* blocking / mount using containers
@ 2018-07-10 14:00 Mclain, Warren
  2018-07-10 16:42 ` Stephen Smalley
  2018-07-11 16:34 ` Daniel Walsh
  0 siblings, 2 replies; 3+ messages in thread
From: Mclain, Warren @ 2018-07-10 14:00 UTC (permalink / raw)
  To: selinux


I am trying to find a solution for blocking the mounting of / from containers. This is a major security hole for Docker and all of those types of applications.

I found the mount_anyfile Boolean but nothing that digs into that to show how to disable specific mountings.

Looking for any information that would help the container community in general.

thanks

___________________________________
Warren McLain
Enterprise Engineering Services
IEI Foundation Engineering - Compute, Optum Technology
 warren_mclain@optum.com Office: 763-744-3107


This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.


* Re: blocking / mount using containers
  2018-07-10 14:00 blocking / mount using containers Mclain, Warren
@ 2018-07-10 16:42 ` Stephen Smalley
  2018-07-11 16:34 ` Daniel Walsh
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2018-07-10 16:42 UTC (permalink / raw)
  To: Mclain, Warren, selinux

On 07/10/2018 10:00 AM, Mclain, Warren wrote:
> I am trying to find a solution for blocking the mounting of / from containers. This is a major security hole for Docker and all of those types of applications.
> 
>  
> 
> I found the mount_anyfile  Boolean but nothing that digs into that to show how to disable specific mountings.
> 
>  
> 
> Looking for any information that would help the container community in general.

Not sure if this answers your question, but Fedora/RHEL ships with a container policy that should already protect the host OS filesystem from the containers.

Even if you mount / into the container when you create it, it isn't writable due to SELinux policy, e.g.
$ sudo docker run -v /:/mnt -i -t fedora /bin/bash 
[root@fb83953335bb /]# cd mnt
[root@fb83953335bb mnt]# cat etc/shadow
cat: etc/shadow: Permission denied
[root@fb83953335bb mnt]# touch foo
touch: cannot touch 'foo': Permission denied
[root@fb83953335bb mnt]# exit
$ sudo ausearch -i -m AVC -ts recent
----
type=PROCTITLE msg=audit(07/10/2018 12:40:11.083:870570) : proctitle=cat etc/shadow 
type=PATH msg=audit(07/10/2018 12:40:11.083:870570) : item=0 name=etc/shadow inode=1311125 dev=fd:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/10/2018 12:40:11.083:870570) : cwd=/mnt 
type=SYSCALL msg=audit(07/10/2018 12:40:11.083:870570) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fffe6c7b92f a2=O_RDONLY a3=0x0 items=1 ppid=1992 pid=2044 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts3 ses=unset comm=cat exe=/usr/bin/cat subj=system_u:system_r:container_t:s0:c138,c987 key=(null) 
type=AVC msg=audit(07/10/2018 12:40:11.083:870570) : avc:  denied  { read } for  pid=2044 comm=cat name=shadow dev="dm-1" ino=1311125 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(07/10/2018 12:40:19.859:870580) : proctitle=touch foo 
type=PATH msg=audit(07/10/2018 12:40:19.859:870580) : item=0 name=/mnt inode=2 dev=fd:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/10/2018 12:40:19.859:870580) : cwd=/mnt 
type=SYSCALL msg=audit(07/10/2018 12:40:19.859:870580) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc7550f932 a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 items=1 ppid=1992 pid=2053 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts3 ses=unset comm=touch exe=/usr/bin/touch subj=system_u:system_r:container_t:s0:c138,c987 key=(null) 
type=AVC msg=audit(07/10/2018 12:40:19.859:870580) : avc:  denied  { write } for  pid=2053 comm=touch name=/ dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 
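As an added example, not part of this thread or of the container-selinux project, the following script parses `ausearch -i -m AVC` records like the ones Stephen pasted and classifies each one by whether the container domain's access to a host-labelled file was actually enforced. The first two AVC lines are copied from the output above; the `PATH` line (ignored by the parser) and the fourth record with `permissive=1` are constructed to show the check that matters in practice: a denial logged with `permissive=1` means the access was allowed through. The `container_file_t` type name is an assumption about the container-selinux policy, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: two AVC records copied from the ausearch output above,
# one non-AVC record (skipped by the parser), and one constructed AVC record
# with permissive=1 that models a container domain running in permissive mode.
SAMPLE_LINES = [
    'type=PATH msg=audit(07/10/2018 12:40:11.083:870570) : item=0 name=etc/shadow inode=1311125 dev=fd:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL ',
    'type=AVC msg=audit(07/10/2018 12:40:11.083:870570) : avc:  denied  { read } for  pid=2044 comm=cat name=shadow dev="dm-1" ino=1311125 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0 ',
    'type=AVC msg=audit(07/10/2018 12:40:19.859:870580) : avc:  denied  { write } for  pid=2053 comm=touch name=/ dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 ',
    # constructed: the same write, but the domain is permissive, so it went through
    'type=AVC msg=audit(07/10/2018 12:41:02.000:870600) : avc:  denied  { write } for  pid=2077 comm=touch name=/ dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 ',
]

# "avc:  denied  { read } for  pid=... key=value ..." as printed by ausearch -i
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CONTAINER_DOMAINS = {'container_t'}          # process type of container processes (seen in the output above)
CONTAINER_FILE_TYPES = {'container_file_t'}  # assumption: the file type container-selinux lets containers write


@dataclass
class AvcRecord:
    verdict: str       # 'denied' or 'granted'
    perms: tuple       # e.g. ('read',)
    pid: int
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool   # True: the denial was only logged, the access succeeded


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one `ausearch -i` line; return None for PATH/SYSCALL/etc. records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(
        verdict=m.group('verdict'),
        perms=tuple(m.group('perms').split()),
        pid=int(fields.get('pid', '0')),
        comm=fields.get('comm', ''),
        name=fields.get('name', ''),
        scontext=fields['scontext'],
        tcontext=fields['tcontext'],
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


def selinux_type(context: str) -> str:
    """user:role:type[:level[:categories]] -> type"""
    return context.split(':')[2]


def assess(rec: AvcRecord) -> str:
    """Classify what one AVC record says about container isolation."""
    if selinux_type(rec.scontext) not in CONTAINER_DOMAINS:
        return 'not-container'
    if selinux_type(rec.tcontext) in CONTAINER_FILE_TYPES:
        return 'container-owned'
    if rec.verdict == 'granted' or rec.permissive:
        return 'host-access-allowed'   # policy did not stop it: investigate
    return 'host-access-blocked'       # the protection Stephen describes


def audit_report(lines):
    """Return (pid, comm, perms, target_type, assessment) for every AVC line."""
    report = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        report.append((rec.pid, rec.comm, rec.perms, selinux_type(rec.tcontext), assess(rec)))
    return report


if __name__ == '__main__':
    for row in audit_report(SAMPLE_LINES):
        print(row)
```

Run on real output with `sudo ausearch -i -m AVC -ts recent | python3 avc_report.py` after swapping `SAMPLE_LINES` for `sys.stdin`; any `host-access-allowed` row for a `container_t` source is the case worth chasing, since a `permissive=0` denial against `shadow_t` or `root_t` is the policy working as intended.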


* Re: blocking / mount using containers
  2018-07-10 14:00 blocking / mount using containers Mclain, Warren
  2018-07-10 16:42 ` Stephen Smalley
@ 2018-07-11 16:34 ` Daniel Walsh
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel Walsh @ 2018-07-11 16:34 UTC (permalink / raw)
  To: selinux


On 07/10/2018 10:00 AM, Mclain, Warren wrote:
>
> I am trying to find a solution for blocking the mounting of / from 
> containers. This is a major security hole for Docker and all of those 
> types of applications.
>
> I found the mount_anyfile  Boolean but nothing that digs into that to 
> show how to disable specific mountings.
>
> Looking for any information that would help the container community in 
> general.
>
This seems mighty arbitrary. I would think you would want to block lots 
of directories from being mounted into the container in addition to /: 
/home, /var, /etc, for example.

What tool are you using, and what access do you want to grant to your users?

> thanks
>