moby/daemon
Brian Goff e908cc3901 Use real root with 0701 perms
Various dirs in /var/lib/docker contain data that needs to be mounted
into a container. For this reason, these dirs are set to be owned by the
remapped root user, otherwise there can be permissions issues.
However, this uneccessarily exposes these dirs to an unprivileged user
on the host.

Instead, set the ownership of these dirs to the real root (or rather the
UID/GID of dockerd) with 0701 permissions, which allows the remapped
root to enter the directories but not read/write to them.
The remapped root needs to enter these dirs so the container's rootfs
can be configured... e.g. to mount /etc/resolve.conf.

This prevents an unprivileged user from having read/write access to
these dirs on the host.
The flip side of this is now any user can enter these directories.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-26 17:23:32 +00:00
..
cluster Fix jobs mode filter spelling 2020-12-15 14:45:05 -06:00
config Added ip6tables config option 2020-11-05 16:18:23 +01:00
discovery bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
events daemon: normalize comment formatting 2019-11-27 15:43:53 +01:00
exec Handle blocked I/O of exec'd processes 2019-06-21 12:02:15 -04:00
graphdriver Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
images Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
initlayer Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
links daemon: normalize comment formatting 2019-11-27 15:43:53 +01:00
listeners daemon/listeners: use pkg/errors 2020-09-14 14:50:54 +02:00
logger Fix windows log file rotation with readers 2020-10-29 18:38:30 +00:00
names Add canonical import comment 2018-02-05 16:51:57 -05:00
network Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
stats daemon/stats: use const for clockTicksPerSecond 2020-07-08 14:22:04 +02:00
testdata Remove libtrust dep from api 2017-09-06 12:05:19 -04:00
apparmor_default.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
apparmor_default_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
archive.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
archive_tarcopyoptions.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
archive_tarcopyoptions_unix.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
archive_tarcopyoptions_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
archive_unix.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00
archive_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
attach.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
auth.go Switch from x/net/context -> context 2018-04-23 13:52:44 -07:00
changes.go daemon: add "isWindows" const 2019-10-17 23:49:43 +02:00
checkpoint.go daemon/checkpoint: rm extra checks 2019-09-18 12:57:22 +02:00
cluster.go Move network conversions out of API router 2018-06-27 17:11:29 -07:00
commit.go daemon: add "isWindows" const 2019-10-17 23:49:43 +02:00
configs.go Merge configs/secrets in unix implementation 2018-02-16 11:25:14 -05:00
configs_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
configs_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
configs_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
container.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
container_linux.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
container_operations.go Move HostGatewayName const to opts, and change vars to consts 2020-10-30 21:17:34 +01:00
container_operations_unix.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
container_operations_windows.go container.ConfigFilePath: use same signature on Windows 2019-09-03 10:51:43 +02:00
container_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
container_windows.go daemon: fix capitalization of some functions 2020-04-14 17:22:19 +02:00
content.go Store image manifests in containerd content store 2020-11-05 20:02:18 +00:00
create.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
create_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
create_unix.go Check tmpfs mounts before create anon volume 2020-02-04 10:12:05 -08:00
create_windows.go Entropy cannot be saved 2019-06-07 11:54:45 +01:00
daemon.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
daemon_linux.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
daemon_linux_test.go Really switch to moby/sys/mount* 2020-03-20 09:46:25 -07:00
daemon_test.go Replace errors.Cause() with errors.Is() / errors.As() 2020-04-29 00:28:41 +02:00
daemon_unix.go Use real root with 0701 perms 2021-01-26 17:23:32 +00:00
daemon_unix_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
daemon_unsupported.go cgroup2: implement docker info 2020-04-17 07:20:01 +09:00
daemon_windows.go Do not call mount.RecursiveUnmount() on Windows 2020-10-29 23:00:16 +01:00
daemon_windows_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
debugtrap_unix.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
debugtrap_unsupported.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
debugtrap_windows.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
delete.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
delete_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
dependency.go Add canonical import comment 2018-02-05 16:51:57 -05:00
devices_linux.go Add DeviceRequests to HostConfig to support NVIDIA GPUs 2019-03-18 17:19:45 +00:00
disk_usage.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
errors.go Merge pull request #38541 from Microsoft/jjh/containerd 2019-03-19 21:09:19 -07:00
events.go Remove SystemInfo() error handling. 2019-08-29 07:44:39 +08:00
events_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
exec.go remove uses of deprecated pkg/term 2020-04-21 16:29:27 +02:00
exec_linux.go Simplify getUser() to use libcontainer built-in functionality 2020-09-09 13:25:59 +02:00
exec_linux_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
exec_windows.go Windows: (WCOW) Generate OCI spec that remote runtime can escape 2019-03-12 18:41:55 -07:00
