From c0c9775e00b02f8f3d68460d0ac97ed0c639bfbd Mon Sep 17 00:00:00 2001 From: Samuel Karp Date: Thu, 6 Aug 2020 16:47:53 -0700 Subject: [PATCH] docker: privileged containers should have SELinux By default, Docker injects the equivalent of --security-opt label:disable for containers launched with the --privileged option with the intent of providing as much privilege as possible. This option disables both process and mount labeling for the container. Unfortunately, disabling labeling does not provide additional privileges when Bottlerocket's SELinux policy is enforced but instead reduces privileges. This change removes the injection of the label:disable option so privileged containers receive the same default labels as non-privileged containers. To launch a container with all SELinux labeling disabled, the explicit --security-opt label:disable can still be used. To launch a container with a label that provides additional privileges, --security-opt label:type:super_t can be used. Fixes: https://github.com/bottlerocket-os/bottlerocket/issues/1011 --- ...privileged-shouldn-t-disable-SELinux.patch | 59 +++++++++++++++++++ packages/docker-engine/docker-engine.spec | 4 ++ 2 files changed, 63 insertions(+) create mode 100644 packages/docker-engine/0001-bottlerocket-privileged-shouldn-t-disable-SELinux.patch diff --git a/packages/docker-engine/0001-bottlerocket-privileged-shouldn-t-disable-SELinux.patch b/packages/docker-engine/0001-bottlerocket-privileged-shouldn-t-disable-SELinux.patch new file mode 100644 index 00000000000..fb2528909c2 --- /dev/null +++ b/packages/docker-engine/0001-bottlerocket-privileged-shouldn-t-disable-SELinux.patch @@ -0,0 +1,59 @@ +From ad791e1881941490a3ee6e13c0712b620d6c1af6 Mon Sep 17 00:00:00 2001 +From: Samuel Karp +Date: Fri, 7 Aug 2020 10:24:15 -0700 +Subject: [PATCH] bottlerocket: privileged shouldn't disable SELinux + +In Bottlerocket, the SELinux policy prevents writes to the files +underlying the root filesystem by all processes except container +runtimes. In the absence of a context override, the root filesystem on +the upper layer has the same restricted label as the lower layers. +Disabling SELinux labeling for privileged containers effectively +prevents privileged containers from being able to write to mounted +filesystems, including their own root filesystem. Rather than +increasing privilege by disabling SELinux, the removal of labeling +decreases privilege. + +This change removes the automatic disable of SELinux labeling for +privileged containers. Privileged containers will now receive the same +default labels as non-privileged containers and be subject to the same +set of policies. To increase privilege, containers can be launched with +both --privileged and --security-opt label:type:super_t. +--- + container/container.go | 5 ----- + daemon/create.go | 4 ---- + 2 files changed, 9 deletions(-) + +diff --git a/container/container.go b/container/container.go +index 1c82c4c296..c2c621dc7d 100644 +--- a/container/container.go ++++ b/container/container.go +@@ -420,11 +420,6 @@ func (container *Container) StartLogger() (logger.Logger, error) { + + // GetProcessLabel returns the process label for the container. + func (container *Container) GetProcessLabel() string { +- // even if we have a process label return "" if we are running +- // in privileged mode +- if container.HostConfig.Privileged { +- return "" +- } + return container.ProcessLabel + } + +diff --git a/daemon/create.go b/daemon/create.go +index 1afb1bebea..ec517def1b 100644 +--- a/daemon/create.go ++++ b/daemon/create.go +@@ -212,10 +212,6 @@ func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) + } + ipcMode := hostConfig.IpcMode + pidMode := hostConfig.PidMode +- privileged := hostConfig.Privileged +- if ipcMode.IsHost() || pidMode.IsHost() || privileged { +- return toHostConfigSelinuxLabels(label.DisableSecOpt()), nil +- } + + var ipcLabel []string + var pidLabel []string +-- +2.28.0 + diff --git a/packages/docker-engine/docker-engine.spec b/packages/docker-engine/docker-engine.spec index 0741c301983..85f8110c718 100644 --- a/packages/docker-engine/docker-engine.spec +++ b/packages/docker-engine/docker-engine.spec @@ -26,6 +26,10 @@ Source4: daemon.json Source5: docker-tmpfiles.conf Source1000: clarify.toml +# Bottlerocket-specific - Privileged containers should receive SELinux labels +# https://github.com/bottlerocket-os/bottlerocket/issues/1011 +Patch0001: 0001-bottlerocket-privileged-shouldn-t-disable-SELinux.patch + BuildRequires: git BuildRequires: %{_cross_os}glibc-devel BuildRequires: %{_cross_os}libseccomp-devel