Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for NoNewPrivileges in docker #20727

Merged
merged 1 commit into from
Mar 8, 2016
Merged

Conversation

mrunalp
Copy link
Contributor

@mrunalp mrunalp commented Feb 26, 2016

Addresses #20329
This PR adds support for setting the NoNewPrivileges in docker as a security-opt.
Here is how to run docker with this bit set.

docker run -it --rm --security-opt=no-new-privileges fedora bash

Here is how to test it:

# Create a setuid binary that displays the effective uid
[root@dhcp-16-129 dockerfiles]# cat testnnp.c 
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
        printf("Effective uid: %d\n", geteuid());
        return 0;
}
[root@dhcp-16-129 dockerfiles]# make testnnp
cc     testnnp.c   -o testnnp

# Add the binary to a docker image
[root@dhcp-16-129 dockerfiles]# cat Dockerfile 
FROM fedora:latest
ADD testnnp /root/testnnp
RUN chmod +s /root/testnnp
ENTRYPOINT /root/testnnp

[root@dhcp-16-129 dockerfiles]# /root/gosrc/src/github.com/docker/docker/bundles/latest/dynbinary/docker build -t testnnp .
Sending build context to Docker daemon 12.29 kB
Step 1 : FROM fedora:latest
 ---> 760a896a323f
Step 2 : ADD testnnp /root/testnnp
 ---> 6c700f277948
Removing intermediate container 0981144fe404
Step 3 : RUN chmod +s /root/testnnp
 ---> Running in c1215bfbe825
 ---> f1f07d05a691
Removing intermediate container c1215bfbe825
Step 4 : ENTRYPOINT /root/testnnp
 ---> Running in 5a4d324d54fa
 ---> 44f767c67e30
Removing intermediate container 5a4d324d54fa
Successfully built 44f767c67e30

# Running without no-new-privileges
root@dhcp-16-129 dockerfiles]# /root/gosrc/src/github.com/docker/docker/bundles/latest/dynbinary/docker run -it --rm --user=1000  testnnp
Effective uid: 0
# Running with no-new-privileges prevents the uid transition while running a setuid binary
[root@dhcp-16-129 dockerfiles]# /root/gosrc/src/github.com/docker/docker/bundles/latest/dynbinary/docker run -it --rm --user=1000 --security-opt=no-new-privileges testnnp
Effective uid: 1000

Signed-off-by: Mrunal Patel mrunalp@gmail.com

@mrunalp
Copy link
Contributor Author

mrunalp commented Feb 26, 2016

@crosbymichael @LK4D4 PTAL
cc: @rhatdan

@jessfraz
Copy link
Contributor

jessfraz commented Mar 3, 2016

I like it

@jessfraz
Copy link
Contributor

jessfraz commented Mar 3, 2016

Can you add that as a test case for your patch as well if others agree on the design

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 3, 2016

@jfrazelle Not sure how to integrate this into the docker test suite. We need to compile C code and add a binary into an image. Is there an example of anything similar?

@jessfraz
Copy link
Contributor

jessfraz commented Mar 3, 2016

YES the seccomp tests :)
https://github.com/docker/docker/tree/master/contrib/syscall-test
https://github.com/docker/docker/blob/master/hack/make/.ensure-syscall-test

On Thu, Mar 3, 2016 at 12:12 PM, Mrunal Patel notifications@github.com
wrote:

@jfrazelle https://github.com/jfrazelle Not sure how to integrate this
into the docker test suite. We need to compile C code and add a binary into
an image. Is there example of anything similar?


Reply to this email directly or view it on GitHub
#20727 (comment).

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 3, 2016

@jfrazelle Thanks :) I will look into it.

@thaJeztah
Copy link
Member

@mrunalp we reviewed this in the maintainers review session and liked this feature. There was a short discussion (sorry, again) if --security-opt should be used or a different named flag, but we thought it was good to keep it like this. Thanks for implementing this!

@calavera
Copy link
Contributor

calavera commented Mar 3, 2016

Code LGTM.

Can we add some docs about this new option?

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 4, 2016

Added tests.

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 4, 2016

All green! :)

@jessfraz
Copy link
Contributor

jessfraz commented Mar 4, 2016

LGTM, can move to docs review thanks!

@thaJeztah
Copy link
Member

Alright, this probably needs docs in;

https://github.com/docker/docker/blob/master/docs/reference/run.md

Not sure where to put it below
https://github.com/docker/docker/blob/master/docs/security/index.md

As it doesn't fit in apparmor or selinux, so do we need a separate document just for this? Can we expect more options for this?

