-
Notifications
You must be signed in to change notification settings - Fork 18.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for NoNewPrivileges in docker #20727
Conversation
@crosbymichael @LK4D4 PTAL |
I like it |
Can you add that as a test case for your patch as well if others agree on the design |
@jfrazelle Not sure how to integrate this into the docker test suite. We need to compile C code and add a binary into an image. Is there an example of anything similar? |
YES the seccomp tests :) On Thu, Mar 3, 2016 at 12:12 PM, Mrunal Patel notifications@github.com
Jessie Frazelle |
@jfrazelle Thanks :) I will look into it. |
@mrunalp we reviewed this in the maintainers review session and liked this feature. There was a short discussion (sorry, again) if |
Code LGTM. Can we add some docs about this new option? |
Added tests. |
All green! :) |
LGTM, can move to docs review thanks! |
Alright, this probably needs docs in; https://github.com/docker/docker/blob/master/docs/reference/run.md Not sure where to put it below As it doesn't fit in apparmor or selinux, so do we need a separate document just for this? Can we expect more options for this? |
@thaJeztah I just added a commit for docs. |
@thaJeztah We can probably add a line for this in the same page. I will add it. |
Actually the security page looks like it has configuration that is set at engine level for all containers while this option is more of a runtime flag. |
@mrunalp can this option be set on the daemon? i.e. as a default for all containers? |
@thaJeztah We could add that feature later but it could potentially break images so better to opt-in at runtime to start with (as in this PR). |
@mrunalp oh, didn't mean to imply that, just wondering if it was a daemon level option as well |
No it is not. Sent from my iPhone
|
Can the windowsTP4 be related?
|
No, it can't be. Sent from my iPhone
|
|
||
$ docker run --security-opt no-new-privileges -it centos bash | ||
|
||
|
||
> **Note**: You would have to write policy defining a `svirt_apache_t` type. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move this above your example. Because this applies to the example above :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Thanks @mrunalp I left some suggestions; also, can you squash your commits? |
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> Add tests for no-new-privileges Signed-off-by: Mrunal Patel <mrunalp@gmail.com> Update documentation for no-new-privileges Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
@thaJeztah Updated and pushed |
Docs LGTM |
docs LGTM, thanks @mrunalp! |
The test failures don't look like they are related. |
All green! Merge? :) |
Add support for NoNewPrivileges in docker
Thanks @mrunalp! |
Does this break apparmor as point here. |
[--pids-limit](moby/moby#18697) [--security-opt=no-new-privileges](moby/moby#20727)
|
@anshupande what version of docker are you running? |
@thaJeztah : yes it was 1.9 and not 1.11 and this was addressed #22862 |
Addresses #20329
This PR adds support for setting the NoNewPrivileges in docker as a security-opt.
Here is how to run docker with this bit set.
Here is how to test it:
Signed-off-by: Mrunal Patel mrunalp@gmail.com