add docs and unconfined to run a container without the default seccomp profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
parent
a48fe62384
commit
15674c5fb7
4 changed files with 35 additions and 5 deletions
@ -87,7 +87,7 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)
|
|||
container.AppArmorProfile = c.AppArmorProfile
|
||||
}
|
||||
|
||||
if c.SeccompProfile != "" {
|
||||
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
||||
container.Seccomp, err = loadSeccompProfile(c.SeccompProfile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
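Review bot: The literal `"unconfined"` in the changed `if` is a protocol value now shared by the daemon-side `--security-opt` parsing, this driver and the integration tests, yet it is compared inline with no name or comment; a package constant such as `const seccompUnconfined = "unconfined"` used here would keep the spellings from drifting and make the intent readable. The new condition only skips `loadSeccompProfile`; nothing in this hunk clears a seccomp config that `container` may already carry, so if a default profile is attached to `container` before this point, `unconfined` would not actually remove it — presumably the default is applied elsewhere, but that is worth confirming. Since an empty profile and `unconfined` now take the same path here, a one-line comment would help, e.g. `// "unconfined" deliberately skips loading any profile`. createContainer's body continues outside the hunk.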
@ -62,3 +62,22 @@ Then you can run with:
|
|||
```
|
||||
$ docker run --rm -it --security-opt seccomp:/path/to/seccomp/profile.json hello-world
|
||||
```
|
||||
|
||||
Default Profile
|
||||
---------------
|
||||
|
||||
The default seccomp profile provides a sane default for running
|
||||
containers with seccomp. It is moderately protective while
|
||||
providing wide application compatibility.
|
||||
|
||||
|
||||
Overriding the default profile for a container
|
||||
----------------------------------------------
|
||||
|
||||
You can pass `unconfined` to run a container without the default seccomp
|
||||
profile.
|
||||
|
||||
```
|
||||
$ docker run --rm -it --security-opt seccomp:unconfined debian:jessie \
|
||||
unshare --map-root-user --user sh -c whoami
|
||||
```
|
||||
|
|
|
@ -7,8 +7,7 @@ set -e
|
|||
dir="$DEST/userns-test"
|
||||
mkdir -p "$dir"
|
||||
(
|
||||
GOOS=${DOCKER_ENGINE_GOOS:="linux"}
|
||||
if [ "$GOOS" = "linux" ]; then
|
||||
if [ "$(go env GOOS)" = "linux" ]; then
|
||||
cd "$dir"
|
||||
gcc -g -Wall -static ../../../../contrib/userns-test/main.c -o ./userns-test
|
||||
cp ../../../../contrib/userns-test/Dockerfile .
|
||||
|
|
|
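Review bot: The new `if [ "$(go env GOOS)" = "linux" ]` drops the `DOCKER_ENGINE_GOOS` override that the lines it replaces honoured, so a cross-build that sets only that variable will now compile `userns-test` for the host instead of skipping it; `go env GOOS` still follows a plain `GOOS` in the environment, so this only matters if other hack scripts rely on `DOCKER_ENGINE_GOOS`. A short comment above the check, e.g. `# userns-test is a static Linux binary; skip it when building for another OS`, would record why the test exists. The subshell opened at `(` continues past the end of the hunk.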
@ -598,8 +598,20 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
|
|||
}
|
||||
}
|
||||
|
||||
// TestRunSeccompAllowPrivCloneUserns checks that 'docker run userns-test'
|
||||
// with a the default seccomp profile exits with operation not permitted.
|
||||
// TestRunSeccompUnconfinedCloneUserns checks that
|
||||
// 'docker run --security-opt seccomp:unconfined userns-test' allows creating a userns.
|
||||
func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
|
||||
testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
|
||||
|
||||
// make sure running w privileged is ok
|
||||
runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp:unconfined", "userns-test", "id")
|
||||
if out, _, err := runCommandWithOutput(runCmd); err != nil || !strings.Contains(out, "nobody") {
|
||||
c.Fatalf("expected clone userns with --security-opt seccomp:unconfined to succeed, got %s: %v", out, err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged userns-test'
|
||||
// allows creating a userns.
|
||||
func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
|
||||
testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
|
||||
|
||||
|
|
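Review bot: The comment `// make sure running w privileged is ok` inside the new TestRunSeccompUnconfinedCloneUserns looks copied from the privileged test and does not describe this case, which runs with `--security-opt seccomp:unconfined`; replace it with `// creating a user namespace must succeed once the default seccomp profile is disabled`. The single `if err != nil || !strings.Contains(out, "nobody")` folds two different failures into one message that says the clone did not succeed, so a run that exits cleanly but prints unexpected output is reported as if seccomp had denied it; splitting the two checks, or at least rewording the message to `expected clone userns with --security-opt seccomp:unconfined to succeed and report nobody`, would make a failure easier to diagnose. The rewritten doc comment on TestRunSeccompAllowPrivCloneUserns now matches that test's flags, which is an improvement; its body continues outside the hunk.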