Bug 1419120 - Cannot create container with no-new-privileges
Summary: Cannot create container with no-new-privileges
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-02-03 15:51 UTC by Lukas Slebodnik
Modified: 2017-02-10 22:19 UTC (History)
CC List: 13 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-10 22:19:00 UTC
Type: Bug


Attachments
journald output (18.22 KB, text/plain)
2017-02-04 15:01 UTC, Lukas Slebodnik

Description Lukas Slebodnik 2017-02-03 15:51:22 UTC
Description of problem:
I tried to debug some issues with recent changes in the atomic utility
and I found a problem in docker while looking for a reproducer.
It's not related to SELinux because the same problem occurs in permissive mode.

Version-Release number of selected component (if applicable):
sh4 rpm -q docker selinux-policy container-selinux 
docker-1.12.6-17.git037a2f5.fc26.x86_64
selinux-policy-3.13.1-236.fc26.ls.1486052064.noarch
container-selinux-2.5-1.fc26.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. docker run -ti --security-opt=no-new-privileges --name test fedora:25 bash

Actual results:
panic: standard_init_linux.go:178: exec user process caused "operation not permitted" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "operation not permitted"

goroutine 1 [running, locked to thread]:
panic(0x6f3080, 0xc420153d50)
        /usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc420089748)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f3080, 0xc420153d50)
        /usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc420089198, 0xc420026078, 0xc420089238)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc420056690, 0xaac9c0, 0xc420153d50)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc42008c780, 0x0, 0x0)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main_unix.go:26 +0x66
reflect.Value.call(0x6dde00, 0x769e68, 0x13, 0x73c329, 0x4, 0xc420089708, 0x1, 0x1, 0x4d17c8, 0x732160, ...)
        /usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6dde00, 0x769e68, 0x13, 0xc420089708, 0x1, 0x1, 0xac2720, 0xc4200896e8, 0x4da7a6)
        /usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6dde00, 0x769e68, 0xc42008c780, 0x0, 0x0)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c4f5, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74db3d, 0x51, 0x0, ...)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200f0000, 0xc42000c120, 0x2, 0x2, 0x0, 0x0)
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
        /builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main.go:137 +0xbd6

Expected results:
//Terminal is opened

Additional info:
The "test" container was created; here is the output of docker inspect

[
    {
        "Id": "3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8",
        "Created": "2017-02-03T15:48:45.751342327Z",
        "Path": "bash",
        "Args": [],
        "State": {
            "Status": "exited",
            "Running": false,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 0,
            "ExitCode": 2,
            "Error": "",
            "StartedAt": "2017-02-03T15:48:46.895469087Z",
            "FinishedAt": "2017-02-03T15:48:47.0361698Z"
        },
        "Image": "sha256:a1e614f0f30eb9823d71882f3165e33b15ec30226d08a6a328be2209dd4e1175",
        "ResolvConfPath": "/var/lib/docker/containers/3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8/hostname",
        "HostsPath": "/var/lib/docker/containers/3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8/hosts",
        "LogPath": "",
        "Name": "/test",
        "RestartCount": 0,
        "Driver": "btrfs",
        "MountLabel": "system_u:object_r:container_file_t:s0:c308,c642",
        "ProcessLabel": "system_u:system_r:container_t:s0:c308,c642",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": null,
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "journald",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": [
                "no-new-privileges"
            ],
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "oci",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": -1,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0
        },
        "GraphDriver": {
            "Name": "btrfs",
            "Data": null
        },
        "Mounts": [],
        "Config": {
            "Hostname": "3b7b0282d03b",
            "Domainname": "",
            "User": "",
            "AttachStdin": true,
            "AttachStdout": true,
            "AttachStderr": true,
            "Tty": true,
            "OpenStdin": true,
            "StdinOnce": true,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "DISTTAG=f25docker",
                "FGC=f25"
            ],
            "Cmd": [
                "bash"
            ],
            "Image": "fedora:25",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "16f12375ff3bd721a3aa8df791e7c3b10273cb6d088b28ee3d023e3758ed20f4",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": null,
            "SandboxKey": "/var/run/docker/netns/16f12375ff3b",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "19150271848bcedb265df956a0d44506d1cb4a8626cc6f5942d0aa68e2aebe97",
                    "EndpointID": "",
                    "Gateway": "",
                    "IPAddress": "",
                    "IPPrefixLen": 0,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": ""
                }
            }
        }
    }
]

Comment 1 Daniel Walsh 2017-02-03 18:52:17 UTC
Works for me.
 docker run -ti --security-opt=no-new-privileges --name test fedora:25 bash
Unable to find image 'fedora:25' locally
Trying to pull repository atomic-registry.usersys.redhat.com:500/fedora ... 
Trying to pull repository docker.io/library/fedora ... 
sha256:a99209cbb485b98d17b47be2bf990a7fbd63b4d3fa61395a313308d99a326930: Pulling from docker.io/library/fedora
0fc456f626d7: Pull complete 
Digest: sha256:a99209cbb485b98d17b47be2bf990a7fbd63b4d3fa61395a313308d99a326930
Status: Downloaded newer image for docker.io/fedora:25
[root@e7614e3c8bc8 /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@e7614e3c8bc8 /]# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
[root@e7614e3c8bc8 /]# exit
sh-4.4# getenforce 
Enforcing
# rpm -q docker container-selinux selinux-policy
docker-1.12.6-17.git037a2f5.fc26.x86_64
container-selinux-2.5-1.fc26.noarch
selinux-policy-3.13.1-235.fc26.noarch


ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 1132 ? 00:00:00 docker-containe
system_u:system_r:container_runtime_t:s0 21631 ? 00:00:05 dockerd-current

Comment 2 Daniel Walsh 2017-02-03 18:53:00 UTC
Any AVCs?

ausearch -m avc -ts recent

Comment 3 Lukas Slebodnik 2017-02-04 14:59:44 UTC
(In reply to Daniel Walsh from comment #2)
> Any AVCs?
> 
> ausearch -m avc -ts recent

No, the same problem occurs in permissive mode.

Comment 4 Lukas Slebodnik 2017-02-04 15:01:56 UTC
Created attachment 1247707 [details]
journald output

Attached is the journald output related to creating the container.
I enabled --debug for docker.service and docker-containerd.service.

Hope it helps

Comment 5 Daniel Walsh 2017-02-06 13:36:53 UTC
You are using a BTRFS back end, which could be the problem.  I doubt anyone has tested this with anything other than devicemapper or overlay2.

Comment 6 Daniel Walsh 2017-02-06 13:38:20 UTC
Does it work if you run with --security-opt label:disable?

I am thinking this has something to do with SELinux labels being assigned somewhere but not being allowed.  But does everything work without --no-new-privs?

Comment 7 Lukas Slebodnik 2017-02-07 09:30:01 UTC
(In reply to Daniel Walsh from comment #6)
> Does it work if you run with --security-opt label:disable
> 
It works.

It also works with the SELinux types docker_t or container_runtime_t:
docker run -ti --security-opt=label:type:docker_t \
               --security-opt=no-new-privileges --rm fedora:25 bash

The only problem is with default container_t

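The matrix in comment 7 is the diagnostic that matters for this bug. With no_new_privs set on a process, the kernel only lets SELinux change domain on exec when the new type is bounded by the old one (a typebounds rule); otherwise the exec itself fails with EPERM, which is the "operation not permitted" that runc's init reports. The container runtime runs as container_runtime_t and execs the container command into container_t, so the default label hits that check, while label:disable or running as the runtime's own domain (docker_t being an alias of it in this policy) involves no transition at all. Later kernels (4.14+, with the nnp_nosuid_transition policy capability) allow such transitions through an explicit nnp_transition permission instead of typebounds. The script below is an added example, not code from the bug report or from the docker, runc or container-selinux projects: it runs the same image with no-new-privileges under each label mode and reports which mode is denied. DOCKER and IMAGE are assumptions to override for your host.

```shell
#!/bin/sh
# Added example, not from the bug report or from docker/runc/container-selinux.
# Reproduces the label matrix of comment 7: run the same image with
# no-new-privileges under each SELinux label mode and report which mode
# fails at exec. DOCKER and IMAGE are assumptions; override for your host.
DOCKER="${DOCKER:-docker}"
IMAGE="${IMAGE:-fedora:25}"

# Facts worth capturing from inside the container: the no_new_privs flag and
# the SELinux label of the process. /proc/self/attr/current is readable
# without selinuxfs, which is why it works where `id -Z` (comment 1) does not.
PROBE_CMD='grep NoNewPrivs /proc/self/status; cat /proc/self/attr/current; echo'

# Run one probe. $1 is an extra --security-opt value; "" means the default
# label (container_t). Returns docker's exit status, so a denied exec
# propagates as failure.
nnp_probe() {
    if [ -n "$1" ]; then
        $DOCKER run --rm --security-opt=no-new-privileges "--security-opt=$1" \
            "$IMAGE" sh -c "$PROBE_CMD"
    else
        $DOCKER run --rm --security-opt=no-new-privileges \
            "$IMAGE" sh -c "$PROBE_CMD"
    fi
}

# Print, one per line, the label modes whose probe failed.
nnp_failing_modes() {
    for mode in "" label:disable label:type:container_runtime_t; do
        if nnp_probe "$mode" >/dev/null 2>&1; then
            :
        else
            echo "${mode:-default(container_t)}"
        fi
    done
}

# Only touch docker when explicitly asked: ./nnp-matrix.sh --run
if [ "${1:-}" = "--run" ]; then
    failing=$(nnp_failing_modes)
    if [ -z "$failing" ]; then
        echo "exec succeeds with no-new-privileges in every label mode"
    else
        printf 'exec denied with no-new-privileges in: %s\n' "$failing"
    fi
fi
```

If only the default mode shows up as denied, the label transition is the problem, not no_new_privs itself, and the next thing to look at is the policy's typebounds for the container domain rather than AVC records (which, as comment 3 notes, never appear for this failure).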
Comment 8 Daniel Walsh 2017-02-07 14:14:33 UTC
docker_t is a very privileged domain, container_t is a less privileged domain.


I have built container-selinux-2.6-1.fc26; could you try with that package?  I will push it to replace the update.  I think it will fix your issue.

Comment 9 Lukas Slebodnik 2017-02-07 17:36:04 UTC
I saw the following error when upgrading to 2.7-1

[root@host ~]# dnf update https://kojipkgs.fedoraproject.org//packages/container-selinux/2.7/1.fc26/noarch/container-selinux-2.7-1.fc26.noarch.rpm
Last metadata expiration check: 1:49:34 ago on Tue Feb 07 16:40:10 2017 CET.
Dependencies resolved.
================================================================================
 Package                Arch        Version             Repository         Size
================================================================================
Upgrading:
 container-selinux      noarch      2:2.7-1.fc26        @commandline       29 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 29 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : container-selinux-2:2.7-1.fc26.noarch                       1/2 
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t container_t (capability2 (mac_override mac_admin)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2723
      (allow container_t self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read epolwakeup)))
  (allow container_t container_t (capability (sys_module)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2724
      (allow container_t self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
Failed to generate binary
/usr/sbin/semodule:  Failed!
  Cleanup     : container-selinux-2:2.5-1.fc26.noarch                       2/2 
  Verifying   : container-selinux-2:2.7-1.fc26.noarch                       1/2 
  Verifying   : container-selinux-2:2.5-1.fc26.noarch                       2/2 

Upgraded:
  container-selinux.noarch 2:2.7-1.fc26                                         

Complete!

Comment 10 Lukas Slebodnik 2017-02-07 17:36:56 UTC
So I am not sure that the policy was applied.
But it did not help.

Comment 11 Daniel Walsh 2017-02-07 21:26:02 UTC
It was not applied.

Modify expand-check in /etc/selinux/semanage.conf to

expand-check=0

and then reinstall container-selinux.

This should stop that error. The problem is in selinux-policy package in Rawhide.  I have opened a pull request to fix this.

https://github.com/fedora-selinux/selinux-policy/pull/187

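The workaround in comment 11, as an added example that is not part of the bug report or of the container-selinux package. It edits semanage.conf (the path is overridable through SEMANAGE_CONF so the edit can be rehearsed on a copy) and only touches dnf and semodule when run with --apply; the `dnf reinstall` step assumes the wanted package version is in an enabled repository. The caveat a practitioner should keep in mind: expand-check=0 switches off the neverallow and typebounds assertion check that libsepol runs when modules are expanded into the kernel policy, so the bounds violation printed in comment 9 is silenced, not resolved. The actual fix is the selinux-policy change linked above; once that policy is installed, set expand-check back to 1 so future module installs are checked again.

```shell
#!/bin/sh
# Added example, not from the bug report or the container-selinux package.
# Applies the workaround from comment 11: expand-check=0 in semanage.conf,
# then reinstall container-selinux so its modules are rebuilt.
# SEMANAGE_CONF is overridable so the edit can be rehearsed on a copy.
SEMANAGE_CONF="${SEMANAGE_CONF:-/etc/selinux/semanage.conf}"

# Effective expand-check value in a semanage.conf-style file: the last
# uncommented "expand-check=N" wins; libsemanage defaults to 1 when absent.
get_expand_check() {
    val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-1}"
}

# Set expand-check=VALUE in FILE. Rewrites an existing line (even a
# commented-out "#expand-check=1") in place, otherwise appends one.
# The edit goes to a temp file first and is renamed into place.
set_expand_check() {
    file="$1"; value="$2"; tmp="$file.tmp.$$"
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*expand-check[[:space:]]*=' "$file"; then
        sed "s/^[[:space:]]*#\{0,1\}[[:space:]]*expand-check[[:space:]]*=.*/expand-check=$value/" \
            "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        echo "expand-check=$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Rebuild the container policy module under the new setting and show that
# the module is loaded. Needs root; assumes the package is in an enabled repo.
reinstall_container_selinux() {
    dnf -y reinstall container-selinux && semodule -l | grep '^container'
}

# Only modify the live system when asked: ./expand-check.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_expand_check "$SEMANAGE_CONF" 0
    echo "expand-check is now $(get_expand_check "$SEMANAGE_CONF")"
    reinstall_container_selinux
fi
```

Run `SEMANAGE_CONF=/tmp/semanage.conf.copy sh expand-check.sh --apply` first to see the edit without touching the live policy store (the dnf step will still need root); the same function with value 1 reverts the change afterwards.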
Comment 12 Lukas Slebodnik 2017-02-10 21:21:53 UTC
Works well with container-selinux-2:2.8-1.fc26.noarch.

Thank you.

