X Tutup
Skip to content

If caller specifies label overrides, don't override security options#30652

Merged
cpuguy83 merged 1 commit intomoby:masterfrom
rhatdan:selinux
Mar 28, 2017
Merged

If caller specifies label overrides, don't override security options#30652
cpuguy83 merged 1 commit intomoby:masterfrom
rhatdan:selinux

Conversation

@rhatdan
Copy link
Contributor

@rhatdan rhatdan commented Feb 1, 2017

If a caller specifies an SELinux type or MCS Label and still wants to
share an IPC Namespace or the host namespace, we should allow them.
Currently we are ignoring the label specification if ipcmod=container
or pidmode=host.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

@rhatdan rhatdan mentioned this pull request Feb 3, 2017
Closed
mrunalp
mrunalp reviewed Feb 3, 2017
View reviewed changes
daemon/create.go Outdated
Copy link
Contributor

@mrunalp mrunalp Feb 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Remove empty line here.

Copy link
Contributor Author

@rhatdan rhatdan Feb 4, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

vdemeester
vdemeester reviewed Feb 7, 2017
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/cc @justincormack @runcom @cpuguy83

@runcom
Copy link
Member

runcom commented Feb 15, 2017

LGTM ping @cpuguy83 @mrunalp

@cpuguy83
Copy link
Member

cpuguy83 commented Feb 22, 2017

Not sure I feel comfortable reviewing this change...

@justincormack ?

@mdshuai mdshuai mentioned this pull request Feb 24, 2017
Closed
@thaJeztah
Copy link
Member

thaJeztah commented Feb 28, 2017

ping @justincormack PTAL

@rhatdan
If caller specifies label overrides, don't override security options
881e20e 
If a caller specifies an SELinux type or MCS Label and still wants to
share an IPC Namespace or the host namespace, we should allow them.
Currently we are ignoring the label specification if ipcmod=container
or pidmode=host.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@rhatdan
Copy link
Contributor Author

rhatdan commented Mar 17, 2017

Any chance we can get people to look at this? This is a serious problem with kubernetes use of docker.

@cpuguy83
Copy link
Member

cpuguy83 commented Mar 17, 2017

Is this function really more of a getSelinuxLabel? If so, LGTM.
generateSecurityOpt is throwing me off because --security-opt is used for a lot more.

@rhatdan
Copy link
Contributor Author

rhatdan commented Mar 17, 2017

I think we could rename it to generateSELinuxLabel, or duplicateSELinuxLabel.
The idea is that docker generates SELinux labels on the fly for container separation, but if the container is joining an existing containers IPC Namespace you want to use the same label as you are joining, if you are using the pid host namespace, then you will need to run with no labels, since SELinux isolation will break stuff.

BUT if the caller has specified an SELinux Label to use, docker should just use the label, figuring the caller knows what it wants.

This is important for POD situations, where you could potentially want to containers sharing content but running with different SELinux labels.

Imaging you have a daemon container, but you another container to the pod that you want to have limited access, it can not use the network, or it can look at the process but not examine any content. Bottom line it gives better flexibility to the caller of the docker-engine to specify the labels that it wants.

@rhatdan
Copy link
Contributor Author

rhatdan commented Mar 28, 2017

What do you guys want me to do with this? Change the function names or allow it to go in as is?

vdemeester
vdemeester approved these changes Mar 28, 2017
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🐯
I guess we can go as is.

@cpuguy83 cpuguy83 merged commit b6cb416 into moby:master Mar 28, 2017
@GordonTheTurtle GordonTheTurtle added this to the 17.05.0 milestone Mar 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpuguy83 cpuguy83 cpuguy83 approved these changes

@justincormack justincormack Awaiting requested review from justincormack

+2 more reviewers

@mrunalp mrunalp mrunalp left review comments

@vdemeester vdemeester vdemeester approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@thaJeztah thaJeztah

Labels

impact/changelog status/2-code-review

Projects

None yet

Milestone

17.05.0

Development

Successfully merging this pull request may close these issues.

8 participants

@rhatdan @runcom @cpuguy83 @thaJeztah @vdemeester @mrunalp @LK4D4 @GordonTheTurtle
X Tutup