From 1e30767278277f02d2f190a45201a7bd788fa6e4 Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Wed, 18 Sep 2024 14:36:37 +0300 Subject: [PATCH] docs: Update gVisor design doc Update the gVisor design doc, to better reflect the current state of the gVisor integration. More specifically, the following have changed since this design doc was merged: * We have dropped the need for the `SETFCAP` capability. * We have added the SELinux label `container_engine_t` to the outer container. --- docs/developer/gvisor.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/developer/gvisor.md b/docs/developer/gvisor.md index 3f41dda..76871d8 100644 --- a/docs/developer/gvisor.md +++ b/docs/developer/gvisor.md @@ -59,9 +59,9 @@ Spawning the container now becomes a multi-stage process: The `Container` isolation provider spawns the container as before, with the following changes: -* It adds two Linux capabilities to the **outer** container that didn't exist - before: `SETFCAP` and `SYS_CHROOT`. Those capabilities are necessary to run - `runsc` rootless, and are not inherited by the **inner** container. +* It adds the `SYS_CHROOT` Linux capability, which was previously dropped, to + the **outer** container. This capability is necessary to run `runsc` + rootless, and is not inherited by the **inner** container. * It removes the `--userns keep-id` argument, which mapped the user outside the container to the same UID (normally `1000`) within the container. This was originally required when we were mounting host directories within the 
@@ -72,6 +72,10 @@ following changes: since the host user is not mapped within the container at all. * In distributions that offer Podman 3.x, we add a seccomp filter that adds the `ptrace` syscall, which is required for running gVisor. +* It labels the **outer** container with the `container_engine_t` SELinux label. + This label is reserved for running a container engine within a container, and + is necessary in environments where SELinux is enabled in enforcing mode (see + [#880](https://github.com/freedomofpress/dangerzone/issues/880)). Then, the following happens when Podman/Docker spawns the container:
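Review bot: In the first hunk (`@@ -59,9 +59,9 @@`), the new bullet says `SYS_CHROOT` "was previously dropped" but does not say where it was dropped or why `SETFCAP` is no longer required, even though the commit message states that its need has gone away; a reader of the design doc will otherwise wonder whether the old text was wrong or whether something in the `runsc` invocation changed. Suggest adding a half-sentence such as "Since `SETFCAP` is no longer needed by `runsc`, the outer container only regains `SYS_CHROOT` from the default set of dropped capabilities", and keeping the existing statement that the capability is not inherited by the **inner** container, since that is the property a reviewer of the sandbox boundary cares about.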
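Review bot: In the second hunk (`@@ -72,6 +72,10 @@`), the new `container_engine_t` bullet describes the label as "necessary in environments where SELinux is enabled in enforcing mode" but does not state the trade-off: `container_engine_t` is a broader type than the default `container_t`, so the outer container's SELinux confinement is relaxed to let `runsc` work, and the isolation of the document-conversion step then rests on gVisor rather than on SELinux. Suggest adding one sentence to that effect, and stating how the label is applied (the `--security-opt` argument passed to Podman/Docker) so the doc matches the code path the linked issue [#880](https://github.com/freedomofpress/dangerzone/issues/880) discusses.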