Introduce support for syscall filtering in containers #237
This PR introduces the ability to filter system calls on a per-container basis on Linux, using libseccomp to support multiple architectures. This adds another layer of security between containers and the kernel. System calls which are unnecessary in a container or problematic from a security perspective can be restricted to prevent their use. Most of the truly problematic syscalls are already restricted by dropping capabilities; this adds an additional, finer-grained layer of protection. This PR adds a vendored library dependency (Go bindings for libseccomp) and a build dependency on libseccomp >= v2.1. The actual changes to libcontainer are fairly minimal, most of the delta is in the libseccomp bindings. Docker-DCO-1.1-Signed-off-by: Dan Walsh <[email protected]> (github: rhatdan) Docker-DCO-1.1-Signed-off-by: Matt Heon <[email protected]> (github: mheon)
Showing
16 changed files
with
2,530 additions
and
7 deletions.
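--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,92 @@
+// +build seccomp,linux,cgo
+
+package integration
+
+import (
+"strings"
+"testing"
+
+"github.com/docker/libcontainer/security/seccomp"
+)
+
+func TestSeccompDenyGetcwd(t *testing.T) {
+if testing.Short() {
+return
+}
+
+rootfs, err := newRootFs()
+if err != nil {
+t.Fatal(err)
+}
+defer remove(rootfs)
+
+config := newTemplateConfig(rootfs)
+config.SeccompConfig = seccomp.SeccompConfig{
+Enable: true,
+Whitelist: false,
+Syscalls: []seccomp.BlockedSyscall{
+{
+Name: "getcwd",
+},
+},
+}
+
+buffers2, _, err := runContainer(config, "", "pwd")
+if err != nil {
+t.Fatal(err)
+}
+t.Logf("Buffer is %s", buffers2.Stdout.String())
+
+buffers, exitCode, err := runContainer(config, "", "pwd")
+if err != nil {
+t.Fatal(err)
+}
+
+if exitCode != 1 {
+t.Fatalf("Getcwd should fail with exit code 1, instead got %d!", exitCode)
+}
+
+expected := "pwd: getcwd: Operation not permitted"
+actual := strings.Trim(buffers.Stderr.String(), "\n")
+if actual != expected {
+t.Fatalf("Expected output %s but got %s\n", expected, actual)
+}
+}
+
+func TestSeccompDenyMmap(t *testing.T) {
+if testing.Short() {
+return
+}
+
+rootfs, err := newRootFs()
+if err != nil {
+t.Fatal(err)
+}
+defer remove(rootfs)
+
+config := newTemplateConfig(rootfs)
+config.SeccompConfig = seccomp.SeccompConfig{
+Enable: true,
+Whitelist: false,
+Syscalls: []seccomp.BlockedSyscall{
+{
+Name: "mmap",
+},
+},
+}
+
+buffers, exitCode, err := runContainer(config, "", "echo", "hello world")
+if err != nil {
+t.Fatal(err)
+}
+
+if exitCode != 20 {
+t.Fatalf("Busybox should fail to start with exit code 20, instead got %d!", exitCode)
+}
+
+expected := "mmap of a spare page failed!"
+actual := strings.Trim(buffers.Stderr.String(), "\n")
+if actual != expected {
+t.Fatalf("Expected output %s but got %s\n", expected, actual)
+}
+}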
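Review bot: The first runContainer call in TestSeccompDenyGetcwd (the `buffers2` run) only logs stdout and discards its exit code, then the identical restricted config is run a second time and asserted on, so the first run reads like leftover debugging. If a baseline was intended, run it with `Enable: false` and assert `exitCode == 0`, which would show the denial comes from the filter and not from the rootfs; otherwise drop it. Both tests also pin exact busybox stderr text and exit codes (`"pwd: getcwd: Operation not permitted"`, `20`), which ties them to the bundled busybox build and to a deny action that returns EPERM rather than one that kills the process — the action itself is not visible in this hunk, so a comment such as `// assumes the filter's deny action returns EPERM; a kill action would change the exit status` would make that dependency explicit. Only `Whitelist: false` is exercised here; the whitelist mode of SeccompConfig gets no coverage in this file.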
@@ -1,4 +1,4 @@ | ||
// +build selinux,linux | ||
// +build selinux,linux,cgo | ||
|
||
package label | ||
|
||
|
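Review bot: Adding `cgo` to the selinux build constraint means a `CGO_ENABLED=0` build with `-tags selinux` now excludes this package's code instead of failing at compile time, so whether callers get a build error or a silent loss of labeling depends on whether a companion file with the inverse constraint exists, which this hunk does not show. A short comment on the constraint line stating why cgo is now required would make the dependency explicit; the reason is only inferred from the PR description (libseccomp bindings), not from this hunk. This assumes the `,cgo` line is the new side, which the rendered page does not mark.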