Add lxc support for restricting proc

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-10 23:27:27 +00:00 · 2014-04-10 23:27:27 +00:00 · 0779a8c328
parent 60a90970bc
commit 0779a8c328
2 changed files with 29 additions and 14 deletions
--- a/daemon/execdriver/lxc/driver.go
+++ b/daemon/execdriver/lxc/driver.go
@ -59,9 +59,10 @@ func init() {
 }

 type driver struct {
-	root       string // root path for the driver to use
-	apparmor   bool
-	sharedRoot bool
+	root            string // root path for the driver to use
+	apparmor        bool
+	sharedRoot      bool
+	restrictionPath string
 }

 func NewDriver(root string, apparmor bool) (*driver, error) {
@ -69,10 +70,15 @@ func NewDriver(root string, apparmor bool) (*driver, error) {
 	if err := linkLxcStart(root); err != nil {
 		return nil, err
 	}
+	restrictionPath := filepath.Join(root, "empty")
+	if err := os.MkdirAll(restrictionPath, 0700); err != nil {
+		return nil, err
+	}
 	return &driver{
-		apparmor:   apparmor,
-		root:       root,
-		sharedRoot: rootIsShared(),
+		apparmor:        apparmor,
+		root:            root,
+		sharedRoot:      rootIsShared(),
+		restrictionPath: restrictionPath,
 	}, nil
 }

@ -403,14 +409,16 @@ func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {

 	if err := LxcTemplateCompiled.Execute(fo, struct {
 		*execdriver.Command
-		AppArmor     bool
-		ProcessLabel string
-		MountLabel   string
+		AppArmor          bool
+		ProcessLabel      string
+		MountLabel        string
+		RestrictionSource string
 	}{
-		Command:      c,
-		AppArmor:     d.apparmor,
-		ProcessLabel: process,
-		MountLabel:   mount,
+		Command:           c,
+		AppArmor:          d.apparmor,
+		ProcessLabel:      process,
+		MountLabel:        mount,
+		RestrictionSource: d.restrictionPath,
 	}); err != nil {
 		return "", err
 	}
--- a/daemon/execdriver/lxc/lxc_template.go
+++ b/daemon/execdriver/lxc/lxc_template.go
@ -109,8 +109,15 @@ lxc.mount.entry = {{$value.Source}} {{escapeFstabSpaces $ROOTFS}}/{{escapeFstabS
 {{if .AppArmor}}
 lxc.aa_profile = unconfined
 {{else}}
-#lxc.aa_profile = unconfined
+# not unconfined
 {{end}}
+{{else}}
+# restrict access to proc
+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/sys none bind,ro 0 0
+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/irq none bind,ro 0 0
+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/acpi none bind,ro 0 0
+lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/sysrq-trigger none bind,ro 0 0
+lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/kcore none bind,ro 0 0
 {{end}}

 # limits