File access
lockc comes with policies about file access which is based on allow- and deny-listing. Baseline and restricted policies have their own pairs of lists. All those lists should contain path prefixes. All the children of listed paths/directories are included, since the decision is made by prefix matching.
The deny list has precedence over allow list. That's because main purpose of the deny list is specifying exceptions whose prefixes are specified in the allow list, but we don't want to allow them.
To sum it up, when any process in the container tries to access a file, lockc:
- Checks whether the given path's prefix is in the deny list. If yes, denies the access.
- Checks whether the given path's prefix is in the allow list. If yes, allows the access.
- In case of no matches, denies the access.
By default, the contents of lists are:
- baseline
- allow list
- /bin
- /dev/console
- /dev/full
- /dev/null
- /dev/pts
- /dev/tty
- /dev/urandom
- /dev/zero
- /etc
- /home
- /lib
- /proc
- /sys/fs/cgroup
- /tmp
- /usr
- /var
- deny list
- /proc/acpi
- allow list
- restricted
- allow list
- /bin
- /dev/console
- /dev/full
- /dev/null
- /dev/pts
- /dev/tty
- /dev/urandom
- /dev/zero
- /etc
- /home
- /lib
- /proc
- /sys/fs/cgroup
- /tmp
- /usr
- /var
- deny list
- /proc/acpi
- /proc/sys
- allow list
By default, with the baseline policy level, this is a good exampole of not allowed behavior:
# docker run --rm -it registry.opensuse.org/opensuse/toolbox:latest
9b34d760017f:/ # ls /sys
ls: cannot open directory '/sys': Operation not permitted
9b34d760017f:/ # ls /sys/fs/btrfs
ls: cannot access '/sys/fs/btrfs': No such file or directory
9b34d760017f:/ # ls /sys/fs/cgroup
blkio cpu,cpuacct cpuset freezer memory net_cls net_prio pids systemd
cpu cpuacct devices hugetlb misc net_cls,net_prio perf_event rdma
We are able to see cgroups (which is fine), but other parts of /sys are hidden.