Running poplog under Docker - GetPoplog/Seed GitHub Wiki

By default, Poplog cannot run under Docker: some special flags have to be enabled before it can function.

$ docker run --security-opt seccomp=/path/to/poplog_seccomp.json -it --name poplog-ubuntu ubuntu:20.04
# apt update && apt install -y wget
# wget "https://github.com/GetPoplog/Seed/releases/download/v0.0.1-test10/poplog_16.1-1_amd64.deb"
# apt install ./poplog_16.1-1_amd64.deb

This uses a custom seccomp profile, poplog_seccomp.json. It works by adding a few extra permissions onto the default security profile in order to allow the personality system call with a couple of extra bit flags.

TECHNICAL DETAILS:

Poplog's Requirements

Poplog makes use of the personality(2) syscall which is banned by Docker's default security profile. This system call is used to get and set flags associated with the process that control fundamental aspects of how memory is used, amongst other things. Poplog requires two flags to be set.

  • READ_IMPLIES_EXEC: with this flag set, PROT_READ implies PROT_EXEC for mmap(2).
  • ADDR_NO_RANDOMIZE: with this flag set, address-space-layout randomization (ASLR) is disabled for the process.

We believe we can work around the need for READ_IMPLIES_EXEC, insofar as we can re-use a 'hack' for AIX that replaces calls to brk and sbrk with calls to mmap. Unfortunately we do not have a workaround for ADDR_NO_RANDOMIZE yet. The layout of Poplog's store is pervasive in the source code, and we have not isolated which kinds of access ASLR will affect.
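The least-privilege way to grant this is to allow personality(2) only with the exact argument values Poplog needs, rather than unconditionally. The following Python script is an added example, not the project's poplog_seccomp.json: it appends such rules to a Docker seccomp profile and simulates whether a given personality value would pass. It assumes Poplog sets the two flags on the plain PER_LINUX persona, and the BASE_PROFILE is a constructed stand-in for Docker's default profile.

```python
import json

# Persona flag values from <linux/personality.h>.
PER_LINUX = 0x0000000
ADDR_NO_RANDOMIZE = 0x0040000   # disable ASLR for the process
READ_IMPLIES_EXEC = 0x0400000   # PROT_READ implies PROT_EXEC for mmap(2)

# personality(2) argument values to permit. Assumption: Poplog sets the flags on
# the plain PER_LINUX persona; single-flag values cover setting them one at a time.
NEEDED_PERSONAS = [
    PER_LINUX | ADDR_NO_RANDOMIZE,
    PER_LINUX | READ_IMPLIES_EXEC,
    PER_LINUX | ADDR_NO_RANDOMIZE | READ_IMPLIES_EXEC,
]


def personality_rules(values):
    """One Docker seccomp rule per exact argument value. Conditions inside one
    rule's "args" list are ANDed, so each allowed value needs its own rule."""
    return [{"names": ["personality"], "action": "SCMP_ACT_ALLOW",
             "args": [{"index": 0, "value": v, "op": "SCMP_CMP_EQ"}]} for v in values]


def extend_profile(profile, values=NEEDED_PERSONAS):
    """Return a copy of a Docker seccomp profile with the extra personality rules."""
    out = json.loads(json.dumps(profile))
    out.setdefault("syscalls", []).extend(personality_rules(values))
    return out


def personality_allowed(profile, persona):
    """Simulate the filter for personality(persona): allowed if some ALLOW rule
    matches all of its conditions, otherwise the profile's defaultAction applies."""
    for rule in profile.get("syscalls", []):
        if "personality" not in rule["names"] or rule["action"] != "SCMP_ACT_ALLOW":
            continue
        if all(c["index"] == 0 and c["op"] == "SCMP_CMP_EQ" and c["value"] == persona
               for c in rule.get("args", [])):
            return True
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


# Constructed stand-in for the default profile: personality only with fixed values.
BASE_PROFILE = {"defaultAction": "SCMP_ACT_ERRNO",
                "syscalls": personality_rules([PER_LINUX, 0xFFFFFFFF])}

if __name__ == "__main__":
    print(json.dumps(extend_profile(BASE_PROFILE), indent=2))
```

Run it and pass the printed JSON as the `--security-opt seccomp=` file; any personality value outside the listed ones still falls through to the profile's default action.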

Docker Security Profiles