Add lxc support for restricting proc
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
parent
60a90970bc
commit
0779a8c328
|
@ -59,9 +59,10 @@ func init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
type driver struct {
|
type driver struct {
|
||||||
root string // root path for the driver to use
|
root string // root path for the driver to use
|
||||||
apparmor bool
|
apparmor bool
|
||||||
sharedRoot bool
|
sharedRoot bool
|
||||||
|
restrictionPath string
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewDriver(root string, apparmor bool) (*driver, error) {
|
func NewDriver(root string, apparmor bool) (*driver, error) {
|
||||||
|
@ -69,10 +70,15 @@ func NewDriver(root string, apparmor bool) (*driver, error) {
|
||||||
if err := linkLxcStart(root); err != nil {
|
if err := linkLxcStart(root); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
restrictionPath := filepath.Join(root, "empty")
|
||||||
|
if err := os.MkdirAll(restrictionPath, 0700); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
return &driver{
|
return &driver{
|
||||||
apparmor: apparmor,
|
apparmor: apparmor,
|
||||||
root: root,
|
root: root,
|
||||||
sharedRoot: rootIsShared(),
|
sharedRoot: rootIsShared(),
|
||||||
|
restrictionPath: restrictionPath,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -403,14 +409,16 @@ func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {
|
||||||
|
|
||||||
if err := LxcTemplateCompiled.Execute(fo, struct {
|
if err := LxcTemplateCompiled.Execute(fo, struct {
|
||||||
*execdriver.Command
|
*execdriver.Command
|
||||||
AppArmor bool
|
AppArmor bool
|
||||||
ProcessLabel string
|
ProcessLabel string
|
||||||
MountLabel string
|
MountLabel string
|
||||||
|
RestrictionSource string
|
||||||
}{
|
}{
|
||||||
Command: c,
|
Command: c,
|
||||||
AppArmor: d.apparmor,
|
AppArmor: d.apparmor,
|
||||||
ProcessLabel: process,
|
ProcessLabel: process,
|
||||||
MountLabel: mount,
|
MountLabel: mount,
|
||||||
|
RestrictionSource: d.restrictionPath,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
|
|
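Review bot: Nothing after the `os.MkdirAll(restrictionPath, 0700)` in the second hunk checks that the directory is actually empty, yet the template bind-mounts it read-only over `/proc/sys`, `/proc/irq` and `/proc/acpi` of every non-privileged container, so whatever ends up under `<root>/empty` (a pre-existing populated directory, a later stray write by root) becomes visible inside those containers. A guard after the MkdirAll that rejects a non-empty directory at driver start closes that gap cheaply, and the mkdir error should carry the path instead of being returned bare. The invariant also belongs on the new `restrictionPath` field, e.g. `// restrictionPath is an empty, daemon-owned directory bind-mounted read-only over sensitive /proc subtrees; it must stay empty`. NewDriver's lines between the first and second hunk are not shown; the fence below assumes `fmt` and `io/ioutil` are importable in this file.
```go
restrictionPath := filepath.Join(root, "empty")
if err := os.MkdirAll(restrictionPath, 0700); err != nil {
	return nil, fmt.Errorf("creating restriction path %s: %v", restrictionPath, err)
}
// refuse to start with a populated directory: its contents would be exposed
// at /proc/sys, /proc/irq and /proc/acpi of every non-privileged container
entries, err := ioutil.ReadDir(restrictionPath)
if err != nil {
	return nil, err
}
if len(entries) != 0 {
	return nil, fmt.Errorf("restriction path %s must be empty", restrictionPath)
}
// … unchanged: return &driver{…}, nil …
```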
@ -109,8 +109,15 @@ lxc.mount.entry = {{$value.Source}} {{escapeFstabSpaces $ROOTFS}}/{{escapeFstabS
|
||||||
{{if .AppArmor}}
|
{{if .AppArmor}}
|
||||||
lxc.aa_profile = unconfined
|
lxc.aa_profile = unconfined
|
||||||
{{else}}
|
{{else}}
|
||||||
#lxc.aa_profile = unconfined
|
# not unconfined
|
||||||
{{end}}
|
{{end}}
|
||||||
|
{{else}}
|
||||||
|
# restrict access to proc
|
||||||
|
lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/sys none bind,ro 0 0
|
||||||
|
lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/irq none bind,ro 0 0
|
||||||
|
lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/acpi none bind,ro 0 0
|
||||||
|
lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/sysrq-trigger none bind,ro 0 0
|
||||||
|
lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/kcore none bind,ro 0 0
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
# limits
|
# limits
|
||||||
|
|
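Review bot: The three new `lxc.mount.entry` lines interpolate `{{.RestrictionSource}}` raw while the target path on the same line goes through `escapeFstabSpaces`; the value is derived from the daemon root, so a root containing whitespace yields a malformed whitespace-separated entry and the proc restriction would be misparsed or silently not applied. Use `{{escapeFstabSpaces .RestrictionSource}}` on each of the `/proc/sys`, `/proc/irq` and `/proc/acpi` lines. The `{{else}}` that opens the new branch closes an `{{if}}` that starts above the hunk (presumably the privileged check), so the restriction applies only on the non-privileged path; stating that in the `# restrict access to proc` comment would save the next reader the lookup. Whether `bind,ro` actually produces a read-only mount depends on the lxc version remounting after the bind, which is worth confirming for the versions this driver supports.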