cormander / tpe-lkm

Trusted Path Execution (TPE) Linux Kernel Module

Can TPE work with Docker containers? #32

Open morfikov opened 5 years ago

morfikov commented 5 years ago

When I start some docker containers I get the following log:

kernel: tpe: Denied untrusted exec of /usr/local/bin/docker-entrypoint.sh (uid:999) by /usr/local/bin/gosu (uid:999), parents: /usr/bin/containerd-shim (uid:0), /usr/bin/containerd (uid:0), /lib/systemd/systemd (uid:0). Deny reason: file is writable
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /usr/local/bin/docker-entrypoint.sh. To silence this message, run; sysctl tpe.log_verbose = 0

It says that /usr/local/bin/docker-entrypoint.sh is untrusted, but I don't have this file in my system:

#  ls -al /usr/local/bin/docker-entrypoint.sh
ls: cannot access '/usr/local/bin/docker-entrypoint.sh': No such file or directory
#  ls -ald /usr/local/bin
drwxr-xr-x 2 root root 4096 2019-02-21 20:06:32 /usr/local/bin/

The file in question is inside of the container:

root@mariadb:/# ls -al /usr/local/bin/*
-rwxrwxr-x 1 root root    5816 Jan  8 23:47 /usr/local/bin/docker-entrypoint.sh
-rwxr-xr-x 1 root root 1286720 May 24  2017 /usr/local/bin/gosu

I tried to add the execs to tpe.trusted_apps, but that doesn't work. So how do I handle a case like docker?

cormander commented 5 years ago

This kernel module wasn't designed with filesystem namespacing in mind, as it was started prior to docker becoming popular. You don't see /usr/local/bin/docker-entrypoint.sh on your filesystem, because that file exists within the namespace of the docker container.

As far as allowing execution of it -- the real fix should be to the container itself. Inside docker or not, proper filesystem ownership and permissions should always be done first. It's the group writable bit on this file that's causing the problem.

Now of course in the world of docker, you have a lot of images which don't conform to proper filesystem security & other things, because people are assuming that docker does sandboxing well enough. In short, you're going to have a lot of problems running docker containers that you didn't craft yourself.

The easiest workaround I can think of is to add an option to disable checking for execution outside of the root namespace (i.e., inside docker containers) to prevent collisions between TPE and running docker containers. The containers won't get the TPE protection, but the host still will.

Does that sound like an acceptable solution to you?
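The "file is writable" denial above comes from the group write bit on the image's entrypoint. The script below is an added example, not part of tpe-lkm, that finds executables with group/world write bits under a given root (an exported container rootfs, or run it inside the container) and strips those bits, which is the image-side fix described in the comment. It assumes GNU find/stat and builds a constructed demo tree that mirrors the listing from the issue.

```shell
#!/bin/sh
# Added example (not tpe-lkm code): audit and fix group/world-writable
# executables, the condition TPE reports as "Deny reason: file is writable".
# Assumes GNU find (-perm /mode) and GNU stat (-c).

# List regular files under ROOT that have any exec bit (/111) and any
# group or world write bit (/022), printed as "octal-mode path".
find_writable_execs() {
    root=${1:?usage: find_writable_execs ROOT}
    find "$root" -xdev -type f -perm /111 -perm /022 \
        -exec stat -c '%a %n' {} \;
}

# Remove the group and world write bits from every such file.
# This is the image-side fix; bake it into the Dockerfile so the
# container starts clean rather than patching a running container.
fix_writable_execs() {
    root=${1:?usage: fix_writable_execs ROOT}
    find "$root" -xdev -type f -perm /111 -perm /022 \
        -exec chmod go-w {} \;
}

# Constructed demo rootfs reproducing the issue's /usr/local/bin listing:
# docker-entrypoint.sh is 775 (group-writable), gosu is 755 (fine).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/local/bin"
printf '#!/bin/sh\necho entrypoint\n' > "$demo_root/usr/local/bin/docker-entrypoint.sh"
chmod 775 "$demo_root/usr/local/bin/docker-entrypoint.sh"
printf '#!/bin/sh\nexec "$@"\n' > "$demo_root/usr/local/bin/gosu"
chmod 755 "$demo_root/usr/local/bin/gosu"

# Before the fix only the entrypoint is reported:
# prints: 775 <demo_root>/usr/local/bin/docker-entrypoint.sh
find_writable_execs "$demo_root"
# demo_root is left in place for inspection; remove it with: rm -rf "$demo_root"
```

In a Dockerfile the equivalent one-liner is `RUN chmod go-w /usr/local/bin/docker-entrypoint.sh` before the ENTRYPOINT line, so TPE on the host no longer sees a writable file at exec time.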

morfikov commented 5 years ago

I think it should be.