When I start some docker containers I get the following log:
kernel: tpe: Denied untrusted exec of /usr/local/bin/docker-entrypoint.sh (uid:999) by /usr/local/bin/gosu (uid:999), parents: /usr/bin/containerd-shim (uid:0), /usr/bin/containerd (uid:0), /lib/systemd/systemd (uid:0). Deny reason: file is writable
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /usr/local/bin/docker-entrypoint.sh. To silence this message, run; sysctl tpe.log_verbose = 0
It says that /usr/local/bin/docker-entrypoint.sh is untrusted, but I don't have this file on my system:
# ls -al /usr/local/bin/docker-entrypoint.sh
ls: cannot access '/usr/local/bin/docker-entrypoint.sh': No such file or directory
# ls -ald /usr/local/bin
drwxr-xr-x 2 root root 4096 2019-02-21 20:06:32 /usr/local/bin/
The file in question is inside of the container:
root@mariadb:/# ls -al /usr/local/bin/*
-rwxrwxr-x 1 root root 5816 Jan 8 23:47 /usr/local/bin/docker-entrypoint.sh
-rwxr-xr-x 1 root root 1286720 May 24 2017 /usr/local/bin/gosu
I tried to add the execs to tpe.trusted_apps, but that doesn't work. So how do I handle a case like Docker?
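The report's own output already shows what the module objected to: the container's `ls -al` lists docker-entrypoint.sh with mode `-rwxrwxr-x`, i.e. group-writable, which matches the logged "Deny reason: file is writable", while the host-side `ls` finds nothing because the file lives in the container's image layers rather than under the host's /usr/local/bin. The script below is an added example, not code from the tpe-lkm project or from the issue author; it reproduces that one writability decision on `ls -l` mode strings and on real paths (assuming a `stat` that accepts `-c '%A'`, as GNU coreutils and BusyBox do), and for a denied file prints the mode fix alongside the `setfattr` exception that the log itself offers. Names such as `tpe_writable_mode` and the sample lines are constructed for this example.

```shell
# Added example (not from the tpe-lkm project or the issue author): reproduce
# the "file is writable" decision that TPE logged above, first on ls -l mode
# strings, then on a real path, so a misconfigured image can be fixed by
# tightening the mode instead of granting the setfattr exception.

# Return 0 if a symbolic mode string (as printed by ls -l, e.g. -rwxrwxr-x)
# grants write permission to group or other, which is what the TPE log
# reports as "file is writable"; return 1 otherwise.
tpe_writable_mode() {
    mode="$1"
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    [ "$gw" = "w" ] || [ "$ow" = "w" ]
}

# Same decision for a path on the current filesystem (assumes a stat that
# understands -c '%A', as GNU coreutils and BusyBox do); return 2 if the
# path does not exist, which is what the host-side ls in the report hit
# because the file is inside the container, not on the host.
tpe_writable_path() {
    [ -e "$1" ] || return 2
    tpe_writable_mode "$(stat -c '%A' "$1")"
}

# Print the verdict and, for a denied file, the two ways out: fix the mode
# (preferred) or apply the exception TPE itself suggests in the log.
tpe_report() {
    mode="$1"; path="$2"
    if tpe_writable_mode "$mode"; then
        echo "DENY  $mode $path (file is writable)"
        echo "      fix:       chmod go-w $path"
        echo "      exception: setfattr -n security.tpe -v \"soften_exec:soften_mmap\" $path"
    else
        echo "ALLOW $mode $path"
    fi
}

# Constructed sample input: the two ls -al lines from inside the container above.
# Fields: mode links owner group size month day time-or-year path.
tpe_demo() {
    printf '%s\n' \
        '-rwxrwxr-x 1 root root 5816 Jan 8 23:47 /usr/local/bin/docker-entrypoint.sh' \
        '-rwxr-xr-x 1 root root 1286720 May 24 2017 /usr/local/bin/gosu' |
    while read -r mode _ _ _ _ _ _ _ path; do
        tpe_report "$mode" "$path"
    done
}

tpe_demo
```

Run inside the container (or against an extracted image layer) rather than on the host: the path in the kernel log is the container's view, so `tpe_writable_path` on the host returns 2 for it just as the report's `ls` did. Tightening the mode in the image (`chmod go-w`) removes the deny condition for every container started from that image, whereas the `setfattr` exception has to be applied per file on a filesystem that supports the attribute.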