Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privileged containers running under Docker cannot write to their rootfs #1011

Closed
bcressey opened this issue Aug 6, 2020 · 1 comment · Fixed by #1013
Closed

privileged containers running under Docker cannot write to their rootfs #1011

bcressey opened this issue Aug 6, 2020 · 1 comment · Fixed by #1013

Comments

@bcressey
Copy link
Contributor

bcressey commented Aug 6, 2020

Image I'm using:
aws-dev

What I expected to happen:
Running a privileged container under docker should add the "context=" option so that the rootfs is writable.

What actually happened:
The context option not added and an AVC denial is logged when attempting to write to the rootfs.

How to reproduce the problem:

$ docker run -it --privileged amazonlinux:2 bash
$ touch test
touch: cannot touch 'test': Permission denied
@samuelkarp
Copy link
Contributor

When a container is --privileged, Docker injects the equivalent of --security-opt label:disable. This has the effect of short-circuiting the logic for finding the appropriate mount label, causing the rootfs to be mounted without the appropriate label.

We can add a patch removing the injection of --security-opt label:disable (and thus making --privileged containers have both process labeling and mount labeling) or add a patch that ensures we have a default mount label regardless of whether label:disable is used. My inclination is toward the first patch; customers who want fully-privileged containers on Bottlerocket can add label:type:super_t or who want to disable all labeling can add label:disable.

@samuelkarp samuelkarp mentioned this issue Aug 7, 2020
Merged
samuelkarp added a commit to samuelkarp/bottlerocket that referenced this issue Aug 8, 2020
@samuelkarp
docker: privileged containers should have SELinux
c0c9775 
By default, Docker injects the equivalent of --security-opt
label:disable for containers launched with the --privileged option with
the intent of providing as much privilege as possible.  This option
disables both process and mount labeling for the container.
Unfortunately, disabling labeling does not provide additional privileges
when Bottlerocket's SELinux policy is enforced but instead reduces
privileges.  This change removes the injection of the label:disable
option so privileged containers receive the same default labels as
non-privileged containers.

To launch a container with all SELinux labeling disabled, the explicit
--security-opt label:disable can still be used.
To launch a container with a label that provides additional privileges,
--security-opt label:type:super_t can be used.

Fixes: bottlerocket-os#1011
@bcressey bcressey mentioned this issue Feb 10, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docker: privileged containers should have SELinux samuelkarp/bottlerocket
2 participants
@bcressey @samuelkarp