Define readonly/mask paths in spec

tonistiigi · tonistiigi · commit 3f81b4935292 · 2016-04-04T18:55:55.000-07:00
This vendors in new spec/runc that supports
setting readonly and masked paths in the 
configuration. Using this allows us to make an
exception for `—-privileged`.

Signed-off-by: Tonis Tiigi &lt;tonistiigi@gmail.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -248,7 +248,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
@@ -181,7 +181,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
@@ -198,7 +198,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
diff --git a/Dockerfile.gccgo b/Dockerfile.gccgo
@@ -74,13 +74,12 @@ WORKDIR /go/src/github.com/docker/docker
 ENV DOCKER_BUILDTAGS apparmor seccomp selinux
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
-	&& (find . -name "*_ffjson.go" | xargs rm) \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
 	&& cp runc /usr/local/bin/docker-runc
 
diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
@@ -196,7 +196,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
diff --git a/Dockerfile.s390x b/Dockerfile.s390x
@@ -178,7 +178,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
diff --git a/Dockerfile.simple b/Dockerfile.simple
@@ -57,7 +57,7 @@ ENV GOPATH /go:/go/src/github.com/docker/docker/vendor
 ENV CGO_LDFLAGS -L/lib
 
 # Install runc
-ENV RUNC_COMMIT 0c1c615ebd6a15545b6a82ead01d2745ea49b242
+ENV RUNC_COMMIT 6c88a526cdd74aab90cc88018368c452c7294a06
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
@@ -536,6 +536,8 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
 				}
 			}
 		}
+		s.Linux.ReadonlyPaths = nil
+		s.Linux.MaskedPaths = nil
 	}
 
 	// TODO: until a kernel/mount solution exists for handling remount in a user namespace,
@@ -660,10 +662,10 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e
 
 	if apparmor.IsEnabled() {
 		appArmorProfile := "docker-default"
-		if c.HostConfig.Privileged {
-			appArmorProfile = "unconfined"
-		} else if len(c.AppArmorProfile) > 0 {
+		if len(c.AppArmorProfile) > 0 {
 			appArmorProfile = c.AppArmorProfile
+		} else if c.HostConfig.Privileged {
+			appArmorProfile = "unconfined"
 		}
 		s.Process.ApparmorProfile = appArmorProfile
 	}
diff --git a/hack/vendor.sh b/hack/vendor.sh
@@ -60,7 +60,7 @@ clone git github.com/docker/go v1.5.1-1-1-gbaf439e
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 
 clone git github.com/opencontainers/runc 2441732d6fcc0fb0a542671a4372e0c7bc99c19e # libcontainer
-clone git github.com/opencontainers/specs 3ce138b1934bf227a418e241ead496c383eaba1c # specs
+clone git github.com/opencontainers/specs 93ca97e83ca7fb4fba6d9e30d5470f99ddc02d11 # specs
 clone git github.com/seccomp/libseccomp-golang 1b506fc7c24eec5a3693cdcbed40d9c226cfc6a1
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
 clone git github.com/coreos/go-systemd v4
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
@@ -1106,7 +1106,7 @@ func (s *DockerSuite) TestRunProcNotWritableInNonPrivilegedContainers(c *check.C
 func (s *DockerSuite) TestRunProcWritableInPrivilegedContainers(c *check.C) {
 	// Not applicable for Windows as there is no concept of --privileged
 	testRequires(c, DaemonIsLinux, NotUserNamespace)
-	if _, code := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "umount /proc/sysrq-trigger && touch /proc/sysrq-trigger"); code != 0 {
+	if _, code := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "touch /proc/sysrq-trigger"); code != 0 {
 		c.Fatalf("proc should be writable in privileged container")
 	}
 }
diff --git a/oci/defaults_linux.go b/oci/defaults_linux.go
@@ -79,6 +79,20 @@ func DefaultSpec() specs.Spec {
 	}
 
 	s.Linux = specs.Linux{
+		MaskedPaths: []string{
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+		},
+		ReadonlyPaths: []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		},
 		Namespaces: []specs.Namespace{
 			{Type: "mount"},
 			{Type: "network"},
diff --git a/vendor/src/github.com/opencontainers/specs/specs-go/config.go b/vendor/src/github.com/opencontainers/specs/specs-go/config.go
@@ -96,9 +96,10 @@ type Mount struct {
 
