %s", err)
@@ -50,14 +49,20 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		}
 	}
 
-	/*
-		if err := system.ParentDeathSignal(); err != nil {
-			return fmt.Errorf("parent death signal %s", err)
-		}
+	/* this is commented out so that we get the current Ghost functionality
+	if err := system.ParentDeathSignal(); err != nil {
+		return fmt.Errorf("parent death signal %s", err)
+	}
 	*/
+
 	if err := setupNewMountNamespace(rootfs, console, container.ReadonlyFs); err != nil {
 		return fmt.Errorf("setup mount namespace %s", err)
 	}
+
+	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+		return err
+	}
+
 	if err := setupNetwork(container, context); err != nil {
 		return fmt.Errorf("setup networking %s", err)
 	}
@@ -67,13 +72,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 	if err := finalizeNamespace(container); err != nil {
 		return fmt.Errorf("finalize namespace %s", err)
 	}
-	return system.Execv(args[0], args[0:], container.Env)
-}
 
-func closeStdPipes() {
-	os.Stdin.Close()
-	os.Stdout.Close()
-	os.Stderr.Close()
+	return system.Execv(args[0], args[0:], container.Env)
 }
 
 func setupUser(container *libcontainer.Container) error {
@@ -109,8 +109,8 @@ func setupUser(container *libcontainer.Container) error {
 // dupSlave dup2 the pty slave's fd into stdout and stdin and ensures that
 // the slave's fd is 0, or stdin
 func dupSlave(slave *os.File) error {
-	if slave.Fd() != 0 {
-		return fmt.Errorf("slave fd not 0 %d", slave.Fd())
+	if err := system.Dup2(slave.Fd(), 0); err != nil {
+		return err
 	}
 	if err := system.Dup2(slave.Fd(), 1); err != nil {
 		return err