The custom configuration will also be used in docker invocations made
by the completion script itself, just like `-H`.
Signed-off-by: Harald Albers <github@albersweb.de>
It's a bit confusing: the "global options" are valid as "global options"
for all client commands (i.e. all but daemon).
Example: `docker --log-level info run`
For `docker daemon`, these "global options" are only valid as "command
options".
Example: `docker daemon --log-level info`
As command completion cannot tell which command the user is going to
type next, completion for the daemon command has to allow illegal
syntaxes like
`docker --log-level info daemon --log-level info`
Signed-off-by: Harald Albers <github@albersweb.de>
Add tools to the apparmor profile that are needed when -s devicemapper is
in the docker daemon's command line.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
The engine policy will now only complain
as a temporary measure to ensure we do not
cause breakages while users exercise this
policy.
This is NOT the policy for containers, but
for the newly-introduced policy for the
daemon itself.
Signed-off-by: Eric Windisch <eric@windisch.us>
Implements the policies for the remaining binaries
called by the Docker engine and eliminates the
giant whitelisted 'all files' permission in favor
of granular whitelisting and child-specific policies.
It should be possible now to remove the 'file' permission,
but for the sake of keeping Docker unbroken, we'll try
to gradually tighten the policy.
Signed-off-by: Eric Windisch <eric@windisch.us>
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.
A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.
Also introduces documentation for AppArmor.
Signed-off-by: Eric Windisch <eric@windisch.us>
A bash completion file shouldn't have a executable bit set.
Just change file mode to 644 (instead of 755).
Signed-off-by: Dieter Reuter <dieter.reuter@me.com>
Without this fix, `docker --log-opt ` would not complete anything
because the completions were driver specific.
Signed-off-by: Harald Albers <github@albersweb.de>
Without this fix, `docker --log-driver fluentd --log-opt fluentd-tag=b`
would complete `b` to `build`.
Completion of the commands has to be nailed to __docker_pos_first_nonflag
Signed-off-by: Harald Albers <github@albersweb.de>
Wraps the engine itself with an AppArmor policy.
This restricts what may be done by applications
we call out to, such as 'xz'.
Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.
Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.
Signed-off-by: Eric Windisch <eric@windisch.us>
By using the 'unconfined' policy for privileged
containers, we have inherited the host's apparmor
policies, which really make no sense in the
context of the container's filesystem.
For instance, policies written against
the paths of binaries such as '/usr/sbin/tcpdump'
can be easily circumvented by moving the binary
within the container filesystem.
Fixes GH#5490
Signed-off-by: Eric Windisch <eric@windisch.us>
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
This solves several problems that arise from the special treatment of
"=" in Bash.
The fix was required as some log drivers have options in a key=value
form. It also addresses the --option=value and the negated boolean syntax
(--boolean=false).
Note that this is not a general fix for these problems, it is limited to
the __docker_pos_first_nonflag function.
Signed-off-by: Harald Albers <github@albersweb.de>
- Add fluentd logging driver to zsh completion #12876
- Add inspect --type flag to zsh completion #13187
- Respect -H option in zsh completion #13195
- Fix number of argument limit for pause and unpause in zsh completion
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