export.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
health.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
health_test.go daemon: suppress logs in unit tests 2019-10-18 00:57:56 +02:00
info.go vendor: opencontainers/selinux v1.8.0, and remove selinux build-tag and stubs 2020-12-24 00:47:16 +01:00
info_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
info_unix.go Deprecate KernelMemory 2020-07-24 20:44:29 +09:00
info_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
info_windows.go Make cgroup namespaces configurable 2019-05-07 10:22:16 -07:00
inspect.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_linux.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
inspect_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
inspect_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
keys.go Add canonical import comment 2018-02-05 16:51:57 -05:00
keys_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
kill.go Wait for container exit before forcing handler 2020-08-11 21:33:59 +00:00
licensing.go Expose license status in Info (#37612) 2018-08-17 17:05:21 -07:00
licensing_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
links.go Add canonical import comment 2018-02-05 16:51:57 -05:00
list.go Merge pull request #40725 from cpuguy83/check_img_platform 2020-05-21 11:33:27 -07:00
list_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
list_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
list_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
logdrivers_linux.go Support configuration of log cacher. 2020-02-19 17:02:34 -05:00
logdrivers_windows.go Support configuration of log cacher. 2020-02-19 17:02:34 -05:00
logs.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
logs_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
metrics.go daemon: rename all receivers to "daemon" 2020-04-14 17:22:21 +02:00
metrics_unix.go Do not require "experimental" for metrics API 2020-04-20 22:19:00 +02:00
metrics_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
monitor.go handleContainerExit: put a timeout on containerd DeleteTask 2020-11-14 15:23:29 -08:00
mounts.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
names.go Entropy cannot be saved 2019-06-07 11:54:45 +01:00
network.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
network_windows.go daemon.getEndpointInNetwork() is only used on Windows 2019-09-18 12:55:46 +02:00
nvidia_linux.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci_linux.go use containerd/cgroups to detect cgroups v2 2020-11-09 15:00:32 +01:00
oci_linux_test.go daemon/oci_linux_test: Skip privileged tests when non-root 2020-12-15 09:47:44 +07:00
oci_utils.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci_windows.go Replace service "Capabilities" w/ add/drop API 2020-07-27 10:09:42 -07:00
oci_windows_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
pause.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
prune.go API: add "prune" events 2020-07-28 12:41:14 +02:00
reload.go Adding ability to change max download attempts 2019-09-19 13:51:40 +02:00
reload_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
reload_unix.go Fix lint error on sprintf call for runtime string 2020-07-09 15:41:44 -07:00
reload_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
rename.go docker rename enhancement 2018-09-21 09:43:06 +08:00
resize.go Merge pull request #38522 from cpuguy83/fix_timers 2019-06-07 13:16:46 +02:00
resize_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
restart.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
runtime_unix.go cgroup v1: change the default runtime to io.containerd.runc.v2 2020-07-15 14:06:21 +09:00
seccomp_disabled.go daemon: make supportsSeccomp a const 2019-10-13 19:16:31 +02:00
seccomp_linux.go Simplify seccomp logic 2020-09-09 18:23:27 +01:00
seccomp_unsupported.go daemon: make supportsSeccomp a const 2019-10-13 19:16:31 +02:00
secrets.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
start.go Don't set image on containerd container. 2020-11-06 04:55:03 +00:00
start_unix.go use containerd/cgroups to detect cgroups v2 2020-11-09 15:00:32 +01:00
start_windows.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
stats.go Merge pull request #40478 from cpuguy83/dont-prime-the-stats 2020-04-16 20:57:06 +02:00
stats_collector.go Add canonical import comment 2018-02-05 16:51:57 -05:00
stats_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
stats_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
stop.go daemon.ContainerStop(): fix for a negative timeout 2018-05-03 10:04:33 -07:00
top_unix.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
top_unix_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
top_windows.go goimports: fix imports 2019-09-18 12:56:54 +02:00
trustkey.go Allow system.MkDirAll() to be used as drop-in for os.MkDirAll() 2019-08-08 15:05:49 +02:00
trustkey_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
unpause.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
update.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
update_linux.go goimports: fix imports 2019-09-18 12:56:54 +02:00
update_windows.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
util_test.go Configure shims from runtime config 2020-07-13 14:18:02 -07:00
volumes.go Fix status code for missing --volumes-from container 2020-06-29 13:28:14 +02:00
volumes_linux.go Fix the several typos detected by github.com/client9/misspell 2018-08-09 00:45:00 +09:00
volumes_linux_test.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
volumes_unit_test.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00
volumes_unix.go daemon: rename variables that collide with imported package names 2020-04-14 17:22:23 +02:00
volumes_unix_test.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00
volumes_windows.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
wait.go Switch from x/net/context -> context 2018-04-23 13:52:44 -07:00
workdir.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00