Merge pull request #41948 from AkihiroSuda/cherrypick-41892-1903
[19.03 backport] pkg/archive: allow mknodding FIFO inside userns
diff --git a/builder/builder-next/adapters/containerimage/pull.go b/builder/builder-next/adapters/containerimage/pull.go
index 729ef52..9d6e07e 100644
--- a/builder/builder-next/adapters/containerimage/pull.go
+++ b/builder/builder-next/adapters/containerimage/pull.go
@@ -526,6 +526,9 @@
layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
for i, desc := range mfst.Layers {
+ if err := desc.Digest.Validate(); err != nil {
+ return nil, errors.Wrap(err, "layer digest could not be validated")
+ }
ongoing.add(desc)
layers = append(layers, &layerDescriptor{
desc: desc,
diff --git a/builder/builder-next/builder.go b/builder/builder-next/builder.go
index 10c0083..f334a39 100644
--- a/builder/builder-next/builder.go
+++ b/builder/builder-next/builder.go
@@ -76,6 +76,7 @@
Rootless bool
IdentityMapping *idtools.IdentityMapping
DNSConfig config.DNSConfig
+ ApparmorProfile string
}
// Builder can build using BuildKit backend
diff --git a/builder/builder-next/controller.go b/builder/builder-next/controller.go
index 33d3f54..d5fa7f6 100644
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@@ -116,7 +116,7 @@
dns := getDNSConfig(opt.DNSConfig)
- exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping)
+ exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping, opt.ApparmorProfile)
if err != nil {
return nil, err
}
diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
index d684b9f..d04334a 100644
--- a/builder/builder-next/executor_unix.go
+++ b/builder/builder-next/executor_unix.go
@@ -24,7 +24,7 @@
const networkName = "bridge"
-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping) (executor.Executor, error) {
+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping, apparmorProfile string) (executor.Executor, error) {
networkProviders := map[pb.NetMode]network.Provider{
pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},
pb.NetMode_HOST: network.NewHostProvider(),
@@ -38,6 +38,7 @@
NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
IdentityMapping: idmap,
DNS: dnsConfig,
+ ApparmorProfile: apparmorProfile,
}, networkProviders)
}
diff --git a/builder/builder-next/executor_windows.go b/builder/builder-next/executor_windows.go
index 6de6d52..4d80baf 100644
--- a/builder/builder-next/executor_windows.go
+++ b/builder/builder-next/executor_windows.go
@@ -13,7 +13,7 @@
"github.com/moby/buildkit/executor/oci"
)
-func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping) (executor.Executor, error) {
+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping, _ string) (executor.Executor, error) {
return &winExecutor{}, nil
}
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
index b26e071..c3942f2 100644
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -314,6 +314,7 @@
Rootless: d.Rootless(),
IdentityMapping: d.IdentityMapping(),
DNSConfig: config.DNSConfig,
+ ApparmorProfile: daemon.DefaultApparmorProfile(),
})
if err != nil {
return opts, err
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 461f5c7..78511ea 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -14,6 +14,14 @@
defaultApparmorProfile = "docker-default"
)
+// DefaultApparmorProfile returns the name of the default apparmor profile
+func DefaultApparmorProfile() string {
+ if apparmor.IsEnabled() {
+ return defaultApparmorProfile
+ }
+ return ""
+}
+
func ensureDefaultAppArmorProfile() error {
if apparmor.IsEnabled() {
loaded, err := aaprofile.IsLoaded(defaultApparmorProfile)
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index 51f9c52..dd581dc 100644
--- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go
@@ -5,3 +5,8 @@
func ensureDefaultAppArmorProfile() error {
return nil
}
+
+// DefaultApparmorProfile returns an empty string.
+func DefaultApparmorProfile() string {
+ return ""
+}
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 3fcdc19..ad8cb4c 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -411,5 +411,5 @@
if err != nil {
return err
}
- return idtools.MkdirAllAndChown(p, 0700, daemon.idMapping.RootPair())
+ return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity())
}
diff --git a/daemon/create.go b/daemon/create.go
index f9db0ca..9f8590b 100644
--- a/daemon/create.go
+++ b/daemon/create.go
@@ -194,12 +194,10 @@
}
container.RWLayer = rwLayer
- rootIDs := daemon.idMapping.RootPair()
-
- if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAndChown(container.Root, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
- if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil {
return nil, err
}
diff --git a/daemon/daemon.go b/daemon/daemon.go
index acc619a..e75cee6 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -748,7 +748,7 @@
}
// set up the tmpDir to use a canonical path
- tmp, err := prepareTempDir(config.Root, rootIDs)
+ tmp, err := prepareTempDir(config.Root)
if err != nil {
return nil, fmt.Errorf("Unable to get the TempDir under %s: %s", config.Root, err)
}
@@ -813,7 +813,7 @@
}
daemonRepo := filepath.Join(config.Root, "containers")
- if err := idtools.MkdirAllAndChown(daemonRepo, 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
@@ -1289,7 +1289,7 @@
// prepareTempDir prepares and returns the default directory to use
// for temporary files.
