Warn if kernel does not support overlay/overlay2 with selinux
We first added an error to disallow overlay with SELinux enabled. Later we removed it, as the kernel was getting close to gaining the support. But this means the user does not get a meaningful message on old kernels. This patch introduces a warning (instead of an error). The difference is that it dynamically tries to detect whether the underlying kernel supports overlayfs with SELinux or not, and if it does not, it warns. It will not warn if it detects that the kernel supports overlayfs with SELinux. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
parent
c9a0dda586
commit
885b29df09
1 changed files with 46 additions and 0 deletions
|
@ -3,6 +3,7 @@
|
|||
package daemon
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
|
@ -596,11 +597,56 @@ func configureMaxThreads(config *Config) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func overlaySupportsSelinux() (bool, error) {
|
||||
f, err := os.Open("/proc/kallsyms")
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
var symAddr, symType, symName, text string
|
||||
|
||||
s := bufio.NewScanner(f)
|
||||
for s.Scan() {
|
||||
if err := s.Err(); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
text = s.Text()
|
||||
if _, err := fmt.Sscanf(text, "%s %s %s", &symAddr, &symType, &symName); err != nil {
|
||||
return false, fmt.Errorf("Scanning '%s' failed: %s", text, err)
|
||||
}
|
||||
|
||||
// Check for presence of symbol security_inode_copy_up.
|
||||
if symName == "security_inode_copy_up" {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// configureKernelSecuritySupport configures and validates security support for the kernel
|
||||
func configureKernelSecuritySupport(config *Config, driverName string) error {
|
||||
if config.EnableSelinuxSupport {
|
||||
if !selinuxEnabled() {
|
||||
logrus.Warn("Docker could not enable SELinux on the host system")
|
||||
return nil
|
||||
}
|
||||
|
||||
if driverName == "overlay" || driverName == "overlay2" {
|
||||
// If driver is overlay or overlay2, make sure kernel
|
||||
// supports selinux with overlay.
|
||||
supported, err := overlaySupportsSelinux()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !supported {
|
||||
logrus.Warnf("SELinux is not supported with the %s graph driver on this kernel", driverName)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
selinuxSetDisabled()
|
||||
|
|
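Review bot: The `s.Err()` check inside the `for s.Scan()` loop in overlaySupportsSelinux can never fire, because `Scan` returns false as soon as an error occurs, so a read error on /proc/kallsyms (an I/O error, or a line exceeding the scanner's buffer) silently ends the loop and the function reports `false, nil` — the daemon then warns that SELinux is unsupported when it actually could not tell. Move the check after the loop, `if err := s.Err(); err != nil { return false, err }` just before the final `return false, nil`, and drop the in-loop copy. Separately, a line that does not parse as three fields makes configureKernelSecuritySupport return an error and presumably aborts daemon startup, which is a hard failure for what is only a warning heuristic; skipping (or logging) such lines seems safer. A short comment on overlaySupportsSelinux saying that it only checks for the `security_inode_copy_up` symbol in /proc/kallsyms as a proxy for overlay SELinux support, and returns false without error when that file is absent, would also help the next reader.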