Limit permissions for Android images. #746
Conversation
Converted to a draft since this will have merge conflicts with #745.
I've confirmed this works on Linux, WSL2, Docker Desktop for Windows. It should work without issue on macOS, but I haven't manually confirmed that yet.
I should probably add: this still allows you to pass the
Update: this doesn't work with writing long file names on Windows, I'll probably have to fix this to a UNC path or something, and it seems to be related to docker/for-win#12760. Or actually, it's different? It seems to be trying to open the actual file, then pass that to the container and then complain that this is the path? Weird. Both Docker and Podman have separate issues here, weirdly enough. It was working earlier on Docker for Desktop. EDIT: This is currently dependent on #755.
On Windows Docker, this seems to be a Docker issue which I've filed upstream. We might just have to use
nice, do we need to wait for the upstream issue to be fixed? I don't think so
Nope, I've added a workaround for Docker on Windows. I'm going to rebase, then try to check on OS X, and if it all passes, I'll make this ready for review.
Ok, I've tested this on the following targets, and this passes on all (except podman on macOS, but for unrelated issues, see #756 and #757):
I've had to do a few special workarounds for Windows, but those work well. This is ready for review and merging. #756 currently can't be fixed, so the failure on podman on macOS I think shouldn't be an issue. I've added a tracking issue for the unexpected requirement to provide WSL paths to podman here.
src/docker.rs (Outdated)

```rust
let mut path = env::current_dir()
    .wrap_err("couldn't get current directory")?
    .canonicalize()
    .wrap_err_with(|| "when canonicalizing current_dir".to_string())?
    .join("target")
    .join(target.triple())
    .join("seccomp.json");
if !path.exists() {
    write_file(&path, false)?.write_all(SECCOMP.as_bytes())?;
}
#[cfg(target_os = "windows")]
if is_podman {
    // podman weirdly expects a WSL path here, and fails otherwise
    path = wslpath(&path, verbose)?;
}
```
I think the windows path thing would be solved by canonicalizing with `file::canonicalize`, haven't tested it myself
It is not, see docker/for-win#12760.
sorry, meant the podman issue
Unfortunately that's also another issue. See containers/podman#14494. Fortunately, it will always accept a WSL path in the future, as long as it is expected to have consistent behavior with volumes (which also do).
Remove the use of the `--privileged` flag for Android images and instead use seccomp permissions. The provided profile is derived from the docker documentation, with slight modifications to allow `clone` and `clone3`. The documentation is [docker seccomp](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which details the syscalls blocked by docker. The same is true for podman. We merely modified these settings to allow the `personality` syscall, which then allows us to use our Android images. On Windows with Docker Desktop, we currently have an issue where Docker tries to read the seccomp profile, and then interprets that as the path, rather than loading the profile from the path, which is tracked by the following issue: docker/for-win#12760. On Podman (not inside WSL2), we have a separate issue where it expects a WSL path to be provided for the seccomp profile, despite the path being provided for the host.
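The PR description above and the `src/docker.rs` review snippet describe the same mechanism from two sides: derive a profile from Docker's default that additionally allows `personality`, `clone` and `clone3`, write it to `target/<triple>/seccomp.json`, hand it to the engine with `--security-opt seccomp=<path>` instead of `--privileged`, and on Windows give podman a WSL-style path. The following is an added example in Python, not cross's own code, that walks through that derivation and the path handling. `BASE_PROFILE` is a constructed, deliberately tiny stand-in for Docker's default profile (the real one lists several hundred syscalls; only its shape matters here); `to_wsl_path` is a minimal re-implementation of the drive-letter-to-`/mnt/<drive>` mapping and stands in for the `wslpath` helper the snippet calls; all function names are the example's own. Docker's default profile already allows `personality` for a handful of argument values; allowing it with no argument filter, as done here, is a wider grant than the default but still deny-by-default, which is the property `--privileged` throws away.

```python
"""Derive a restricted seccomp profile for Android builds and wire it into the
container run arguments in place of --privileged.

Added example, not cross's code. BASE_PROFILE is a constructed stand-in for
Docker's default profile; to_wsl_path stands in for the wslpath helper.
"""
import json
import os
from pathlib import PurePosixPath, PureWindowsPath

# Constructed stand-in for the Docker default profile: deny by default
# (ERRNO), allow a short list of syscalls. The real profile is far longer.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

# Syscalls the PR says the Android images need beyond the default profile.
ANDROID_EXTRA_SYSCALLS = ["personality", "clone", "clone3"]


def allowed_syscalls(profile):
    """Sorted set of syscall names the profile allows unconditionally or not."""
    return sorted({name for rule in profile["syscalls"]
                   if rule["action"] == "SCMP_ACT_ALLOW"
                   for name in rule["names"]})


def derive_profile(base, extra):
    """Copy `base` and allow the `extra` syscalls, without args filters.

    defaultAction is left untouched so the result stays deny-by-default.
    Already-allowed names are skipped, so the function is idempotent.
    """
    profile = json.loads(json.dumps(base))  # deep copy, keeps `base` pristine
    already = set(allowed_syscalls(profile))
    missing = [name for name in extra if name not in already]
    if missing:
        profile["syscalls"].append(
            {"names": missing, "action": "SCMP_ACT_ALLOW", "args": []})
    return profile


def profile_path(project_dir, triple):
    """target/<triple>/seccomp.json, the layout used in the review snippet."""
    return os.path.join(project_dir, "target", triple, "seccomp.json")


def write_profile(path, profile):
    """Write the profile once; the snippet only writes when the file is absent."""
    if os.path.exists(path):
        return False
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(profile, f, indent=2)
    return True


def to_wsl_path(windows_path):
    """C:\\Users\\me\\proj -> /mnt/c/Users/me/proj (assumed wslpath behaviour).

    Drive-letter paths only; UNC paths are rejected rather than guessed at.
    """
    p = PureWindowsPath(windows_path)
    drive = p.drive.rstrip(":")
    if len(drive) != 1 or not drive.isalpha():
        raise ValueError(f"expected an absolute drive-letter path: {windows_path}")
    return str(PurePosixPath("/mnt", drive.lower(), *p.parts[1:]))


def security_args(engine, seccomp_path, on_windows=False):
    """Engine arguments that replace --privileged with the seccomp profile.

    podman on Windows (outside WSL2) expects a WSL path for seccomp=, per the
    PR discussion, so the host path is translated only in that case.
    """
    if engine not in ("docker", "podman"):
        raise ValueError(f"unknown engine: {engine}")
    if on_windows and engine == "podman":
        seccomp_path = to_wsl_path(seccomp_path)
    return ["--security-opt", f"seccomp={seccomp_path}"]


if __name__ == "__main__":
    derived = derive_profile(BASE_PROFILE, ANDROID_EXTRA_SYSCALLS)
    print("allowed:", ", ".join(allowed_syscalls(derived)))
    print("docker:", " ".join(security_args(
        "docker", "/home/me/proj/target/aarch64-linux-android/seccomp.json")))
    print("podman/win:", " ".join(security_args(
        "podman", r"C:\Users\me\proj\target\aarch64-linux-android\seccomp.json",
        on_windows=True)))
```

The check worth keeping from this is the one `derive_profile` enforces: the derived profile must still carry `SCMP_ACT_ERRNO` as its default action, otherwise the Android images have merely traded `--privileged` for an allow-everything profile. The `to_wsl_path` guard against UNC paths is deliberate, since the thread notes long-path handling on Windows is a separate unresolved problem.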
bors r=Alexhuszagh
I think that's supposed to be
use
bors r-
bors r=otavio,emilgardis
Canceled.
745: Add `thumbv7neon-*` targets. r=otavio a=Alexhuszagh
Add the `thumbv7neon-linux-androideabi` and `thumbv7neon-unknown-linux-gnueabihf` targets. Closes #254.

746: Limit permissions for Android images. r=otavio,emilgardis a=Alexhuszagh
Remove the use of the `--privileged` flag for Android images and instead use seccomp permissions. The provided profile is derived from the docker documentation, with slight modifications to allow `clone` and `clone3`. The documentation is [docker seccomp](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which details the syscalls blocked by docker. The same is true for podman. We merely modified these settings to allow the `personality` syscall, which then allows us to use our Android images.

Co-authored-by: Alex Huszagh <[email protected]>
This PR was included in a batch that was canceled, it will be automatically retried
Build succeeded: |