// If it doesn't exist, it is created. If it exists, its content is removed.
-func prepareTempDir(rootDir string, rootIdentity idtools.Identity) (string, error) {
+func prepareTempDir(rootDir string) (string, error) {
var tmpDir string
if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {
tmpDir = filepath.Join(rootDir, "tmp")
@@ -1307,9 +1307,7 @@
}
}
}
- // We don't remove the content of tmpdir if it's not the default,
- // it may hold things that do not belong to us.
- return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, rootIdentity)
+ return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, idtools.CurrentIdentity())
}
func (daemon *Daemon) setGenericResources(conf *config.Config) error {
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index a14f029..44dd67a 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -1206,7 +1206,7 @@
return &idtools.IdentityMapping{}, nil
}
-func setupDaemonRoot(config *config.Config, rootDir string, rootIdentity idtools.Identity) error {
+func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools.Identity) error {
config.Root = rootDir
// the docker root metadata directory needs to have execute permissions for all users (g+x,o+x)
// so that syscalls executing as non-root, operating on subdirectories of the graph root
@@ -1231,10 +1231,16 @@
// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
// `chdir()` to work for containers namespaced to that uid/gid)
if config.RemappedRoot != "" {
- config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", rootIdentity.UID, rootIdentity.GID))
+ id := idtools.CurrentIdentity()
+ // First make sure the current root dir has the correct perms.
+ if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
+ return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
+ }
+
+ config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
// Create the root directory if it doesn't exist
- if err := idtools.MkdirAllAndChown(config.Root, 0700, rootIdentity); err != nil {
+ if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
}
// we also need to verify that any pre-existing directories in the path to
@@ -1247,7 +1253,7 @@
if dirPath == "/" {
break
}
- if !idtools.CanAccess(dirPath, rootIdentity) {
+ if !idtools.CanAccess(dirPath, remappedRoot) {
return fmt.Errorf("a subdirectory in your graphroot path (%s) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories", config.Root)
}
}
diff --git a/daemon/graphdriver/aufs/aufs.go b/daemon/graphdriver/aufs/aufs.go
index bbd19a8..086e75b 100644
--- a/daemon/graphdriver/aufs/aufs.go
+++ b/daemon/graphdriver/aufs/aufs.go
@@ -130,18 +130,15 @@
locker: locker.New(),
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
+ currentID := idtools.CurrentIdentity()
// Create the root aufs driver dir
- if err := idtools.MkdirAllAndChown(root, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil {
return nil, err
}
// Populate the dir structure
for _, p := range paths {
- if err := idtools.MkdirAllAndChown(path.Join(root, p), 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil {
return nil, err
}
}
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
index fcaedc6..b1b2879 100644
--- a/daemon/graphdriver/btrfs/btrfs.go
+++ b/daemon/graphdriver/btrfs/btrfs.go
@@ -70,11 +70,7 @@
return nil, graphdriver.ErrPrerequisites
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
- if err := idtools.MkdirAllAndChown(home, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
@@ -525,7 +521,7 @@
if err != nil {
return err
}
- if err := idtools.MkdirAllAndChown(subvolumes, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil {
return err
}
if parent == "" {
@@ -560,7 +556,7 @@
if err := d.setStorageSize(path.Join(subvolumes, id), driver); err != nil {
return err
}
- if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.CurrentIdentity()); err != nil {
return err
}
if err := ioutil.WriteFile(path.Join(quotas, id), []byte(fmt.Sprint(driver.options.size)), 0644); err != nil {
diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
index e837a59..3edffd2 100644
--- a/daemon/graphdriver/overlay/overlay.go
+++ b/daemon/graphdriver/overlay/overlay.go
@@ -156,12 +156,8 @@
logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
// Create the driver home dir
- if err := idtools.MkdirAllAndChown(home, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
@@ -265,10 +261,11 @@
}
root := idtools.Identity{UID: rootUID, GID: rootGID}
- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil {
+ currentID := idtools.CurrentIdentity()
+ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil {
return err
}
- if err := idtools.MkdirAndChown(dir, 0700, root); err != nil {
+ if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil {
return err
}
@@ -281,6 +278,7 @@
// Toplevel images are just a "root" dir
if parent == "" {
+ // This must be 0755 otherwise unprivileged users will in the container will not be able to read / in the container
return idtools.MkdirAndChown(path.Join(dir, "root"), 0755, root)
}
@@ -301,7 +299,7 @@
if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil {
return err
}
- return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0666)
+ return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0600)
}
// Otherwise, copy the upper and the lower-id from the parent
@@ -311,7 +309,7 @@
return err
}
- if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0666); err != nil {
+ if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0600); err != nil {
return err
}
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
index 7b2475e..1db8ac4 100644
--- a/daemon/graphdriver/overlay2/overlay.go
+++ b/daemon/graphdriver/overlay2/overlay.go
@@ -165,12 +165,7 @@
logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
- // Create the driver home dir
- if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
@@ -339,11 +334,12 @@
return err
}
root := idtools.Identity{UID: rootUID, GID: rootGID}
+ current := idtools.CurrentIdentity()
- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil {
+ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil {
return err
}
- if err := idtools.MkdirAndChown(dir, 0700, root); err != nil {
+ if err := idtools.MkdirAndChown(dir, 0701, current); err != nil {
return err
}
diff --git a/daemon/graphdriver/vfs/driver.go b/daemon/graphdriver/vfs/driver.go
index d7f14ec..3134c66 100644
--- a/daemon/graphdriver/vfs/driver.go
+++ b/daemon/graphdriver/vfs/driver.go
@@ -38,8 +38,7 @@
return nil, err
}
- rootIDs := d.idMapping.RootPair()
- if err := idtools.MkdirAllAndChown(home, 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
@@ -141,7 +140,7 @@
func (d *Driver) create(id, parent string, size uint64) error {
dir := d.dir(id)
rootIDs := d.idMapping.RootPair()
- if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil {
return err
}
if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
diff --git a/daemon/graphdriver/zfs/zfs.go b/daemon/graphdriver/zfs/zfs.go
index c83446c..b887b09 100644
--- a/daemon/graphdriver/zfs/zfs.go
+++ b/daemon/graphdriver/zfs/zfs.go
@@ -103,11 +103,7 @@
return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, fmt.Errorf("Failed to get root uid/guid: %v", err)
- }
- if err := idtools.MkdirAllAndChown(base, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil {
return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
}
diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index 3307458..cb47264 100644
--- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go
@@ -477,6 +477,9 @@
// to top-most, so that the downloads slice gets ordered correctly.
for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
blobSum := verifiedManifest.FSLayers[i].BlobSum
+ if err = blobSum.Validate(); err != nil {
+ return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
+ }
var throwAway struct {
ThrowAway bool `json:"throwaway,omitempty"`
@@ -575,6 +578,9 @@
// Note that the order of this loop is in the direction of bottom-most
// to top-most, so that the downloads slice gets ordered correctly.
for _, d := range layers {
+ if err := d.Digest.Validate(); err != nil {
+ return "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest)
+ }
layerDescriptor := &v2LayerDescriptor{
digest: d.Digest,
repo: p.repo,
diff --git a/pkg/idtools/idtools.go b/pkg/idtools/idtools.go
index b3af7a4..bb147b7 100644
--- a/pkg/idtools/idtools.go
+++ b/pkg/idtools/idtools.go
@@ -35,13 +35,13 @@
// MkdirAllAndChown creates a directory (include any along the path) and then modifies
// ownership to the requested uid/gid. If the directory already exists, this
-// function will still change ownership to the requested uid/gid pair.
+// function will still change ownership and permissions.
func MkdirAllAndChown(path string, mode os.FileMode, owner Identity) error {
return mkdirAs(path, mode, owner, true, true)
}
// MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
-// If the directory already exists, this function still changes ownership.
+// If the directory already exists, this function still changes ownership and permissions.
