Description
Access to `/proc/PID/exe` for processes running in the container as another user is denied by Docker unless the container is run with `--cap-add=SYS_PTRACE`. This breaks OS-provided init scripts that rely on start-stop-daemon's `--exec` feature, as it works by looping through processes and checking whether the path supplied with the `--exec` flag matches the path that `/proc/PID/exe` points to.

As mere access to `/proc/PID/exe` should not introduce any security issues, it should be whitelisted by default. Otherwise, if whitelisting is not desired, it should at least be moved to its own `CAP_` flag (in the manpage, the section about `CAP_SYS_PTRACE` doesn't mention `/proc/PID/exe`).

This is a duplicate of #7147, which got closed as a dupe of #6800 and #11049, which are both closed without providing ANY workaround for people needing this during the build phase (where `--cap-add` is not supported at all, see #1916).

The proper fix to this bug is to whitelist `readlink` calls to `/proc/PID/exe` no matter the user inside the container or the user of the process, while a (borderline acceptable) workaround would be implementing capabilities during build (#1916).
Steps to reproduce the issue:

1. Run a container with Ubuntu 18.04:
   ```
   docker run --rm -it ubuntu:18.04 bash
   ```
2. Run everything from now on inside the container.
3. Install tomcat8:
   ```
   apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yf tomcat8 openjdk-8-jdk-headless openjdk-11-jre-headless-
   ```
4. Install the prerequisites (mainly permission stuff, so that Tomcat can start):
   ```
   usermod --home /var/lib/tomcat8 $TOMCAT8_USER > /dev/null 2>&1 || true
   mkdir -p /tmp/tomcat8-tomcat8-tmp
   chown -h tomcat8 /tmp/tomcat8-tomcat8-tmp
   install -o tomcat8 -g adm -m 644 /dev/null /var/run/tomcat8.pid
   su tomcat8 -s /bin/bash -c "install -m 644 /dev/null /var/log/tomcat8/catalina.out"
   ```
5. Run tomcat8 as the `tomcat8` user:
   ```
   su tomcat8 -s /bin/bash -c 'set -a; JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"; \
   source "/etc/default/tomcat8"; CATALINA_HOME="/usr/share/tomcat8"; \
   CATALINA_BASE="/var/lib/tomcat8"; \
   JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC"; \
   CATALINA_PID="/var/run/tomcat8.pid"; \
   CATALINA_TMPDIR="/tmp/tomcat8-tomcat8-tmp"; \
   LANG=""; JSSE_HOME=""; \
   cd "/var/lib/tomcat8"; \
   "/usr/share/tomcat8/bin/catalina.sh" start'
   ```
6. Try to read the `/proc/PID/exe` path as root:
   ```
   ls -lahn /proc/$(cat /var/run/tomcat8.pid)/exe
   ```
7. Try to read the `/proc/PID/exe` path as tomcat8:
   ```
   su tomcat8 -s /bin/bash -c "ls -lahn /proc/"$(cat /var/run/tomcat8.pid)"/exe"
   ```
Describe the results you received:

Step 6 (reading the path as root) fails, step 7 succeeds:

```
root@3651a04ac34b:/# ls -lahn /proc/$(cat /var/run/tomcat8.pid)/exe
ls: cannot read symbolic link '/proc/3955/exe': Permission denied
lrwxrwxrwx 1 102 102 0 Mar 18 13:26 /proc/3955/exe
root@3651a04ac34b:/# su tomcat8 -s /bin/bash -c "ls -lahn /proc/"$(cat /var/run/tomcat8.pid)"/exe"
lrwxrwxrwx 1 102 102 0 Mar 18 13:26 /proc/3955/exe -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
```

Describe the results you expected:

Both steps 6 and 7 show the proper path:

```
lrwxrwxrwx 1 102 102 0 Mar 18 13:26 /proc/3955/exe -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
```
Additional information you deem important (e.g. issue happens only occasionally):

Output of `docker version`:

```
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:22:34 2019
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea
  Built:            Wed Nov 13 07:29:19 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
```
Output of `docker info`:

```
Client:
 Debug Mode: false

Server:
 Containers: 12
  Running: 0
  Paused: 0
  Stopped: 12
 Images: 122
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.76-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 1.943GiB
 Name: docker-desktop
 ID: xxxxx
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 35
  Goroutines: 52
  System Time: 2020-03-18T13:29:20.5840226Z
  EventsListeners: 3
 HTTP Proxy: gateway.docker.internal:3128
 HTTPS Proxy: gateway.docker.internal:3129
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
```
Additional environment details (AWS, VirtualBox, physical, etc.):
Docker on Mac
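As an added example (not part of this issue or of dpkg's start-stop-daemon), the following Python walks a proc tree the way the description above says `--exec` matching works, and keeps PIDs whose `exe` link was denied separate from real non-matches, so the permission failure is reported instead of being silently treated as "process not running". The `JAVA` path and the fake proc tree built by `build_fake_proc` are constructed stand-ins.

```python
import os
import tempfile

JAVA = "/opt/constructed/jre/bin/java"  # constructed path standing in for the JRE binary


def find_pids_by_exe(exec_path, proc_root="/proc"):
    """Walk proc_root the way start-stop-daemon --exec is described to work.

    Returns (matches, unreadable): PIDs whose exe link points at exec_path,
    and PIDs whose exe link could not be read at all (the EACCES case from
    the report). For the latter the caller cannot tell whether they match.
    """
    target = os.path.abspath(exec_path)
    matches, unreadable = [], []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                        # "self", "sys", ... are not PIDs
        pid = int(entry)
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except PermissionError:
            unreadable.append(pid)          # denied by the ptrace access check
            continue
        except (FileNotFoundError, ProcessLookupError):
            continue                        # kernel thread, zombie, or exited
        if exe.endswith(" (deleted)"):      # binary replaced while running
            exe = exe[: -len(" (deleted)")]
        if exe == target:
            matches.append(pid)
    return sorted(matches), sorted(unreadable)


def build_fake_proc(root):
    """Constructed stand-in for /proc: three PIDs with exe links, one without."""
    for pid, exe in ((3955, JAVA), (4001, JAVA + " (deleted)"), (7, "/bin/bash")):
        os.makedirs(os.path.join(root, str(pid)))
        os.symlink(exe, os.path.join(root, str(pid), "exe"))  # dangling is fine
    os.makedirs(os.path.join(root, "2"))        # kernel thread: no exe link
    os.makedirs(os.path.join(root, "self"))     # non-numeric entry, skipped
    return root


if __name__ == "__main__":
    root = build_fake_proc(tempfile.mkdtemp())
    print(find_pids_by_exe(JAVA, root))         # ([3955, 4001], [])
    # Against the real /proc of a container without CAP_SYS_PTRACE, the second
    # list is non-empty for every process owned by another user.
```

A non-empty second list is the signal an init script would need to distinguish "daemon not running" from "daemon could not be checked"; start-stop-daemon, as the issue describes, does not make that distinction.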