moby: unable to modify permissions of /dev/stdout without tty

Description

Permission denied error when attempting to chmod /dev/stdout without passing -t to docker run. SELinux is enabled and enforcing.

Steps to reproduce the issue:

  1. Enable SELinux on the daemon
  2. Set it to enforcing mode
  3. Run docker run -i fedora chmod +r /dev/stdout

Describe the results you received:

chmod: changing permissions of ‘/dev/stdout’: Permission denied, together with AVC denied errors in the audit log (see below).

Describe the results you expected:

The command/container to run without a permissions error.

Additional information you deem important (e.g. issue happens only occasionally):

Container Linux 1235.9.0

$ cat /etc/os-release 
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1235.9.0
VERSION_ID=1235.9.0
BUILD_ID=2017-02-02-0235
PRETTY_NAME="Container Linux by CoreOS 1235.9.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
$ docker version
Client:
 Version:      1.12.6
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   d5236f0
 Built:        Thu Feb  2 02:27:34 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.6
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   d5236f0
 Built:        Thu Feb  2 02:27:34 2017
 OS/Arch:      linux/amd64
# /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=containerd.service docker.socket early-docker.target network.target
Requires=containerd.service docker.socket early-docker.target

[Service]
Type=notify
EnvironmentFile=-/run/flannel/flannel_docker_opts.env

# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/lib/coreos/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock --selinux-enabled --userns-remap=docker $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

[Install]
WantedBy=multi-user.target
$ getenforce 
Enforcing
$ docker run -i fedora chmod +r /dev/stdout
chmod: changing permissions of '/dev/stdout': Permission denied
$ docker run -it fedora chmod +r /dev/stdout
$ dmesg | grep avc   
[ 2331.370824] audit: type=1400 audit(1487292483.922:92): avc:  denied  { setattr } for  pid=1922 comm="chmod" name="" dev="pipefs" ino=22235 scontext=system_u:system_r:svirt_lxc_net_t:s0:c393,c530 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0

Fedora 25

# cat /etc/os-release 
NAME=Fedora
VERSION="25 (Atomic Host)"
ID=fedora
VERSION_ID=25
PRETTY_NAME="Fedora 25 (Atomic Host)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:25"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=25
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=25
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Atomic Host"
VARIANT_ID=atomic.host
# docker version
Client:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-common-1.12.6-5.git037a2f5.fc25.x86_64
 Go version:      go1.7.4
 Git commit:      037a2f5/1.12.6
 Built:           Wed Jan 18 12:11:29 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-common-1.12.6-5.git037a2f5.fc25.x86_64
 Go version:      go1.7.4
 Git commit:      037a2f5/1.12.6
 Built:           Wed Jan 18 12:11:29 2017
 OS/Arch:         linux/amd64
# systemctl cat docker
# /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker-containerd.service
Wants=docker-storage-setup.service
Requires=docker-containerd.service

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
ExecStart=/usr/bin/dockerd-current \
          --add-runtime oci=/usr/libexec/docker/docker-runc-current \
          --default-runtime=oci \
          --selinux-enabled \
          --containerd /run/containerd.sock \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY
ExecReload=/bin/kill -s HUP $MAINPID
TasksMax=8192
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal

[Install]
WantedBy=multi-user.target

# /usr/lib/systemd/system/docker.service.d/flannel.conf
[Service]
EnvironmentFile=-/run/flannel/docker
# getenforce
Enforcing
# docker run -i fedora chmod +r /dev/stdout
chmod: changing permissions of '/dev/stdout': Permission denied
# docker run -ti fedora chmod +r /dev/stdout 
# cat /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1487292992.182:404): avc:  denied  { setattr } for  pid=2791 comm="chmod" name="" dev="pipefs" ino=29054 scontext=system_u:system_r:container_t:s0:c123,c494 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0

@rhatdan @mrunal


@rhatdan @justincormack the real issue (which necessitated chmod’ing /dev/stdout) is here:

docker run -it ubuntu bash
root@257c6a2ab2f2:/# useradd test
root@257c6a2ab2f2:/# su test
test@257c6a2ab2f2:/$ echo 'abc' > /dev/stdout
bash: /dev/stdout: Permission denied
test@257c6a2ab2f2:/$ ls -la /dev/stdout
lrwxrwxrwx 1 root root 15 Feb 21 15:53 /dev/stdout -> /proc/self/fd/1

If you are trying to run a command and write the output to a file and are getting permission denied, then point the output …

I’m pretty sure we’re all aware of how to do that. The root cause, that /dev/stdout cannot be written to, is a big deal when you are running somebody else’s code.

If you are trying to run a command and write the output to a file and are getting permission denied, then point the output to a file under /tmp: command > /tmp/file

@justincormack any thoughts? It seems this has been solved only for limited use cases. In this one, the container starts as the root user and then switches to another, unprivileged user, and /dev/stdout is inaccessible to that user.