On Mon, Sep 30, 2013 at 08:19:28AM -0400, Daniel J Walsh wrote:
> On 09/30/2013 04:23 AM, Daniel P. Berrange wrote:
> > On Fri, Sep 27, 2013 at 01:28:29PM -0400, Matthew Miller wrote:
> >> Quick backstory: unless run in privileged mode, Docker drops a bunch of
> >> capabilities when launching a container. One of these is setfcap. This
> >> breaks binary RPMs like httpd where the daemon is installed with file
> >> capabilities instead.
> >>
> >> We're considering removing setfcap from the list of dropped capabilities.
> >> It seems safe to me (note that you run as root inside the container), but
> >> I'd like some security-minded review. Could this be used for evil?
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1012952
> >
> > Docker with its sf.net LXC backend does not utilize any kind of MAC
> > driver, nor does it utilize user namespaces, so even with those
> > capabilities dropped it is still insecure if the container app runs as the
> > 'root' user. As such allowing CAP_FCAP does not make the situation worse
> > AFAICT
> >
> > Regards, Daniel
>
> Yes, let's eliminate the idea that running as root within a container without
> something like SELinux or User Namespace is going to be much more secure than
> running processes as root outside the container.
>
> I plan on working on adding SELinux to wrap the docker container as we have
> done for the virt-sandbox containers, but we still allow a lot of privs to a
> privileged process within the container.

I have an RFE open to get user namespaces enabled in Fedora rawhide:

  https://bugzilla.redhat.com/show_bug.cgi?id=917708

Both Libvirt & sf.net lxc have support for user namespaces, so the key missing
piece is getting Docker to make use of this & set up its filesystems with
suitable ownership. This would allow the DAC security model to fully confine
docker instances, even if SELinux is not enforcing it.

Having both DAC & MAC confinement for this is valuable long term.

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
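A concrete way to check, from inside a container, the two things the thread turns on: whether CAP_SETFCAP is still in the process's capability bounding set, and whether a user namespace maps uid 0 away from the host's uid 0. This is an added bash example, not code from the thread, Docker or libvirt; the sample masks are constructed values.

```bash
#!/bin/bash
# Added example (not from the thread): read the capability bounding set that the
# kernel reports in /proc/<pid>/status and check whether a process still holds
# CAP_SETFCAP, and whether it is inside a user namespace. Run it inside a
# container to see what "root" there actually means.

CAP_SETFCAP=31   # capability number from <linux/capability.h>

# has_cap HEXMASK CAPNUM: succeeds if bit CAPNUM is set in the 64-bit hex mask
# (the format of the CapBnd/CapEff lines in /proc/<pid>/status).
has_cap() {
    local mask=$1 capnum=$2
    (( (0x$mask >> capnum) & 1 ))
}

# cap_bnd_of [PID]: the bounding set of PID (default: this process) as hex.
cap_bnd_of() {
    awk '/^CapBnd:/ { print $2 }' "/proc/${1:-self}/status"
}

# in_userns [PID]: succeeds when uid_map is not the identity map
# "0 0 4294967295", i.e. uid 0 inside is not uid 0 on the host.
in_userns() {
    local map
    map=$(awk '{ print $1, $2, $3 }' "/proc/${1:-self}/uid_map")
    [ "$map" != "0 0 4294967295" ]
}

# Constructed sample masks used for the demo below (hypothetical values,
# not taken from Docker or the thread).
MASK_WITH_SETFCAP=00000000fffffeff     # bit 31 set
MASK_WITHOUT_SETFCAP=000000007ffffeff  # bit 31 clear

if [ -r /proc/self/status ] && [ -r /proc/self/uid_map ]; then
    bnd=$(cap_bnd_of)
    if has_cap "$bnd" "$CAP_SETFCAP"; then
        echo "CapBnd=$bnd: CAP_SETFCAP retained (file caps can be set)"
    else
        echo "CapBnd=$bnd: CAP_SETFCAP dropped (setcap / rpm file caps will fail)"
    fi
    if in_userns; then
        echo "user namespace active: uid 0 here is an unprivileged host uid"
    else
        echo "no user namespace: uid 0 here is host uid 0 (only caps and MAC limit it)"
    fi
fi
```

The same `has_cap` decoding applies to the CapEff and CapPrm lines, so the script can be pointed at any PID visible from the host to audit what a containerised daemon actually holds.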