// Note that unlike os.Mkdir(), this function does not return IsExist error
// in case path already exists.
func MkdirAndChown(path string, mode os.FileMode, owner Identity) error {
@@ -50,7 +50,7 @@
// MkdirAllAndChownNew creates a directory (include any along the path) and then modifies
// ownership ONLY of newly created directories to the requested uid/gid. If the
-// directories along the path exist, no change of ownership will be performed
+// directories along the path exist, no change of ownership or permissions will be performed
func MkdirAllAndChownNew(path string, mode os.FileMode, owner Identity) error {
return mkdirAs(path, mode, owner, true, false)
}
@@ -262,3 +262,8 @@
}
return rangeList, nil
}
+
+// CurrentIdentity returns the identity of the current process
+func CurrentIdentity() Identity {
+ return Identity{UID: os.Getuid(), GID: os.Getegid()}
+}
diff --git a/pkg/idtools/idtools_unix.go b/pkg/idtools/idtools_unix.go
index fb23974..329d5d0 100644
--- a/pkg/idtools/idtools_unix.go
+++ b/pkg/idtools/idtools_unix.go
@@ -39,7 +39,7 @@
}
// short-circuit--we were called with an existing directory and chown was requested
- return lazyChown(path, owner.UID, owner.GID, stat)
+ return setPermissions(path, mode, owner.UID, owner.GID, stat)
}
if os.IsNotExist(err) {
@@ -70,7 +70,7 @@
// even if it existed, we will chown the requested path + any subpaths that
// didn't exist when we called MkdirAll
for _, pathComponent := range paths {
- if err := lazyChown(pathComponent, owner.UID, owner.GID, nil); err != nil {
+ if err := setPermissions(pathComponent, mode, owner.UID, owner.GID, nil); err != nil {
return err
}
}
@@ -213,10 +213,11 @@
return bytes.NewReader(out), nil
}
-// lazyChown performs a chown only if the uid/gid don't match what's requested
+// setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
// dir is on an NFS share, so don't call chown unless we absolutely must.
-func lazyChown(p string, uid, gid int, stat *system.StatT) error {
+// Likewise for setting permissions.
+func setPermissions(p string, mode os.FileMode, uid, gid int, stat *system.StatT) error {
if stat == nil {
var err error
stat, err = system.Stat(p)
@@ -224,6 +225,11 @@
return err
}
}
+ if os.FileMode(stat.Mode()).Perm() != mode.Perm() {
+ if err := os.Chmod(p, mode.Perm()); err != nil {
+ return err
+ }
+ }
if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) {
return nil
}
diff --git a/vendor.conf b/vendor.conf
index bfdcc17..fc5885a 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -26,7 +26,7 @@
golang.org/x/sync e225da77a7e68af35c70ccbf71af2b83e6acac3c
# buildkit
-github.com/moby/buildkit df89d4dcf73ce414cd76837bfb0e9a0cc0ef3386 # v0.6.4-32-gdf89d4dc
+github.com/moby/buildkit 396bfe20b590914cd77945ef0d70d976a0ed093c # docker-19.03 branch
github.com/tonistiigi/fsutil 6c909ab392c173a4264ae1bfcbc0450b9aac0c7d
github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go b/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go
index 5fe8d09..95abc47 100644
--- a/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go
+++ b/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go
@@ -22,6 +22,8 @@
"github.com/moby/buildkit/util/network"
"github.com/moby/buildkit/util/system"
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
)
@@ -29,7 +31,7 @@
// GenerateSpec generates spec using containerd functionality.
// opts are ignored for s.Process, s.Hostname, and s.Mounts .
-func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, processMode ProcessMode, idmap *idtools.IdentityMapping, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
+func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, processMode ProcessMode, idmap *idtools.IdentityMapping, apparmorProfile string, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
c := &containers.Container{
ID: id,
}
@@ -37,10 +39,11 @@
if !ok {
ctx = namespaces.WithNamespace(ctx, "buildkit")
}
- if meta.SecurityMode == pb.SecurityMode_INSECURE {
- opts = append(opts, entitlements.WithInsecureSpec())
- } else if system.SeccompSupported() && meta.SecurityMode == pb.SecurityMode_SANDBOX {
- opts = append(opts, seccomp.WithDefaultProfile())
+
+ if securityOpts, err := generateSecurityOpts(meta.SecurityMode, apparmorProfile); err == nil {
+ opts = append(opts, securityOpts...)