 // Hook specifies a command that is run at a particular event in the lifecycle of a container
 type Hook struct {
-	Path string   `json:"path"`
-	Args []string `json:"args,omitempty"`
-	Env  []string `json:"env,omitempty"`
+	Path    string   `json:"path"`
+	Args    []string `json:"args,omitempty"`
+	Env     []string `json:"env,omitempty"`
+	Timeout *int     `json:"timeout,omitempty"`
 }
 
 // Hooks for container setup and teardown
@@ -128,13 +129,17 @@ type Linux struct {
 	// If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
 	CgroupsPath *string `json:"cgroupsPath,omitempty"`
 	// Namespaces contains the namespaces that are created and/or joined by the container
-	Namespaces []Namespace `json:"namespaces"`
+	Namespaces []Namespace `json:"namespaces,omitempty"`
 	// Devices are a list of device nodes that are created for the container
-	Devices []Device `json:"devices"`
+	Devices []Device `json:"devices,omitempty"`
 	// Seccomp specifies the seccomp security settings for the container.
 	Seccomp *Seccomp `json:"seccomp,omitempty"`
 	// RootfsPropagation is the rootfs mount propagation mode for the container.
 	RootfsPropagation string `json:"rootfsPropagation,omitempty"`
+	// MaskedPaths masks over the provided paths inside the container.
+	MaskedPaths []string `json:"maskedPaths,omitempty"`
+	// ReadonlyPaths sets the provided paths as RO inside the container.
+	ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
 }
 
 // Namespace is the configuration for a Linux namespace
diff --git a/vendor/src/github.com/opencontainers/specs/specs-go/version.go b/vendor/src/github.com/opencontainers/specs/specs-go/version.go
@@ -6,12 +6,12 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 0
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 4
+	VersionMinor = 5
 	// VersionPatch is for backwards-compatible bug fixes
 	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = ""
+	VersionDev = "-dev"
 )
 
 // Version is the specification version that the package types support.

Original file line number	Diff line number	Diff line change
`@@ -536,6 +536,8 @@ func setMounts(daemon Daemon, s specs.Spec, c *container.Container, mounts []c`
`536`	`536`	`}`
`537`	`537`	`}`
`538`	`538`	`}`
	`539`	`+ s.Linux.ReadonlyPaths = nil`
	`540`	`+ s.Linux.MaskedPaths = nil`
`539`	`541`	`}`
`540`	`542`
`541`	`543`	`// TODO: until a kernel/mount solution exists for handling remount in a user namespace,`
`@@ -660,10 +662,10 @@ func (daemon Daemon) createSpec(c container.Container) (*libcontainerd.Spec, e`
`660`	`662`
`661`	`663`	`if apparmor.IsEnabled() {`
`662`	`664`	`appArmorProfile := "docker-default"`
`663`		`- if c.HostConfig.Privileged {`
`664`		`- appArmorProfile = "unconfined"`
`665`		`- } else if len(c.AppArmorProfile) > 0 {`
	`665`	`+ if len(c.AppArmorProfile) > 0 {`
`666`	`666`	`appArmorProfile = c.AppArmorProfile`
	`667`	`+ } else if c.HostConfig.Privileged {`
	`668`	`+ appArmorProfile = "unconfined"`
`667`	`669`	`}`
`668`	`670`	`s.Process.ApparmorProfile = appArmorProfile`
`669`	`671`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1106,7 +1106,7 @@ func (s DockerSuite) TestRunProcNotWritableInNonPrivilegedContainers(c check.C`
`1106`	`1106`	`func (s DockerSuite) TestRunProcWritableInPrivilegedContainers(c check.C) {`
`1107`	`1107`	`// Not applicable for Windows as there is no concept of --privileged`
`1108`	`1108`	`testRequires(c, DaemonIsLinux, NotUserNamespace)`
`1109`		`- if _, code := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "umount /proc/sysrq-trigger && touch /proc/sysrq-trigger"); code != 0 {`
	`1109`	`+ if _, code := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "touch /proc/sysrq-trigger"); code != 0 {`
`1110`	`1110`	`c.Fatalf("proc should be writable in privileged container")`
`1111`	`1111`	`}`
`1112`	`1112`	`}`