Skip to content
This repository was archived by the owner on Oct 13, 2023. It is now read-only.

Commit 4fcf020

Browse files
AkihiroSudathaJeztah
AkihiroSuda
authored and
thaJeztah
committed
rootless: harden slirp4netns with mount namespace and seccomp
When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using mount namespace ("sandbox") and seccomp to mitigate potential vulnerabilities. bump up rootlesskit: rootless-containers/rootlesskit@2fcff6c...791ac8c Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit e20b7323fb3546d5974d0ed49de099e4b127e96a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 5bd4233d7b0710005e0a520c137c64631c7e6664 Component: engine
1 parent d158d53 commit 4fcf020

2 files changed

Lines changed: 7 additions & 2 deletions

File tree

components/engine/contrib/dockerd-rootless.sh

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,9 @@ fi
3939

4040
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"
4141
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"
42+
# if slirp4netns v0.4.0+ is installed, slirp4netns is hardened using sandbox (mount namespace) and seccomp
43+
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX:=auto}"
44+
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}"
4245
net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET
4346
mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU
4447
if [ -z $net ]; then
@@ -77,6 +80,8 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
7780
# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
7881
exec $rootlesskit \
7982
--net=$net --mtu=$mtu \
83+
--slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \
84+
--slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \
8085
--disable-host-loopback --port-driver=builtin \
8186
--copy-up=/etc --copy-up=/run \
8287
$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \

components/engine/hack/dockerfile/install/rootlesskit.installer

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
#!/bin/sh
22

3-
# v0.6.0
4-
ROOTLESSKIT_COMMIT=2fcff6ceae968a1d895e6205e5154b107247356f
3+
# v0.7.0
4+
ROOTLESSKIT_COMMIT=791ac8cb209a107505cd1ca5ddf23a49913e176c
55

66
install_rootlesskit() {
77
case "$1" in

0 commit comments

Comments
 (0)