rootlesskit + shiftfs in Docker
May 25, 2020
Notes to self.
A build of https://github.com/rootless-containers/rootlesskit/tree/748ea095d9b18f9ea9e8a3487a2e43dce534ca8c is at $HOME/go/bin/rootlesskit.
$ docker run --rm -v $HOME/go/bin:/gobin --cap-add=setuid --cap-add=setgid --cap-add=sys_admin --security-opt="apparmor=unconfined" -it ubuntu:20.04
root@fe4ab0a7b0cc:/# apt -y install uidmap
root@fe4ab0a7b0cc:/# useradd -m user1 -s /bin/bash -u 1234
root@fe4ab0a7b0cc:/# for d in etc var usr opt; do mkdir -p /shift/$d; mount -t shiftfs -o mark /$d /shift/$d; done
root@fe4ab0a7b0cc:/# su - user1
user1@fe4ab0a7b0cc:~$ /gobin/rootlesskit bash
root@fe4ab0a7b0cc:~# cat /proc/$$/uid_map
0 1234 1
1 100000 65536
root@fe4ab0a7b0cc:~# cat /proc/$$/gid_map
0 1234 1
1 100000 65536
root@fe4ab0a7b0cc:~# cat /proc/$$/setgroups
allow
root@fe4ab0a7b0cc:~# for f in resolv.conf hostname hosts; do cp /{etc,tmp}/$f; done
root@fe4ab0a7b0cc:~# for d in etc var usr opt; do mount -t shiftfs /shift/$d /$d; done
root@fe4ab0a7b0cc:~# for f in resolv.conf hostname hosts; do cp /{tmp,etc}/$f; done
root@fe4ab0a7b0cc:~# ls -l /etc/ | head
total 432
drwxr-xr-x 3 root root 4096 May 23 11:38 X11
-rw-r--r-- 1 root root 3028 Apr 23 11:06 adduser.conf
drwxr-xr-x 1 root root 4096 May 23 11:39 alternatives
drwxr-xr-x 3 root root 4096 May 23 11:38 apparmor.d
drwxr-xr-x 1 root root 4096 Apr 23 11:06 apt
-rw-r--r-- 1 root root 2319 Feb 25 12:03 bash.bashrc
drwxr-xr-x 2 root root 4096 May 23 11:39 bash_completion.d
-rw-r--r-- 1 root root 367 Apr 14 19:26 bindresvport.blacklist
drwxr-xr-x 3 root root 4096 May 23 11:38 ca-certificates
root@fe4ab0a7b0cc:~# capsh --drop=cap_sys_admin --
root@fe4ab0a7b0cc:~# apt update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [107 kB]
(snip)
Fetched 564 kB in 2s (229 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@fe4ab0a7b0cc:~# apt install sl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
sl
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
(snip)
Setting up sl (5.02-1) ...
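The uid_map and gid_map output above is the key to reading this session: each line is "<start id in the namespace> <start id in the parent namespace> <length>", so uid 0 inside the rootlesskit namespace is really host uid 1234 (user1), and uids 1..65536 are the subordinate range starting at 100000. Any host id outside those ranges has no representation inside the namespace and is shown as the overflow id (65534, "nobody"); that is why host-root-owned files under /etc would not look root-owned without the shiftfs mark/mount step. The following is an added example (not part of the original post, and not rootlesskit's code) that parses this format and translates ids in both directions; the sample map is a constructed copy of the one printed above.

```python
"""Translate ids across a user-namespace id map (uid_map / gid_map format).

Added example, not part of the original post. Each line of
/proc/<pid>/uid_map (or gid_map) is: <ns_start> <parent_start> <length>.
"""
from typing import List, Optional, Tuple

# Constructed sample: the mapping rootlesskit printed in the session
# (user1 = 1234 becomes uid 0; the subuid range 100000+ becomes 1..65536).
SAMPLE_UID_MAP = """\
         0       1234          1
         1     100000      65536
"""

# Default of /proc/sys/kernel/overflowuid: ids with no mapping show up as this.
OVERFLOW_ID = 65534

IdRange = Tuple[int, int, int]  # (ns_start, parent_start, length)


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text into (ns_start, parent_start, length) triples."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        ns_start, parent_start, length = (int(f) for f in fields)
        if length <= 0 or ns_start < 0 or parent_start < 0:
            raise ValueError(f"invalid id_map range: {line!r}")
        ranges.append((ns_start, parent_start, length))
    return ranges


def ns_to_parent(ns_id: int, ranges: List[IdRange]) -> Optional[int]:
    """Host (parent-namespace) id for an id seen inside the namespace, or None."""
    for ns_start, parent_start, length in ranges:
        if ns_start <= ns_id < ns_start + length:
            return parent_start + (ns_id - ns_start)
    return None


def parent_to_ns(parent_id: int, ranges: List[IdRange]) -> Optional[int]:
    """Namespace id for a host id, or None when the host id is not mapped."""
    for ns_start, parent_start, length in ranges:
        if parent_start <= parent_id < parent_start + length:
            return ns_start + (parent_id - parent_start)
    return None


def displayed_owner(host_uid: int, ranges: List[IdRange]) -> int:
    """Owner id a file owned by host_uid shows inside the namespace.

    Unmapped owners (e.g. host root without shiftfs) appear as OVERFLOW_ID.
    """
    mapped = parent_to_ns(host_uid, ranges)
    return OVERFLOW_ID if mapped is None else mapped


def mapped_id_count(ranges: List[IdRange]) -> int:
    """Total number of ids the namespace can represent."""
    return sum(length for _, _, length in ranges)


if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_UID_MAP)
    for ns_id in (0, 1, 1000, 65536, 65537):
        print(f"namespace uid {ns_id:>6} -> host uid {ns_to_parent(ns_id, ranges)}")
    for host_uid in (0, 1234, 100001):
        print(f"host uid {host_uid:>6} is displayed as {displayed_owner(host_uid, ranges)}")
    print(f"{mapped_id_count(ranges)} ids mapped in total")
```

Reading the real files instead of the sample is a matter of passing open("/proc/self/uid_map").read() to parse_id_map; running that in the rootlesskit shell above reproduces the two ranges, and displayed_owner(0, ...) returning 65534 is exactly the "nobody"-owned /etc one sees when the shiftfs mount step is skipped.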
TODO:
- AppArmor profile
- With a plain unshare --user --mount and setgroups set to deny, apt fails. gid_map and setgroups are supposed to be mutually exclusive, so why is it allow here? (trace rootlesskit's code) Addendum → https://github.com/shadow-maint/shadow/blob/5cb839d9779ee95d16a8f60e1e22c76798cbf7ba/src/newgidmap.c#L58 this is where it happens