
support "--security-opt systempaths=unconfined" #7537

Closed
cyphar opened this issue Sep 3, 2020 · 11 comments · Fixed by #8408
Labels: Good First Issue · In Progress · kind/feature · locked - please file new issue/PR

Comments

@cyphar

cyphar commented Sep 3, 2020

/kind feature

Description

Right now you can't disable the /proc overmounts. While these are a security feature in general, due to kernel restrictions, this means that you cannot run a subcontainer or other sandbox that tries to mount procfs (even if it uses user namespaces). Having a way to optionally disable this would be neat and would also bring more feature parity with Docker (which supports --security-opt systempaths=unconfined).

In newer kernels you will be able to work around this with mount -t procfs -o subset=pids procfs /proc but right now the only other workaround is to mount some /proc handle into the container. The safest way is with something like:

% mkdir /tmp/empty-procfs
% sudo unshare -pf mount -t proc proc /tmp/empty-procfs
% podman run -v /tmp/empty-procfs:/.stashed-proc # ...

But most people probably end up doing /proc:/.stashed-proc which is quite dangerous. This is also probably needed to completely support AllowedProcMountTypes = Unmasked.
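
As an added example (not code from the issue or from Podman), a small POSIX shell audit that reads a container's /proc/self/mountinfo and reports which of the default masked paths still carry an overmount, so an operator can confirm that only the containers meant to run with masking disabled actually lack the /proc/scsi et al. overmounts. It assumes the OCI runtime-spec default masked-path list and uses a constructed mountinfo excerpt as input.

```shell
#!/bin/sh
# Added example (not code from the issue or from Podman): audit which of the default
# masked-path overmounts are in effect inside a container by reading its mountinfo.
# Usage inside a container: sh audit_masks.sh /proc/self/mountinfo

# Paths the OCI runtime-spec default config masks (assumed list; adjust for your
# runtime). Directories get a read-only tmpfs, files get /dev/null bound over them.
DEFAULT_MASKED_PATHS="/proc/acpi /proc/kcore /proc/keys /proc/latency_stats \
/proc/timer_list /proc/timer_stats /proc/sched_debug /proc/scsi /sys/firmware"

# report_masks FILE: one "PATH masked (FSTYPE)" or "PATH unmasked" line per path.
# Field 5 of a mountinfo line is the mount point; the field after "-" is the fstype.
report_masks() {
    for p in $DEFAULT_MASKED_PATHS; do
        fstype=$(awk -v mp="$p" '$5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
        }' "$1")
        if [ -n "$fstype" ]; then
            echo "$p masked ($fstype)"
        else
            echo "$p unmasked"
        fi
    done
}

# count_unmasked FILE: how many default masked paths have no overmount
# (0 means masking is fully in place; 9 means the equivalent of systempaths=unconfined).
count_unmasked() { report_masks "$1" | awk '/ unmasked$/ { n++ } END { print n + 0 }'; }

# Constructed mountinfo excerpt, not captured from a real container: every default
# path is masked except /proc/scsi and /sys/firmware, as a selective unmask would leave it.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
180 170 0:45 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
181 180 0:46 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
182 180 0:47 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
183 181 0:48 / /proc/acpi ro,relatime - tmpfs tmpfs ro
184 181 0:5 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
185 181 0:5 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
186 181 0:5 /null /proc/latency_stats rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
187 181 0:5 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
188 181 0:5 /null /proc/timer_stats rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
189 181 0:5 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
EOF

report_masks "$SAMPLE"
echo "unmasked: $(count_unmasked "$SAMPLE")"
```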

@openshift-ci-robot openshift-ci-robot added the kind/feature label Sep 3, 2020
@mheon
Member

mheon commented Sep 3, 2020

We already support passing options to the /proc mount via --security-opt proc-opts (added in #7227). It looks like Docker went ahead and added it at some point as well, using a completely incompatible syntax, so now we'll have to support that as well...

@cyphar
Author

cyphar commented Sep 3, 2020

This is separate to procfs mount options. This is about disabling the /proc/scsi et al overmounts (MaskedPaths).

@mheon
Member

mheon commented Sep 3, 2020

Ah - I see, you're entirely right. This is definitely worth adding.

@vrothberg
Member

@cyphar, do you have cycles to open a PR?

@mheon mheon added the Good First Issue label Sep 9, 2020
@cyphar
Author

cyphar commented Sep 13, 2020

I'll write something up this week.

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Nov 23, 2020

@umohnani8 PR to handle --security-opt=mask/unmask should fix this Issue.

@umohnani8 We might want to add an unmask=all flag to remove all masking.

@rhatdan rhatdan added the In Progress label and removed the stale-issue label Nov 23, 2020
@umohnani8
Member

Yup, we have unmask=ALL as an option as well. The PR is #8408

@cyphar
Author

cyphar commented Dec 3, 2020

Uh this isn't quite fixed because you don't have flag-parity with Docker but I can send a PR to fix that up.

@rhatdan
Member

rhatdan commented Dec 7, 2020

SGTM

@umohnani8
Member

Opened #8630 for the flag-parity

@github-actions github-actions bot added the locked - please file new issue/PR label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023