
Warn if kernel does not support overlay/overlay2 with selinux

We first added an error to disallow overlay with SELinux enabled. Later we
removed it, as the kernel was getting close to gaining the support. But this
means the user does not get a meaningful message on old kernels.

This patch introduces a warning (Instead of error). Difference is that it
dynamically tries to detect if underlying kernel supports overlayfs with
selinux or not. And if it does not, it warns.

It will not warn if it detects that kernel supports overlayfs with selinux.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Vivek Goyal 8 anni fa
parent
commit
885b29df09
1 ha cambiato i file con 46 aggiunte e 0 eliminazioni
  1. 46 0
      daemon/daemon_unix.go

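--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -3,6 +3,7 @@
 package daemon
 
 import (
+	"bufio"
 	"bytes"
 	"fmt"
 	"io/ioutil"
@@ -596,11 +597,56 @@ func configureMaxThreads(config *Config) error {
 	return nil
 }
 
+func overlaySupportsSelinux() (bool, error) {
+	f, err := os.Open("/proc/kallsyms")
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	defer f.Close()
+
+	var symAddr, symType, symName, text string
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		if err := s.Err(); err != nil {
+			return false, err
+		}
+
+		text = s.Text()
+		if _, err := fmt.Sscanf(text, "%s %s %s", &symAddr, &symType, &symName); err != nil {
+			return false, fmt.Errorf("Scanning '%s' failed: %s", text, err)
+		}
+
+		// Check for presence of symbol security_inode_copy_up.
+		if symName == "security_inode_copy_up" {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // configureKernelSecuritySupport configures and validates security support for the kernel
 func configureKernelSecuritySupport(config *Config, driverName string) error {
 	if config.EnableSelinuxSupport {
 		if !selinuxEnabled() {
 			logrus.Warn("Docker could not enable SELinux on the host system")
+			return nil
+		}
+
+		if driverName == "overlay" || driverName == "overlay2" {
+			// If driver is overlay or overlay2, make sure kernel
+			// supports selinux with overlay.
+			supported, err := overlaySupportsSelinux()
+			if err != nil {
+				return err
+			}
+
+			if !supported {
+				logrus.Warnf("SELinux is not supported with the %s graph driver on this kernel", driverName)
+			}
 		}
 	} else {
 		selinuxSetDisabled()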
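Review bot: The `s.Err()` check inside the `for s.Scan()` loop of overlaySupportsSelinux can never fire, because Scan returns false as soon as it hits an error; the loop then exits and the final `return false, nil` silently reports "unsupported" on a read failure or an over-long line (bufio.ErrTooLong), which would produce a misleading warning rather than an error. Drop the in-loop check and put `if err := s.Err(); err != nil { return false, err }` immediately before the closing `return false, nil`. A kernel built without kallsyms (or a /proc/kallsyms that exposes no symbol names) also yields `false, nil`, so the `os.IsNotExist` branch deserves a comment such as `// No symbol table available: treat as unsupported and let the caller warn.` so the "not supported" warning is understood as "could not verify". The added `return nil` after the "could not enable SELinux" warning now skips whatever follows the if/else in configureKernelSecuritySupport, whose body continues beyond the hunk; confirm nothing there was relied upon in that path. Error strings conventionally start lowercase and should quote untrusted line content, e.g. `fmt.Errorf("scanning %q failed: %v", text, err)`.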