-
Notifications
You must be signed in to change notification settings - Fork 379
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit permissions for Android images. #746
Conversation
Converted to a draft since this will have merge conflicts with #745. |
I've confirmed this works on Linux, WSL2, Docker Desktop for Windows. It should work without issue on macOS, but I haven't manually confirmed that yet. |
69973c0
to
8e2cfd8
Compare
7e43e26
to
70ece91
Compare
I should probably add: this still allows you to pass the |
88e6357
to
4888d06
Compare
Update: this doesn't work with writing long file names on Windows, I'll probably have to fix this to a UNC path or something, and it seems to be related to docker/for-win#12760. Or actually, it's different? It seems to be trying to open the actual file, then pass that to the container and then complain that this is the path? Weird. Both Docker and Podman have separate issues here, weirdly enough. It was working earlier on Docker for Desktop. EDIT: This is currently dependent on #755. |
On Windows Docker, this seems to be a Docker issue which I've filed upstream. We might just have to use |
316ac6f
to
e7dc70a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice, do we need to wait for the upstream issue to be fixed? I don't think so
Nope, I've added a workaround for Docker on Windows. I'm going to rebase, then try to check on OS X, and it all passes, I'll make this ready for review. |
Ok I've tested this on the following targets, and this passes on all (except podman on macOS, but for unrelated issues, see #756 and #757):
I've had to do a few special workarounds for Windows, but those work well. This is ready for review and merging. #756 currently can't be fixed, so the failure on podman on macOS I think shouldn't be an issue. I've added a tracking issue for the unexpected requirement to provide WSL paths to podman here. |
src/docker.rs
Outdated
let mut path = env::current_dir() | ||
.wrap_err("couldn't get current directory")? | ||
.canonicalize() | ||
.wrap_err_with(|| "when canonicalizing current_dir".to_string())? | ||
.join("target") | ||
.join(target.triple()) | ||
.join("seccomp.json"); | ||
if !path.exists() { | ||
write_file(&path, false)?.write_all(SECCOMP.as_bytes())?; | ||
} | ||
#[cfg(target_os = "windows")] | ||
if is_podman { | ||
// podman weirdly expects a WSL path here, and fails otherwise | ||
path = wslpath(&path, verbose)?; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the windows path thing would be solved by canonicalizing with file::canonicalize
, haven't tested it myself
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not, see docker/for-win#12760.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, meant the podman issue
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately that's also another issue. See containers/podman#14494. Fortunately, it will always accept a WSL path in the future, as long as it is expected to have consistent behavior with volumes (which also do).
Remove the use of the `--privileged` flag for Android images and instead use an seccomp permissions. The provided profile is derived from the docker documentation, with slight modifications to allow `clone` and `clone3`. The documentation is [docker seccomp](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which details the syscalls blocked by docker. The same is true for podman. We merely modified these settings to allow `personality` syscall, which then allows us to use our Android images. On Windows with Docker Desktop, we currently have an issue where Docker tries to read the seccomp profile, and then interpret that as the path, rather than load the profile from the path, which is tracked by the following issue: docker/for-win#12760 On Podman (not inside WSL2), we have a separate issue where it expects a WSL path to be provided for the seccomp profile, despite the path being provided for the host.
bors r=Alexhuszagh |
I think that's supposed to be |
use |
bors r- bors r=otavio,emilgardis |
Canceled. |
745: Add `thumbv7neon-*` targets. r=otavio a=Alexhuszagh Add the `thumbv7neon-linux-androideabi` and `thumbv7neon-unknown-linux-gnueabihf` targets. Closes #254. 746: Limit permissions for Android images. r=otavio,emilgardis a=Alexhuszagh Remove the use of the `--privileged` flag for Android images and instead use an seccomp permissions. The provided profile is derived from the docker documentation, with slight modifications to allow `clone` and `clone3`. The documentation is [docker seccomp](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which details the syscalls blocked by docker. The same is true for podman. We merely modified these settings to allow `personality` syscall, which then allows us to use our Android images. Co-authored-by: Alex Huszagh <[email protected]>
This PR was included in a batch that was canceled, it will be automatically retried |
Build succeeded: |
Remove the use of the
--privileged
flag for Android images and instead use an seccomp permissions. The provided profile is derived from the docker documentation, with slight modifications to allowclone
andclone3
.The documentation is docker seccomp, which details the syscalls blocked by docker. The same is true for podman. We merely modified these settings to allow
personality
syscall, which then allows us to use our Android images.