leaving setfcap in docker containers
Daniel P. Berrange
berrange at redhat.com
Mon Sep 30 12:29:01 UTC 2013
On Mon, Sep 30, 2013 at 08:19:28AM -0400, Daniel J Walsh wrote:
> On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> > On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
> >> Quick backstory: unless run in privileged mode, Docker drops a bunch of
> >> capabilities when launching a container. One of these is setfcap. This
> >> breaks binary RPMs like httpd where the daemon is installed with file
> >> capabilities instead.
> >>
> >> We're considering removing setfcap from the list of dropped capabilities.
> >> It seems safe to me (note that you run as root inside the container), but
> >> I'd like some security-minded review. Could this be used for evil?
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1012952
> >
> > Docker with its sf.net LXC backend does not utilize any kind of MAC
> > driver, nor does it utilize user namespaces, so even with those
> > capabilities dropped it is still insecure if the container app runs as the
> > 'root' user. As such allowing CAP_FCAP does not make the situation worse
> > AFAICT.
> >
> > Regards, Daniel
> >
> Yes, let's eliminate the idea that running as root within a container without
> something like SELinux or User Namespace is going to be much more secure than
> running processes as root outside the container.
>
> I plan on working on adding SELinux to wrap the docker container as we have
> done for the virt-sandbox containers, but we still allow a lot of privs to a
> privileged process within the container.
I have an RFE open to get user namespaces enabled in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=917708
Both Libvirt & sf.net lxc have support for user namespaces, so the key
missing piece is getting Docker to make use of this & set up its filesystems
with suitable ownership. This would allow the DAC security model to fully
confine docker instances, even if SELinux is not enforcing it. Having both
DAC & MAC confinement for this is valuable long term.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
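A check a defender can run inside a container to see the situation Matthew describes above (whether CAP_SETFCAP is present in the process bounding set, and whether a binary such as httpd carries file capabilities). This is an added example, not code from the thread or from Docker; the /usr/sbin/httpd path is assumed, and the capability numbering follows the kernel's capability.h.

```python
"""Inspect a container's capability bounding set and a binary's file caps."""
import os
import struct

# Linux capability names in bit order (capability.h); CAP_SETFCAP is bit 31.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
    "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
    "audit_read perfmon bpf checkpoint_restore"
).split()

def mask_to_names(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def parse_proc_status_caps(status_text):
    """Return {CapInh/CapPrm/CapEff/CapBnd/...: [names]} from /proc/<pid>/status."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, hexmask = line.partition(":")
            caps[key] = mask_to_names(int(hexmask.strip(), 16))
    return caps

def setfcap_dropped(status_text):
    """True when setfcap is absent from the bounding set, so setcap(8) fails."""
    return "setfcap" not in parse_proc_status_caps(status_text).get("CapBnd", [])

def decode_file_caps(xattr):
    """Decode a raw security.capability xattr (struct vfs_cap_data, little-endian)."""
    (magic_etc,) = struct.unpack_from("<I", xattr, 0)
    revision = magic_etc & 0xFF000000
    if revision == 0x01000000:                      # v1: one 32-bit pair
        permitted, inheritable = struct.unpack_from("<II", xattr, 4)
    elif revision in (0x02000000, 0x03000000):      # v2/v3: two 32-bit pairs
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", xattr, 4)
        permitted, inheritable = p_lo | p_hi << 32, i_lo | i_hi << 32
    else:
        raise ValueError("unknown VFS cap revision 0x%08x" % revision)
    return {"permitted": mask_to_names(permitted),
            "inheritable": mask_to_names(inheritable),
            "effective": bool(magic_etc & 1)}       # VFS_CAP_FLAGS_EFFECTIVE

def file_caps(path):
    """File capabilities on path, or None when none are set (Linux only)."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:
        return None

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        status = f.read()
    print("setfcap dropped from bounding set:", setfcap_dropped(status))
    print("file caps on /usr/sbin/httpd (assumed path):", file_caps("/usr/sbin/httpd"))
```

Run it inside the container (as the container's root) to confirm which of the two situations in the thread applies before deciding whether the RPM's postinstall setcap can succeed.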