leaving setfcap in docker containers

Daniel P. Berrange berrange at redhat.com
Mon Sep 30 12:29:01 UTC 2013


On Mon, Sep 30, 2013 at 08:19:28AM -0400, Daniel J Walsh wrote:
> 
> On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> > On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
> >> Quick backstory: unless run in privileged mode, Docker drops a bunch of
> >> capabilities when launching a container. One of these is setfcap. This
> >> breaks binary RPMs like httpd where the daemon is installed with file
> >> capabilities instead.
> >> 
> >> We're considering removing setfcap from the list of dropped capabilities.
> >> It seems safe to me (note that you run as root inside the container), but
> >> I'd like some security-minded review. Could this be used for evil?
> >> 
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1012952
> > 
> > Docker with its sf.net LXC backend does not utilize any kind of MAC
> > driver, nor does it utilize user namespaces, so even with those
> > capabilities dropped it is still insecure if the container app runs as the
> > 'root' user. As such allowing CAP_FCAP does not make the situation worse
> > AFAICT.
> > 
> > Regards, Daniel
> > 
> Yes, let's eliminate the idea that running as root within a container without
> something like SELinux or User Namespace is going to be much more secure than
> running processes as root outside the container.
> 
> I plan on working on adding SELinux to wrap the docker container as we have
> done for the virt-sandbox containers, but we still allow a lot of privs to a
> privileged process within the container.

I have an RFE open to get user namespaces enabled in Fedora rawhide:

  https://bugzilla.redhat.com/show_bug.cgi?id=917708

Both Libvirt & sf.net lxc have support for user namespaces, so the key
missing piece is getting Docker to make use of this & set up its filesystems
with suitable ownership. This would allow the DAC security model to fully
confine docker instances, even if SELinux is not enforcing it. Having both
DAC & MAC confinement for this is valuable long term.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
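The capability question this thread turns on, as an added example that is not part of the original thread: a process can only run setcap (which is what installing an RPM such as httpd with file capabilities requires) if CAP_SETFCAP is still in its bounding and effective sets, and a binary already carrying file capabilities can be inspected by decoding its security.capability xattr. The /proc status text and the xattr blob below are constructed samples; the bit numbers and xattr layout follow linux/capability.h.

```python
import re
import struct

# Capability bit numbers from linux/capability.h (the subset used here).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_fowner": 3, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_net_bind_service": 10,
    "cap_mknod": 27, "cap_audit_write": 29, "cap_setfcap": 31,
}

def mask_of(names):
    """Build a capability bitmask from capability names."""
    return sum(1 << CAP_BITS[n] for n in names)

def parse_cap_masks(status_text):
    """Extract the Cap* hex masks from the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def names_in(mask):
    """Names (from CAP_BITS) of the capabilities set in mask."""
    return sorted(n for n, b in CAP_BITS.items() if mask >> b & 1)

def decode_file_caps(blob):
    """Decode a security.capability xattr (revision 2 or 3) into its 64-bit
    permitted and inheritable masks plus the effective flag."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if (magic & 0xFF000000) not in (0x02000000, 0x03000000):
        raise ValueError("unsupported security.capability revision")
    p0, i0, p1, i1 = struct.unpack_from("<IIII", blob, 4)
    return {"permitted": p0 | p1 << 32, "inheritable": i0 | i1 << 32,
            "effective": bool(magic & 1)}

def can_install_file_caps(status_text):
    """True if this process may run setcap: CAP_SETFCAP must be in both the
    bounding and effective sets (a capability dropped from CapBnd cannot be regained)."""
    m = parse_cap_masks(status_text)
    bit = 1 << CAP_BITS["cap_setfcap"]
    return bool(m.get("CapBnd", 0) & bit and m.get("CapEff", 0) & bit)

# Constructed sample: a root process in a container whose bounding set has had
# setfcap dropped, formatted the way /proc/self/status prints it.
KEPT = mask_of(["cap_chown", "cap_dac_override", "cap_fowner", "cap_setgid", "cap_setuid",
                "cap_setpcap", "cap_net_bind_service", "cap_mknod", "cap_audit_write"])
SAMPLE_STATUS = "Name:\thttpd\nCapEff:\t%016x\nCapBnd:\t%016x\n" % (KEPT, KEPT)
# Constructed sample: security.capability xattr for cap_net_bind_service=ep (revision 2).
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 10, 0, 0, 0)
```

On a real host, feed parse_cap_masks the contents of /proc/self/status and decode_file_caps the bytes from os.getxattr(path, "security.capability") to check an actual container process and binary.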
