From: Magalhaes, G. (B. R&D-CL) <gui...@hp...> - 2016-12-05 19:52:00

Hi. I am using kernel version 4.8.8 and I see the permission error below when using IMA in 'enforce' mode. I am trying to instantiate a new Docker container (version 1.12.1), and every time the '.dockerenv' file is created without the security.ima xattr, and then an openat syscall (with O_CREAT) fails with 'permission denied'. The error is not reproducible if I turn IMA off. I am using the TCB policy.

    # docker run alpine sh
    docker : Error response from daemon: open /var/lib/docker/overlay/<id>-init/upper/.dockerenv permission denied.

This is the related dmesg line:

    [ 928.351976] audit: type=1800 audit(1480955917.279:5): pid=3661 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="dockerd" name="/var/lib/docker/overlay/d69486a52aca472d5bc06ef47dec48460fbca4c2d4e07cde71e5e5759a7db251-init/upper/.dockerenv" dev="sda1" ino=26359 res=0

The '.dockerenv' hidden file is created by Docker during the container initialization along with other /etc and /dev files. All these files are created, but the required xattr is missing.

The Docker daemon is using overlayfs as the storage driver. If I use another storage driver, the container is instantiated correctly. Actually, I used AUFS as the alternative storage driver to test.

I could find a similar error with Docker containers in recent kernel versions. Although it is not related to IMA, it might be helpful: https://github.com/docker/docker/issues/20950

Is it a known issue?

Thanks.

-- Guilherme
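An added example, not part of the original post: a small parser for the IMA appraisal audit records of the kind quoted above (audit type 1800, INTEGRITY_DATA), so that a defender triaging such denials from dmesg or the audit log can separate failures by cause (missing-hash versus invalid-hash) and by the process that hit them. Besides the record from the post, the sample input contains two constructed lines; the paths, inode numbers and serials in those are invented for the example.

```python
import re
from typing import Dict, List, Tuple

# Record from the original post, plus two constructed records (paths, inodes
# and serials are invented) to show the filtering and summary logic.
SAMPLE_LINES: List[str] = [
    '[  928.351976] audit: type=1800 audit(1480955917.279:5): pid=3661 uid=0 '
    'auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" '
    'comm="dockerd" name="/var/lib/docker/overlay/d69486a52aca472d5bc06ef47dec4846'
    '0fbca4c2d4e07cde71e5e5759a7db251-init/upper/.dockerenv" dev="sda1" ino=26359 res=0',
    # constructed: same daemon, hash present but not matching
    '[  931.004210] audit: type=1800 audit(1480955920.101:6): pid=3661 uid=0 '
    'auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-hash" '
    'comm="dockerd" name="/var/lib/docker/overlay/CONSTRUCTED-init/upper/hostname" '
    'dev="sda1" ino=26360 res=0',
    # constructed: res=1 means the appraisal succeeded, so it must be ignored
    '[  931.005000] audit: type=1800 audit(1480955920.102:7): pid=1 uid=0 '
    'auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" '
    'comm="init" name="/etc/motd" dev="sda1" ino=100 res=1',
]

# key=value pairs; values are either double-quoted strings or bare tokens
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_HEAD = re.compile(r'type=(\d+)\s+audit\(([\d.]+):(\d+)\):\s*(.*)$')


def parse_ima_audit(line: str) -> Dict[str, str]:
    """Parse one 'audit: type=NNNN audit(ts:serial): k=v ...' line into a dict.

    The dmesg timestamp prefix ('[ 928.351976]') is ignored. Returns an empty
    dict for lines that are not audit records.
    """
    m = _HEAD.search(line)
    if not m:
        return {}
    rec = {"type": m.group(1), "timestamp": m.group(2), "serial": m.group(3)}
    for key, raw, quoted in _KV.findall(m.group(4)):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def appraisal_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only INTEGRITY_DATA (type 1800) records where appraisal failed.

    In audit records res=0 is failure and res=1 is success, so a successful
    appraisal that merely logged its cause is dropped here.
    """
    out = []
    for line in lines:
        rec = parse_ima_audit(line)
        if rec.get("type") == "1800" and rec.get("res") == "0":
            out.append(rec)
    return out


def summarize(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count failures per (comm, cause), e.g. {('dockerd', 'missing-hash'): 1}."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in records:
        key = (rec.get("comm", "?"), rec.get("cause", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    failures = appraisal_failures(SAMPLE_LINES)
    for rec in failures:
        print(f'{rec["comm"]:>8} pid={rec["pid"]} {rec["cause"]:<13} {rec["name"]}')
    print(summarize(failures))
```

A high count of `missing-hash` from a single daemon writing under one storage path, as in the post, points at files being created without `security.ima` rather than at tampered content; `invalid-hash` records are the ones that deserve a closer look at the file itself.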