Add lxc support for restricting proc

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Michael Crosby 2014-04-10 23:27:27 +00:00
parent 60a90970bc
commit 0779a8c328
2 changed files with 29 additions and 14 deletions


@ -59,9 +59,10 @@ func init() {
} }
type driver struct { type driver struct {
root string // root path for the driver to use root string // root path for the driver to use
apparmor bool apparmor bool
sharedRoot bool sharedRoot bool
restrictionPath string
} }
func NewDriver(root string, apparmor bool) (*driver, error) { func NewDriver(root string, apparmor bool) (*driver, error) {
@ -69,10 +70,15 @@ func NewDriver(root string, apparmor bool) (*driver, error) {
if err := linkLxcStart(root); err != nil { if err := linkLxcStart(root); err != nil {
return nil, err return nil, err
} }
restrictionPath := filepath.Join(root, "empty")
if err := os.MkdirAll(restrictionPath, 0700); err != nil {
return nil, err
}
return &driver{ return &driver{
apparmor: apparmor, apparmor: apparmor,
root: root, root: root,
sharedRoot: rootIsShared(), sharedRoot: rootIsShared(),
restrictionPath: restrictionPath,
}, nil }, nil
} }
@ -403,14 +409,16 @@ func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {
if err := LxcTemplateCompiled.Execute(fo, struct { if err := LxcTemplateCompiled.Execute(fo, struct {
*execdriver.Command *execdriver.Command
AppArmor bool AppArmor bool
ProcessLabel string ProcessLabel string
MountLabel string MountLabel string
RestrictionSource string
}{ }{
Command: c, Command: c,
AppArmor: d.apparmor, AppArmor: d.apparmor,
ProcessLabel: process, ProcessLabel: process,
MountLabel: mount, MountLabel: mount,
RestrictionSource: d.restrictionPath,
}); err != nil { }); err != nil {
return "", err return "", err
} }
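Review bot: The directory created with `os.MkdirAll(restrictionPath, 0700)` in NewDriver is only guaranteed to exist, not to be empty, yet the template bind-mounts it over `/proc/sys`, `/proc/irq` and `/proc/acpi` in every non-privileged container, so anything that ends up under `<root>/empty` on the host (a pre-existing directory, a stray file) becomes visible inside the container at those paths. A cheap guard after the MkdirAll would be `if entries, err := os.ReadDir(restrictionPath); err != nil || len(entries) != 0 { return nil, fmt.Errorf("restriction directory %s must be empty", restrictionPath) }` (os.ReadDir is Go 1.16+; ioutil.ReadDir on older toolchains). The new struct field also carries no comment although the others do; I would add `restrictionPath string // empty dir bind-mounted read-only over sensitive /proc paths by the lxc template`. The bodies of NewDriver and generateLXCConfig both continue outside the hunks shown here.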


@ -109,8 +109,15 @@ lxc.mount.entry = {{$value.Source}} {{escapeFstabSpaces $ROOTFS}}/{{escapeFstabS
{{if .AppArmor}} {{if .AppArmor}}
lxc.aa_profile = unconfined lxc.aa_profile = unconfined
{{else}} {{else}}
#lxc.aa_profile = unconfined # not unconfined
{{end}} {{end}}
{{else}}
# restrict access to proc
lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/sys none bind,ro 0 0
lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/irq none bind,ro 0 0
lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/acpi none bind,ro 0 0
lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/sysrq-trigger none bind,ro 0 0
lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/kcore none bind,ro 0 0
{{end}} {{end}}
# limits # limits
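Review bot: The three new mount entries that use `{{.RestrictionSource}}` as the source write it into the fstab-style line verbatim, while every `$ROOTFS` occurrence on the same lines goes through `escapeFstabSpaces`; since RestrictionSource is derived from the driver root in the Go hunk, a root path containing a space would produce a malformed entry and the restriction would silently not apply. Each of those lines should read `lxc.mount.entry = {{escapeFstabSpaces .RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/... none bind,ro 0 0`. The `{{else}}` that opens the restriction block belongs to an `{{if}}` outside the hunk (presumably the privileged check), so the comment `# restrict access to proc` would be clearer as `# non-privileged container: mask writable/sensitive proc paths with an empty dir or /dev/null` so a reader of the template knows under which condition these entries are emitted. Whether `ro` on a single bind entry is honoured depends on the lxc version performing a remount; that is worth confirming against the minimum supported lxc.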