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 4, 2016

@thaJeztah I just added a commit for docs.

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 4, 2016

@thaJeztah We can probably add a line for this in the same page. I will add it.

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 4, 2016

Actually the security page looks like it has configuration that is set at engine level for all containers while this option is more of a runtime flag.

@thaJeztah
Copy link
Member

@mrunalp can this option be set on the daemon? i.e. as a default for all containers?

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 4, 2016

@thaJeztah We could add that feature later but it could potentially break images so better to opt-in at runtime to start with (as in this PR).

@thaJeztah
Copy link
Member

@mrunalp oh, didn't mean to imply that, just wondering if it was a daemon level option as well

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 5, 2016

No it is not.

Sent from my iPhone

On Mar 4, 2016, at 4:35 PM, Sebastiaan van Stijn notifications@github.com wrote:

@mrunalp oh, didn't mean to imply that, just wondering if it was a daemon level option as well


Reply to this email directly or view it on GitHub.

@icecrime
Copy link
Contributor

icecrime commented Mar 5, 2016

Can the windowsTP4 be related?

18:02:47 FAIL: dockerCmd_utils_test.go:270: DockerCmdSuite.TestDockerCmdInDirWithTimeout
18:02:47 
18:02:47 dockerCmd_utils_test.go:320:
18:02:47     c.Assert(out, check.Equals, cmd.expectedOut, check.Commentf("Expected output %q for arguments %v, got %q", cmd.expectedOut, cmd.args, out))
18:02:47 ... obtained string = ""
18:02:47 ... expected string = "hello"
18:02:47 ... Expected output "hello" for arguments [run -ti ubuntu echo hello], got ""
18:02:47 
18:02:47 OOPS: 7 passed, 1 FAILED

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 5, 2016

No, it can't be.

Sent from my iPhone

On Mar 4, 2016, at 6:13 PM, Arnaud Porterie notifications@github.com wrote:

Can the windowsTP4 be related?

18:02:47 FAIL: dockerCmd_utils_test.go:270: DockerCmdSuite.TestDockerCmdInDirWithTimeout
18:02:47
18:02:47 dockerCmd_utils_test.go:320:
18:02:47 c.Assert(out, check.Equals, cmd.expectedOut, check.Commentf("Expected output %q for arguments %v, got %q", cmd.expectedOut, cmd.args, out))
18:02:47 ... obtained string = ""
18:02:47 ... expected string = "hello"
18:02:47 ... Expected output "hello" for arguments [run -ti ubuntu echo hello], got ""
18:02:47
18:02:47 OOPS: 7 passed, 1 FAILED

Reply to this email directly or view it on GitHub.


$ docker run --security-opt no-new-privileges -it centos bash


> **Note**: You would have to write policy defining a `svirt_apache_t` type.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you move this above your example. Because this applies to the example above :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@thaJeztah
Copy link
Member

Thanks @mrunalp I left some suggestions; also, can you squash your commits?

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Add tests for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Update documentation for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 7, 2016

@thaJeztah Updated and pushed

@calavera
Copy link
Contributor

calavera commented Mar 7, 2016

Docs LGTM

@thaJeztah
Copy link
Member

docs LGTM, thanks @mrunalp!

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 8, 2016

The test failures don't look like they are related.

@mrunalp
Copy link
Contributor Author

mrunalp commented Mar 8, 2016

All green! Merge? :)

cpuguy83 added a commit that referenced this pull request Mar 8, 2016
Add support for NoNewPrivileges in docker
@cpuguy83 cpuguy83 merged commit dc702b6 into moby:master Mar 8, 2016
@thaJeztah
Copy link
Member

Thanks @mrunalp!

@praving5
Copy link

Does this break apparmor as point here.

geminiyellow added a commit to ilivebox/docker-cheat-sheet that referenced this pull request Apr 25, 2016
@anshupande
Copy link

core@ip-10-74-131-107 sandbox-ap-us-east-1a-control ~ $ docker run -it --rm --security-opt=no-new-privileges fedora bash Unable to find image 'fedora:latest' locally latest: Pulling from library/fedora 6888fc827a3f: Pull complete 9bdb5101e5fc: Pull complete Digest: sha256:1fa98be10c550ffabde65246ed2df16be28dc896d6e370dab56b98460bd27823 Status: Downloaded newer image for fedora:latest Error response from daemon: Invalid --security-opt: "no-new-privileges"

@thaJeztah
Copy link
Member

@anshupande what version of docker are you running?

@anshupande
Copy link

@thaJeztah : yes it was 1.9 and not 1.11 and this was addressed #22862

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants