Change default label of container volumes to shared SELinux Label

Since these will be shared between containers we want to label them as svirt_sandbox_file_t:s0. That will allow multiple containers to write to them. Currently we are allowing container domains to read/write all content in /var/lib/docker because of container volumes. This is a big security hole in our SELinux story. This patch will allow us to tighten up the security of docker containers. Docker-DCO-1.1-Signed-off-by: Dan Walsh <[email protected]> (github: rhatdan)
containers · Sep 9, 2014 · 73617e5 · 73617e5
1 parent f1095b8
commit 73617e5
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/daemon/graphdriver/vfs/driver.go b/daemon/graphdriver/vfs/driver.go
@@ -3,10 +3,12 @@ package vfs
 import (
 	"bytes"
 	"fmt"
-	"github.com/docker/docker/daemon/graphdriver"
 	"os"
 	"os/exec"
 	"path"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/libcontainer/label"
 )
 
 func init() {
@@ -67,6 +69,10 @@ func (d *Driver) Create(id, parent string) error {
 	if err := os.Mkdir(dir, 0755); err != nil {
 		return err
 	}
+	opts := []string{"level:s0"}
+	if _, mountLabel, err := label.InitLabels(opts); err == nil {
+		label.Relabel(dir, mountLabel, "")
+	}
 	if parent == "" {
 		return nil
 	}