diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec
index 11967437a15beaeab9a83f4735330ffeee2d09b3..affba47df873d740459f328c25492f6254014155 100644
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 100
+Release: 101
 Summary: The open-source application container engine
 Group: Tools/Docker
diff --git a/patch/0080-selinux-Add-selinux-policy-for-docker.patch b/patch/0080-selinux-Add-selinux-policy-for-docker.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e7ece3e780c1b9347cdc4cd076c95ea58d5912d
--- /dev/null
+++ b/patch/0080-selinux-Add-selinux-policy-for-docker.patch
@@ -0,0 +1,1439 @@
+From 35e53a45a4faa11b6acf33ee2ee0f58a6b2fb39c Mon Sep 17 00:00:00 2001
+From: lujingxiao
+Date: Wed, 23 Jan 2019 15:16:09 +0800
+Subject: [PATCH 080/111] selinux: Add selinux policy for docker
+
+reason: Add selinux policy for docker
+
+Change-Id: Ife0dd569a89df301ae3496454e1c326b8a663818
+Signed-off-by: Shukui Yang
+Signed-off-by: lujingxiao
+---
+ .../docker-engine-selinux/LICENSE | 339 +++++++++++++
+ .../docker-engine-selinux/Makefile | 23 +
+ .../docker-engine-selinux/README.md | 1 +
+ .../docker-engine-selinux/docker.fc | 20 +
+ .../docker-engine-selinux/docker.if | 461 ++++++++++++++++++
+ .../docker-engine-selinux/docker.te | 414 ++++++++++++++++
+ .../docker-engine-selinux-euleros.spec | 109 +++++
+ 10 files changed, 1371 insertions(+), 4 deletions(-)
+ create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/LICENSE
+ create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/Makefile
+ create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/README.md
+ create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc
+ create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if
+ create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te
+ create mode 100644 components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec
+
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/LICENSE b/components/engine/contrib/selinux-euleros/docker-engine-selinux/LICENSE
+new file mode 100644
+index 0000000000..d511905c16
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/LICENSE
+@@ -0,0 +1,339 @@
++ GNU GENERAL PUBLIC LICENSE
++ Version 2, June 1991
++
++ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ Everyone is permitted to copy and 
distribute verbatim copies ++ of this license document, but changing it is not allowed. ++ ++ Preamble ++ ++ The licenses for most software are designed to take away your ++freedom to share and change it. By contrast, the GNU General Public ++License is intended to guarantee your freedom to share and change free ++software--to make sure the software is free for all its users. This ++General Public License applies to most of the Free Software ++Foundation's software and to any other program whose authors commit to ++using it. (Some other Free Software Foundation software is covered by ++the GNU Lesser General Public License instead.) You can apply it to ++your programs, too. ++ ++ When we speak of free software, we are referring to freedom, not ++price. Our General Public Licenses are designed to make sure that you ++have the freedom to distribute copies of free software (and charge for ++this service if you wish), that you receive source code or can get it ++if you want it, that you can change the software or use pieces of it ++in new free programs; and that you know you can do these things. ++ ++ To protect your rights, we need to make restrictions that forbid ++anyone to deny you these rights or to ask you to surrender the rights. ++These restrictions translate to certain responsibilities for you if you ++distribute copies of the software, or if you modify it. ++ ++ For example, if you distribute copies of such a program, whether ++gratis or for a fee, you must give the recipients all the rights that ++you have. You must make sure that they, too, receive or can get the ++source code. And you must show them these terms so they know their ++rights. ++ ++ We protect your rights with two steps: (1) copyright the software, and ++(2) offer you this license which gives you legal permission to copy, ++distribute and/or modify the software. 
++ ++ Also, for each author's protection and ours, we want to make certain ++that everyone understands that there is no warranty for this free ++software. If the software is modified by someone else and passed on, we ++want its recipients to know that what they have is not the original, so ++that any problems introduced by others will not reflect on the original ++authors' reputations. ++ ++ Finally, any free program is threatened constantly by software ++patents. We wish to avoid the danger that redistributors of a free ++program will individually obtain patent licenses, in effect making the ++program proprietary. To prevent this, we have made it clear that any ++patent must be licensed for everyone's free use or not licensed at all. ++ ++ The precise terms and conditions for copying, distribution and ++modification follow. ++ ++ GNU GENERAL PUBLIC LICENSE ++ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION ++ ++ 0. This License applies to any program or other work which contains ++a notice placed by the copyright holder saying it may be distributed ++under the terms of this General Public License. The "Program", below, ++refers to any such program or work, and a "work based on the Program" ++means either the Program or any derivative work under copyright law: ++that is to say, a work containing the Program or a portion of it, ++either verbatim or with modifications and/or translated into another ++language. (Hereinafter, translation is included without limitation in ++the term "modification".) Each licensee is addressed as "you". ++ ++Activities other than copying, distribution and modification are not ++covered by this License; they are outside its scope. The act of ++running the Program is not restricted, and the output from the Program ++is covered only if its contents constitute a work based on the ++Program (independent of having been made by running the Program). ++Whether that is true depends on what the Program does. ++ ++ 1. 
You may copy and distribute verbatim copies of the Program's ++source code as you receive it, in any medium, provided that you ++conspicuously and appropriately publish on each copy an appropriate ++copyright notice and disclaimer of warranty; keep intact all the ++notices that refer to this License and to the absence of any warranty; ++and give any other recipients of the Program a copy of this License ++along with the Program. ++ ++You may charge a fee for the physical act of transferring a copy, and ++you may at your option offer warranty protection in exchange for a fee. ++ ++ 2. You may modify your copy or copies of the Program or any portion ++of it, thus forming a work based on the Program, and copy and ++distribute such modifications or work under the terms of Section 1 ++above, provided that you also meet all of these conditions: ++ ++ a) You must cause the modified files to carry prominent notices ++ stating that you changed the files and the date of any change. ++ ++ b) You must cause any work that you distribute or publish, that in ++ whole or in part contains or is derived from the Program or any ++ part thereof, to be licensed as a whole at no charge to all third ++ parties under the terms of this License. ++ ++ c) If the modified program normally reads commands interactively ++ when run, you must cause it, when started running for such ++ interactive use in the most ordinary way, to print or display an ++ announcement including an appropriate copyright notice and a ++ notice that there is no warranty (or else, saying that you provide ++ a warranty) and that users may redistribute the program under ++ these conditions, and telling the user how to view a copy of this ++ License. (Exception: if the Program itself is interactive but ++ does not normally print such an announcement, your work based on ++ the Program is not required to print an announcement.) ++ ++These requirements apply to the modified work as a whole. 
If ++identifiable sections of that work are not derived from the Program, ++and can be reasonably considered independent and separate works in ++themselves, then this License, and its terms, do not apply to those ++sections when you distribute them as separate works. But when you ++distribute the same sections as part of a whole which is a work based ++on the Program, the distribution of the whole must be on the terms of ++this License, whose permissions for other licensees extend to the ++entire whole, and thus to each and every part regardless of who wrote it. ++ ++Thus, it is not the intent of this section to claim rights or contest ++your rights to work written entirely by you; rather, the intent is to ++exercise the right to control the distribution of derivative or ++collective works based on the Program. ++ ++In addition, mere aggregation of another work not based on the Program ++with the Program (or with a work based on the Program) on a volume of ++a storage or distribution medium does not bring the other work under ++the scope of this License. ++ ++ 3. 
You may copy and distribute the Program (or a work based on it, ++under Section 2) in object code or executable form under the terms of ++Sections 1 and 2 above provided that you also do one of the following: ++ ++ a) Accompany it with the complete corresponding machine-readable ++ source code, which must be distributed under the terms of Sections ++ 1 and 2 above on a medium customarily used for software interchange; or, ++ ++ b) Accompany it with a written offer, valid for at least three ++ years, to give any third party, for a charge no more than your ++ cost of physically performing source distribution, a complete ++ machine-readable copy of the corresponding source code, to be ++ distributed under the terms of Sections 1 and 2 above on a medium ++ customarily used for software interchange; or, ++ ++ c) Accompany it with the information you received as to the offer ++ to distribute corresponding source code. (This alternative is ++ allowed only for noncommercial distribution and only if you ++ received the program in object code or executable form with such ++ an offer, in accord with Subsection b above.) ++ ++The source code for a work means the preferred form of the work for ++making modifications to it. For an executable work, complete source ++code means all the source code for all modules it contains, plus any ++associated interface definition files, plus the scripts used to ++control compilation and installation of the executable. However, as a ++special exception, the source code distributed need not include ++anything that is normally distributed (in either source or binary ++form) with the major components (compiler, kernel, and so on) of the ++operating system on which the executable runs, unless that component ++itself accompanies the executable. 
++ ++If distribution of executable or object code is made by offering ++access to copy from a designated place, then offering equivalent ++access to copy the source code from the same place counts as ++distribution of the source code, even though third parties are not ++compelled to copy the source along with the object code. ++ ++ 4. You may not copy, modify, sublicense, or distribute the Program ++except as expressly provided under this License. Any attempt ++otherwise to copy, modify, sublicense or distribute the Program is ++void, and will automatically terminate your rights under this License. ++However, parties who have received copies, or rights, from you under ++this License will not have their licenses terminated so long as such ++parties remain in full compliance. ++ ++ 5. You are not required to accept this License, since you have not ++signed it. However, nothing else grants you permission to modify or ++distribute the Program or its derivative works. These actions are ++prohibited by law if you do not accept this License. Therefore, by ++modifying or distributing the Program (or any work based on the ++Program), you indicate your acceptance of this License to do so, and ++all its terms and conditions for copying, distributing or modifying ++the Program or works based on it. ++ ++ 6. Each time you redistribute the Program (or any work based on the ++Program), the recipient automatically receives a license from the ++original licensor to copy, distribute or modify the Program subject to ++these terms and conditions. You may not impose any further ++restrictions on the recipients' exercise of the rights granted herein. ++You are not responsible for enforcing compliance by third parties to ++this License. ++ ++ 7. 
If, as a consequence of a court judgment or allegation of patent ++infringement or for any other reason (not limited to patent issues), ++conditions are imposed on you (whether by court order, agreement or ++otherwise) that contradict the conditions of this License, they do not ++excuse you from the conditions of this License. If you cannot ++distribute so as to satisfy simultaneously your obligations under this ++License and any other pertinent obligations, then as a consequence you ++may not distribute the Program at all. For example, if a patent ++license would not permit royalty-free redistribution of the Program by ++all those who receive copies directly or indirectly through you, then ++the only way you could satisfy both it and this License would be to ++refrain entirely from distribution of the Program. ++ ++If any portion of this section is held invalid or unenforceable under ++any particular circumstance, the balance of the section is intended to ++apply and the section as a whole is intended to apply in other ++circumstances. ++ ++It is not the purpose of this section to induce you to infringe any ++patents or other property right claims or to contest validity of any ++such claims; this section has the sole purpose of protecting the ++integrity of the free software distribution system, which is ++implemented by public license practices. Many people have made ++generous contributions to the wide range of software distributed ++through that system in reliance on consistent application of that ++system; it is up to the author/donor to decide if he or she is willing ++to distribute software through any other system and a licensee cannot ++impose that choice. ++ ++This section is intended to make thoroughly clear what is believed to ++be a consequence of the rest of this License. ++ ++ 8. 
If the distribution and/or use of the Program is restricted in ++certain countries either by patents or by copyrighted interfaces, the ++original copyright holder who places the Program under this License ++may add an explicit geographical distribution limitation excluding ++those countries, so that distribution is permitted only in or among ++countries not thus excluded. In such case, this License incorporates ++the limitation as if written in the body of this License. ++ ++ 9. The Free Software Foundation may publish revised and/or new versions ++of the General Public License from time to time. Such new versions will ++be similar in spirit to the present version, but may differ in detail to ++address new problems or concerns. ++ ++Each version is given a distinguishing version number. If the Program ++specifies a version number of this License which applies to it and "any ++later version", you have the option of following the terms and conditions ++either of that version or of any later version published by the Free ++Software Foundation. If the Program does not specify a version number of ++this License, you may choose any version ever published by the Free Software ++Foundation. ++ ++ 10. If you wish to incorporate parts of the Program into other free ++programs whose distribution conditions are different, write to the author ++to ask for permission. For software which is copyrighted by the Free ++Software Foundation, write to the Free Software Foundation; we sometimes ++make exceptions for this. Our decision will be guided by the two goals ++of preserving the free status of all derivatives of our free software and ++of promoting the sharing and reuse of software generally. ++ ++ NO WARRANTY ++ ++ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY ++FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN ++OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES ++PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED ++OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF ++MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS ++TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE ++PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, ++REPAIR OR CORRECTION. ++ ++ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING ++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR ++REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, ++INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING ++OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED ++TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY ++YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER ++PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE ++POSSIBILITY OF SUCH DAMAGES. ++ ++ END OF TERMS AND CONDITIONS ++ ++ How to Apply These Terms to Your New Programs ++ ++ If you develop a new program, and you want it to be of the greatest ++possible use to the public, the best way to achieve this is to make it ++free software which everyone can redistribute and change under these terms. ++ ++ To do so, attach the following notices to the program. It is safest ++to attach them to the start of each source file to most effectively ++convey the exclusion of warranty; and each file should have at least ++the "copyright" line and a pointer to where the full notice is found. ++ ++ ++ Copyright (C) ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. 
++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License along ++ with this program; if not, write to the Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ ++Also add information on how to contact you by electronic and paper mail. ++ ++If the program is interactive, make it output a short notice like this ++when it starts in an interactive mode: ++ ++ Gnomovision version 69, Copyright (C) year name of author ++ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. ++ This is free software, and you are welcome to redistribute it ++ under certain conditions; type `show c' for details. ++ ++The hypothetical commands `show w' and `show c' should show the appropriate ++parts of the General Public License. Of course, the commands you use may ++be called something other than `show w' and `show c'; they could even be ++mouse-clicks or menu items--whatever suits your program. ++ ++You should also get your employer (if you work as a programmer) or your ++school, if any, to sign a "copyright disclaimer" for the program, if ++necessary. Here is a sample; alter the names: ++ ++ Yoyodyne, Inc., hereby disclaims all copyright interest in the program ++ `Gnomovision' (which makes passes at compilers) written by James Hacker. ++ ++ , 1 April 1989 ++ Ty Coon, President of Vice ++ ++This General Public License does not permit incorporating your program into ++proprietary programs. If your program is a subroutine library, you may ++consider it more useful to permit linking proprietary applications with the ++library. If this is what you want to do, use the GNU Lesser General ++Public License instead of this License. 
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/Makefile b/components/engine/contrib/selinux-euleros/docker-engine-selinux/Makefile
+new file mode 100644
+index 0000000000..16df33ef32
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/Makefile
+@@ -0,0 +1,23 @@
++TARGETS?=docker
++MODULES?=${TARGETS:=.pp.bz2}
++SHAREDIR?=/usr/share
++
++all: ${TARGETS:=.pp.bz2}
++
++%.pp.bz2: %.pp
++ @echo Compressing $^ -\> $@
++ bzip2 -9 $^
++
++%.pp: %.te
++ make -f ${SHAREDIR}/selinux/devel/Makefile $@
++
++clean:
++ rm -f *~ *.tc *.pp *.pp.bz2
++ rm -rf tmp *.tar.gz
++
++man: install
++ sepolicy manpage --domain ${TARGETS}_t
++
++install:
++ semodule -i ${TARGETS}
++
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/README.md b/components/engine/contrib/selinux-euleros/docker-engine-selinux/README.md
+new file mode 100644
+index 0000000000..7ea3117a89
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/README.md
+@@ -0,0 +1 @@
++SELinux policy for docker
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc
+new file mode 100644
+index 0000000000..e9bb863da0
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc
+@@ -0,0 +1,20 @@
++/root/\.docker gen_context(system_u:object_r:docker_home_t,s0)
++
++/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
++/usr/bin/dockerd -- gen_context(system_u:object_r:docker_exec_t,s0)
++/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
++
++/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
++
++/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
++/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
++/var/lib/docker/vfs(/.*)? 
gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
++
++/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
++/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
++/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
++
++/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if
+new file mode 100644
+index 0000000000..ca075c05c5
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if
+@@ -0,0 +1,461 @@
++
++## The open-source application container engine.
++
++########################################
++##
++## Execute docker in the docker domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`docker_domtrans',`
++ gen_require(`
++ type docker_t, docker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, docker_exec_t, docker_t)
++')
++
++########################################
++##
++## Execute docker in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`docker_exec',`
++ gen_require(`
++ type docker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, docker_exec_t)
++')
++
++########################################
++##
++## Search docker lib directories.
++##
++##
++##
++## Domain allowed access. 
++##
++##
++#
++interface(`docker_search_lib',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ allow $1 docker_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Execute docker lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_exec_lib',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ allow $1 docker_var_lib_t:dir search_dir_perms;
++ can_exec($1, docker_var_lib_t)
++')
++
++########################################
++##
++## Read docker lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_read_lib_files',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
++')
++
++########################################
++##
++## Read docker share files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_read_share_files',`
++ gen_require(`
++ type docker_share_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, docker_share_t, docker_share_t)
++')
++
++########################################
++##
++## Manage docker lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_manage_lib_files',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
++ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
++')
++
++########################################
++##
++## Manage docker lib directories.
++##
++##
++##
++## Domain allowed access. 
++##
++##
++#
++interface(`docker_manage_lib_dirs',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
++')
++
++########################################
++##
++## Create objects in a docker var lib directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`docker_lib_filetrans',`
++ gen_require(`
++ type docker_var_lib_t;
++ ')
++
++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
++## Read docker PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_read_pid_files',`
++ gen_require(`
++ type docker_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, docker_var_run_t, docker_var_run_t)
++')
++
++########################################
++##
++## Execute docker server in the docker domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`docker_systemctl',`
++ gen_require(`
++ type docker_t;
++ type docker_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ init_reload_services($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 docker_unit_file_t:file read_file_perms;
++ allow $1 docker_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, docker_t)
++')
++
++########################################
++##
++## Read and write docker shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_rw_sem',`
++ gen_require(`
++ type docker_t;
++ ')
++
++ allow $1 docker_t:sem rw_sem_perms;
++')
++
++#######################################
++##
++## Read and write the docker pty type. 
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_use_ptys',`
++ gen_require(`
++ type docker_devpts_t;
++ ')
++
++ allow $1 docker_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow domain to create docker content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_filetrans_named_content',`
++
++ gen_require(`
++ type docker_var_lib_t;
++ type docker_share_t;
++ type docker_log_t;
++ type docker_var_run_t;
++ type docker_home_t;
++ ')
++
++ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
++ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
++ files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
++ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
++ userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
++')
++
++########################################
++##
++## Connect to docker over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_stream_connect',`
++ gen_require(`
++ type docker_t, docker_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
++')
++
++########################################
++##
++## Connect to SPC containers over a unix stream socket.
++##
++##
++##
++## Domain allowed access. 
++##
++##
++#
++interface(`docker_spc_stream_connect',`
++ gen_require(`
++ type spc_t, spc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ files_write_all_pid_sockets($1)
++ allow $1 spc_t:unix_stream_socket connectto;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an docker environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_admin',`
++ gen_require(`
++ type docker_t;
++ type docker_var_lib_t, docker_var_run_t;
++ type docker_unit_file_t;
++ type docker_lock_t;
++ type docker_log_t;
++ type docker_config_t;
++ ')
++
++ allow $1 docker_t:process { ptrace signal_perms };
++ ps_process_pattern($1, docker_t)
++
++ admin_pattern($1, docker_config_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, docker_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, docker_var_run_t)
++
++ files_search_locks($1)
++ admin_pattern($1, docker_lock_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, docker_log_t)
++
++ docker_systemctl($1)
++ admin_pattern($1, docker_unit_file_t)
++ allow $1 docker_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
++
++interface(`domain_stub_named_filetrans_domain',`
++ gen_require(`
++ attribute named_filetrans_domain;
++ ')
++')
++
++interface(`lvm_stub',`
++ gen_require(`
++ type lvm_t;
++ ')
++')
++interface(`staff_stub',`
++ gen_require(`
++ type staff_t;
++ ')
++')
++interface(`virt_stub_svirt_sandbox_domain',`
++ gen_require(`
++ attribute svirt_sandbox_domain;
++ ')
++')
++interface(`virt_stub_svirt_sandbox_file',`
++ gen_require(`
++ type svirt_sandbox_file_t;
++ ')
++')
++interface(`fs_dontaudit_remount_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:filesystem remount;
++')
++interface(`dev_dontaudit_list_all_dev_nodes',`
++ gen_require(`
++ type device_t;
++ ')
++
++ dontaudit $1 device_t:dir 
list_dir_perms;
++')
++interface(`kernel_unlabeled_entry_type',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ domain_entry_file($1, unlabeled_t)
++')
++interface(`kernel_unlabeled_domtrans',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
++ domain_transition_pattern($1, unlabeled_t, $2)
++ type_transition $1 unlabeled_t:process $2;
++')
++interface(`files_write_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file write_sock_file_perms;
++')
++interface(`dev_dontaudit_mounton_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ dontaudit $1 sysfs_t:dir mounton;
++')
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te
+new file mode 100644
+index 0000000000..999742f302
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te
+@@ -0,0 +1,414 @@
++policy_module(docker, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##

++## Allow sandbox containers manage fuse files ++##

++##
++gen_tunable(virt_sandbox_use_fusefs, false) ++ ++## ++##

++## Determine whether docker can ++## connect to all TCP ports. ++##

++##
++gen_tunable(docker_connect_any, false) ++ ++type docker_t; ++type docker_exec_t; ++init_daemon_domain(docker_t, docker_exec_t) ++domain_subj_id_change_exemption(docker_t) ++domain_role_change_exemption(docker_t) ++ ++type spc_t; ++domain_type(spc_t) ++role system_r types spc_t; ++ ++type spc_var_run_t; ++files_pid_file(spc_var_run_t) ++ ++type docker_var_lib_t; ++files_type(docker_var_lib_t) ++ ++type docker_home_t; ++userdom_user_home_content(docker_home_t) ++ ++type docker_config_t; ++files_config_file(docker_config_t) ++ ++type docker_lock_t; ++files_lock_file(docker_lock_t) ++ ++type docker_log_t; ++logging_log_file(docker_log_t) ++ ++type docker_tmp_t; ++files_tmp_file(docker_tmp_t) ++ ++type docker_tmpfs_t; ++files_tmpfs_file(docker_tmpfs_t) ++ ++type docker_var_run_t; ++files_pid_file(docker_var_run_t) ++ ++type docker_unit_file_t; ++systemd_unit_file(docker_unit_file_t) ++ ++type docker_devpts_t; ++term_pty(docker_devpts_t) ++ ++type docker_share_t; ++files_type(docker_share_t) ++ ++######################################## ++# ++# docker local policy ++# ++allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap }; ++allow docker_t self:tun_socket relabelto; ++allow docker_t self:process { getattr signal_perms setrlimit setfscreate }; ++allow docker_t self:fifo_file rw_fifo_file_perms; ++allow docker_t self:unix_stream_socket create_stream_socket_perms; ++allow docker_t self:tcp_socket create_stream_socket_perms; ++allow docker_t self:udp_socket create_socket_perms; ++allow docker_t self:capability2 block_suspend; ++ ++manage_files_pattern(docker_t, docker_home_t, docker_home_t) ++manage_dirs_pattern(docker_t, docker_home_t, docker_home_t) ++manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t) ++userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker") ++ ++manage_dirs_pattern(docker_t, docker_config_t, docker_config_t) ++manage_files_pattern(docker_t, docker_config_t, 
docker_config_t) ++files_etc_filetrans(docker_t, docker_config_t, dir, "docker") ++ ++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) ++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) ++ ++manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) ++manage_files_pattern(docker_t, docker_log_t, docker_log_t) ++manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) ++logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file }) ++allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto }; ++ ++manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++allow docker_t docker_tmpfs_t:dir relabelfrom; ++can_exec(docker_t, docker_tmpfs_t) ++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file }) ++allow docker_t docker_tmpfs_t:chr_file mounton; ++ ++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) ++manage_files_pattern(docker_t, docker_share_t, docker_share_t) ++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) ++allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto }; ++ ++can_exec(docker_t, docker_share_t) ++#docker_filetrans_named_content(docker_t) ++ ++manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) 
++manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto }; ++files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) ++ ++allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; ++term_create_pty(docker_t, docker_devpts_t) ++ ++kernel_read_system_state(docker_t) ++kernel_read_network_state(docker_t) ++kernel_read_all_sysctls(docker_t) ++kernel_rw_net_sysctls(docker_t) ++kernel_setsched(docker_t) ++kernel_read_all_proc(docker_t) ++ ++domain_use_interactive_fds(docker_t) ++domain_dontaudit_read_all_domains_state(docker_t) ++ ++corecmd_exec_bin(docker_t) ++corecmd_exec_shell(docker_t) ++ ++corenet_tcp_bind_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_if(docker_t) ++corenet_tcp_sendrecv_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_port(docker_t) ++corenet_tcp_bind_all_ports(docker_t) ++corenet_tcp_connect_http_port(docker_t) ++corenet_tcp_connect_commplex_main_port(docker_t) ++corenet_udp_sendrecv_generic_if(docker_t) ++corenet_udp_sendrecv_generic_node(docker_t) ++corenet_udp_sendrecv_all_ports(docker_t) ++corenet_udp_bind_generic_node(docker_t) ++corenet_udp_bind_all_ports(docker_t) ++ ++files_read_config_files(docker_t) ++files_dontaudit_getattr_all_dirs(docker_t) ++files_dontaudit_getattr_all_files(docker_t) ++ ++fs_read_cgroup_files(docker_t) ++fs_read_tmpfs_symlinks(docker_t) ++fs_search_all(docker_t) ++fs_getattr_all_fs(docker_t) ++ 
++storage_raw_rw_fixed_disk(docker_t) ++ ++auth_use_nsswitch(docker_t) ++auth_dontaudit_getattr_shadow(docker_t) ++ ++init_read_state(docker_t) ++init_status(docker_t) ++ ++logging_send_audit_msgs(docker_t) ++logging_send_syslog_msg(docker_t) ++ ++miscfiles_read_localization(docker_t) ++ ++mount_domtrans(docker_t) ++ ++seutil_read_default_contexts(docker_t) ++seutil_read_config(docker_t) ++ ++sysnet_dns_name_resolve(docker_t) ++sysnet_exec_ifconfig(docker_t) ++ ++optional_policy(` ++ rpm_exec(docker_t) ++ rpm_read_db(docker_t) ++ rpm_exec(docker_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(docker_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(docker_t) ++') ++ ++optional_policy(` ++ openvswitch_stream_connect(docker_t) ++') ++ ++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace }; ++ ++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; ++ ++allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; ++allow docker_t self:netlink_audit_socket create_netlink_socket_perms; ++allow docker_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++allow docker_t docker_var_lib_t:dir mounton; ++allow docker_t docker_var_lib_t:chr_file mounton; ++can_exec(docker_t, docker_var_lib_t) ++ ++kernel_dontaudit_setsched(docker_t) ++kernel_get_sysvipc_info(docker_t) ++kernel_request_load_module(docker_t) ++kernel_mounton_messages(docker_t) ++kernel_mounton_all_proc(docker_t) ++kernel_mounton_all_sysctls(docker_t) ++kernel_unlabeled_entry_type(spc_t) ++kernel_unlabeled_domtrans(docker_t, spc_t) ++ ++dev_getattr_all(docker_t) ++dev_getattr_sysfs_fs(docker_t) ++dev_read_urand(docker_t) ++dev_read_lvm_control(docker_t) ++dev_rw_sysfs(docker_t) ++dev_rw_loop_control(docker_t) ++dev_rw_lvm_control(docker_t) ++ ++files_getattr_isid_type_dirs(docker_t) ++files_manage_isid_type_dirs(docker_t) 
++files_manage_isid_type_files(docker_t) ++files_manage_isid_type_symlinks(docker_t) ++files_manage_isid_type_chr_files(docker_t) ++files_manage_isid_type_blk_files(docker_t) ++files_exec_isid_files(docker_t) ++files_mounton_isid(docker_t) ++files_mounton_non_security(docker_t) ++files_mounton_isid_type_chr_file(docker_t) ++ ++fs_mount_all_fs(docker_t) ++fs_unmount_all_fs(docker_t) ++fs_remount_all_fs(docker_t) ++files_mounton_isid(docker_t) ++fs_manage_cgroup_dirs(docker_t) ++fs_manage_cgroup_files(docker_t) ++fs_relabelfrom_xattr_fs(docker_t) ++fs_relabelfrom_tmpfs(docker_t) ++fs_read_tmpfs_symlinks(docker_t) ++fs_list_hugetlbfs(docker_t) ++ ++term_use_generic_ptys(docker_t) ++term_use_ptmx(docker_t) ++term_getattr_pty_fs(docker_t) ++term_relabel_pty_fs(docker_t) ++term_mounton_unallocated_ttys(docker_t) ++ ++modutils_domtrans_insmod(docker_t) ++ ++systemd_status_all_unit_files(docker_t) ++systemd_start_systemd_services(docker_t) ++ ++userdom_stream_connect(docker_t) ++userdom_search_user_home_content(docker_t) ++userdom_read_all_users_state(docker_t) ++userdom_relabel_user_home_files(docker_t) ++userdom_relabel_user_tmp_files(docker_t) ++userdom_relabel_user_tmp_dirs(docker_t) ++ ++optional_policy(` ++ gpm_getattr_gpmctl(docker_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(docker_t) ++ init_dbus_chat(docker_t) ++ init_start_transient_unit(docker_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(docker_t) ++ ') ++ ++ optional_policy(` ++ firewalld_dbus_chat(docker_t) ++ ') ++') ++ ++optional_policy(` ++ udev_read_db(docker_t) ++') ++ ++optional_policy(` ++ virt_read_config(docker_t) ++ virt_exec(docker_t) ++ virt_stream_connect(docker_t) ++ virt_stream_connect_sandbox(docker_t) ++ virt_exec_sandbox_files(docker_t) ++ virt_manage_sandbox_files(docker_t) ++ virt_relabel_sandbox_filesystem(docker_t) ++ virt_transition_svirt_sandbox(docker_t, system_r) ++ virt_mounton_sandbox_file(docker_t) ++# virt_attach_sandbox_tun_iface(docker_t) ++ allow docker_t 
svirt_sandbox_domain:tun_socket relabelfrom; ++') ++ ++tunable_policy(`docker_connect_any',` ++ corenet_tcp_connect_all_ports(docker_t) ++ corenet_sendrecv_all_packets(docker_t) ++ corenet_tcp_sendrecv_all_ports(docker_t) ++') ++ ++######################################## ++# ++# spc local policy ++# ++domain_entry_file(spc_t, docker_share_t) ++domain_entry_file(spc_t, docker_var_lib_t) ++role system_r types spc_t; ++ ++domain_entry_file(spc_t, docker_share_t) ++domain_entry_file(spc_t, docker_var_lib_t) ++domtrans_pattern(docker_t, docker_share_t, spc_t) ++domtrans_pattern(docker_t, docker_var_lib_t, spc_t) ++allow docker_t spc_t:process { setsched signal_perms }; ++ps_process_pattern(docker_t, spc_t) ++allow docker_t spc_t:socket_class_set { relabelto relabelfrom }; ++ ++optional_policy(` ++ dbus_chat_system_bus(spc_t) ++') ++ ++optional_policy(` ++ unconfined_domain_noaudit(spc_t) ++') ++ ++optional_policy(` ++ unconfined_domain(docker_t) ++') ++ ++optional_policy(` ++ virt_transition_svirt_sandbox(spc_t, system_r) ++') ++ ++######################################## ++# ++# docker upstream policy ++# ++ ++optional_policy(` ++# domain_stub_named_filetrans_domain() ++ gen_require(` ++ attribute named_filetrans_domain; ++ ') ++ ++ docker_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ lvm_stub() ++ docker_rw_sem(lvm_t) ++') ++ ++optional_policy(` ++ staff_stub() ++ docker_stream_connect(staff_t) ++ docker_exec(staff_t) ++') ++ ++optional_policy(` ++ virt_stub_svirt_sandbox_domain() ++ virt_stub_svirt_sandbox_file() ++ allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ docker_read_share_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ docker_use_ptys(svirt_sandbox_domain) ++ docker_spc_stream_connect(svirt_sandbox_domain) ++ fs_list_tmpfs(svirt_sandbox_domain) ++ fs_rw_hugetlbfs_files(svirt_sandbox_domain) ++ 
fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) ++ ++ tunable_policy(`virt_sandbox_use_fusefs',` ++ fs_manage_fusefs_dirs(svirt_sandbox_domain) ++ fs_manage_fusefs_files(svirt_sandbox_domain) ++ fs_manage_fusefs_symlinks(svirt_sandbox_domain) ++ ') ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit svirt_sandbox_domain domain:key {search link}; ++') ++ ++optional_policy(` ++ gen_require(` ++ type pcp_pmcd_t; ++ ') ++ docker_manage_lib_files(pcp_pmcd_t) ++') +diff --git a/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec b/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec +new file mode 100644 +index 0000000000..a5c497d93a +--- /dev/null ++++ b/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec +@@ -0,0 +1,109 @@ ++# Some bits borrowed from the openstack-selinux package ++%global _version 18.09.0.3 ++%global _release 0.0.20190123.161547.git021da66 ++Name: docker-engine-selinux ++Version: %{_version} ++Release: %{_release}%{?dist} ++Summary: SELinux Policies for the open-source application container engine ++BuildArch: noarch ++Group: Tools/Docker ++ ++License: GPLv2 ++Source: %{name}.tar.gz ++ ++URL: https://dockerproject.org ++ ++# Version of SELinux we were using ++%if 0%{?fedora} == 20 ++%global selinux_policyver 3.12.1-197 ++%endif # fedora 20 ++%if 0%{?fedora} == 21 ++%global selinux_policyver 3.13.1-105 ++%endif # fedora 21 ++%if 0%{?fedora} >= 22 ++%global selinux_policyver 3.13.1-128 ++%endif # fedora 22 ++%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?oraclelinux} >= 7 ++%global selinux_policyver 3.13.1-23 ++%endif # centos,rhel,oraclelinux 7 ++ ++%global selinuxtype targeted ++%global moduletype services ++%global modulenames docker ++ ++Requires(post): selinux-policy-base >= %{selinux_policyver}, selinux-policy-targeted >= %{selinux_policyver}, policycoreutils, policycoreutils-python libselinux-utils ++BuildRequires: 
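Review bot: The `optional_policy(` unconfined_domain(docker_t) ')` block near the end of docker.te makes docker_t unconfined whenever the unconfined module is present, which it typically is on a targeted policy, so the fine-grained allow rules above it then contribute nothing and only the `docker_connect_any` tunable and the dontaudit rules have an observable effect; a comment such as `# docker_t is unconfined when the unconfined module is loaded; the explicit rules below only apply once that module is removed` should record that this is intentional, or the block should go. Smaller defects in the same hunk: `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` carries a stray second semicolon, and `rpm_exec(docker_t)`, `files_mounton_isid(docker_t)`, `role system_r types spc_t;` and both `domain_entry_file(spc_t, …)` calls are each written twice. Patch 0106 later in this same commit deletes docker.te in favour of container.te, so these points only affect the intermediate tree after 0080 is applied.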
selinux-policy selinux-policy-devel ++ ++# conflicting packages ++Conflicts: docker-selinux ++ ++# Usage: _format var format ++# Expand 'modulenames' into various formats as needed ++# Format must contain '$x' somewhere to do anything useful ++%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; ++ ++# Relabel files ++%global relabel_files() \ ++ /sbin/restorecon -R %{_bindir}/docker %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_usr}/lib/systemd/system/docker.service /root/.docker &> /dev/null || : \ ++ ++%description ++SELinux policy modules for use with Docker ++ ++%prep ++%if 0%{?centos} <= 6 ++%setup -n %{name} ++%else ++%autosetup -n %{name} ++%endif ++ ++%build ++make SHARE="%{_datadir}" TARGETS="%{modulenames}" ++ ++%install ++ ++# Install SELinux interfaces ++%_format INTERFACES $x.if ++install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} ++install -p -m 644 $INTERFACES %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} ++ ++# Install policy modules ++%_format MODULES $x.pp.bz2 ++install -d %{buildroot}%{_datadir}/selinux/packages ++install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages ++ ++%post ++# ++# Install all modules in a single transaction ++# ++if [ $1 -eq 1 ]; then ++ %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 ++fi ++%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 ++%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES ++if %{_sbindir}/selinuxenabled ; then ++ %{_sbindir}/load_policy ++ %relabel_files ++ if [ $1 -eq 1 ]; then ++ restorecon -R %{_sharedstatedir}/docker ++ fi ++fi ++ ++%postun ++if [ $1 -eq 0 ]; then ++ %{_sbindir}/semodule -n -r %{modulenames} &> /dev/null || : ++ if %{_sbindir}/selinuxenabled ; then ++ %{_sbindir}/load_policy ++ %relabel_files ++ fi ++fi ++ ++%files ++%doc LICENSE 
++%defattr(-,root,root,0755) ++%attr(0644,root,root) %{_datadir}/selinux/packages/*.pp.bz2 ++%attr(0644,root,root) %{_datadir}/selinux/devel/include/%{moduletype}/*.if ++ ++%changelog ++* Tue Dec 1 2015 Jessica Frazelle 1.9.1-1 ++- add licence to rpm ++- add selinux-policy and docker-engine-selinux rpm +-- +2.17.1 + diff --git a/patch/0106-docker-engine-selinux-support-selinux-enabl.patch b/patch/0106-docker-engine-selinux-support-selinux-enabl.patch new file mode 100644 index 0000000000000000000000000000000000000000..024ec17ada128db12872f504f41e78ffe18dd807 --- /dev/null +++ b/patch/0106-docker-engine-selinux-support-selinux-enabl.patch 
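Review bot: `%post` runs `%{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1` on first install, which persistently widens the host policy for every sandbox domain (all capabilities, NFS access) as a side effect of installing a policy package, and neither `%description` nor `%postun` mentions or reverts it; either document it, e.g. `# widens the host-wide virt_* booleans for all sandboxes; not reverted on uninstall`, and say so in %description, or leave the booleans to the administrator. Separately, `selinux_policyver` is only defined inside the fedora/centos/rhel/oraclelinux `%if` branches, so on a euleros build host that defines none of those macros the `Requires(post): selinux-policy-base >= %{selinux_policyver}` line would expand with the macro unresolved; a fallback such as `%{!?selinux_policyver:%global selinux_policyver <min-policy-version>}` (placeholder) or a dedicated branch is needed — assuming the target host really defines none of them. The `Requires(post)` list also switches from commas to a bare space before `libselinux-utils`; both are accepted, but one style should be used.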
@@ -0,0 +1,2759 @@ +From 5c8b4955686c20428b69e5a697a5dc819ff87a43 Mon Sep 17 00:00:00 2001 +From: zhangsong34 +Date: Fri, 22 Feb 2019 17:58:59 +0800 +Subject: [PATCH 106/111] docker-engine-selinux: support + --selinux-enabled=true for daemon + +reason:support --selinux-enabled=true for daemon, fix semodule insert operation +failed. + +Change-Id: Ieaad90896c25aed63767141775f4679c07736430 +Signed-off-by: zhangsong34 +--- + .../docker-engine-selinux/container.fc | 83 ++ + .../docker-engine-selinux/container.if | 713 +++++++++++++ + .../docker-engine-selinux/container.te | 966 ++++++++++++++++++ + .../docker-engine-selinux/docker.fc | 20 - + .../docker-engine-selinux/docker.if | 461 --------- + .../docker-engine-selinux/docker.te | 414 -------- + .../docker-engine-selinux-euleros.spec | 15 +- + 10 files changed, 1777 insertions(+), 903 deletions(-) + create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/container.fc + create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/container.if + create mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/container.te + delete mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc + delete mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if + delete mode 100644 components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te + +diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.fc b/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.fc +new file mode 100644 +index 0000000000..0d13c3d1fb +--- /dev/null ++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.fc +@@ -0,0 +1,83 @@ ++/root/\.docker gen_context(system_u:object_r:container_home_t,s0) ++ ++/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/libexec/docker/docker.* -- 
gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/local/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0) ++/usr/sbin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/local/sbin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/local/bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 
++/usr/sbin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0) ++/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) ++ ++/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0) ++/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) ++ ++/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) ++/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0) ++/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0) ++/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++ ++/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) ++/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++ ++/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/containers/atomic(/.*)? <> ++/var/lib/containers/storage/overlay(/.*)? 
gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++ ++/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0) ++ ++/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) ++/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) ++/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_share_t,s0) ++ ++/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) ++/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) ++ ++/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) ++ ++/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) ++/var/log/lxd(/.*)? 
gen_context(system_u:object_r:container_log_t,s0) +diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.if b/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.if +new file mode 100644 +index 0000000000..3853ca5bde +--- /dev/null ++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.if +@@ -0,0 +1,713 @@ ++ ++## The open-source application container engine. ++ ++######################################## ++## ++## Execute container in the container domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`container_runtime_domtrans',` ++ gen_require(` ++ type container_runtime_t, container_runtime_exec_t; ++ type container_runtime_tmpfs_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, container_runtime_exec_t, container_runtime_t) ++') ++ ++######################################## ++## ++## Execute container runtime in the congtainer runtime domain ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`container_runtime_run',` ++ gen_require(` ++ type container_runtime_t; ++ ') ++ ++ container_domtrans($1) ++ roleattribute $2 container_runtime_t; ++') ++ ++ ++######################################## ++## ++## Execute container in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`container_runtime_exec',` ++ gen_require(` ++ type container_runtime_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, container_runtime_exec_t) ++') ++ ++######################################## ++## ++## Read the process state of container runtime ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_read_state',` ++ gen_require(` ++ type container_runtime_t; ++ ') ++ ++ ps_process_pattern($1, container_runtime_t) ++') ++ ++######################################## ++## ++## Search container lib directories. 
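Review bot: container.fc labels `/usr/bin/docker.*`, `/usr/bin/runc`, `/usr/bin/podman` and the crio binaries as container_runtime_exec_t but has no entry for `/usr/bin/containerd.*` or `/usr/bin/ctr`, even though `/var/run/containerd(/.*)?` is labelled container_var_run_t; with 18.09-era packaging (the spec hunk above pins `%global _version 18.09.0.3`) the containerd binaries are typically shipped without the `docker-` prefix, so they would fall back to the generic bin_t label — if container.te expects them as container_runtime_exec_t, add `/usr/bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)`. The entry `/var/lib/containers/atomic(/.*)? <>` appears to have lost its `<<none>>` context marker in rendering, so the on-disk file should be checked to read `<<none>>`. container.te is not in view, so whether the missing labels actually break a transition is inferred.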
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_search_lib',` ++ gen_require(` ++ type container_var_lib_t; ++ ') ++ ++ allow $1 container_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Execute container lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_exec_lib',` ++ gen_require(` ++ type container_var_lib_t; ++ ') ++ ++ allow $1 container_var_lib_t:dir search_dir_perms; ++ can_exec($1, container_var_lib_t) ++') ++ ++######################################## ++## ++## Read container lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_read_lib_files',` ++ gen_require(` ++ type container_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, container_var_lib_t, container_var_lib_t) ++') ++ ++######################################## ++## ++## Read container share files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_read_share_files',` ++ gen_require(` ++ type container_share_t; ++ ') ++ ++ files_search_var_lib($1) ++ list_dirs_pattern($1, container_share_t, container_share_t) ++ read_files_pattern($1, container_share_t, container_share_t) ++ read_lnk_files_pattern($1, container_share_t, container_share_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to execute container shared files ++## in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_exec_share_files',` ++ gen_require(` ++ type container_share_t; ++ ') ++ ++ can_exec($1, container_share_t) ++') ++ ++######################################## ++## ++## Manage container lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`container_manage_lib_files',` ++ gen_require(` ++ type container_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, container_var_lib_t, container_var_lib_t) ++ manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t) ++') ++ ++######################################## ++## ++## Manage container files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_manage_files',` ++ gen_require(` ++ type container_files_t; ++ ') ++ ++ manage_files_pattern($1, container_files_t, container_files_t) ++ manage_lnk_files_pattern($1, container_files_t, container_files_t) ++') ++ ++######################################## ++## ++## Manage container directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_manage_dirs',` ++ gen_require(` ++ type container_files_t; ++ ') ++ ++ manage_dirs_pattern($1, container_files_t, container_files_t) ++') ++ ++######################################## ++## ++## Manage container lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_manage_lib_dirs',` ++ gen_require(` ++ type container_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t) ++') ++ ++######################################## ++## ++## Create objects in a container var lib directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`container_lib_filetrans',` ++ gen_require(` ++ type container_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, container_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Read container PID files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_read_pid_files',` ++ gen_require(` ++ type container_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, container_var_run_t, container_var_run_t) ++') ++ ++######################################## ++## ++## Execute container server in the container domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`container_systemctl',` ++ gen_require(` ++ type container_runtime_t; ++ type container_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ init_reload_services($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 container_unit_file_t:file read_file_perms; ++ allow $1 container_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, container_runtime_t) ++') ++ ++######################################## ++## ++## Read and write container shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_rw_sem',` ++ gen_require(` ++ type container_runtime_t; ++ ') ++ ++ allow $1 container_runtime_t:sem rw_sem_perms; ++') ++ ++####################################### ++## ++## Read and write the container pty type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`container_use_ptys',` ++ gen_require(` ++ type container_devpts_t; ++ ') ++ ++ allow $1 container_devpts_t:chr_file rw_term_perms; ++') ++ ++####################################### ++## ++## Allow domain to create container content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`container_filetrans_named_content',` ++ ++ gen_require(` ++ type container_var_lib_t; ++ type container_share_t; ++ type container_log_t; ++ type container_var_run_t; ++ type container_home_t; ++ ') ++ ++ files_pid_filetrans($1, container_var_run_t, file, "container.pid") ++ files_pid_filetrans($1, container_var_run_t, file, "docker.pid") ++ files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock") ++ files_pid_filetrans($1, container_var_run_t, dir, "container-client") ++ files_pid_filetrans($1, container_var_run_t, dir, "docker") ++ files_pid_filetrans($1, container_var_run_t, dir, "containerd") ++ files_pid_filetrans($1, container_var_run_t, dir, "ocid") ++ files_pid_filetrans($1, container_var_run_t, dir, "containers") ++ logging_log_filetrans($1, container_log_t, dir, "lxc") ++ files_var_lib_filetrans($1, container_var_lib_t, dir, "containers") ++ files_var_lib_filetrans($1, container_file_t, dir, "origin") ++ files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid") ++ files_var_lib_filetrans($1, container_var_lib_t, dir, "docker") ++ files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "config.env") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "hosts") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "hostname") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, file, "resolv.conf") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "sandboxes") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "init") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "overlay") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "overlay2") ++ filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "atomic") ++ userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container") ++ ++') 
++
++########################################
++##
++## Connect to container over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_stream_connect',`
++ gen_require(`
++ type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
++ stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t)
++ allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Connect to SPC containers over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_spc_stream_connect',`
++ gen_require(`
++ type spc_t, spc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ files_write_all_pid_sockets($1)
++ allow $1 spc_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an container environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_admin',`
++ gen_require(`
++ type container_runtime_t;
++ type container_var_lib_t, container_var_run_t;
++ type container_unit_file_t;
++ type container_lock_t;
++ type container_log_t;
++ type container_config_t;
++ ')
++
++ allow $1 container_runtime_t:process { ptrace signal_perms };
++ ps_process_pattern($1, container_runtime_t)
++
++ admin_pattern($1, container_config_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, container_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, container_var_run_t)
++
++ files_search_locks($1)
++ admin_pattern($1, container_lock_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, container_log_t)
++
++ container_systemctl($1)
++ admin_pattern($1, container_unit_file_t)
++ allow $1 container_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
++
++########################################
++##
++## Execute container_auth_exec_t in the container_auth domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`container_auth_domtrans',`
++ gen_require(`
++ type container_auth_t, container_auth_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, container_auth_exec_t, container_auth_t)
++')
++
++######################################
++##
++## Execute container_auth in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_auth_exec',`
++ gen_require(`
++ type container_auth_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, container_auth_exec_t)
++')
++
++########################################
++##
++## Connect to container_auth over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_auth_stream_connect',`
++ gen_require(`
++ type container_auth_t, container_plugin_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
++')
++
++########################################
++##
++## container domain typebounds calling domain.
++##
++##
++##
++## Domain to be typebound.
++##
++##
++#
++interface(`container_runtime_typebounds',`
++ gen_require(`
++ type container_runtime_t;
++ ')
++
++ allow container_runtime_t $1:process2 nnp_transition;
++')
++
++########################################
++##
++## Allow any container_runtime_exec_t to be an entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`container_runtime_entrypoint',`
++ gen_require(`
++ type container_runtime_exec_t;
++ ')
++ allow $1 container_runtime_exec_t:file entrypoint;
++')
++
++interface(`docker_exec_lib',`
++ container_exec_lib($1)
++')
++
++interface(`docker_read_share_files',`
++ container_read_share_files($1)
++')
++
++interface(`docker_exec_share_files',`
++ container_exec_share_files($1)
++')
++
++interface(`docker_manage_lib_files',`
++ container_manage_lib_files($1)
++')
++
++
++interface(`docker_manage_lib_dirs',`
++ container_manage_lib_dirs($1)
++')
++
++interface(`docker_lib_filetrans',`
++ container_lib_filetrans($1, $2, $3, $4)
++')
++
++interface(`docker_read_pid_files',`
++ container_read_pid_files($1)
++')
++
++interface(`docker_systemctl',`
++ container_systemctl($1)
++')
++
++interface(`docker_use_ptys',`
++ container_use_ptys($1)
++')
++
++interface(`docker_stream_connect',`
++ container_stream_connect($1)
++')
++
++interface(`docker_spc_stream_connect',`
++ container_spc_stream_connect($1)
++')
++
++########################################
++##
++## Read the process state of spc containers
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_spc_read_state',`
++ gen_require(`
++ type spc_t;
++ ')
++
++ ps_process_pattern($1, spc_t)
++')
++
++########################################
++##
++## Creates types and rules for a basic
++## container process domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`container_domain_template',`
++ gen_require(`
++ attribute container_domain;
++ type container_runtime_t;
++ type container_var_lib_t;
++ type container_share_t;
++ ')
++
++ type $1_t, container_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_constrained($1_t)
++ role system_r types $1_t;
++ allow $1_t { container_var_lib_t container_share_t }:file entrypoint;
++
++ kernel_read_all_proc($1_t)
++')
++
++########################################
++##
++## Read and write a spc_t unnamed pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`container_spc_rw_pipes',`
++ gen_require(`
++ type spc_t;
++ ')
++
++ allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
++')
+diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.te b/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.te
+new file mode 100644
+index 0000000000..14bd4f38d6
+--- /dev/null
++++ b/components/engine/contrib/selinux-euleros/docker-engine-selinux/container.te
+@@ -0,0 +1,966 @@
++policy_module(container, 2.68.0)
++gen_require(`
++ class passwd rootok;
++ type container_file_t;
++')
++
++########################################
++#
++# Declarations
++#
++
++##
++##

++## Determine whether container can
++## connect to all TCP ports.
++##

++##
++gen_tunable(container_connect_any, false)
++
++##
++##

++## Allow sandbox containers to manage cgroup (systemd)
++##

++##
++gen_tunable(container_manage_cgroup, false)
++
++type container_runtime_t alias docker_t;
++type container_runtime_exec_t alias docker_exec_t;
++init_daemon_domain(container_runtime_t, container_runtime_exec_t)
++domain_subj_id_change_exemption(container_runtime_t)
++domain_role_change_exemption(container_runtime_t)
++can_exec(container_runtime_t,container_runtime_exec_t)
++attribute container_domain;
++attribute container_net_domain;
++allow container_runtime_t container_domain:process transition;
++allow container_runtime_t container_domain:process2 { nnp_transition nosuid_transition };
++
++type spc_t;
++domain_type(spc_t)
++role system_r types spc_t;
++
++type container_auth_t alias docker_auth_t;
++type container_auth_exec_t alias docker_auth_exec_t;
++init_daemon_domain(container_auth_t, container_auth_exec_t)
++
++type spc_var_run_t;
++files_pid_file(spc_var_run_t)
++
++type container_var_lib_t alias docker_var_lib_t;
++files_type(container_var_lib_t)
++
++type container_home_t alias docker_home_t;
++userdom_user_home_content(container_home_t)
++
++type container_config_t alias docker_config_t;
++files_config_file(container_config_t)
++
++type container_lock_t alias docker_lock_t;
++files_lock_file(container_lock_t)
++
++type container_log_t alias docker_log_t;
++logging_log_file(container_log_t)
++
++type container_runtime_tmp_t alias docker_tmp_t;
++files_tmp_file(container_runtime_tmp_t)
++
++type container_runtime_tmpfs_t alias docker_tmpfs_t;
++files_tmpfs_file(container_runtime_tmpfs_t)
++
++type container_var_run_t alias docker_var_run_t;
++files_pid_file(container_var_run_t)
++
++type container_plugin_var_run_t alias docker_plugin_var_run_t;
++files_pid_file(container_plugin_var_run_t)
++
++type container_unit_file_t alias docker_unit_file_t;
++systemd_unit_file(container_unit_file_t)
++
++type container_devpts_t alias docker_devpts_t;
++term_pty(container_devpts_t)
++
++type container_share_t alias docker_share_t;
++files_mountpoint(container_share_t)
++
++type container_port_t alias docker_port_t;
++corenet_port(container_port_t)
++
++#ifdef(`enable_mcs',`
++# init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh)
++#')
++
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
++')
++
++########################################
++#
++# container local policy
++#
++allow container_runtime_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
++allow container_runtime_t self:tun_socket { create_socket_perms relabelto };
++allow container_runtime_t self:process ~setcurrent;
++allow container_runtime_t self:passwd rootok;
++allow container_runtime_t self:fd use;
++allow container_runtime_t self:file mounton;
++
++allow container_runtime_t self:fifo_file rw_fifo_file_perms;
++allow container_runtime_t self:fifo_file manage_file_perms;
++allow container_runtime_t self:msg all_msg_perms;
++allow container_runtime_t self:sem create_sem_perms;
++allow container_runtime_t self:shm create_shm_perms;
++allow container_runtime_t self:msgq create_msgq_perms;
++allow container_runtime_t self:unix_stream_socket create_stream_socket_perms;
++allow container_runtime_t self:tcp_socket create_stream_socket_perms;
++allow container_runtime_t self:udp_socket create_socket_perms;
++allow container_runtime_t self:capability2 block_suspend;
++allow container_runtime_t container_port_t:tcp_socket name_bind;
++allow container_runtime_t self:filesystem associate;
++allow container_runtime_t self:packet_socket create_socket_perms;
++allow container_runtime_t self:socket create_socket_perms;
++allow container_runtime_t self:rawip_socket create_stream_socket_perms;
++allow container_runtime_t self:netlink_netfilter_socket create_socket_perms;
++allow container_runtime_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow
container_runtime_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow container_runtime_t self:netlink_socket create_socket_perms;
++
++corenet_tcp_bind_generic_node(container_runtime_t)
++corenet_udp_bind_generic_node(container_runtime_t)
++corenet_raw_bind_generic_node(container_runtime_t)
++corenet_tcp_sendrecv_all_ports(container_runtime_t)
++corenet_udp_sendrecv_all_ports(container_runtime_t)
++corenet_udp_bind_all_ports(container_runtime_t)
++corenet_tcp_bind_all_ports(container_runtime_t)
++corenet_tcp_connect_all_ports(container_runtime_t)
++
++mls_file_read_to_clearance(container_runtime_t)
++mls_file_write_to_clearance(container_runtime_t)
++
++container_auth_stream_connect(container_runtime_t)
++
++manage_blk_files_pattern(container_runtime_t, container_file_t, container_file_t)
++manage_sock_files_pattern(container_runtime_t, container_file_t, container_file_t)
++allow container_runtime_t container_file_t:dir {relabelfrom relabelto execmod};
++allow container_runtime_t container_file_t:chr_file mmap_file_perms;
++
++manage_files_pattern(container_runtime_t, container_home_t, container_home_t)
++manage_dirs_pattern(container_runtime_t, container_home_t, container_home_t)
++manage_lnk_files_pattern(container_runtime_t, container_home_t, container_home_t)
++userdom_admin_home_dir_filetrans(container_runtime_t, container_home_t, dir, ".container")
++userdom_manage_user_home_content(container_runtime_t)
++
++manage_dirs_pattern(container_runtime_t, container_config_t, container_config_t)
++manage_files_pattern(container_runtime_t, container_config_t, container_config_t)
++files_etc_filetrans(container_runtime_t, container_config_t, dir, "container")
++
++manage_dirs_pattern(container_runtime_t, container_lock_t, container_lock_t)
++manage_files_pattern(container_runtime_t, container_lock_t, container_lock_t)
++files_lock_filetrans(container_runtime_t, container_lock_t, { dir file }, "lxc")
++
++manage_dirs_pattern(container_runtime_t,
container_log_t, container_log_t)
++manage_files_pattern(container_runtime_t, container_log_t, container_log_t)
++manage_lnk_files_pattern(container_runtime_t, container_log_t, container_log_t)
++logging_log_filetrans(container_runtime_t, container_log_t, { dir file lnk_file })
++allow container_runtime_t container_log_t:dir_file_class_set { relabelfrom relabelto };
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_log_t, file, "container-json.log")
++allow container_runtime_t { container_var_lib_t container_share_t }:file entrypoint;
++
++manage_dirs_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
++manage_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
++manage_sock_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
++manage_lnk_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
++files_tmp_filetrans(container_runtime_t, container_runtime_tmp_t, { dir file lnk_file })
++
++manage_dirs_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
++manage_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
++manage_lnk_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
++manage_fifo_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
++manage_chr_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
++manage_blk_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
++allow container_runtime_t container_runtime_tmpfs_t:dir relabelfrom;
++can_exec(container_runtime_t, container_runtime_tmpfs_t)
++fs_tmpfs_filetrans(container_runtime_t, container_runtime_tmpfs_t, { dir file })
++allow container_runtime_t container_runtime_tmpfs_t:chr_file mounton;
++
++manage_dirs_pattern(container_runtime_t, container_share_t,
container_share_t)
++manage_chr_files_pattern(container_runtime_t, container_share_t, container_share_t)
++manage_blk_files_pattern(container_runtime_t, container_share_t, container_share_t)
++manage_files_pattern(container_runtime_t, container_share_t, container_share_t)
++manage_lnk_files_pattern(container_runtime_t, container_share_t, container_share_t)
++allow container_runtime_t container_share_t:dir_file_class_set { relabelfrom relabelto };
++can_exec(container_runtime_t, container_share_t)
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "init")
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "overlay")
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "overlay2")
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, file, "config.env")
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, file, "hostname")
++filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, file, "hosts")
++
++#container_filetrans_named_content(container_runtime_t)
++
++manage_dirs_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
++manage_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
++manage_chr_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
++manage_blk_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
++manage_sock_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
++manage_lnk_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
++allow container_runtime_t container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
++files_var_lib_filetrans(container_runtime_t, container_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
++manage_files_pattern(container_runtime_t,
container_var_run_t, container_var_run_t)
++manage_fifo_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
++manage_sock_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
++manage_lnk_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
++files_pid_filetrans(container_runtime_t, container_var_run_t, { dir file lnk_file sock_file })
++
++allow container_runtime_t container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
++term_create_pty(container_runtime_t, container_devpts_t)
++term_use_all_ttys(container_runtime_t)
++term_use_all_inherited_terms(container_runtime_t)
++
++kernel_read_system_state(container_runtime_t)
++kernel_read_network_state(container_runtime_t)
++kernel_read_all_sysctls(container_runtime_t)
++kernel_rw_net_sysctls(container_runtime_t)
++kernel_setsched(container_runtime_t)
++kernel_read_all_proc(container_runtime_t)
++kernel_rw_all_sysctls(container_runtime_t)
++
++domain_use_interactive_fds(container_runtime_t)
++domain_dontaudit_read_all_domains_state(container_runtime_t)
++domain_sigchld_all_domains(container_runtime_t)
++domain_use_interactive_fds(container_runtime_t)
++domain_read_all_domains_state(container_runtime_t)
++domain_getattr_all_domains(container_runtime_t)
++
++gen_require(`
++ attribute domain;
++')
++
++allow container_runtime_t domain:fifo_file rw_fifo_file_perms;
++allow container_runtime_t domain:fd use;
++
++corecmd_exec_bin(container_runtime_t)
++corecmd_exec_shell(container_runtime_t)
++corecmd_exec_all_executables(container_runtime_t)
++corecmd_bin_entry_type(container_runtime_t)
++corecmd_shell_entry_type(container_runtime_t)
++
++corenet_tcp_bind_generic_node(container_runtime_t)
++corenet_tcp_sendrecv_generic_if(container_runtime_t)
++corenet_tcp_sendrecv_generic_node(container_runtime_t)
++corenet_tcp_sendrecv_generic_port(container_runtime_t)
++corenet_tcp_bind_all_ports(container_runtime_t)
++corenet_tcp_connect_http_port(container_runtime_t)
++corenet_tcp_connect_commplex_main_port(container_runtime_t)
++corenet_udp_sendrecv_generic_if(container_runtime_t)
++corenet_udp_sendrecv_generic_node(container_runtime_t)
++corenet_udp_sendrecv_all_ports(container_runtime_t)
++corenet_udp_bind_generic_node(container_runtime_t)
++corenet_udp_bind_all_ports(container_runtime_t)
++
++files_read_kernel_modules(container_runtime_t)
++files_read_config_files(container_runtime_t)
++files_dontaudit_getattr_all_dirs(container_runtime_t)
++files_dontaudit_getattr_all_files(container_runtime_t)
++files_execmod_all_files(container_runtime_t)
++files_search_all(container_runtime_t)
++files_read_usr_symlinks(container_runtime_t)
++files_search_locks(container_runtime_t)
++files_dontaudit_unmount_all_mountpoints(container_runtime_t)
++
++fs_read_cgroup_files(container_runtime_t)
++fs_read_tmpfs_symlinks(container_runtime_t)
++fs_search_all(container_runtime_t)
++fs_getattr_all_fs(container_runtime_t)
++fs_rw_onload_sockets(container_runtime_t)
++
++storage_raw_rw_fixed_disk(container_runtime_t)
++
++auth_use_nsswitch(container_runtime_t)
++auth_dontaudit_getattr_shadow(container_runtime_t)
++
++init_read_state(container_runtime_t)
++init_status(container_runtime_t)
++#init_stop(container_runtime_t)
++#init_start(container_runtime_t)
++#init_manage_config_transient_files(container_runtime_t)
++gen_require(`
++ type init_t;
++')
++allow container_runtime_t init_t:service manage_service_perms;
++
++
++logging_send_audit_msgs(container_runtime_t)
++logging_send_syslog_msg(container_runtime_t)
++
++miscfiles_read_localization(container_runtime_t)
++miscfiles_dontaudit_access_check_cert(container_runtime_t)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_t)
++miscfiles_read_fonts(container_runtime_t)
++miscfiles_read_hwdata(container_runtime_t)
++fs_relabel_cgroup_dirs(container_runtime_t)
++# fs_relabel_cgroup_files(container_runtime_t)
++allow
container_runtime_t cgroup_t:file relabelfrom;
++
++mount_domtrans(container_runtime_t)
++
++seutil_read_default_contexts(container_runtime_t)
++seutil_read_config(container_runtime_t)
++
++sysnet_dns_name_resolve(container_runtime_t)
++sysnet_exec_ifconfig(container_runtime_t)
++
++optional_policy(`
++ ssh_use_ptys(container_runtime_t)
++')
++
++optional_policy(`
++ rpm_exec(container_runtime_t)
++ rpm_read_db(container_runtime_t)
++ rpm_exec(container_runtime_t)
++')
++
++optional_policy(`
++ fstools_domtrans(container_runtime_t)
++')
++
++optional_policy(`
++ iptables_domtrans(container_runtime_t)
++')
++
++optional_policy(`
++ openvswitch_stream_connect(container_runtime_t)
++')
++
++#
++# lxc rules
++#
++
++allow container_runtime_t self:capability ~{ sys_module };
++allow container_runtime_t self:capability2 ~{ mac_override mac_admin };
++allow container_runtime_t self:cap_userns ~{ sys_module };
++allow container_runtime_t self:cap2_userns ~{ mac_override mac_admin };
++
++allow container_runtime_t self:process { getcap setcap setexec setpgid setsched signal_perms };
++
++allow container_runtime_t self:netlink_route_socket rw_netlink_socket_perms;;
++allow container_runtime_t self:netlink_xfrm_socket create_netlink_socket_perms;
++allow container_runtime_t self:netlink_audit_socket create_netlink_socket_perms;
++allow container_runtime_t self:unix_dgram_socket { create_socket_perms sendto };
++allow container_runtime_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++allow container_runtime_t container_var_lib_t:dir mounton;
++allow container_runtime_t container_var_lib_t:chr_file mounton;
++can_exec(container_runtime_t, container_var_lib_t)
++
++kernel_dontaudit_setsched(container_runtime_t)
++kernel_get_sysvipc_info(container_runtime_t)
++kernel_request_load_module(container_runtime_t)
++kernel_mounton_messages(container_runtime_t)
++kernel_mounton_all_proc(container_runtime_t)
++kernel_mounton_all_sysctls(container_runtime_t)
++kernel_list_all_proc(container_runtime_t)
++kernel_read_all_sysctls(container_runtime_t)
++kernel_rw_net_sysctls(container_runtime_t)
++kernel_rw_unix_sysctls(container_runtime_t)
++kernel_dontaudit_search_kernel_sysctl(container_runtime_t)
++kernel_dontaudit_access_check_proc(container_runtime_t)
++kernel_dontaudit_setattr_proc_files(container_runtime_t)
++kernel_dontaudit_setattr_proc_dirs(container_runtime_t)
++#kernel_dontaudit_write_usermodehelper_state(container_runtime_t)
++gen_require(`
++ type usermodehelper_t;
++')
++dontaudit container_runtime_t usermodehelper_t:file write;
++
++dev_getattr_all(container_runtime_t)
++dev_getattr_sysfs_fs(container_runtime_t)
++dev_read_rand(container_runtime_t)
++dev_read_urand(container_runtime_t)
++dev_read_lvm_control(container_runtime_t)
++dev_rw_sysfs(container_runtime_t)
++dev_rw_loop_control(container_runtime_t)
++dev_rw_lvm_control(container_runtime_t)
++dev_read_mtrr(container_runtime_t)
++
++files_getattr_isid_type_dirs(container_runtime_t)
++files_manage_isid_type_dirs(container_runtime_t)
++files_manage_isid_type_files(container_runtime_t)
++files_manage_isid_type_symlinks(container_runtime_t)
++files_manage_isid_type_chr_files(container_runtime_t)
++files_manage_isid_type_blk_files(container_runtime_t)
++files_exec_isid_files(container_runtime_t)
++files_mounton_isid(container_runtime_t)
++files_mounton_non_security(container_runtime_t)
++files_mounton_isid_type_chr_file(container_runtime_t)
++
++fs_mount_all_fs(container_runtime_t)
++fs_unmount_all_fs(container_runtime_t)
++fs_remount_all_fs(container_runtime_t)
++files_mounton_isid(container_runtime_t)
++fs_manage_cgroup_dirs(container_runtime_t)
++fs_manage_cgroup_files(container_runtime_t)
++#fs_rw_nsfs_files(container_runtime_t)
++gen_require(`
++ type nsfs_t;
++')
++rw_files_pattern(container_runtime_t, nsfs_t, nsfs_t)
++
++fs_relabelfrom_xattr_fs(container_runtime_t)
++fs_relabelfrom_tmpfs(container_runtime_t)
++fs_read_tmpfs_symlinks(container_runtime_t)
++fs_list_hugetlbfs(container_runtime_t)
++fs_getattr_all_fs(container_runtime_t)
++fs_list_inotifyfs(container_runtime_t)
++fs_rw_inherited_tmpfs_files(container_runtime_t)
++fs_read_hugetlbfs_files(container_runtime_t)
++fs_read_tmpfs_symlinks(container_runtime_t)
++fs_search_tmpfs(container_runtime_t)
++fs_rw_hugetlbfs_files(container_runtime_t)
++
++
++term_use_generic_ptys(container_runtime_t)
++term_use_ptmx(container_runtime_t)
++term_getattr_pty_fs(container_runtime_t)
++term_relabel_pty_fs(container_runtime_t)
++term_mounton_unallocated_ttys(container_runtime_t)
++
++modutils_domtrans_insmod(container_runtime_t)
++
++systemd_status_all_unit_files(container_runtime_t)
++systemd_start_systemd_services(container_runtime_t)
++systemd_dbus_chat_logind(container_runtime_t)
++
++userdom_stream_connect(container_runtime_t)
++userdom_search_user_home_content(container_runtime_t)
++userdom_read_all_users_state(container_runtime_t)
++userdom_relabel_user_home_files(container_runtime_t)
++userdom_relabel_user_tmp_files(container_runtime_t)
++userdom_relabel_user_tmp_dirs(container_runtime_t)
++userdom_use_inherited_user_terminals(container_runtime_t)
++userdom_use_user_ptys(container_runtime_t)
++
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(container_runtime_t)
++ fs_manage_nfs_files(container_runtime_t)
++ fs_manage_nfs_named_sockets(container_runtime_t)
++ fs_manage_nfs_symlinks(container_runtime_t)
++ fs_mount_nfs(container_runtime_t)
++ fs_unmount_nfs(container_runtime_t)
++ fs_exec_nfs_files(container_runtime_t)
++ kernel_rw_fs_sysctls(container_runtime_t)
++')
++
++tunable_policy(`virt_use_samba',`
++ fs_manage_cifs_files(container_runtime_t)
++ fs_manage_cifs_dirs(container_runtime_t)
++ fs_manage_cifs_named_sockets(container_runtime_t)
++ fs_manage_cifs_symlinks(container_runtime_t)
++ fs_exec_cifs_files(container_runtime_t)
++')
++
++tunable_policy(`virt_sandbox_use_fusefs',`
++
fs_manage_fusefs_dirs(container_runtime_t)
++ fs_manage_fusefs_files(container_runtime_t)
++ fs_manage_fusefs_symlinks(container_runtime_t)
++ fs_mount_fusefs(container_runtime_t)
++ fs_unmount_fusefs(container_runtime_t)
++ fs_exec_fusefs_files(container_runtime_t)
++')
++
++optional_policy(`
++ virt_stub_svirt_sandbox_domain()
++ container_read_share_files(svirt_sandbox_domain)
++ container_exec_share_files(svirt_sandbox_domain)
++ allow svirt_sandbox_domain container_share_t:file execmod;
++ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
++ container_use_ptys(svirt_sandbox_domain)
++ container_spc_stream_connect(svirt_sandbox_domain)
++ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
++ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
++ allow svirt_sandbox_domain container_file_t:dir_file_class_set { relabelfrom relabelto };
++')
++
++optional_policy(`
++ apache_exec_modules(container_runtime_t)
++ apache_read_sys_content(container_runtime_t)
++')
++
++optional_policy(`
++ gpm_getattr_gpmctl(container_runtime_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(container_runtime_t)
++ init_dbus_chat(container_runtime_t)
++ init_start_transient_unit(container_runtime_t)
++
++ optional_policy(`
++ systemd_dbus_chat_logind(container_runtime_t)
++ systemd_dbus_chat_machined(container_runtime_t)
++ ')
++
++ optional_policy(`
++ dnsmasq_dbus_chat(container_runtime_t)
++ ')
++
++ optional_policy(`
++ firewalld_dbus_chat(container_runtime_t)
++ ')
++')
++
++optional_policy(`
++ lvm_domtrans(container_runtime_t)
++')
++
++optional_policy(`
++ udev_read_db(container_runtime_t)
++')
++
++optional_policy(`
++ unconfined_domain(container_runtime_t)
++')
++
++optional_policy(`
++ virt_read_config(container_runtime_t)
++ virt_exec(container_runtime_t)
++ virt_stream_connect(container_runtime_t)
++ virt_stream_connect_sandbox(container_runtime_t)
++ virt_exec_sandbox_files(container_runtime_t)
++ virt_manage_sandbox_files(container_runtime_t)
++ virt_relabel_sandbox_filesystem(container_runtime_t)
++ # for lxc
++ virt_transition_svirt_sandbox(container_runtime_t, system_r)
++ virt_transition_svirt(container_runtime_t, system_r)
++ allow svirt_sandbox_domain container_runtime_t:fd use;
++ virt_mounton_sandbox_file(container_runtime_t)
++# virt_attach_sandbox_tun_iface(container_runtime_t)
++ allow container_runtime_t svirt_sandbox_domain:tun_socket relabelfrom;
++ virt_sandbox_entrypoint(container_runtime_t)
++ virt_stub_lxc()
++ allow container_runtime_t virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };
++
++')
++
++tunable_policy(`container_connect_any',`
++ corenet_tcp_connect_all_ports(container_runtime_t)
++ corenet_sendrecv_all_packets(container_runtime_t)
++ corenet_tcp_sendrecv_all_ports(container_runtime_t)
++')
++
++########################################
++#
++# spc local policy
++#
++allow spc_t { container_var_lib_t container_share_t }:file entrypoint;
++role system_r types spc_t;
++
++domtrans_pattern(container_runtime_t, container_share_t, spc_t)
++domtrans_pattern(container_runtime_t, container_var_lib_t, spc_t)
++allow container_runtime_t spc_t:process2 nnp_transition;
++allow spc_t container_runtime_t:fifo_file manage_fifo_file_perms;
++allow spc_t { container_share_t container_file_t }:system module_load;
++
++allow container_runtime_t spc_t:process { setsched signal_perms };
++ps_process_pattern(container_runtime_t, spc_t)
++allow container_runtime_t spc_t:socket_class_set { relabelto relabelfrom };
++
++init_dbus_chat(spc_t)
++
++optional_policy(`
++ systemd_dbus_chat_machined(spc_t)
++ systemd_dbus_chat_logind(spc_t)
++')
++
++optional_policy(`
++ dbus_chat_system_bus(spc_t)
++ dbus_chat_session_bus(spc_t)
++ dnsmasq_dbus_chat(spc_t)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(spc_t)
++ domain_ptrace_all_domains(spc_t)
++')
++
++optional_policy(`
++ virt_stub_svirt_sandbox_file()
++ virt_transition_svirt_sandbox(spc_t, system_r)
++
virt_sandbox_entrypoint(spc_t)
++# virt_sandbox_domtrans(container_runtime_t, spc_t)
++ domtrans_pattern(container_runtime_t, container_file_t, spc_t)
++ virt_transition_svirt(spc_t, system_r)
++ virt_sandbox_entrypoint(container_file_t)
++ virt_sandbox_entrypoint(container_share_t)
++
++ gen_require(`
++ attribute virt_domain;
++ ')
++ container_spc_read_state(virt_domain)
++ container_spc_rw_pipes(virt_domain)
++')
++
++########################################
++#
++# container_auth local policy
++#
++allow container_auth_t self:fifo_file rw_fifo_file_perms;
++allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
++dontaudit container_auth_t self:capability net_admin;
++
++container_stream_connect(container_auth_t)
++
++manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
++manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
++manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
++manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
++files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })
++
++stream_connect_pattern(container_runtime_t, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
++list_dirs_pattern(container_runtime_t, container_plugin_var_run_t, container_plugin_var_run_t)
++
++domain_use_interactive_fds(container_auth_t)
++
++kernel_read_net_sysctls(container_auth_t)
++
++auth_use_nsswitch(container_auth_t)
++
++files_read_etc_files(container_auth_t)
++
++miscfiles_read_localization(container_auth_t)
++
++sysnet_dns_name_resolve(container_auth_t)
++
++########################################
++#
++# container_t local policy
++#
++# Currently this is called in virt.te
++# virt_sandbox_domain_template(container)
++# typealias container_t alias svirt_lxc_net_t;
++gen_require(`
++ type
container_t; ++') ++typeattribute container_t container_domain, container_net_domain; ++allow container_runtime_t container_domain:fifo_file rw_fifo_file_perms; ++allow container_domain container_runtime_t:fifo_file { rw_fifo_file_perms }; ++allow container_domain container_runtime_t:fd use; ++allow container_runtime_t container_domain:fd use; ++allow container_domain self:socket_class_set create_socket_perms; ++ ++dontaudit container_domain self:capability fsetid; ++allow container_domain self:association sendto; ++allow container_domain self:dir list_dir_perms; ++dontaudit container_domain self:dir write; ++allow container_domain self:file rw_file_perms; ++allow container_domain self:lnk_file read_file_perms; ++allow container_domain self:fifo_file create_fifo_file_perms; ++allow container_domain self:filesystem associate; ++allow container_domain self:key manage_key_perms; ++allow container_domain self:netlink_route_socket r_netlink_socket_perms; ++allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; ++allow container_domain self:netlink_xfrm_socket create_socket_perms; ++allow container_domain self:packet_socket create_socket_perms; ++allow container_domain self:passwd rootok; ++allow container_domain self:peer recv; ++allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop }; ++allow container_domain self:sem create_sem_perms; ++allow container_domain self:shm create_shm_perms; ++allow container_domain self:socket create_socket_perms; ++allow container_domain self:tcp_socket create_socket_perms; ++allow container_domain self:tun_socket create_socket_perms; ++allow container_domain self:udp_socket create_socket_perms; ++allow container_domain self:unix_dgram_socket create_socket_perms; ++allow container_domain self:unix_stream_socket create_stream_socket_perms; ++dontaudit container_domain self:capability2 
block_suspend ; ++allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms }; ++ ++manage_files_pattern(container_domain, container_file_t, container_file_t) ++exec_files_pattern(container_domain, container_file_t, container_file_t) ++manage_lnk_files_pattern(container_domain, container_file_t, container_file_t) ++manage_dirs_pattern(container_domain, container_file_t, container_file_t) ++manage_chr_files_pattern(container_domain, container_file_t, container_file_t) ++allow container_domain container_file_t:chr_file mmap_file_perms; ++manage_blk_files_pattern(container_domain, container_file_t, container_file_t) ++allow container_domain container_file_t:filesystem { mount remount unmount }; ++fs_tmpfs_filetrans(container_domain, container_file_t, { dir file }) ++allow container_domain container_file_t:dir_file_class_set { relabelfrom relabelto }; ++container_read_share_files(container_domain) ++container_exec_share_files(container_domain) ++container_use_ptys(container_domain) ++container_spc_stream_connect(container_domain) ++container_stream_connect(container_domain) ++fs_dontaudit_remount_tmpfs(container_domain) ++ ++dev_dontaudit_mounton_sysfs(container_domain) ++allow container_domain container_file_t:dir_file_class_set { relabelfrom relabelto }; ++dev_dontaudit_mounton_sysfs(container_domain) ++ ++dontaudit container_domain container_runtime_tmpfs_t:dir read; ++dev_getattr_mtrr_dev(container_domain) ++dev_list_sysfs(container_domain) ++ ++allow svirt_sandbox_domain self:key manage_key_perms; ++dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; ++ ++allow container_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; ++allow container_domain self:fifo_file manage_file_perms; ++allow container_domain self:msg all_msg_perms; ++allow container_domain self:sem create_sem_perms; ++allow container_domain self:shm create_shm_perms; ++allow container_domain self:msgq 
create_msgq_perms; ++allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow container_domain self:unix_dgram_socket { sendto create_socket_perms }; ++allow container_domain self:passwd rootok; ++allow container_domain self:filesystem associate; ++allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ ++kernel_getattr_proc(container_domain) ++kernel_list_all_proc(container_domain) ++kernel_read_all_sysctls(container_domain) ++kernel_read_network_state(container_domain) ++kernel_rw_net_sysctls(container_domain) ++kernel_rw_unix_sysctls(container_domain) ++kernel_dontaudit_search_kernel_sysctl(container_domain) ++kernel_dontaudit_access_check_proc(container_domain) ++kernel_dontaudit_setattr_proc_files(container_domain) ++kernel_dontaudit_setattr_proc_dirs(container_domain) ++#kernel_dontaudit_write_usermodehelper_state(container_domain) ++dontaudit container_domain usermodehelper_t:file write; ++ ++kernel_read_irq_sysctls(container_domain) ++kernel_get_sysvipc_info(container_domain) ++ ++fs_getattr_all_fs(container_domain) ++fs_list_inotifyfs(container_domain) ++fs_rw_inherited_tmpfs_files(container_domain) ++fs_read_hugetlbfs_files(container_domain) ++fs_read_tmpfs_symlinks(container_domain) ++fs_search_tmpfs(container_domain) ++fs_rw_hugetlbfs_files(container_domain) ++fs_dontaudit_getattr_all_dirs(container_domain) ++fs_dontaudit_getattr_all_files(container_domain) ++ ++term_use_all_inherited_terms(container_domain) ++ ++userdom_use_user_ptys(container_domain) ++ ++#domain_dontaudit_link_all_domains_keyrings(container_domain) ++#domain_dontaudit_search_all_domains_keyrings(container_domain) ++ ++virt_stub_svirt_sandbox_file() ++#virt_sandbox_net_domain(container_t) ++gen_require(` ++ attribute sandbox_net_domain; ++') ++virt_sandbox_domain(container_t) ++typeattribute container_t sandbox_net_domain; ++ ++logging_send_syslog_msg(container_t) ++ ++fs_noxattr_type(container_file_t) ++# 
fs_associate_cgroupfs(container_file_t) ++gen_require(` ++ type cgroup_t; ++') ++ ++dev_read_sysfs(container_domain) ++dev_read_mtrr(container_domain) ++dev_read_rand(container_t) ++dev_read_urand(container_t) ++ ++files_read_kernel_modules(container_t) ++ ++allow container_file_t cgroup_t:filesystem associate; ++term_pty(container_file_t) ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow container_t self:capability sys_admin; ++ allow container_t self:cap_userns sys_admin; ++') ++ ++allow container_domain self:cap_userns sys_admin; ++allow container_domain self:process { getsession execstack execmem }; ++ ++virt_default_capabilities(container_t) ++kernel_rw_rpc_sysctls(container_domain) ++kernel_rw_net_sysctls(container_domain) ++kernel_read_messages(container_t) ++kernel_read_network_state(container_domain) ++kernel_dontaudit_write_proc_files(container_domain) ++ ++# Container Net Domain ++corenet_tcp_bind_generic_node(container_net_domain) ++corenet_udp_bind_generic_node(container_net_domain) ++corenet_raw_bind_generic_node(container_net_domain) ++corenet_tcp_sendrecv_all_ports(container_net_domain) ++corenet_udp_sendrecv_all_ports(container_net_domain) ++corenet_udp_bind_all_ports(container_net_domain) ++corenet_tcp_bind_all_ports(container_net_domain) ++corenet_tcp_connect_all_ports(container_net_domain) ++ ++allow container_net_domain self:udp_socket create_socket_perms; ++allow container_net_domain self:tcp_socket create_stream_socket_perms; ++allow container_net_domain self:tun_socket create_socket_perms; ++allow container_net_domain self:netlink_route_socket create_netlink_socket_perms; ++allow container_net_domain self:packet_socket create_socket_perms; ++allow container_net_domain self:socket create_socket_perms; ++allow container_net_domain self:rawip_socket create_stream_socket_perms; ++allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms; ++allow container_net_domain self:netlink_xfrm_socket 
create_netlink_socket_perms; ++ ++kernel_unlabeled_domtrans(container_runtime_t, spc_t) ++kernel_unlabeled_entry_type(spc_t) ++#kernel_dontaudit_write_usermodehelper_state(container_t) ++gen_require(` ++ type usermodehelper_t; ++') ++dontaudit container_t usermodehelper_t:file write; ++ ++fs_read_cgroup_files(container_t) ++fs_list_cgroup_dirs(container_t) ++ ++sysnet_read_config(container_t) ++ ++corenet_tcp_bind_generic_node(container_t) ++corenet_udp_bind_generic_node(container_t) ++corenet_raw_bind_generic_node(container_t) ++corenet_tcp_sendrecv_all_ports(container_t) ++corenet_udp_sendrecv_all_ports(container_t) ++corenet_udp_bind_all_ports(container_t) ++corenet_tcp_bind_all_ports(container_t) ++corenet_tcp_connect_all_ports(container_t) ++ ++allow container_t self:udp_socket create_socket_perms; ++allow container_t self:tcp_socket create_stream_socket_perms; ++allow container_t self:tun_socket create_socket_perms; ++allow container_t self:netlink_route_socket create_netlink_socket_perms; ++allow container_t self:packet_socket create_socket_perms; ++allow container_t self:socket create_socket_perms; ++allow container_t self:rawip_socket create_stream_socket_perms; ++allow container_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow container_t self:netlink_xfrm_socket create_netlink_socket_perms; ++allow container_t self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; ++ ++optional_policy(` ++ sssd_stream_connect(container_t) ++') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(container_t) ++') ++ ++tunable_policy(`container_manage_cgroup',` ++ fs_manage_cgroup_dirs(container_t) ++ fs_manage_cgroup_files(container_t) ++') ++ ++tunable_policy(`virt_sandbox_use_fusefs',` ++ fs_manage_fusefs_dirs(container_t) ++ fs_manage_fusefs_files(container_t) ++ fs_manage_fusefs_symlinks(container_t) ++ fs_mount_fusefs(container_t) ++ fs_unmount_fusefs(container_t) ++ 
fs_exec_fusefs_files(container_t) ++') ++ ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow container_t self:netlink_socket create_socket_perms; ++ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow container_t self:netlink_kobject_uevent_socket create_socket_perms; ++', ` ++ logging_dontaudit_send_audit_msgs(container_t) ++') ++ ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(container_t) ++') ++ ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow container_t self:capability ~{ sys_module }; ++ allow container_t self:capability2 ~{ mac_override mac_admin }; ++ allow container_t self:cap_userns ~{ sys_module }; ++ allow container_t self:cap2_userns ~{ mac_override mac_admin }; ++') ++ ++tunable_policy(`virt_sandbox_use_mknod',` ++ allow container_t self:capability mknod; ++ allow container_t self:cap_userns mknod; ++') ++ ++gen_require(` ++ type iptables_t; ++') ++container_read_pid_files(iptables_t) ++container_read_state(iptables_t) ++ ++optional_policy(` ++ gen_require(` ++ type unconfined_service_t; ++ ') ++ ++ virt_transition_svirt_sandbox(unconfined_service_t, system_r) ++ container_filetrans_named_content(unconfined_service_t) ++ container_runtime_domtrans(unconfined_service_t) ++') ++ ++optional_policy(` ++ gen_require(` ++ attribute unconfined_domain_type; ++ ') ++ ++ container_filetrans_named_content(unconfined_domain_type) ++ allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition }; ++') ++ ++# Container build ++container_domain_template(container_build) ++dev_mount_sysfs_fs(container_build_t) ++dev_mounton_sysfs(container_build_t) ++ ++fs_mount_tmpfs(container_build_t) ++fs_remount_cgroup(container_build_t) ++ ++kernel_mount_proc(container_build_t) ++kernel_mount_proc(container_build_t) ++kernel_mounton_proc(container_build_t) ++kernel_mounton_proc(container_build_t) ++ ++term_use_generic_ptys(container_build_t) 
++term_setattr_generic_ptys(container_build_t) ++term_mount_pty_fs(container_build_t) ++ ++allow container_build_t self:capability ~{ sys_module }; ++allow container_build_t self:capability2 ~{ mac_override mac_admin }; ++allow container_build_t self:cap_userns ~{ sys_module }; ++allow container_build_t self:cap2_userns ~{ mac_override mac_admin }; ++allow container_build_t self:capability mknod; ++allow container_build_t self:cap_userns mknod; ++ ++optional_policy(` ++ gen_require(` ++ type proc_t, proc_kcore_t; ++ type sysctl_t, sysctl_irq_t; ++ ') ++ ++ allow container_build_t proc_t:filesystem { remount }; ++ allow container_build_t proc_kcore_t:file mounton; ++ allow container_build_t sysctl_irq_t:dir mounton; ++ allow container_build_t sysctl_t:dir mounton; ++ allow container_build_t sysctl_t:file mounton; ++') ++ ++# Container Logreader ++container_domain_template(container_logreader) ++typeattribute container_logreader_t container_net_domain; ++logging_read_all_logs(container_logreader_t) ++logging_read_audit_log(container_logreader_t) ++logging_list_logs(container_logreader_t) ++ ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow container_logreader_t self:capability ~{ sys_module }; ++ allow container_logreader_t self:capability2 ~{ mac_override mac_admin }; ++ allow container_logreader_t self:cap_userns ~{ sys_module }; ++ allow container_logreader_t self:cap2_userns ~{ mac_override mac_admin }; ++') +diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc +deleted file mode 100644 +index e9bb863da0..0000000000 +--- a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.fc ++++ /dev/null +@@ -1,20 +0,0 @@ +-/root/\.docker gen_context(system_u:object_r:docker_home_t,s0) +- +-/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) +-/usr/bin/dockerd -- gen_context(system_u:object_r:docker_exec_t,s0) 
+-/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) +- +-/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0) +- +-/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) +-/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) +-/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) +- +-/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) +-/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) +-/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0) +- +-/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0) +-/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0) +-/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0) +-/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) +diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if +deleted file mode 100644 +index ca075c05c5..0000000000 +--- a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.if ++++ /dev/null +@@ -1,461 +0,0 @@ +- +-## The open-source application container engine. +- +-######################################## +-## +-## Execute docker in the docker domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`docker_domtrans',` +- gen_require(` +- type docker_t, docker_exec_t; +- ') +- +- corecmd_search_bin($1) +- domtrans_pattern($1, docker_exec_t, docker_t) +-') +- +-######################################## +-## +-## Execute docker in the caller domain. +-## +-## +-## +-## Domain allowed to transition. 
+-## +-## +-# +-interface(`docker_exec',` +- gen_require(` +- type docker_exec_t; +- ') +- +- corecmd_search_bin($1) +- can_exec($1, docker_exec_t) +-') +- +-######################################## +-## +-## Search docker lib directories. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_search_lib',` +- gen_require(` +- type docker_var_lib_t; +- ') +- +- allow $1 docker_var_lib_t:dir search_dir_perms; +- files_search_var_lib($1) +-') +- +-######################################## +-## +-## Execute docker lib directories. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_exec_lib',` +- gen_require(` +- type docker_var_lib_t; +- ') +- +- allow $1 docker_var_lib_t:dir search_dir_perms; +- can_exec($1, docker_var_lib_t) +-') +- +-######################################## +-## +-## Read docker lib files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_read_lib_files',` +- gen_require(` +- type docker_var_lib_t; +- ') +- +- files_search_var_lib($1) +- read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) +-') +- +-######################################## +-## +-## Read docker share files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_read_share_files',` +- gen_require(` +- type docker_share_t; +- ') +- +- files_search_var_lib($1) +- read_files_pattern($1, docker_share_t, docker_share_t) +-') +- +-######################################## +-## +-## Manage docker lib files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_manage_lib_files',` +- gen_require(` +- type docker_var_lib_t; +- ') +- +- files_search_var_lib($1) +- manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) +- manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t) +-') +- +-######################################## +-## +-## Manage docker lib directories. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`docker_manage_lib_dirs',` +- gen_require(` +- type docker_var_lib_t; +- ') +- +- files_search_var_lib($1) +- manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) +-') +- +-######################################## +-## +-## Create objects in a docker var lib directory +-## with an automatic type transition to +-## a specified private type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to create. +-## +-## +-## +-## +-## The class of the object to be created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`docker_lib_filetrans',` +- gen_require(` +- type docker_var_lib_t; +- ') +- +- filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) +-') +- +-######################################## +-## +-## Read docker PID files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_read_pid_files',` +- gen_require(` +- type docker_var_run_t; +- ') +- +- files_search_pids($1) +- read_files_pattern($1, docker_var_run_t, docker_var_run_t) +-') +- +-######################################## +-## +-## Execute docker server in the docker domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`docker_systemctl',` +- gen_require(` +- type docker_t; +- type docker_unit_file_t; +- ') +- +- systemd_exec_systemctl($1) +- init_reload_services($1) +- systemd_read_fifo_file_passwd_run($1) +- allow $1 docker_unit_file_t:file read_file_perms; +- allow $1 docker_unit_file_t:service manage_service_perms; +- +- ps_process_pattern($1, docker_t) +-') +- +-######################################## +-## +-## Read and write docker shared memory. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_rw_sem',` +- gen_require(` +- type docker_t; +- ') +- +- allow $1 docker_t:sem rw_sem_perms; +-') +- +-####################################### +-## +-## Read and write the docker pty type. 
+-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_use_ptys',` +- gen_require(` +- type docker_devpts_t; +- ') +- +- allow $1 docker_devpts_t:chr_file rw_term_perms; +-') +- +-####################################### +-## +-## Allow domain to create docker content +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_filetrans_named_content',` +- +- gen_require(` +- type docker_var_lib_t; +- type docker_share_t; +- type docker_log_t; +- type docker_var_run_t; +- type docker_home_t; +- ') +- +- files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") +- files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") +- files_pid_filetrans($1, docker_var_run_t, dir, "docker-client") +- files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") +- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") +- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") +- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") +- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf") +- filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") +- userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker") +-') +- +-######################################## +-## +-## Connect to docker over a unix stream socket. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_stream_connect',` +- gen_require(` +- type docker_t, docker_var_run_t; +- ') +- +- files_search_pids($1) +- stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t) +-') +- +-######################################## +-## +-## Connect to SPC containers over a unix stream socket. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`docker_spc_stream_connect',` +- gen_require(` +- type spc_t, spc_var_run_t; +- ') +- +- files_search_pids($1) +- files_write_all_pid_sockets($1) +- allow $1 spc_t:unix_stream_socket connectto; +-') +- +- +-######################################## +-## +-## All of the rules required to administrate +-## an docker environment +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`docker_admin',` +- gen_require(` +- type docker_t; +- type docker_var_lib_t, docker_var_run_t; +- type docker_unit_file_t; +- type docker_lock_t; +- type docker_log_t; +- type docker_config_t; +- ') +- +- allow $1 docker_t:process { ptrace signal_perms }; +- ps_process_pattern($1, docker_t) +- +- admin_pattern($1, docker_config_t) +- +- files_search_var_lib($1) +- admin_pattern($1, docker_var_lib_t) +- +- files_search_pids($1) +- admin_pattern($1, docker_var_run_t) +- +- files_search_locks($1) +- admin_pattern($1, docker_lock_t) +- +- logging_search_logs($1) +- admin_pattern($1, docker_log_t) +- +- docker_systemctl($1) +- admin_pattern($1, docker_unit_file_t) +- allow $1 docker_unit_file_t:service all_service_perms; +- +- optional_policy(` +- systemd_passwd_agent_exec($1) +- systemd_read_fifo_file_passwd_run($1) +- ') +-') +- +-interface(`domain_stub_named_filetrans_domain',` +- gen_require(` +- attribute named_filetrans_domain; +- ') +-') +- +-interface(`lvm_stub',` +- gen_require(` +- type lvm_t; +- ') +-') +-interface(`staff_stub',` +- gen_require(` +- type staff_t; +- ') +-') +-interface(`virt_stub_svirt_sandbox_domain',` +- gen_require(` +- attribute svirt_sandbox_domain; +- ') +-') +-interface(`virt_stub_svirt_sandbox_file',` +- gen_require(` +- type svirt_sandbox_file_t; +- ') +-') +-interface(`fs_dontaudit_remount_tmpfs',` +- gen_require(` +- type tmpfs_t; +- ') +- +- dontaudit $1 tmpfs_t:filesystem remount; +-') +-interface(`dev_dontaudit_list_all_dev_nodes',` +- gen_require(` +- type device_t; +- ') +- +- dontaudit $1 device_t:dir 
list_dir_perms; +-') +-interface(`kernel_unlabeled_entry_type',` +- gen_require(` +- type unlabeled_t; +- ') +- +- domain_entry_file($1, unlabeled_t) +-') +-interface(`kernel_unlabeled_domtrans',` +- gen_require(` +- type unlabeled_t; +- ') +- +- read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) +- domain_transition_pattern($1, unlabeled_t, $2) +- type_transition $1 unlabeled_t:process $2; +-') +-interface(`files_write_all_pid_sockets',` +- gen_require(` +- attribute pidfile; +- ') +- +- allow $1 pidfile:sock_file write_sock_file_perms; +-') +-interface(`dev_dontaudit_mounton_sysfs',` +- gen_require(` +- type sysfs_t; +- ') +- +- dontaudit $1 sysfs_t:dir mounton; +-') +diff --git a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te b/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te +deleted file mode 100644 +index 999742f302..0000000000 +--- a/components/engine/contrib/selinux-euleros/docker-engine-selinux/docker.te ++++ /dev/null +@@ -1,414 +0,0 @@ +-policy_module(docker, 1.0.0) +- +-######################################## +-# +-# Declarations +-# +- +-## +-##

+-## Allow sandbox containers manage fuse files
+-##

+-##
+-gen_tunable(virt_sandbox_use_fusefs, false)
+-
+-##
+-##

+-## Determine whether docker can
+-## connect to all TCP ports.
+-##

+-##
+-gen_tunable(docker_connect_any, false)
+-
+-type docker_t;
+-type docker_exec_t;
+-init_daemon_domain(docker_t, docker_exec_t)
+-domain_subj_id_change_exemption(docker_t)
+-domain_role_change_exemption(docker_t)
+-
+-type spc_t;
+-domain_type(spc_t)
+-role system_r types spc_t;
+-
+-type spc_var_run_t;
+-files_pid_file(spc_var_run_t)
+-
+-type docker_var_lib_t;
+-files_type(docker_var_lib_t)
+-
+-type docker_home_t;
+-userdom_user_home_content(docker_home_t)
+-
+-type docker_config_t;
+-files_config_file(docker_config_t)
+-
+-type docker_lock_t;
+-files_lock_file(docker_lock_t)
+-
+-type docker_log_t;
+-logging_log_file(docker_log_t)
+-
+-type docker_tmp_t;
+-files_tmp_file(docker_tmp_t)
+-
+-type docker_tmpfs_t;
+-files_tmpfs_file(docker_tmpfs_t)
+-
+-type docker_var_run_t;
+-files_pid_file(docker_var_run_t)
+-
+-type docker_unit_file_t;
+-systemd_unit_file(docker_unit_file_t)
+-
+-type docker_devpts_t;
+-term_pty(docker_devpts_t)
+-
+-type docker_share_t;
+-files_type(docker_share_t)
+-
+-########################################
+-#
+-# docker local policy
+-#
+-allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
+-allow docker_t self:tun_socket relabelto;
+-allow docker_t self:process { getattr signal_perms setrlimit setfscreate };
+-allow docker_t self:fifo_file rw_fifo_file_perms;
+-allow docker_t self:unix_stream_socket create_stream_socket_perms;
+-allow docker_t self:tcp_socket create_stream_socket_perms;
+-allow docker_t self:udp_socket create_socket_perms;
+-allow docker_t self:capability2 block_suspend;
+-
+-manage_files_pattern(docker_t, docker_home_t, docker_home_t)
+-manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
+-manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
+-userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
+-
+-manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
+-manage_files_pattern(docker_t, docker_config_t, docker_config_t)
+-files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
+-
+-manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
+-manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
+-
+-manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
+-manage_files_pattern(docker_t, docker_log_t, docker_log_t)
+-manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
+-logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
+-allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
+-
+-manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+-manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+-manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+-files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
+-
+-manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+-manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+-manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+-manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+-manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+-manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+-allow docker_t docker_tmpfs_t:dir relabelfrom;
+-can_exec(docker_t, docker_tmpfs_t)
+-fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
+-allow docker_t docker_tmpfs_t:chr_file mounton;
+-
+-manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
+-manage_files_pattern(docker_t, docker_share_t, docker_share_t)
+-manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
+-allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
+-
+-can_exec(docker_t, docker_share_t)
+-#docker_filetrans_named_content(docker_t)
+-
+-manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+-manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+-manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+-manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+-manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+-allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+-files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
+-
+-manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+-manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+-manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+-manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+-files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+-
+-allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+-term_create_pty(docker_t, docker_devpts_t)
+-
+-kernel_read_system_state(docker_t)
+-kernel_read_network_state(docker_t)
+-kernel_read_all_sysctls(docker_t)
+-kernel_rw_net_sysctls(docker_t)
+-kernel_setsched(docker_t)
+-kernel_read_all_proc(docker_t)
+-
+-domain_use_interactive_fds(docker_t)
+-domain_dontaudit_read_all_domains_state(docker_t)
+-
+-corecmd_exec_bin(docker_t)
+-corecmd_exec_shell(docker_t)
+-
+-corenet_tcp_bind_generic_node(docker_t)
+-corenet_tcp_sendrecv_generic_if(docker_t)
+-corenet_tcp_sendrecv_generic_node(docker_t)
+-corenet_tcp_sendrecv_generic_port(docker_t)
+-corenet_tcp_bind_all_ports(docker_t)
+-corenet_tcp_connect_http_port(docker_t)
+-corenet_tcp_connect_commplex_main_port(docker_t)
+-corenet_udp_sendrecv_generic_if(docker_t)
+-corenet_udp_sendrecv_generic_node(docker_t)
+-corenet_udp_sendrecv_all_ports(docker_t)
+-corenet_udp_bind_generic_node(docker_t)
+-corenet_udp_bind_all_ports(docker_t)
+-
+-files_read_config_files(docker_t)
+-files_dontaudit_getattr_all_dirs(docker_t)
+-files_dontaudit_getattr_all_files(docker_t)
+-
+-fs_read_cgroup_files(docker_t)
+-fs_read_tmpfs_symlinks(docker_t)
+-fs_search_all(docker_t)
+-fs_getattr_all_fs(docker_t)
+-
+-storage_raw_rw_fixed_disk(docker_t)
+-
+-auth_use_nsswitch(docker_t)
+-auth_dontaudit_getattr_shadow(docker_t)
+-
+-init_read_state(docker_t)
+-init_status(docker_t)
+-
+-logging_send_audit_msgs(docker_t)
+-logging_send_syslog_msg(docker_t)
+-
+-miscfiles_read_localization(docker_t)
+-
+-mount_domtrans(docker_t)
+-
+-seutil_read_default_contexts(docker_t)
+-seutil_read_config(docker_t)
+-
+-sysnet_dns_name_resolve(docker_t)
+-sysnet_exec_ifconfig(docker_t)
+-
+-optional_policy(`
+- rpm_exec(docker_t)
+- rpm_read_db(docker_t)
+- rpm_exec(docker_t)
+-')
+-
+-optional_policy(`
+- fstools_domtrans(docker_t)
+-')
+-
+-optional_policy(`
+- iptables_domtrans(docker_t)
+-')
+-
+-optional_policy(`
+- openvswitch_stream_connect(docker_t)
+-')
+-
+-allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
+-
+-allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
+-
+-allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
+-allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
+-allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
+-allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-
+-allow docker_t docker_var_lib_t:dir mounton;
+-allow docker_t docker_var_lib_t:chr_file mounton;
+-can_exec(docker_t, docker_var_lib_t)
+-
+-kernel_dontaudit_setsched(docker_t)
+-kernel_get_sysvipc_info(docker_t)
+-kernel_request_load_module(docker_t)
+-kernel_mounton_messages(docker_t)
+-kernel_mounton_all_proc(docker_t)
+-kernel_mounton_all_sysctls(docker_t)
+-kernel_unlabeled_entry_type(spc_t)
+-kernel_unlabeled_domtrans(docker_t, spc_t)
+-
+-dev_getattr_all(docker_t)
+-dev_getattr_sysfs_fs(docker_t)
+-dev_read_urand(docker_t)
+-dev_read_lvm_control(docker_t)
+-dev_rw_sysfs(docker_t)
+-dev_rw_loop_control(docker_t)
+-dev_rw_lvm_control(docker_t)
+-
+-files_getattr_isid_type_dirs(docker_t)
+-files_manage_isid_type_dirs(docker_t)
+-files_manage_isid_type_files(docker_t)
+-files_manage_isid_type_symlinks(docker_t)
+-files_manage_isid_type_chr_files(docker_t)
+-files_manage_isid_type_blk_files(docker_t)
+-files_exec_isid_files(docker_t)
+-files_mounton_isid(docker_t)
+-files_mounton_non_security(docker_t)
+-files_mounton_isid_type_chr_file(docker_t)
+-
+-fs_mount_all_fs(docker_t)
+-fs_unmount_all_fs(docker_t)
+-fs_remount_all_fs(docker_t)
+-files_mounton_isid(docker_t)
+-fs_manage_cgroup_dirs(docker_t)
+-fs_manage_cgroup_files(docker_t)
+-fs_relabelfrom_xattr_fs(docker_t)
+-fs_relabelfrom_tmpfs(docker_t)
+-fs_read_tmpfs_symlinks(docker_t)
+-fs_list_hugetlbfs(docker_t)
+-
+-term_use_generic_ptys(docker_t)
+-term_use_ptmx(docker_t)
+-term_getattr_pty_fs(docker_t)
+-term_relabel_pty_fs(docker_t)
+-term_mounton_unallocated_ttys(docker_t)
+-
+-modutils_domtrans_insmod(docker_t)
+-
+-systemd_status_all_unit_files(docker_t)
+-systemd_start_systemd_services(docker_t)
+-
+-userdom_stream_connect(docker_t)
+-userdom_search_user_home_content(docker_t)
+-userdom_read_all_users_state(docker_t)
+-userdom_relabel_user_home_files(docker_t)
+-userdom_relabel_user_tmp_files(docker_t)
+-userdom_relabel_user_tmp_dirs(docker_t)
+-
+-optional_policy(`
+- gpm_getattr_gpmctl(docker_t)
+-')
+-
+-optional_policy(`
+- dbus_system_bus_client(docker_t)
+- init_dbus_chat(docker_t)
+- init_start_transient_unit(docker_t)
+-
+- optional_policy(`
+- systemd_dbus_chat_logind(docker_t)
+- ')
+-
+- optional_policy(`
+- firewalld_dbus_chat(docker_t)
+- ')
+-')
+-
+-optional_policy(`
+- udev_read_db(docker_t)
+-')
+-
+-optional_policy(`
+- virt_read_config(docker_t)
+- virt_exec(docker_t)
+- virt_stream_connect(docker_t)
+- virt_stream_connect_sandbox(docker_t)
+- virt_exec_sandbox_files(docker_t)
+- virt_manage_sandbox_files(docker_t)
+- virt_relabel_sandbox_filesystem(docker_t)
+- virt_transition_svirt_sandbox(docker_t, system_r)
+- virt_mounton_sandbox_file(docker_t)
+-# virt_attach_sandbox_tun_iface(docker_t)
+- allow docker_t 
svirt_sandbox_domain:tun_socket relabelfrom; +-') +- +-tunable_policy(`docker_connect_any',` +- corenet_tcp_connect_all_ports(docker_t) +- corenet_sendrecv_all_packets(docker_t) +- corenet_tcp_sendrecv_all_ports(docker_t) +-') +- +-######################################## +-# +-# spc local policy +-# +-domain_entry_file(spc_t, docker_share_t) +-domain_entry_file(spc_t, docker_var_lib_t) +-role system_r types spc_t; +- +-domain_entry_file(spc_t, docker_share_t) +-domain_entry_file(spc_t, docker_var_lib_t) +-domtrans_pattern(docker_t, docker_share_t, spc_t) +-domtrans_pattern(docker_t, docker_var_lib_t, spc_t) +-allow docker_t spc_t:process { setsched signal_perms }; +-ps_process_pattern(docker_t, spc_t) +-allow docker_t spc_t:socket_class_set { relabelto relabelfrom }; +- +-optional_policy(` +- dbus_chat_system_bus(spc_t) +-') +- +-optional_policy(` +- unconfined_domain_noaudit(spc_t) +-') +- +-optional_policy(` +- unconfined_domain(docker_t) +-') +- +-optional_policy(` +- virt_transition_svirt_sandbox(spc_t, system_r) +-') +- +-######################################## +-# +-# docker upstream policy +-# +- +-optional_policy(` +-# domain_stub_named_filetrans_domain() +- gen_require(` +- attribute named_filetrans_domain; +- ') +- +- docker_filetrans_named_content(named_filetrans_domain) +-') +- +-optional_policy(` +- lvm_stub() +- docker_rw_sem(lvm_t) +-') +- +-optional_policy(` +- staff_stub() +- docker_stream_connect(staff_t) +- docker_exec(staff_t) +-') +- +-optional_policy(` +- virt_stub_svirt_sandbox_domain() +- virt_stub_svirt_sandbox_file() +- allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; +- docker_read_share_files(svirt_sandbox_domain) +- docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) +- docker_use_ptys(svirt_sandbox_domain) +- docker_spc_stream_connect(svirt_sandbox_domain) +- fs_list_tmpfs(svirt_sandbox_domain) +- fs_rw_hugetlbfs_files(svirt_sandbox_domain) +- 
fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) +- dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +- +- tunable_policy(`virt_sandbox_use_fusefs',` +- fs_manage_fusefs_dirs(svirt_sandbox_domain) +- fs_manage_fusefs_files(svirt_sandbox_domain) +- fs_manage_fusefs_symlinks(svirt_sandbox_domain) +- ') +- gen_require(` +- attribute domain; +- ') +- +- dontaudit svirt_sandbox_domain domain:key {search link}; +-') +- +-optional_policy(` +- gen_require(` +- type pcp_pmcd_t; +- ') +- docker_manage_lib_files(pcp_pmcd_t) +-') +diff --git a/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec b/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec +index 0d5189514c..335f123c8b 100644 +--- a/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec ++++ b/components/engine/hack/make/.build-rpm/docker-engine-selinux-euleros.spec +@@ -29,7 +29,7 @@ URL: https://dockerproject.org + + %global selinuxtype targeted + %global moduletype services +-%global modulenames docker ++%global modulenames container + + Requires(post): selinux-policy-base >= %{selinux_policyver}, selinux-policy-targeted >= %{selinux_policyver}, policycoreutils, policycoreutils-python libselinux-utils + BuildRequires: selinux-policy selinux-policy-devel +@@ -79,7 +79,10 @@ if [ $1 -eq 1 ]; then + %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 + fi + %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 +-%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES ++%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null ++%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null ++%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null ++%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + %relabel_files +@@ -97,6 +100,10 @@ if [ $1 -eq 0 ]; then + fi + fi + ++. 
%{_sysconfdir}/selinux/config ++sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/c ++ustomizable_types ++ + %files + %doc LICENSE + %defattr(-,root,root,0755) +-- +2.17.1 + diff --git a/patch/0153-docker-clean-code.patch b/patch/0153-docker-clean-code.patch new file mode 100644 index 0000000000000000000000000000000000000000..385ac4514e6f06370ff7535dff1949a950550664 --- /dev/null +++ b/patch/0153-docker-clean-code.patch 
@@ -0,0 +1,204 @@ +From 276da96d2e1019a36e4f7eeeb2f6cc9fd2963c97 Mon Sep 17 00:00:00 2001 +From: lixiang +Date: Thu, 19 Dec 2019 20:36:29 +0800 +Subject: [PATCH] docker: clean code + +reason: clean code + +Change-Id: Iab01231af397f78813d4a8452b6021690997dd40 +Signed-off-by: lixiang +--- + components/engine/api/server/router/container/inspect.go | 4 +++- + components/engine/cmd/dockerd/daemon.go | 8 +++++--- + .../engine/cmd/dockerd/hack/malformed_host_override.go | 2 +- + components/engine/container/container.go | 2 +- + components/engine/daemon/graphdriver/overlay2/overlay.go | 9 +++++---- + components/engine/image/tarexport/save.go | 3 ++- + components/engine/pkg/ioutils/fswriters.go | 16 +--------------- + .../github.com/docker/libnetwork/osl/namespace_linux.go | 2 +- + .../engine/vendor/github.com/sirupsen/logrus/exported.go | 5 +++++ + 9 files changed, 24 insertions(+), 27 deletions(-) + +diff --git a/components/engine/api/server/router/container/inspect.go b/components/engine/api/server/router/container/inspect.go +index cb6eb50..7c9e5f2 100644 +--- a/components/engine/api/server/router/container/inspect.go ++++ b/components/engine/api/server/router/container/inspect.go +@@ -5,6 +5,7 @@ import ( + "net/http" + "strconv" + ++ "github.com/sirupsen/logrus" + "github.com/docker/docker/api/server/httputils" + ) + +@@ -13,7 +14,8 @@ func (s *containerRouter) getContainersByName(ctx context.Context, w http.Respon + displaySize := httputils.BoolValue(r, "size") + + version := httputils.VersionFromContext(ctx) +- timeout, _ := strconv.Atoi(r.Form.Get("t")) ++ timeout, sErr := strconv.Atoi(r.Form.Get("t")) ++ logrus.Devour(sErr) + json, err := s.backend.ContainerInspect(vars["name"], displaySize, version, timeout) + if err != nil { + return err +diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go +index 336078f..0b3fa0e 100644 +--- a/components/engine/cmd/dockerd/daemon.go ++++ b/components/engine/cmd/dockerd/daemon.go +@@ 
-93,9 +93,11 @@ func cleanupLocalDBs(run, root string) { + logrus.Errorf("stat dblock failed %v", err) + return + } +- ioutil.WriteFile(dbLockPath, []byte{}, 0600) +- files, _ := ioutil.ReadDir(filepath.Join(run, "containerd")) +- olds, _ := ioutil.ReadDir(filepath.Join(run, "libcontainerd")) ++ logrus.Devour(ioutil.WriteFile(dbLockPath, []byte{}, 0600)) ++ files, err := ioutil.ReadDir(filepath.Join(run, "containerd")) ++ logrus.Devour(err) ++ olds, err := ioutil.ReadDir(filepath.Join(run, "libcontainerd")) ++ logrus.Devour(err) + files = append(files, olds...) + for _, f := range files { + if len(f.Name()) == 64 { // running container exist +diff --git a/components/engine/cmd/dockerd/hack/malformed_host_override.go b/components/engine/cmd/dockerd/hack/malformed_host_override.go +index 7852f62..6a8ab82 100644 +--- a/components/engine/cmd/dockerd/hack/malformed_host_override.go ++++ b/components/engine/cmd/dockerd/hack/malformed_host_override.go +@@ -132,7 +132,7 @@ func (l *MalformedHostHeaderOverrideConn) Read(b []byte) (n int, err error) { + break + } + if i % 10 == 0 { // set interval = 1s +- l.Conn.SetReadDeadline(aLongTimeAgo) ++ logrus.Devour(l.Conn.SetReadDeadline(aLongTimeAgo)) + logrus.Debugf("fix hijack by set read deadline force") + } + } +diff --git a/components/engine/container/container.go b/components/engine/container/container.go +index d9d97f4..53d41bd 100644 +--- a/components/engine/container/container.go ++++ b/components/engine/container/container.go +@@ -783,7 +783,7 @@ func (c *Container) DropAccelAndCheckpointTo(store ViewDB) { + } + + if shouldco { +- c.CheckpointTo(store) ++ logrus.Devour(c.CheckpointTo(store)) + } + } + +diff --git a/components/engine/daemon/graphdriver/overlay2/overlay.go b/components/engine/daemon/graphdriver/overlay2/overlay.go +index 8f07d59..7fac2c3 100644 +--- a/components/engine/daemon/graphdriver/overlay2/overlay.go ++++ b/components/engine/daemon/graphdriver/overlay2/overlay.go +@@ -250,14 +250,16 @@ func 
Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap + } + + func (d *Driver) cleanupLinkDir() { +- filepath.Walk(path.Join(d.home, linkDir), func(path string, f os.FileInfo, err error) error { ++ err := filepath.Walk(path.Join(d.home, linkDir), func(path string, f os.FileInfo, err error) error { + if _, serr := filepath.EvalSymlinks(path); serr != nil { + logrus.Warnf("[overlay2]: remove invalid symlink: %s", path) +- os.RemoveAll(path) ++ logrus.Devour(os.RemoveAll(path)) + } + // always return nil, to walk all the symlink + return nil + }) ++ logrus.Devour(err) ++ + + return + } +@@ -785,8 +787,7 @@ func (d *Driver) Exists(id string) bool { + // check symlink + _, rerr = os.Stat(path.Join(d.home, linkDir, string(lstr))) + if rerr != nil { +- os.RemoveAll(path.Join(d.home, linkDir, string(lstr))) +- ++ logrus.Devour(os.RemoveAll(path.Join(d.home, linkDir, string(lstr)))) + logrus.Infof("[overlay2]: symlink (%s) is missing, create a new one", lstr) + if rerr = os.Symlink(path.Join("..", id, "diff"), path.Join(d.home, linkDir, string(lstr))); rerr != nil { + return false +diff --git a/components/engine/image/tarexport/save.go b/components/engine/image/tarexport/save.go +index 0683f17..f83a26e 100644 +--- a/components/engine/image/tarexport/save.go ++++ b/components/engine/image/tarexport/save.go +@@ -21,6 +21,7 @@ import ( + "github.com/docker/docker/pkg/system" + "github.com/opencontainers/go-digest" + "github.com/pkg/errors" ++ "github.com/sirupsen/logrus" + ) + + type imageDescriptor struct { +@@ -415,7 +416,7 @@ func (s *saveSession) saveLayer(id layer.ChainID, legacyImg image.V1Image, creat + if s.compress { + reader, compressionDone = dd.Compress(arch) + defer func(closer io.Closer) { +- closer.Close() ++ logrus.Devour(closer.Close()) + <-compressionDone + }(reader) + } +diff --git a/components/engine/pkg/ioutils/fswriters.go b/components/engine/pkg/ioutils/fswriters.go +index 093f11a..5d68dee 100644 +--- 
a/components/engine/pkg/ioutils/fswriters.go ++++ b/components/engine/pkg/ioutils/fswriters.go +@@ -30,20 +30,6 @@ func NewAtomicFileWriter(filename string, perm os.FileMode) (io.WriteCloser, err + }, nil + } + +-func CleanupTmpFilesRecursive(rootDir string) { +- var removals []string +- filepath.Walk(rootDir, func(path string, f os.FileInfo, err error) error { +- if strings.HasPrefix(f.Name(), ".tmp-") { +- removals = append(removals, path) +- } +- return nil +- }) +- +- for _, r := range removals { +- os.RemoveAll(r) +- } +-} +- + // CleanupAtomicFile cleanup redundant atomic files + func CleanupAtomicFile(filename string) error { + baseName := ".tmp-" + filepath.Base(filename) +@@ -57,7 +43,7 @@ func CleanupAtomicFile(filename string) error { + for _, f := range fs { + if strings.Contains(f.Name(), baseName) { + logrus.Warnf("Remove temporary file: %s", filepath.Join(dir, f.Name())) +- os.RemoveAll(filepath.Join(dir, f.Name())) ++ logrus.Devour(os.RemoveAll(filepath.Join(dir, f.Name()))) + } + } + return nil +diff --git a/components/engine/vendor/github.com/docker/libnetwork/osl/namespace_linux.go b/components/engine/vendor/github.com/docker/libnetwork/osl/namespace_linux.go +index f97b286..03537bd 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/osl/namespace_linux.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/osl/namespace_linux.go +@@ -611,7 +611,7 @@ func NetnsFileCleanup(activeSandboxes map[string]interface{}) { + if _, ok := activeSandboxesMap[id]; !ok { + path := filepath.Join(prefix, id) + // cleanup netns file if not active +- syscall.Unmount(path, syscall.MNT_DETACH) ++ logrus.Devour(syscall.Unmount(path, syscall.MNT_DETACH)) + if err := os.Remove(path); err != nil { + logrus.Warnf("Failed to cleanup netns file %s: %s", path, err) + } +diff --git a/components/engine/vendor/github.com/sirupsen/logrus/exported.go b/components/engine/vendor/github.com/sirupsen/logrus/exported.go +index eb612a6..db23fd5 100644 +--- 
a/components/engine/vendor/github.com/sirupsen/logrus/exported.go ++++ b/components/engine/vendor/github.com/sirupsen/logrus/exported.go +@@ -199,3 +199,7 @@ func Panicln(args ...interface{}) { + func Fatalln(args ...interface{}) { + std.Fatalln(args...) + } ++ ++// Devour will eats any error ++func Devour(err error) { ++} +-- +1.8.3.1 + diff --git a/patch/0154-docker-fix-merge-accel-env-rewriten.patch b/patch/0154-docker-fix-merge-accel-env-rewriten.patch new file mode 100644 index 0000000000000000000000000000000000000000..d74cb5ac93312d731f668117782fd199327c7456 --- /dev/null +++ b/patch/0154-docker-fix-merge-accel-env-rewriten.patch 
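Review bot: `Devour` in exported.go is an empty function, so every call site rewritten in this patch (inspect.go, daemon.go, malformed_host_override.go, container.go, overlay.go, save.go, fswriters.go, namespace_linux.go) still drops the error; only the lint signal disappears. The `ioutil.WriteFile(dbLockPath, …)` result in `cleanupLocalDBs` and the `os.RemoveAll` results in `cleanupLinkDir` and `CleanupAtomicFile` deserve at least a warning, e.g. `if err := ioutil.WriteFile(dbLockPath, []byte{}, 0600); err != nil { logrus.Warnf("write dblock %s: %v", dbLockPath, err) }`, since the lock file appears to be what gates re-running that cleanup and a silent write failure would presumably repeat it on every start. Adding the helper to the vendored copy of logrus means it is lost on the next vendor refresh; a small helper under the engine's own `pkg/` tree would survive, and its doc comment should read `// Devour discards err; use only where the failure is genuinely irrelevant.` rather than `// Devour will eats any error`. The new `logrus` import in inspect.go and save.go also sits outside goimports order, ahead of the `github.com/docker/...` group.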
@@ -0,0 +1,71 @@ +From 39da5897107b49f25f9c318a04ad79ec6753fb7a Mon Sep 17 00:00:00 2001 +From: jingrui +Date: Tue, 31 Dec 2019 11:11:25 +0800 +Subject: [PATCH] docker: fix merge accel env rewriten + +Change-Id: If2c4c076d56e7807d0dceae9db63e7fe1a0492ba +Signed-off-by: jingrui +--- + components/engine/container/container.go | 39 +++++++++++++++++++++--- + 1 file changed, 35 insertions(+), 4 deletions(-) + +diff --git a/components/engine/container/container.go b/components/engine/container/container.go +index d9d97f4022..8fd275ffa9 100644 +--- a/components/engine/container/container.go ++++ b/components/engine/container/container.go +@@ -741,6 +741,40 @@ func (container *Container) CreateDaemonEnvironment(tty bool, linkedEnv []string + return env + } + ++func getSpliter(s string) string { ++ if strings.Contains(s, ",") { ++ return "," ++ } ++ if strings.Contains(s, ";") { ++ return ";" ++ } ++ return ":" ++} ++ ++func mergeOneEnv(el []string, k, v string) []string { ++ for i, e := range el { ++ ee := strings.SplitN(e, "=", 2) ++ if ee[0] != k { ++ continue ++ } ++ if len(ee) > 1 { ++ sep := getSpliter(ee[1] + v) ++ el[i] = k + "=" + ee[1] + sep + v ++ } else { ++ el[i] = k + "=" + v ++ } ++ return el ++ } ++ return append(el, k+"="+v) ++} ++ ++func mergeEnv(el []string, em map[string]string) []string { ++ for k, v := range em { ++ el = mergeOneEnv(el, k, v) ++ } ++ return el ++} ++ + func (c *Container) DropAccelAndCheckpointTo(store ViewDB) { + hc := c.HostConfig + cc := c.Config +@@ -773,10 +807,7 @@ func (c *Container) DropAccelAndCheckpointTo(store ViewDB) { + } + + if len(hc.AccelEnvironments) != 0 { +- for k, v := range hc.AccelEnvironments { +- env := fmt.Sprintf("%s=%s", k, v) +- cc.Env = append(cc.Env, env) +- } ++ cc.Env = mergeEnv(cc.Env, hc.AccelEnvironments) + logrus.Infof("upgrade Env %s", cc.Env) + hc.AccelEnvironments = nil + shouldco = true +-- +2.17.1 + 
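Review bot: `mergeOneEnv` yields a leading separator when the existing entry has an empty value (`K=` merged with `v` becomes `K=:v`), because the `len(ee) > 1` branch never checks that `ee[1]` is non-empty; `if len(ee) > 1 && ee[1] != "" {` avoids that. `getSpliter` chooses the separator by whether either side merely contains `,` or `;`, so one value that happens to contain a comma flips the separator for the whole entry; a doc comment stating that precedence, `// getSpliter picks ',' if present anywhere, else ';', else ':'.`, would make the heuristic explicit (and the name should be `getSplitter`). `mergeEnv` ranges over a map, so the order in which new keys are appended to `cc.Env` varies between runs; iterating sorted keys keeps the checkpointed config deterministic. The enclosing `DropAccelAndCheckpointTo` body continues outside the hunk.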
diff --git a/patch/0155-docker-update-log-opt-when-upgrade-from-1.11.2.patch b/patch/0155-docker-update-log-opt-when-upgrade-from-1.11.2.patch new file mode 100644 index 0000000000000000000000000000000000000000..39621dda783b5754f1b60aef3a40706f3b8a3499 --- /dev/null +++ b/patch/0155-docker-update-log-opt-when-upgrade-from-1.11.2.patch @@ -0,0 +1,32 @@ +From d66f2fd39cd2a86ab96e762a79659e677f0af6e4 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Wed, 8 Jan 2020 20:49:55 +0800 +Subject: [PATCH] docker: update log-opt when upgrade from 1.11.2 + +reason:Container's default log tag begins with "docker" in 1.11.2, +but not in 18.09, which is not good for log filtering. So we modify +this to allow users to update containers' log tags by setting deamon +config. + +Change-Id: I9b30e8fe314a272ed187911d843d803277128b76 +Signed-off-by: xiadanni1 +--- + components/engine/daemon/daemon.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go +index 3bd0d93..0dab6db 100644 +--- a/components/engine/daemon/daemon.go ++++ b/components/engine/daemon/daemon.go +@@ -327,7 +327,7 @@ func (daemon *Daemon) restore() error { + // The LogConfig.Type is empty if the container was created before docker 1.12 with default log driver. + // We should rewrite it to use the daemon defaults. + // Fixes https://github.com/docker/docker/issues/22536 +- if c.HostConfig.LogConfig.Type == "" { ++ if c.HostConfig.LogConfig.Type == "" || c.HostConfig.LogConfig.Type == daemon.defaultLogConfig.Type { + if err := daemon.mergeAndVerifyLogConfig(&c.HostConfig.LogConfig); err != nil { + logrus.Errorf("Failed to verify log config for container %s: %q", c.ID, err) + continue +-- +1.8.3.1 + 
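Review bot: The comment block above the changed `if` still says the branch handles containers created before docker 1.12 with an empty `LogConfig.Type`, but the added second condition runs `mergeAndVerifyLogConfig` for every container whose driver matches the daemon default, so the comment no longer describes the condition. Either extend it, `// Also re-merge daemon defaults for containers already on the default driver so log tags from daemon config reach containers upgraded from 1.11.2.`, or keep the comment aligned with the original condition. Note that a `mergeAndVerifyLogConfig` failure makes `restore()` `continue`, so a previously restorable default-driver container whose options no longer validate is skipped after this change; `restore()` begins and ends outside the hunk.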
diff --git a/patch/0156-docker-only-update-log-opt-tag-for-containers-from-1.patch b/patch/0156-docker-only-update-log-opt-tag-for-containers-from-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..50647c3f316bf7449e5ca507eaf9d2d98affa155 --- /dev/null +++ b/patch/0156-docker-only-update-log-opt-tag-for-containers-from-1.patch 
@@ -0,0 +1,65 @@ +From b254e628f9745f4b7b2b56f6b2818c6c6ad76d31 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Thu, 9 Jan 2020 03:06:30 +0800 +Subject: [PATCH] docekr: only update log-opt tag for containers from 1.11.2 + +reason:only update log-opt tag for containers from 1.11.2 +to minimize influence on configs. + +Change-Id: I6eea45477a75063c7b5c296755d28f70dc200117 +Signed-off-by: xiadanni1 +--- + components/engine/daemon/daemon.go | 7 ++++++- + components/engine/daemon/logs.go | 14 ++++++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go +index 0dab6db..f591878 100644 +--- a/components/engine/daemon/daemon.go ++++ b/components/engine/daemon/daemon.go +@@ -327,11 +327,16 @@ func (daemon *Daemon) restore() error { + // The LogConfig.Type is empty if the container was created before docker 1.12 with default log driver. + // We should rewrite it to use the daemon defaults. + // Fixes https://github.com/docker/docker/issues/22536 +- if c.HostConfig.LogConfig.Type == "" || c.HostConfig.LogConfig.Type == daemon.defaultLogConfig.Type { ++ if c.HostConfig.LogConfig.Type == "" { + if err := daemon.mergeAndVerifyLogConfig(&c.HostConfig.LogConfig); err != nil { + logrus.Errorf("Failed to verify log config for container %s: %q", c.ID, err) + continue + } ++ } else if c.HostConfig.LogConfig.Type == daemon.defaultLogConfig.Type { ++ if err := daemon.mergeAndVerifyOriginContainersLogConfig(&c.HostConfig.LogConfig); err != nil { ++ logrus.Errorf("Failed to verify log config for container %s: %q", c.ID, err) ++ continue ++ } + } + } + +diff --git a/components/engine/daemon/logs.go b/components/engine/daemon/logs.go +index 668a75c..8dddbcf 100644 +--- a/components/engine/daemon/logs.go ++++ b/components/engine/daemon/logs.go +@@ -193,6 +193,20 @@ func (daemon *Daemon) mergeAndVerifyLogConfig(cfg *containertypes.LogConfig) err + return logger.ValidateLogOpts(cfg.Type, cfg.Config) + } 
+ ++func (daemon *Daemon) mergeAndVerifyOriginContainersLogConfig(cfg *containertypes.LogConfig) error { ++ if cfg.Config == nil { ++ cfg.Config = make(map[string]string) ++ } ++ ++ if _, ok := daemon.defaultLogConfig.Config["tag"]; ok { ++ if _, ok := cfg.Config["tag"]; !ok { ++ cfg.Config["tag"] = daemon.defaultLogConfig.Config["tag"] ++ } ++ } ++ ++ return logger.ValidateLogOpts(cfg.Type, cfg.Config) ++} ++ + func (daemon *Daemon) setupDefaultLogConfig() error { + config := daemon.configStore + if len(config.LogConfig.Config) > 0 { +-- +1.8.3.1 + diff --git a/patch/0157-docker-Support-check-manifest-and-layer-s-DiffID-inf.patch b/patch/0157-docker-Support-check-manifest-and-layer-s-DiffID-inf.patch new file mode 100644 index 0000000000000000000000000000000000000000..bbb0f999da39ad79490a22cbba4a49400e507f04 --- /dev/null +++ b/patch/0157-docker-Support-check-manifest-and-layer-s-DiffID-inf.patch 
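Review bot: `mergeAndVerifyOriginContainersLogConfig` has no check that the container actually originates from 1.11.2 — it runs for every container whose type equals `daemon.defaultLogConfig.Type` — so a container created on 18.09 whose user deliberately left `tag` unset receives the daemon's tag at the next restart; if that is intended, state it in a doc comment such as `// mergeAndVerifyOriginContainersLogConfig injects the daemon's default "tag" into cfg when the container uses the default driver but carries no tag of its own (the 1.11.2 upgrade case), then validates cfg.` The nested lookups shadow `ok` and read the map twice; `if tag, ok := daemon.defaultLogConfig.Config["tag"]; ok { if _, has := cfg.Config["tag"]; !has { cfg.Config["tag"] = tag } }` is clearer. As in the daemon.go hunk of this patch, a validation error now makes `restore()` skip the container, which did not happen before for default-driver containers; logging and continuing with the unmodified config may be the safer failure mode.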
@@ -0,0 +1,52 @@ +From b8160cf70bcb59ff4baea98f8e6eeb700b69eea1 Mon Sep 17 00:00:00 2001 +From: lixiang +Date: Sun, 19 Jan 2020 09:09:14 +0800 +Subject: [PATCH] docker: Support check manifest and layer's DiffID info when + pulling image failed + +reason: When pulling image, the downloaded layer and the layer recorded in +the config could be different and which will cause the +"errRootFSMismatch" error. What we should do is to trace more info on that and +log them for better analysing after error occured. + +Change-Id: Ib09a840e34becd403f0336ae8c93c0f4aa064095 +Signed-off-by: lixiang +--- + components/engine/distribution/pull_v2.go | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go +index 9d2a303..99cee79 100644 +--- a/components/engine/distribution/pull_v2.go ++++ b/components/engine/distribution/pull_v2.go +@@ -399,11 +399,13 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform + case *schema2.DeserializedManifest: + id, manifestDigest, err = p.pullSchema2(ctx, ref, v, platform) + if err != nil { ++ logrus.Errorf("try to pull schema2 failed. manifest: %+v", manifest.References()) + return false, err + } + case *manifestlist.DeserializedManifestList: + id, manifestDigest, err = p.pullManifestList(ctx, ref, v, platform) + if err != nil { ++ logrus.Errorf("try to get manifest data from storage failed. manifest: %+v", manifest.References()) + return false, err + } + default: +@@ -714,11 +716,13 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s + // Otherwise the image config could be referencing layers that aren't + // included in the manifest. 
+ if len(downloadedRootFS.DiffIDs) != len(configRootFS.DiffIDs) { ++ logrus.Errorf("config layers: %v pulled/loaded: %v", configRootFS.DiffIDs, downloadedRootFS.DiffIDs) + return "", "", errRootFSMismatch + } + + for i := range downloadedRootFS.DiffIDs { + if downloadedRootFS.DiffIDs[i] != configRootFS.DiffIDs[i] { ++ logrus.Errorf("config layer do not match pulled/loaded layer. config:%v pulled:%v", configRootFS.DiffIDs[i], downloadedRootFS.DiffIDs[i]) + return "", "", errRootFSMismatch + } + } +-- +1.8.3.1 + diff --git a/patch/0158-docker-support-private-registry.patch b/patch/0158-docker-support-private-registry.patch new file mode 100644 index 0000000000000000000000000000000000000000..afcc64ac52efe06e4fa8891ada5d63cc7b1938b7 --- /dev/null +++ b/patch/0158-docker-support-private-registry.patch 
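Review bot: The message in the `manifestlist` branch of `pullV2Tag`, `try to get manifest data from storage failed`, misdescribes the failure — `pullManifestList` fetches a manifest list from the registry — and both new `Errorf` calls log and then return the same error, so callers that already report it will print it twice; `logrus.Debugf("pull manifest list failed. manifest: %+v", manifest.References())`, or wrapping the returned error with the manifest references, avoids the duplicate. In `pullSchema2` the per-layer message has a grammar slip, `config layer do not match` → `config layer does not match`, and would be more useful with the index: `logrus.Errorf("layer %d: config DiffID %v does not match pulled DiffID %v", i, configRootFS.DiffIDs[i], downloadedRootFS.DiffIDs[i])`. Both enclosing functions start and end outside the hunks.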
@@ -0,0 +1,904 @@
+From ca795c91b91ea38ce26616825c646f59a746edde Mon Sep 17 00:00:00 2001
+From: jiangpengfei
+Date: Mon, 30 Sep 2019 14:15:45 -0400
+Subject: [PATCH] docker: support private registry
+
+reason:
+1. add registries config to support downnload private registry image
+2. add LLT testcases for registries config
+
+Change-Id: Icd77363c6c2024e9ece0b79e65aeaee3af928caa
+Signed-off-by: jiangpengfei
+---
+ components/engine/api/types/registry/registry.go | 162 ++++++++++++++++++++-
+ .../engine/api/types/registry/registry_test.go | 73 ++++++++++
+ components/engine/cmd/dockerd/daemon_test.go | 24 +++
+ components/engine/daemon/config/config.go | 13 ++
+ components/engine/daemon/reload.go | 26 ++++
+ components/engine/distribution/pull_v2.go | 26 +++-
+ components/engine/distribution/push_v2_test.go | 4 +
+ components/engine/opts/opts.go | 34 +++++
+ components/engine/registry/config.go | 24 ++-
+ components/engine/registry/service.go | 12 ++
+ components/engine/registry/service_v2.go | 98 +++++++++----
+ components/engine/registry/service_v2_test.go | 104 +++++++++++++
+ 12 files changed, 564 insertions(+), 36 deletions(-)
+ create mode 100644 components/engine/api/types/registry/registry_test.go
+ create mode 100644 components/engine/registry/service_v2_test.go
+
+diff --git a/components/engine/api/types/registry/registry.go b/components/engine/api/types/registry/registry.go
+index 8789ad3..1ebf18b 100644
+--- a/components/engine/api/types/registry/registry.go
++++ b/components/engine/api/types/registry/registry.go
+@@ -2,9 +2,25 @@ package registry // import "github.com/docker/docker/api/types/registry"
+
+ import (
+ "encoding/json"
++ "fmt"
+ "net"
++ "net/url"
++ "regexp"
++ "strings"
+
+- "github.com/opencontainers/image-spec/specs-go/v1"
++ "github.com/docker/distribution/reference"
++ v1 "github.com/opencontainers/image-spec/specs-go/v1"
++)
++
++var (
++ // DefaultEndpoint for docker.io
++ DefaultEndpoint = Endpoint{
++ Address: "https://registry-1.docker.io",
++ url: url.URL{
++ Scheme: "https",
++ Host: "registry-1.docker.io",
++ },
++ }
+ )
+
+ // ServiceConfig stores daemon registry services configuration.
+@@ -14,6 +30,150 @@ type ServiceConfig struct {
+ InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
+ IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
+ Mirrors []string
++ Registries Registries
++}
++
++// Registries is a slice of type Registry.
++type Registries []Registry
++
++// Registry includes all data relevant for the lookup of push and pull
++// endpoints.
++type Registry struct {
++ // Pattern is a string contains the registry domain name which pull/push
++ // images directly, don't need to convert to pull from mirror registry
++ Pattern string `json:"pattern"`
++ // Mirrors is a slice contains registry mirror url address
++ Mirrors []Endpoint `json:"mirrors"`
++ patternRegexp *regexp.Regexp
++}
++
++// Endpoint includes all data associated with a given registry endpoint.
++type Endpoint struct {
++ // Address is the endpoints base URL when assembling a repository in a
++ // registry (e.g., "registry.com:5000/v2").
++ Address string `json:"address"`
++ // url is used during endpoint lookup and avoids to redundantly parse
++ // Address when the Endpoint is used.
++ url url.URL
++ // InsecureSkipVerify: if true, TLS accepts any certificate presented
++ // by the server and any host name in that certificate. In this mode,
++ // TLS is susceptible to man-in-the-middle attacks. This should be used
++ // only for testing
++ InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
++}
++
++// RewriteReference strips the prefix from ref and appends it to registry.
++// If the prefix is empty, ref remains unchanged. An error is returned if
++// prefix doesn't prefix ref.
++func RewriteReference(ref reference.Named, prefix string, registry *url.URL) (reference.Named, error) {
++ // Sanity check the provided arguments
++ if ref == nil {
++ return nil, fmt.Errorf("provided reference is nil")
++ }
++ if registry == nil {
++ return nil, fmt.Errorf("provided registry is nil")
++ }
++
++ // don't rewrite the default endpoints
++ if *registry == DefaultEndpoint.url {
++ return ref, nil
++ }
++
++ if prefix == "" {
++ return ref, nil
++ }
++
++ baseAddress := strings.TrimPrefix(registry.String(), registry.Scheme+"://")
++
++ refStr := ref.String()
++ if !strings.HasPrefix(refStr, prefix) {
++ return nil, fmt.Errorf("unable to rewrite reference %q with prefix %q", refStr, prefix)
++ }
++ remainder := strings.TrimPrefix(refStr, prefix)
++ remainder = strings.TrimPrefix(remainder, "/")
++ baseAddress = strings.TrimSuffix(baseAddress, "/")
++
++ newRefStr := baseAddress + "/" + remainder
++ newRef, err := reference.ParseNamed(newRefStr)
++ if err != nil {
++ return nil, fmt.Errorf("unable to rewrite reference %q with prefix %q to %q: %v", refStr, prefix, newRefStr, err)
++ }
++ return newRef, nil
++}
++
++// GetURL returns the Endpoint's URL.
++func (r *Endpoint) GetURL() *url.URL {
++ // return the pointer of a copy
++ url := r.url
++ return &url
++}
++
++// MatchWhiteList return reference match the r.whiteListRegexp or not
++func (r *Registry) MatchPattern(reference string) bool {
++ if r.patternRegexp == nil {
++ return false
++ }
++
++ return r.patternRegexp.MatchString(reference)
++}
++
++// FindRegistry returns the Registry mirror url address if reference not in the whitelist
++// or nil if reference in the Registry whitelist.
++func (r Registries) FindRegistry(reference string) *Registry {
++ var reg *Registry = nil
++ for i := range r {
++ match := r[i].MatchPattern(reference)
++ if match {
++ reg = &r[i]
++ break
++ }
++ }
++
++ return reg
++}
++
++// Prepare must be called on each new Registry. It sets up all specified push
++// and pull endpoints
++func (r *Registry) Prepare() error {
++ var err error
++ r.patternRegexp, err = regexp.Compile(r.Pattern)
++ if err != nil {
++ return fmt.Errorf("invalid pattern: %v", err)
++ }
++
++ prepareEndpoints := func(endpoints []Endpoint) ([]Endpoint, error) {
++ for i := range endpoints {
++ if err := endpoints[i].Prepare(); err != nil {
++ return nil, err
++ }
++ }
++
++ return endpoints, nil
++ }
++
++ if r.Mirrors, err = prepareEndpoints(r.Mirrors); err != nil {
++ return err
++ }
++
++ if len(r.Mirrors) == 0 {
++ return fmt.Errorf("Registry with whitelist %v without mirror endpoints", r.Pattern)
++ }
++
++ return nil
++}
++
++// Prepare sets up the Endpoint.
++func (r *Endpoint) Prepare() error {
++ if !strings.HasPrefix(r.Address, "http://") && !strings.HasPrefix(r.Address, "https://") {
++ return fmt.Errorf("%s: address must start with %q or %q", r.Address, "http://", "https://")
++ }
++
++ u, err := url.Parse(r.Address)
++ if err != nil {
++ return err
++ }
++ r.url = *u
++ return nil
+ }
+
+ // NetIPNet is the net.IPNet type, which can be marshalled and
+diff --git a/components/engine/api/types/registry/registry_test.go b/components/engine/api/types/registry/registry_test.go
+new file mode 100644
+index 0000000..e532d4d
+--- /dev/null
++++ b/components/engine/api/types/registry/registry_test.go
+@@ -0,0 +1,73 @@
++package registry
++
++import (
++ "net/url"
++ "testing"
++
++ "github.com/docker/distribution/reference"
++ "gotest.tools/assert"
++)
++
++func TestRewriteReference(t *testing.T) {
++ var ref reference.Named
++ var prefix string
++ var registry *url.URL
++
++ // case 1: ref is nil
++ _, err := RewriteReference(ref, prefix, registry)
++ assert.ErrorContains(t, err, "provided reference is nil")
++
++ ref, err = reference.ParseNormalizedNamed("hello.com/official/busybox")
++ assert.NilError(t, err)
++
++ // case 2: registry is nil
++ _, err = RewriteReference(ref, prefix, registry)
++ assert.ErrorContains(t, err, "provided registry is nil")
++
++ registry = &url.URL{
++ Scheme: "https",
++ Host: "exapmle.com",
++ }
++
++ // case 3: prefix is empty, expect nil
++ rewriteRef, err := RewriteReference(ref, prefix, registry)
++ assert.NilError(t, err)
++ assert.Equal(t, rewriteRef, ref)
++
++ // case 4: registry equal to DefaultEndpoint.url
++ registry = &url.URL{
++ Scheme: "https",
++ Host: "registry-1.docker.io",
++ }
++ rewriteRef, err = RewriteReference(ref, prefix, registry)
++ assert.NilError(t, err)
++ assert.Equal(t, rewriteRef, ref)
++
++ // case 5: ref.String() doesn't have prefix
++ registry = &url.URL{
++ Scheme: "https",
++ Host: "test.io",
++ }
++ prefix = "example.com"
++ rewriteRef, err = RewriteReference(ref, prefix, registry)
++ assert.ErrorContains(t, err, "unable to rewrite reference")
++
++ // case 6: registry host is invalid
++ prefix = "hello.com"
++ registry = &url.URL{
++ Scheme: "https",
++ Host: "[?f,*fds",
++ }
++ rewriteRef, err = RewriteReference(ref, prefix, registry)
++ assert.ErrorContains(t, err, "unable to rewrite reference")
++
++ // case 7: everything is ok
++ registry = &url.URL{
++ Scheme: "https",
++ Host: "test.io",
++ }
++ prefix = "hello.com"
++ rewriteRef, err = RewriteReference(ref, prefix, registry)
++ assert.NilError(t, err)
++ assert.Equal(t, rewriteRef.String(), "test.io/official/busybox")
++}
+diff --git a/components/engine/cmd/dockerd/daemon_test.go b/components/engine/cmd/dockerd/daemon_test.go
+index ad447e3..681bf87 100644
+--- a/components/engine/cmd/dockerd/daemon_test.go
++++ b/components/engine/cmd/dockerd/daemon_test.go
+@@ -180,3 +180,27 @@ func TestLoadDaemonConfigWithRegistryOptions(t *testing.T) {
+ assert.Check(t, is.Len(loadedConfig.Mirrors, 1))
+ assert.Check(t, is.Len(loadedConfig.InsecureRegistries, 1))
+ }
++
++func TestLoadDaemonConfigWithRegistriesOptions(t *testing.T) {
++ content := `{
++ "registries": [
++ {
++ "pattern": "xxx.com",
++ "mirrors": [
++ {
++ "address": "http://hello.mirror.com"
++ }
++ ]
++ }
++ ]
++ }`
++ tempFile := fs.NewFile(t, "config", fs.WithContent(content))
++ defer tempFile.Remove()
++
++ opts := defaultOptions(tempFile.Path())
++ loadedConfig, err := loadDaemonCliConfig(opts)
++ assert.NilError(t, err)
++ assert.Assert(t, loadedConfig != nil)
++
++ assert.Check(t, is.Len(loadedConfig.Registries, 1))
++}
+diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
+index 2141ce8..07d4c89 100644
+--- a/components/engine/daemon/config/config.go
++++ b/components/engine/daemon/config/config.go
+@@ -435,6 +435,10 @@ func getConflictFreeConfiguration(configFile string, flags *pflag.FlagSet) (*Con
+ return nil, err
+ }
+
++ if len(config.Mirrors) > 0 && len(config.Registries) > 0 {
++ return nil, fmt.Errorf("registry-mirror config conflict with registries config")
++ }
++
+ if config.RootDeprecated != "" {
+ logrus.Warn(`The "graph" config file option is deprecated. Please use "data-root" instead.`)
+
+@@ -472,6 +476,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
+ unknownKeys := make(map[string]interface{})
+ for key, value := range config {
+ if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
++ // skip config-only flags
++ if key == "registries" {
++ continue
++ }
+ unknownKeys[key] = value
+ }
+ }
+@@ -579,6 +587,11 @@ func Validate(config *Config) error {
+ }
+ }
+
++ // validate registries mirror settings
++ if err := opts.ValidateRegistries(config.Registries); err != nil {
++ return err
++ }
++
+ // validate platform-specific settings
+ return config.ValidatePlatformConfig()
+ }
+diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go
+index 026d7dd..b8132cc 100644
+--- a/components/engine/daemon/reload.go
++++ b/components/engine/daemon/reload.go
+@@ -65,6 +65,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
+ if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
+ return err
+ }
++ if err := daemon.reloadRegistries(conf, attributes);err != nil {
++ return err
++ }
+ return daemon.reloadNetworkDiagnosticPort(conf, attributes)
+ }
+
+@@ -294,6 +297,29 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
+ return nil
+ }
+
++// reloadRegistries updates the registries configuration and the passed attributes
++func (daemon *Daemon) reloadRegistries(conf *config.Config, attributes map[string]string) error {
++ // update corresponding configuration
++ if conf.IsValueSet("registries") {
++ daemon.configStore.Registries = conf.Registries
++ if err := daemon.RegistryService.LoadRegistries(conf.Registries); err != nil {
++ return err
++ }
++ }
++
++ // prepare reload event attributes with updatable configurations
++ if daemon.configStore.Registries != nil {
++ registries, err := json.Marshal(daemon.configStore.Registries)
++ if err != nil {
++ return err
++ }
++ attributes["registries"] = string(registries)
++ } else {
++ attributes["registries"] = "[]"
++ }
++ return nil
++}
++
+ // reloadLiveRestore updates configuration with live retore option
+ // and updates the passed attributes
+ func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error {
+diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go
+index 99cee79..4150241 100644
+--- a/components/engine/distribution/pull_v2.go
++++ b/components/engine/distribution/pull_v2.go
+@@ -20,10 +20,11 @@ import (
+ "github.com/docker/distribution/registry/api/errcode"
+ "github.com/docker/distribution/registry/client/auth"
+ "github.com/docker/distribution/registry/client/transport"
++ registrytypes "github.com/docker/docker/api/types/registry"
+ "github.com/docker/docker/distribution/metadata"
+ "github.com/docker/docker/distribution/xfer"
+ "github.com/docker/docker/image"
+- "github.com/docker/docker/image/v1"
++ v1 "github.com/docker/docker/image/v1"
+ "github.com/docker/docker/layer"
+ "github.com/docker/docker/pkg/ioutils"
+ "github.com/docker/docker/pkg/progress"
+@@ -66,6 +67,10 @@ type v2Puller struct {
+
+ func (p *v2Puller) Pull(ctx context.Context, ref reference.Named, platform *specs.Platform) (err error) {
+ // TODO(tiborvass): was ReceiveTimeout
++ if p.endpoint.Prefix != "" {
++ p.config.MetaHeaders["Docker-Prefix"] = []string{p.endpoint.Prefix}
++ }
++
+ p.repo, p.confirmedV2, err = NewV2Repository(ctx, p.repoInfo, p.endpoint, p.config.MetaHeaders, p.config.AuthConfig, "pull")
+ if err != nil {
+ logrus.Warnf("Error getting v2 registry: %v", err)
+@@ -334,6 +339,17 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
+ return false, err
+ }
+
++ var pullRef reference.Named = ref
++ if len(p.endpoint.Prefix) != 0 {
++ // Note that pullRef is only used for pulling while ref is used as
++ // the reference for storing the image
++ pullRef, err = registrytypes.RewriteReference(ref, p.endpoint.Prefix, p.endpoint.URL)
++ if err != nil {
++ return false, err
++ }
++ logrus.Infof("rewriting %q to %q", ref.String(), pullRef.String())
++ }
++
+ var (
+ manifest distribution.Manifest
+ tagOrDigest string // Used for logging/progress only
+@@ -379,7 +395,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
+ // the other side speaks the v2 protocol.
+ p.confirmedV2 = true
+
+- logrus.Debugf("Pulling ref from V2 registry: %s", reference.FamiliarString(ref))
++ logrus.Debugf("Pulling ref %q from V2 registry: %s", ref, p.endpoint.URL)
+ progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named()))
+
+ var (
+@@ -392,18 +408,18 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
+ if p.config.RequireSchema2 {
+ return false, fmt.Errorf("invalid manifest: not schema2")
+ }
+- id, manifestDigest, err = p.pullSchema1(ctx, ref, v, platform)
++ id, manifestDigest, err = p.pullSchema1(ctx, pullRef, v, platform)
+ if err != nil {
+ return false, err
+ }
+ case *schema2.DeserializedManifest:
+- id, manifestDigest, err = p.pullSchema2(ctx, ref, v, platform)
++ id, manifestDigest, err = p.pullSchema2(ctx, pullRef, v, platform)
+ if err != nil {
+ logrus.Errorf("try to pull schema2 failed. manifest: %+v", manifest.References())
+ return false, err
+ }
+ case *manifestlist.DeserializedManifestList:
+- id, manifestDigest, err = p.pullManifestList(ctx, ref, v, platform)
++ id, manifestDigest, err = p.pullManifestList(ctx, pullRef, v, platform)
+ if err != nil {
+ logrus.Errorf("try to get manifest data from storage failed. manifest: %+v", manifest.References())
+ return false, err
+diff --git a/components/engine/distribution/push_v2_test.go b/components/engine/distribution/push_v2_test.go
+index 436b4a1..8d39403 100644
+--- a/components/engine/distribution/push_v2_test.go
++++ b/components/engine/distribution/push_v2_test.go
+@@ -488,6 +488,10 @@ func (s *mockReferenceStore) Get(ref reference.Named) (digest.Digest, error) {
+ return "", nil
+ }
+
++func (s *mockReferenceStore) List() []digest.Digest {
++ return []digest.Digest{}
++}
++
+ func TestWhenEmptyAuthConfig(t *testing.T) {
+ for _, authInfo := range []struct {
+ username string
+diff --git a/components/engine/opts/opts.go b/components/engine/opts/opts.go
+index de8aacb..db63aa6 100644
+--- a/components/engine/opts/opts.go
++++ b/components/engine/opts/opts.go
+@@ -7,6 +7,7 @@ import (
+ "regexp"
+ "strings"
+
++ "github.com/docker/docker/api/types/registry"
+ "github.com/docker/go-units"
+ )
+
+@@ -15,6 +16,11 @@ var (
+ domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
+ )
+
++const (
++ maxRegistryNum = 100
++ maxMirrorNumber = 100
++)
++
+ // ListOpts holds a list of values and a validation function.
+ type ListOpts struct {
+ values *[]string
+@@ -273,6 +279,34 @@ func ValidateSingleGenericResource(val string) (string, error) {
+ return val, nil
+ }
+
++func ValidateRegistries(registries registry.Registries) error {
++ if len(registries) == 0 {
++ return nil
++ }
++
++ if len(registries) > maxRegistryNum {
++ return fmt.Errorf("registries config registry number should not larger than %d", maxRegistryNum)
++ }
++
++ for _, reg := range registries {
++ if len(reg.Pattern) == 0 || len(reg.Mirrors) == 0 {
++ return fmt.Errorf("registry pattern and mirrors is required, should not be empty")
++ }
++
++ if len(reg.Mirrors) > maxMirrorNumber {
++ return fmt.Errorf("registry mirrors number should not larger than %d", maxMirrorNumber)
++ }
++
++ for _, mirror := range reg.Mirrors {
++ if len(mirror.Address) == 0 {
++ return fmt.Errorf("mirror address is required, should not be empty")
++ }
++ }
++ }
++
++ return nil
++}
++
+ // ParseLink parses and validates the specified string as a link format (name:alias)
+ func ParseLink(val string) (string, string, error) {
+ if val == "" {
+diff --git a/components/engine/registry/config.go b/components/engine/registry/config.go
+index ea491b9..9c2b762 100644
+--- a/components/engine/registry/config.go
++++ b/components/engine/registry/config.go
+@@ -20,6 +20,10 @@ type ServiceOptions struct {
+ Mirrors []string `json:"registry-mirrors,omitempty"`
+ InsecureRegistries []string `json:"insecure-registries,omitempty"`
+
++ // Registries holds information associated with registries and their
++ // push and pull mirrors.
++ Registries registrytypes.Registries `json:"registries,omitempty"`
++
+ // V2Only controls access to legacy registries. If it is set to true via the
+ // command line flag the daemon will not attempt to contact v1 legacy registries
+ V2Only bool `json:"disable-legacy-registry,omitempty"`
+@@ -97,6 +101,9 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
+ if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil {
+ return nil, err
+ }
++ if err := config.LoadRegistries(options.Registries); err != nil {
++ return nil, err
++ }
+
+ return config, nil
+ }
+@@ -248,7 +255,22 @@ skip:
+ return nil
+ }
+
+-// allowNondistributableArtifacts returns true if the provided hostname is part of the list of registries
++// LoadRegistries loads the user-specified configuration options for registries
++func (config *serviceConfig) LoadRegistries(registries registrytypes.Registries) error {
++ for _, registry := range registries {
++ if err := registry.Prepare(); err != nil {
++ return err
++ }
++ config.Registries = append(config.Registries, registry)
++ }
++
++ for i, r := range config.Registries {
++ logrus.Infof("REGISTRY %d: %v", i, r)
++ }
++ return nil
++}
++
++// allowNondistributableArtifacts returns true if the provided hostname is part of the list of regsitries
+ // that allow push of nondistributable artifacts.
+ //
+ // The list can contain elements with CIDR notation to specify a whole subnet. If the subnet contains an IP
+diff --git a/components/engine/registry/service.go b/components/engine/registry/service.go
+index d38f44b..8530f97 100644
+--- a/components/engine/registry/service.go
++++ b/components/engine/registry/service.go
+@@ -34,6 +34,7 @@ type Service interface {
+ LoadAllowNondistributableArtifacts([]string) error
+ LoadMirrors([]string) error
+ LoadInsecureRegistries([]string) error
++ LoadRegistries(registrytypes.Registries) error
+ }
+
+ // DefaultService is a registry service. It tracks configuration data such as a list
+@@ -64,6 +65,7 @@ func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig {
+ InsecureRegistryCIDRs: make([]*(registrytypes.NetIPNet), 0),
+ IndexConfigs: make(map[string]*(registrytypes.IndexInfo)),
+ Mirrors: make([]string, 0),
++ Registries: make([]registrytypes.Registry, 0),
+ }
+
+ // construct a new ServiceConfig which will not retrieve s.Config directly,
+@@ -77,6 +79,7 @@ func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig {
+ }
+
+ servConfig.Mirrors = append(servConfig.Mirrors, s.config.ServiceConfig.Mirrors...)
++ servConfig.Registries = append(servConfig.Registries, s.config.ServiceConfig.Registries...)
+
+ return &servConfig
+ }
+@@ -105,6 +108,14 @@ func (s *DefaultService) LoadInsecureRegistries(registries []string) error {
+ return s.config.LoadInsecureRegistries(registries)
+ }
+
++// LoadRegistries loads registries for Service
++func (s *DefaultService) LoadRegistries(registries registrytypes.Registries) error {
++ s.mu.Lock()
++ defer s.mu.Unlock()
++
++ return s.config.LoadRegistries(registries)
++}
++
+ // Auth contacts the public registry with the provided credentials,
+ // and returns OK if authentication was successful.
+ // It can be used to verify the validity of a client's credentials.
+@@ -258,6 +269,7 @@ type APIEndpoint struct {
+ Official bool
+ TrimHostname bool
+ TLSConfig *tls.Config
++ Prefix string
+ }
+
+ // ToV1Endpoint returns a V1 API endpoint based on the APIEndpoint
+diff --git a/components/engine/registry/service_v2.go b/components/engine/registry/service_v2.go
+index 3a56dc9..adeb10c 100644
+--- a/components/engine/registry/service_v2.go
++++ b/components/engine/registry/service_v2.go
+@@ -1,47 +1,87 @@
+ package registry // import "github.com/docker/docker/registry"
+
+ import (
++ "crypto/tls"
+ "net/url"
+ "strings"
+
++ registrytypes "github.com/docker/docker/api/types/registry"
+ "github.com/docker/go-connections/tlsconfig"
+ )
+
+ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) {
+- tlsConfig := tlsconfig.ServerDefault()
+- if hostname == DefaultNamespace || hostname == IndexHostname {
+- // v2 mirrors
+- for _, mirror := range s.config.Mirrors {
+- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
+- mirror = "https://" + mirror
+- }
+- mirrorURL, err := url.Parse(mirror)
+- if err != nil {
+- return nil, err
++ var tlsConfig *tls.Config
++
++ // if s.config.Registries is set, lookup regsitry mirror addr from s.config.Registries
++ if len(s.config.Registries) > 0 {
++ reg := s.config.Registries.FindRegistry(hostname)
++
++ if reg != nil {
++ var regEndpoints []registrytypes.Endpoint = reg.Mirrors
++
++ lastIndex := len(regEndpoints) - 1
++ for i, regEP := range regEndpoints {
++ official := regEP.Address == registrytypes.DefaultEndpoint.Address
++ regURL := regEP.GetURL()
++
++ if official {
++ tlsConfig = tlsconfig.ServerDefault()
++ } else {
++ tlsConfig, err = s.tlsConfigForMirror(regURL)
++ if err != nil {
++ return nil, err
++ }
++ }
++ tlsConfig.InsecureSkipVerify = regEP.InsecureSkipVerify
++ endpoints = append(endpoints, APIEndpoint{
++ URL: regURL,
++ Version: APIVersion2,
++ Official: official,
++ TrimHostname: true,
++ TLSConfig: tlsConfig,
++ Prefix: hostname,
++ // the last endpoint is not considered a mirror
++ Mirror: i != lastIndex,
++ })
+ }
+- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
+- if err != nil {
+- return nil, err
++ return endpoints, nil
++ }
++ } else {
++ tlsConfig = tlsconfig.ServerDefault()
++ if hostname == DefaultNamespace || hostname == IndexHostname {
++ // v2 mirrors
++ for _, mirror := range s.config.Mirrors {
++ if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
++ mirror = "https://" + mirror
++ }
++ mirrorURL, err := url.Parse(mirror)
++ if err != nil {
++ return nil, err
++ }
++ mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
++ if err != nil {
++ return nil, err
++ }
++ endpoints = append(endpoints, APIEndpoint{
++ URL: mirrorURL,
++ // guess mirrors are v2
++ Version: APIVersion2,
++ Mirror: true,
++ TrimHostname: true,
++ TLSConfig: mirrorTLSConfig,
++ })
+ }
++ // v2 registry
+ endpoints = append(endpoints, APIEndpoint{
+- URL: mirrorURL,
+- // guess mirrors are v2
++ URL: DefaultV2Registry,
+ Version: APIVersion2,
+- Mirror: true,
++ Official: true,
+ TrimHostname: true,
+- TLSConfig: mirrorTLSConfig,
++ TLSConfig: tlsConfig,
+ })
+- }
+- // v2 registry
+- endpoints = append(endpoints, APIEndpoint{
+- URL: DefaultV2Registry,
+- Version: APIVersion2,
+- Official: true,
+- TrimHostname: true,
+- TLSConfig: tlsConfig,
+- })
+
+- return endpoints, nil
++ return endpoints, nil
++ }
+ }
+
+ ana := allowNondistributableArtifacts(s.config, hostname)
+@@ -57,7 +97,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
+ Scheme: "https",
+ Host: hostname,
+ },
+- Version: APIVersion2,
++ Version: APIVersion2,
+ AllowNondistributableArtifacts: ana,
+ TrimHostname: true,
+ TLSConfig: tlsConfig,
+@@ -70,7 +110,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
+ Scheme: "http",
+ Host: hostname,
+ },
+- Version: APIVersion2,
++ Version: APIVersion2,
+ AllowNondistributableArtifacts: ana,
+ TrimHostname: true,
+ // used to check if supposed to be secure via InsecureSkipVerify
+diff --git a/components/engine/registry/service_v2_test.go b/components/engine/registry/service_v2_test.go
+new file mode 100644
+index 0000000..02c954b
+--- /dev/null
++++ b/components/engine/registry/service_v2_test.go
+@@ -0,0 +1,104 @@
++package registry
++
++import (
++ "testing"
++ "gotest.tools/assert"
++
++ registrytypes "github.com/docker/docker/api/types/registry"
++)
++
++func TestLookupV2Endpoints(t *testing.T) {
++ // case 1: doesn't call r.Prepare(), expect use default
++ r := registrytypes.Registry{
++ Pattern: "hello.com",
++ Mirrors: []registrytypes.Endpoint{
++ {
++ Address: "http://docker.com",
++ InsecureSkipVerify: false,
++ },
++ },
++ }
++
++ s, err := NewService(ServiceOptions{
++ Registries: registrytypes.Registries{
++ r,
++ },
++ })
++
++ _, err = s.lookupV2Endpoints("hello.com")
++ assert.NilError(t, err)
++
++ // case 2: everything is ok
++ err = r.Prepare()
++ assert.NilError(t, err)
++
++ if err != nil {
++ t.Fatal(err)
++ }
++
++ _, err = s.lookupV2Endpoints("hello.com")
++ assert.NilError(t, err)
++
++ // case 3: Mirror Address is invalid, without http:// or https:// prefix
++ r = registrytypes.Registry{
++ Pattern: "hello.com",
++ Mirrors: []registrytypes.Endpoint{
++ {
++ Address: "docker.com",
++ InsecureSkipVerify: false,
++ },
++ },
++ }
++
++ err = r.Prepare()
++ assert.ErrorContains(t, err, "address must start with")
++
++ // case 4: invalid pattern
++ r = registrytypes.Registry{
++ Pattern: "`[@1xxfdsaf",
++ Mirrors: []registrytypes.Endpoint{
++ {
++ Address: "https://docker.com",
++ InsecureSkipVerify: false,
++ },
++ },
++ }
++
++ err = r.Prepare()
++ assert.ErrorContains(t, err, "invalid pattern")
++
++ // case 5: r.Mirrors is empty, expect error
++ r = registrytypes.Registry{
++ Pattern: "hello.com",
++ Mirrors: []registrytypes.Endpoint{},
++ }
++
++ err = r.Prepare()
++ assert.ErrorContains(t, err, "without mirror endpoints")
++
++ // case 6: lookupV2Endpoints doesn't match to registry pattern, expect no error, return default endpoints
++ r = registrytypes.Registry{
++ Pattern: "hello.com",
++ Mirrors: []registrytypes.Endpoint{
++ {
++ Address: "http://docker.com",
++ InsecureSkipVerify: false,
++ },
++ },
++ }
++
++ err = r.Prepare()
++ assert.NilError(t, err)
++
++ s, err = NewService(ServiceOptions{
++ Registries: registrytypes.Registries{
++ r,
++ },
++ })
++ if err != nil {
++ t.Fatal(err)
++ }
++
++ _, err = s.lookupV2Endpoints("example.com")
++ assert.NilError(t, err)
++}
+--
+1.8.3.1
+
diff --git a/patch/0159-docker-extend-timeout-in-cli-testcases.patch b/patch/0159-docker-extend-timeout-in-cli-testcases.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09d0b61a62101dc868b1748d43423ffe957d67b6
--- /dev/null
+++ b/patch/0159-docker-extend-timeout-in-cli-testcases.patch
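Review bot: `Registry.Prepare` compiles `Pattern` verbatim with `regexp.Compile` and `MatchPattern` tests it with `MatchString`, so the pattern is an unanchored regular expression even though the field comment, the daemon config test and `ValidateRegistries` all treat it as a registry domain name: `"registry.corp.com"` also matches `registry.corp.com.evil.net` and `registryXcorp.com`, `FindRegistry` then routes those pulls to the configured mirror with `Prefix: hostname` and `TrimHostname: true`, and `pullV2Tag` stores the mirror's content under the original, unrelated name. Anchor and quote the pattern unless regex semantics are really wanted, e.g. `r.patternRegexp, err = regexp.Compile("^(?:" + r.Pattern + ")$")`, or `regexp.QuoteMeta(r.Pattern)` for an exact-host match, and add a test for a host that merely contains the pattern. `serviceConfig.LoadRegistries` appends to `config.Registries` instead of replacing it, and `reloadRegistries` calls it with the full new list on every reload, so duplicates accumulate across reloads and a registry removed from the config keeps matching first; begin the loop with `config.Registries = nil`. Setting `tlsConfig.InsecureSkipVerify` from a config file in `lookupV2Endpoints` also deserves a `logrus.Warnf` naming the endpoint, since it silently disables certificate verification for that mirror.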
@@ -0,0 +1,72 @@
+From e412902143021ef82d5887e512b17194f136f46e Mon Sep 17 00:00:00 2001
+From: xiadanni1
+Date: Thu, 20 Feb 2020 21:54:44 +0800
+Subject: [PATCH] docker: extend timeout in cli testcases
+
+reason:extend timeout in cli testcases to avoid test
+failed when host is in high stress.
+
+Change-Id: Id2698eed7a63babc97182026604dcd781fc15a36
+Signed-off-by: xiadanni1
+---
+ components/engine/integration-cli/docker_cli_run_unix_test.go | 2 +-
+ components/engine/integration-cli/docker_cli_start_test.go | 2 +-
+ components/engine/integration-cli/docker_cli_stats_test.go | 2 +-
+ components/engine/integration-cli/docker_cli_update_unix_test.go | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/components/engine/integration-cli/docker_cli_run_unix_test.go b/components/engine/integration-cli/docker_cli_run_unix_test.go
+index a618316..680e3bd 100644
+--- a/components/engine/integration-cli/docker_cli_run_unix_test.go
++++ b/components/engine/integration-cli/docker_cli_run_unix_test.go
+@@ -47,7 +47,7 @@ func (s *DockerSuite) TestRunRedirectStdout(c *check.C) {
+ }()
+
+ select {
+- case <-time.After(10 * time.Second):
++ case <-time.After(20 * time.Second):
+ c.Fatal("command timeout")
+ case err := <-ch:
+ c.Assert(err, checker.IsNil, check.Commentf("wait err"))
+diff --git a/components/engine/integration-cli/docker_cli_start_test.go b/components/engine/integration-cli/docker_cli_start_test.go
+index cbe917b..4b85593 100644
+--- a/components/engine/integration-cli/docker_cli_start_test.go
++++ b/components/engine/integration-cli/docker_cli_start_test.go
+@@ -35,7 +35,7 @@ func (s *DockerSuite) TestStartAttachReturnsOnError(c *check.C) {
+ select {
+ case err := <-ch:
+ c.Assert(err, check.IsNil)
+- case <-time.After(5 * time.Second):
++ case <-time.After(10 * time.Second):
+ c.Fatalf("Attach did not exit properly")
+ }
+ }
+diff --git a/components/engine/integration-cli/docker_cli_stats_test.go b/components/engine/integration-cli/docker_cli_stats_test.go
+index 4548363..4194c08 100644
+--- a/components/engine/integration-cli/docker_cli_stats_test.go
++++ b/components/engine/integration-cli/docker_cli_stats_test.go
+@@ -35,7 +35,7 @@ func (s *DockerSuite) TestStatsNoStream(c *check.C) {
+ case outerr := <-ch:
+ c.Assert(outerr.err, checker.IsNil, check.Commentf("Error running stats: %v", outerr.err))
+ c.Assert(string(outerr.out), checker.Contains, id[:12]) //running container wasn't present in output
+- case <-time.After(3 * time.Second):
++ case <-time.After(6 * time.Second):
+ statsCmd.Process.Kill()
+ c.Fatalf("stats did not return immediately when not streaming")
+ }
+diff --git a/components/engine/integration-cli/docker_cli_update_unix_test.go b/components/engine/integration-cli/docker_cli_update_unix_test.go
+index 1fb30f0..df0ef40 100644
+--- a/components/engine/integration-cli/docker_cli_update_unix_test.go
++++ b/components/engine/integration-cli/docker_cli_update_unix_test.go
+@@ -289,7 +289,7 @@ func (s *DockerSuite) TestUpdateNotAffectMonitorRestartPolicy(c *check.C) {
+ _, err = cpty.Write([]byte("exit\n"))
+ c.Assert(err, checker.IsNil)
+
+- c.Assert(cmd.Wait(), checker.IsNil)
++ cmd.Wait()
+
+ // container should restart again and keep running
+ err = waitInspect(id, "{{.RestartCount}}", "1", 30*time.Second)
+--
+1.8.3.1
+
diff --git a/patch/0160-docker-create-a-soft-link-from-runtime-default-to-ru.patch b/patch/0160-docker-create-a-soft-link-from-runtime-default-to-ru.patch
new file mode 100644
index 0000000000000000000000000000000000000000..034d3c708aa8f5f7d0871f29f26900f2f08af086
--- /dev/null
+++ b/patch/0160-docker-create-a-soft-link-from-runtime-default-to-ru.patch
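Review bot: The `docker_cli_update_unix_test.go` hunk replaces `c.Assert(cmd.Wait(), checker.IsNil)` with a bare `cmd.Wait()`, which is not a timeout extension: it discards the exit status of the command driven through `cpty` (presumably the interactive `docker run`), so a container that dies with an error before the restart check now passes silently. If the intent is to tolerate a non-zero exit after the scripted `exit`, record it and assert on the specific condition instead, e.g. `if err := cmd.Wait(); err != nil { c.Logf("wait: %v", err) }`, and say so in the commit message; otherwise keep the assertion. The three timeout doublings are fine as they stand, though the stats case's `c.Fatalf` still says "immediately" while now allowing six seconds. `TestUpdateNotAffectMonitorRestartPolicy` begins and ends outside the hunk.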
@@ -0,0 +1,89 @@
+From c86ba11974a14d4e1fadede7f30c9a9401c81659 Mon Sep 17 00:00:00 2001
+From: liuzekun
+Date: Wed, 26 Feb 2020 07:06:58 -0500
+Subject: [PATCH] docker: create a soft link from runtime-default to
+ runtime-runc
+
+reason: create a soft link from runtime-default to runtime-runc,
+and also copy and back it content
+
+Signed-off-by: liuzekun
+---
+ components/engine/daemon/daemon.go | 57 ++++++++++++++++++++++++++++++
+ 1 file changed, 57 insertions(+)
+
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index f591878a..3ff56912 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -1147,6 +1147,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+ return nil, err
+ }
+
++ if err := d.linkRuntimeDefault(); err != nil {
++ logrus.Warnf("create soft link failed : %v", err)
++ }
+ if err := d.restore(); err != nil {
+ return nil, err
+ }
+@@ -1587,3 +1590,57 @@ func (daemon *Daemon) BuilderBackend() builder.Backend {
+ *images.ImageService
+ }{daemon, daemon.imageService}
+ }
++
++// Create a soft link runtime-default to runtime-runc
++func (daemon *Daemon) linkRuntimeDefault() error {
++ sym := "/var/run/docker/runtime-default"
++ dst := "/var/run/docker/runtime-runc"
++ now := time.Now().Format("/var/run/docker/bak/2006-01-03.150405.000/")
++ bak := func(p string) string {
++ os.MkdirAll(now, 0700)
++ return now + filepath.Base(p)
++ }
++ mov := func(src, dst string) error {
++ var err error
++ dirs, _ := ioutil.ReadDir(src + "/moby")
++ for _, f := range dirs {
++ old := fmt.Sprintf("%s/moby/%s", src, f.Name())
++ new := fmt.Sprintf("%s/moby/%s", dst, f.Name())
++ if e := os.Rename(old, new); e != nil {
++ if err == nil {
++ err = fmt.Errorf("mv %s %s", src, dst)
++ }
++ err = fmt.Errorf("%s %s %v", err, f.Name(), e)
++ }
++ }
++ return err
++ }
++ if err := os.MkdirAll(dst+"/moby", 0700); err != nil {
++ return fmt.Errorf("create runtime-runc failed")
++ }
++ if f, _ := os.Lstat(dst); f.Mode()&os.ModeSymlink != 0 {
++ if err := os.Rename(dst, bak(dst)); err != nil { // dst must be dir.
++ return fmt.Errorf("bak runtime-runc failed %v", err)
++ }
++ if err := os.MkdirAll(dst+"/moby", 0700); err != nil {
++ return fmt.Errorf("create runtime-runc failed")
++ }
++ if err := mov(bak(dst), dst); err != nil {
++ return err
++ }
++ }
++
++ if f, err := os.Lstat(sym); err != nil { // sym not exist, link it.
++ return os.Symlink(dst, sym)
++ } else if f.Mode()&os.ModeSymlink != 0 { // sym is symlink, return ok.
++ return nil
++ }
++
++ if err := os.Rename(sym, bak(sym)); err != nil { // sym must be link.
++ return fmt.Errorf("bak runtime-default failed")
++ }
++ if err := mov(bak(sym), dst); err != nil {
++ return err
++ }
++ return os.Symlink(dst, sym)
++}
+--
+2.19.1
+
diff --git a/series.conf b/series.conf
index b5c19f6404282fc7e9efe7d80256fa9c00df8c94..141c9ce15849e30696803091ca31a4811eeebb1b 100644
--- a/series.conf
+++ b/series.conf
@@ -5,8 +5,10 @@ patch/0010-annotation-add-annotation-into-cli-flag.patch
 patch/0024-runtime-spec-Compatibility-modifications-fo.patch
 patch/0026-prjquota-use-dockerd-quota-size-when-docker.patch
 patch/0067-pause-fix-build-missing-dep-packages.patch
+patch/0080-selinux-Add-selinux-policy-for-docker.patch
 patch/0090-overlay2-Use-index-off-if-possible.patch
 patch/0091-overlay2-use-global-logger-instance.patch
+patch/0106-docker-engine-selinux-support-selinux-enabl.patch
 patch/0126-docker-pass-root-to-chroot-to-for-chroot-ta.patch
 patch/0127-docker-support-docker-cli-using-syslog.patch
 patch/0128-docker-fix-CVE-2019-13509.patch
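Review bot: The backup path layout in `linkRuntimeDefault` is `2006-01-03.150405.000`, but in Go's reference time `03` is the 12-hour clock and the day of month is `02`, so backups land in a year-month-hour directory; it should read `now := time.Now().Format("/var/run/docker/bak/2006-01-02.150405.000/")`. Just below, `if f, _ := os.Lstat(dst); f.Mode()&os.ModeSymlink != 0 {` discards the Lstat error, and a failed stat leaves `f` nil so `f.Mode()` panics inside daemon start-up instead of reaching the `logrus.Warnf` in NewDaemon; check the error and return it. The `create runtime-runc failed` and `bak runtime-default failed` errors drop the underlying cause, `bak` ignores the result of `os.MkdirAll(now, 0700)`, and `mov` ignores the `ioutil.ReadDir` error and shadows the builtin `new`; wrapping each with `%v` would make the warning logged at the call site diagnosable. The comment `// dst must be dir.` sits on the branch taken when `dst` is a symlink, so it reads as the opposite of what the code checks.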
@@ -146,3 +148,11 @@ patch/0149-docker-check-running-containers-before-del-db.patch
 patch/0150-docker-fix-set-read-deadline-not-work.patch
 patch/0151-docker-enable-setting-env-variable-to-disable-db-del.patch
 patch/0152-docker-Enable-disable-legacy-registry-function.patch
+patch/0153-docker-clean-code.patch
+patch/0154-docker-fix-merge-accel-env-rewriten.patch
+patch/0155-docker-update-log-opt-when-upgrade-from-1.11.2.patch
+patch/0156-docker-only-update-log-opt-tag-for-containers-from-1.patch
+patch/0157-docker-Support-check-manifest-and-layer-s-DiffID-inf.patch
+patch/0158-docker-support-private-registry.patch
+patch/0159-docker-extend-timeout-in-cli-testcases.patch
+patch/0160-docker-create-a-soft-link-from-runtime-default-to-ru.patch