
I'm running a docker container that monitors other containers on a CentOS 7 server. Since SELinux is enabled by default, it blocks my monitoring process when it calls any bpf operation, with this info:

type=AVC msg=audit: avc:  denied  { map_create } for
pid=16739 comm="monitor" scontext=system_u:system_r:spc_t:s0 
tcontext=system_u:system_r:spc_t:s0 tclass=bpf permissive=0

I'm using a test-bpf.c program like this

#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <linux/bpf.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Minimal reproducer: create one BPF hash map through the raw bpf(2) syscall.
 * Under SELinux this is checked as class "bpf", permission "map_create". */
int main(void) {
    union bpf_attr attr = {
        .map_type = BPF_MAP_TYPE_HASH,
        .key_size = 4,
        .value_size = 4,
        .max_entries = 256,
    };
    /* syscall() returns the new map fd, or -1 with the error code in errno */
    int ret = syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    if (ret < 0) {
        fprintf(stderr, "ret = %d (%s)\n", ret, strerror(errno));
        return 1;
    }
    fprintf(stderr, "ret = %d (map fd created)\n", ret);
    close(ret);
    return 0;
}

And a Dockerfile like

FROM ubuntu:20.04
ADD strace /usr/bin/strace
ADD test-bpf /test-bpf

And run the container with --privileged --security-opt seccomp=unconfined -v /sys/kernel/debug:/sys/kernel/debug.

This works if the docker server runs on Ubuntu (where SELinux is disabled by default). Can I update an SELinux policy on the host that will allow bpf calls in the container? Can the docker server modify the SELinux policy in order to enable bpf calls?

patraulea
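The denial above names everything a local policy module needs: the source type (spc_t, the label container-selinux gives to privileged containers), the target type (also spc_t, so the rule targets self), the class (bpf) and the permission (map_create). The following script is an added example, not code from the question or from any SELinux project: it parses an AVC record of that shape into a Type Enforcement (.te) module source and shows the build-and-load steps for the host. The module name container_bpf, the helper names and the sample record (with a constructed audit timestamp) are all assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample record, mirroring the denial in the question (timestamp and
# serial number are made up).
SAMPLE_AVC='type=AVC msg=audit(1589950000.123:4567): avc:  denied  { map_create } for pid=16739 comm="monitor" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=bpf permissive=0'

# Print the value of one space-separated field (scontext, tcontext, tclass, ...).
avc_field() {
    # $1 = field name, $2 = AVC record
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Print the denied permission set, e.g. "map_create" or "map_create map_read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\) *}.*/\1/p' \
                      | sed 's/[[:space:]]*$//'
}

# Print the type component of a context label (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Emit a .te module that allows exactly the denied permissions, nothing wider.
avc_to_te() {
    # $1 = module name, $2 = AVC record
    _name=$1
    _src=$(ctx_type "$(avc_field scontext "$2")")
    _tgt=$(ctx_type "$(avc_field tcontext "$2")")
    _cls=$(avc_field tclass "$2")
    _perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n' "$_name"
    printf '    type %s;\n' "$_src"
    if [ "$_src" != "$_tgt" ]; then
        printf '    type %s;\n' "$_tgt"
    fi
    printf '    class %s { %s };\n}\n\n' "$_cls" "$_perms"
    # A rule whose source and target types are equal is written against "self".
    if [ "$_src" = "$_tgt" ]; then
        _tgt=self
    fi
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

# Build and load "$1.te" on the host (root; needs checkpolicy and
# policycoreutils). Not run here; shown for the operator's workflow.
load_te_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Show the module source for the sample record.
avc_to_te container_bpf "$SAMPLE_AVC"
```

Redirect the output to container_bpf.te and call load_te_module container_bpf on the CentOS host; `ausearch -m AVC -c monitor | audit2allow -M container_bpf` produces the same kind of module automatically once the denial has been logged. Two points worth keeping in mind: every denied permission shows up as its own AVC record, so a monitor that also loads programs will need prog_load (and possibly map_read, map_write or prog_run) added as further records appear, and spc_t is shared by every privileged container on the host, so this rule grants bpf map creation to all of them, not only to the monitor.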
  • Shouldn't enabling the `SELinux policy` be an outside job ideally? – Tarun Lalwani May 20 '20 at 06:40
  • Can you elaborate? True, the operator installing the monitoring container should apply SELinux policy changes as needed, but I suspect that docker unconditionally drops bpf capabilities and the result is they can't be marked as pass-through for the host SELinux. – patraulea May 21 '20 at 14:19
  • I am not an expert at this. But I can say look at this https://docs.docker.com/engine/security/seccomp/ and https://kubernetes.io/blog/2017/12/using-ebpf-in-kubernetes/. See if these make any sense – Tarun Lalwani May 21 '20 at 14:38

0 Answers