+ } else {
+ return nil, nil, err
}
switch processMode {
@@ -125,6 +128,9 @@
for _, f := range releasers {
f()
}
+ if s.Process.SelinuxLabel != "" {
+ selinux.ReleaseLabel(s.Process.SelinuxLabel)
+ }
}
for _, m := range mounts {
@@ -165,6 +171,37 @@
unmount func() error
}
+// generateSecurityOpts may affect mounts, so must be called after generateMountOpts
+func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string) (opts []oci.SpecOpts, _ error) {
+ switch mode {
+ case pb.SecurityMode_INSECURE:
+ return []oci.SpecOpts{
+ entitlements.WithInsecureSpec(),
+ oci.WithWriteableCgroupfs,
+ oci.WithWriteableSysfs,
+ func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+ var err error
+ s.Process.SelinuxLabel, s.Linux.MountLabel, err = label.InitLabels([]string{"disable"})
+ return err
+ },
+ }, nil
+ case pb.SecurityMode_SANDBOX:
+ if system.SeccompSupported() {
+ opts = append(opts, seccomp.WithDefaultProfile())
+ }
+ if apparmorProfile != "" {
+ opts = append(opts, oci.WithApparmorProfile(apparmorProfile))
+ }
+ opts = append(opts, func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+ var err error
+ s.Process.SelinuxLabel, s.Linux.MountLabel, err = label.InitLabels(nil)
+ return err
+ })
+ return opts, nil
+ }
+ return nil, nil
+}
+
type submounts struct {
m map[uint64]mountRef
}
diff --git a/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go b/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
index 26e432e..885c10c 100644
--- a/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
+++ b/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
@@ -39,9 +39,10 @@
ProcessMode oci.ProcessMode
IdentityMapping *idtools.IdentityMapping
// runc run --no-pivot (unrecommended)
- NoPivot bool
- DNS *oci.DNSConfig
- OOMScoreAdj *int
+ NoPivot bool
+ DNS *oci.DNSConfig
+ OOMScoreAdj *int
+ ApparmorProfile string
}
var defaultCommandCandidates = []string{"buildkit-runc", "runc"}
@@ -58,6 +59,7 @@
noPivot bool
dns *oci.DNSConfig
oomScoreAdj *int
+ apparmorProfile string
}
func New(opt Opt, networkProviders map[pb.NetMode]network.Provider) (executor.Executor, error) {
@@ -118,6 +120,7 @@
noPivot: opt.NoPivot,
dns: opt.DNS,
oomScoreAdj: opt.OOMScoreAdj,
+ apparmorProfile: opt.ApparmorProfile,
}
return w, nil
}
@@ -223,7 +226,7 @@
}
opts = append(opts, containerdoci.WithCgroup(cgroupsPath))
}
- spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, w.processMode, w.idmap, opts...)
+ spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, w.processMode, w.idmap, w.apparmorProfile, opts...)
if err != nil {
return err
}
diff --git a/vendor/github.com/moby/buildkit/go.mod b/vendor/github.com/moby/buildkit/go.mod
index cf1c7d6..389e752 100644
--- a/vendor/github.com/moby/buildkit/go.mod
+++ b/vendor/github.com/moby/buildkit/go.mod
@@ -46,6 +46,7 @@
github.com/opencontainers/image-spec v1.0.1
github.com/opencontainers/runc v1.0.0-rc8
github.com/opencontainers/runtime-spec v0.0.0-20180909173843-eba862dc2470
+ github.com/opencontainers/selinux v1.0.0-rc1.0.20180628160156-b6fa367ed7f5
github.com/opentracing-contrib/go-stdlib v0.0.0-20171029140428-b1a47cfbdd75
github.com/opentracing/opentracing-go v0.0.0-20171003133519-1361b9cd60be
github.com/pkg/errors v0.8.1
diff --git a/volume/local/local.go b/volume/local/local.go
index 6dc8948..aeb98ab 100644
--- a/volume/local/local.go
+++ b/volume/local/local.go
@@ -49,7 +49,7 @@
func New(scope string, rootIdentity idtools.Identity) (*Root, error) {
rootDirectory := filepath.Join(scope, volumesPathName)
- if err := idtools.MkdirAllAndChown(rootDirectory, 0700, rootIdentity); err != nil {
+ if err := idtools.MkdirAllAndChown(rootDirectory, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
@@ -146,8 +146,15 @@
}
path := r.DataPath(name)
+ volRoot := filepath.Dir(path)
+ // Root dir does not need to be accessed by the remapped root
+ if err := idtools.MkdirAllAndChown(volRoot, 0701, idtools.CurrentIdentity()); err != nil {
+ return nil, errors.Wrapf(errdefs.System(err), "error while creating volume root path '%s'", volRoot)
+ }
+
+ // Remapped root does need access to the data path
if err := idtools.MkdirAllAndChown(path, 0755, r.rootIdentity); err != nil {
- return nil, errors.Wrapf(errdefs.System(err), "error while creating volume path '%s'", path)
+ return nil, errors.Wrapf(errdefs.System(err), "error while creating volume data path '%s'", path)
}
var err error