New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined", and rename default profile to "builtin" #42481
Conversation
010dede
to
c0933e6
Compare
33a0d93
to
5682060
Compare
From a security perspective, I agree this isn't super great, but IMO it's not too much different from having a host that doesn't support either AppArmor or SELinux (users generally need to know/trust the security characteristics of the host/daemon they're running on), so I'm +1 on consistency here. |
daemon/config/config.go
Outdated
@@ -58,6 +58,12 @@ const ( | |||
LinuxV1RuntimeName = "io.containerd.runtime.v1.linux" | |||
// LinuxV2RuntimeName is the runtime used to specify the containerd v2 runc shim | |||
LinuxV2RuntimeName = "io.containerd.runc.v2" | |||
|
|||
// SeccompProfileDefault is the built-in default seccomp profile. | |||
SeccompProfileDefault = "default" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this naming choice is probably a little bit ambiguous -- if I set the daemon-wide --secomp-profile
to something other than the built-in profile, does --security-opt seccomp=default
get me the daemon-wide default, or the Docker built-in profile? (Maybe builtin
or docker
are better name options if it's the latter?)
cmd/dockerd/config_unix.go
Outdated
@@ -58,7 +58,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error { | |||
flags.StringVar(&conf.InitPath, "init-path", "", "Path to the docker-init binary") | |||
flags.Int64Var(&conf.CPURealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds for the parent cgroup for all containers") | |||
flags.Int64Var(&conf.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds for the parent cgroup for all containers") | |||
flags.StringVar(&conf.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile") | |||
flags.StringVar(&conf.SeccompProfile, "seccomp-profile", "", `Path to seccomp profile. Use "unconfined" to disable the default seccomp profile`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this default to config.SeccompProfileDefault
so that the effective default value shows up in the help output?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was a bit in doubt; I think for most options we consider ""
(default string value) to also be default
. The ambiguity was a bit in that when using docker info
, it will show default
(if nothing is set), so yes, from that perspective perhaps it makes sense to use it here as well. 😅
ffadfdc
to
5eb2ab7
Compare
I applied two of your suggestions. Remaining questions are (see above);
The other question to answer is: "do we want to allow While custom profiles are "one thing", disabling seccomp altogether (using As said;
Happy to get input / feedback on the above: @justincormack @tonistiigi @tianon @AkihiroSuda |
4c7277f
to
dd548f8
Compare
I feel like I already opined, but I'll do so again 😇
IMO that depends a little bit on whether users can specify the empty string to get the default back (and thus override a config file or similar) -- I think showing our explicit default string is probably clearer though in either case.
I like
yes 😄
If users want this foot-cannon, it's something they can already accomplish, so I don't really see a compelling reason to add a special case in our code to try and stop it; at most, I'd think a warning -- do we do anything in particular when AppArmor or SELinux are either disabled or unavailable? There are already a lot of settings available (both in Docker and outside Docker) that can affect the ability of arbitrary contains to successfully run, and so I don't think that's a very strong justification for denying it (especially when it's only a cosmetic denial that then simply requires more effort to accomplish via an empty profile). By that argument, we really shouldn't be allowing users to specify a new default profile at all. 😅 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with @tianon here.
builtin
is a good name.- We shouldn't try to prevent people from doing what they want to do
I'll add that while we like to make secure containers more accessible, it is not a security product and shouldn't be trying to restrict people from running it the way they need to.
I started rebasing this one, and renaming |
dd548f8
to
e99434c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM; I think builtin
is fine 🤷 😇
e99434c
to
f28dde8
Compare
|
Ah, dang. Missed on |
f28dde8
to
6957572
Compare
Updated! (hope it's green again now) |
otherwise green, but let me kick CI again |
Actually, I don't like that I'm now changing "default" to "builtin" in the first commit; that makes it hard to discover; let me move that to a separate commit; I'll ping when done |
Not sure what changed, but definitely seeing more of these recently:
|
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Using "default" as a name is a bit ambiguous, because the _daemon_ default can be changed using the '--seccomp-profile' daemon flag. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit b237189 implemented an option to set the default seccomp profile in the daemon configuration. When that PR was reviewed, it was discussed to have the option accept the path to a custom profile JSON file; moby#26276 (comment) However, in the implementation, the special "unconfined" value was not taken into account. The "unconfined" value is meant to disable seccomp (more factually: run with an empty profile). While it's likely possible to achieve this by creating a file with an an empty (`{}`) profile, and passing the path to that file, it's inconsistent with the `--security-opt seccomp=unconfined` option on `docker run` and `docker create`, which is both confusing, and makes it harder to use (especially on Docker Desktop, where there's no direct access to the VM's filesystem). This patch adds the missing check for the special "unconfined" value. Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows containers to use the embedded default profile if a different default is set (e.g. "unconfined") in the daemon configuration. Without this option, users would have to copy the default profile to a file in order to use the default. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes sure that the value set in the daemon can be used as-is, without having to replicate the normalization logic elsewhere. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
6957572
to
27aaadb
Compare
Updated; moved renaming the default profile to a separate commit 👍 PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
waiting for #42393, then I can add some tests.
Possibly will be splitting this PR in some chunks as well, in case we want to backport the "unconfined" daemon configuration fix.
Add const for "unconfined" and "default" seccomp profiles
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined"
Commit b237189 implemented an option to
set the default seccomp profile in the daemon configuration. When that PR
was reviewed, it was discussed to have the option accept the path to a custom
profile JSON file; daemon: add a flag to override the default seccomp profile #26276 (comment)
However, in the implementation, the special "unconfined" value was not taken into
account. The "unconfined" value is meant to disable seccomp (more factually:
run with an empty profile).
While it's likely possible to achieve this by creating a file with an an empty
(
{}
) profile, and passing the path to that file, it's inconsistent with the--security-opt seccomp=unconfined
option ondocker run
anddocker create
,which is both confusing, and makes it harder to use (especially on Docker Desktop,
where there's no direct access to the VM's filesystem).
This patch adds the missing check for the special "unconfined" value.
daemon: allow "builtin" as valid value for seccomp profiles
This allows containers to use the embedded default profile if a different
default is set (e.g. "unconfined") in the daemon configuration. Without this
option, users would have to copy the default profile to a file in order to
use the default.
daemon: move custom seccomp profile warning from CLI to daemon side
- What I did
- How I did it
- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)