Lock Down FUSE #165
Conversation
Codecov Report

@@ Coverage Diff @@
##           master   #165    +/-  ##
=========================================
+ Coverage   33.56%  34.06%  +0.5%
=========================================
  Files          63      64     +1
  Lines        7588    7629    +41
=========================================
+ Hits         2547    2599    +52
+ Misses       4734    4720    -14
- Partials      307     310     +3

Pull Request Test Coverage Report for Build 1888
💛 - Coveralls
the code/setup pieces LGTM, but I don't have a good way to verify that apparmor and seccomp profiles are good and locked down enough, and I will just trust you there.
		return err
	}
	if fuseEnabled || c.TitusInfo.GetAllowNestedContainers() {
		if _, ok := addedCapabilities["SYS_ADMIN"]; !ok {
minor: extract "SYS_ADMIN" to a const
	}
	// We can do this here because nested containers can do everything fuse containers can
	if c.TitusInfo.GetAllowNestedContainers() {
		apparmorProfile = "docker-nested"
Do the nested apparmor and seccomp profiles include everything that's in the fuse ones? (in case both FUSE && nestedContainers is enabled for a task)
@fabiokung Yeah, I thought the comment indicated that: // We can do this here because nested containers can do everything fuse containers can
-- The capabilities of nested containers are a superset of fuse containers.
ugh, I missed that comment. LGTM
@fabiokung The only thing the FUSE profiles have beyond the default Docker profile is mounting.
This introduces a new seccomp policy and apparmor policy meant to allow containers which need FUSE to use FUSE, without getting all of the scary capabilities that nested containers need.
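The selection logic discussed in the review, together with a programmatic check of the superset property the reviewers rely on, as an added illustration that is not titus-executor code. The profile name "docker-fuse", the syscall allow-lists and the securitySpec type are assumptions constructed for this example; "docker-nested" and "docker-default" are the names used on the page and by Docker respectively.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Added example, not titus-executor code. "docker-fuse" and the syscall
// lists below are assumptions chosen for illustration.

// Capability that mount(2) requires, kept as a constant as the review suggested.
const capSysAdmin = "SYS_ADMIN"

// seccompProfile mirrors the shape of a Docker/OCI seccomp JSON profile.
type seccompProfile struct {
	DefaultAction string        `json:"defaultAction"`
	Syscalls      []seccompRule `json:"syscalls"`
}

type seccompRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// securitySpec is the part of a task's container config this example decides.
type securitySpec struct {
	ApparmorProfile string
	Seccomp         seccompProfile
	Capabilities    map[string]bool
}

// Constructed allow-lists: a real profile names hundreds of syscalls, these are
// trimmed to the ones that matter for the comparison below.
var (
	baseSyscalls = []string{"read", "write", "openat", "close", "fstat", "mmap", "exit_group"}
	fuseExtra    = []string{"mount", "umount2"} // FUSE only needs to mount and unmount
	nestedExtra  = []string{"mount", "umount2", "unshare", "setns", "pivot_root", "clone"}
)

// buildProfile returns a default-deny profile allowing the base set plus extra.
func buildProfile(extra []string) seccompProfile {
	names := append(append([]string{}, baseSyscalls...), extra...)
	sort.Strings(names)
	return seccompProfile{
		DefaultAction: "SCMP_ACT_ERRNO",
		Syscalls:      []seccompRule{{Names: names, Action: "SCMP_ACT_ALLOW"}},
	}
}

// allowedSyscalls collects every syscall a profile explicitly allows.
func allowedSyscalls(p seccompProfile) map[string]bool {
	out := map[string]bool{}
	for _, r := range p.Syscalls {
		if r.Action != "SCMP_ACT_ALLOW" {
			continue
		}
		for _, n := range r.Names {
			out[n] = true
		}
	}
	return out
}

// isSuperset reports whether super allows every syscall sub allows: the property
// the thread relies on when a task enables both FUSE and nested containers.
func isSuperset(super, sub seccompProfile) bool {
	allowed := allowedSyscalls(super)
	for n := range allowedSyscalls(sub) {
		if !allowed[n] {
			return false
		}
	}
	return true
}

// selectSecurity picks the least privileged profile set that satisfies the task.
func selectSecurity(fuseEnabled, allowNested bool) securitySpec {
	spec := securitySpec{
		ApparmorProfile: "docker-default",
		Seccomp:         buildProfile(nil),
		Capabilities:    map[string]bool{},
	}
	if !fuseEnabled && !allowNested {
		return spec
	}
	// Both cases call mount(2), which needs CAP_SYS_ADMIN.
	spec.Capabilities[capSysAdmin] = true
	if allowNested {
		// Nested containers can do everything FUSE containers can, so the
		// nested profiles win even when FUSE is also enabled.
		spec.ApparmorProfile = "docker-nested"
		spec.Seccomp = buildProfile(nestedExtra)
		return spec
	}
	spec.ApparmorProfile = "docker-fuse" // assumed profile name
	spec.Seccomp = buildProfile(fuseExtra)
	return spec
}

func main() {
	fuse, nested := selectSecurity(true, false), selectSecurity(true, true)
	fmt.Println("nested ⊇ fuse:", isSuperset(nested.Seccomp, fuse.Seccomp))
	fmt.Println("fuse ⊇ nested:", isSuperset(fuse.Seccomp, nested.Seccomp))
	out, _ := json.MarshalIndent(fuse.Seccomp, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints true for the first check and false for the second, then the FUSE profile as JSON; the same isSuperset check can be run against the project's real seccomp JSON files by unmarshalling them into seccompProfile, which turns the reviewers' "I will just trust you" into a test.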