Add /proc/asound to masked paths#2846

Merged: crosbymichael merged 1 commit into containerd:master from thaJeztah:mask_asound on Nov 30, 2018

Conversation

@thaJeztah (Member)

This ports moby/moby#38299 to containerd

relates to moby/moby#38285

While looking through the Moby source code, /proc/asound was found to be shared
with containers as read-only.

This can lead to two information leaks.


Leak of media playback status of the host

Steps to reproduce the issue:

  • Listen to music/Play a YouTube video/Do anything else that involves sound
    output
  • Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
    /proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep
    RUNNING || echo 'not running'"
  • See that the containerized process is able to check whether someone on the
    host is playing music as it prints RUNNING
  • Stop the music output
  • Execute the command again (The sleep is delaying the output because
    information regarding playback status isn't propagated instantly)
  • See that it outputs not running

Describe the results you received:

A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.

The description above is in regard to media playback - when examining
/proc/asound/card*/pcm*c/sub*/status (pcm*c instead of pcm*p) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.

Reported-by: Philipp Schmied [email protected]
Signed-off-by: Sebastiaan van Stijn [email protected]

@thaJeztah (Member, Author)

@AkihiroSuda @crosbymichael @justincormack PTAL

/cc @jaswdr @sw-pschmied

@codecov-io

Codecov Report

Merging #2846 into master will not change coverage.
The diff coverage is 100%.


@@           Coverage Diff           @@
##           master    #2846   +/-   ##
=======================================
  Coverage   43.76%   43.76%           
=======================================
  Files         100      100           
  Lines       10749    10749           
=======================================
  Hits         4704     4704           
  Misses       5315     5315           
  Partials      730      730
| Flag | Coverage Δ |
| --- | --- |
| #linux | 47.42% <100%> (ø) ⬆️ |
| #windows | 40.92% <100%> (ø) ⬆️ |

| Impacted Files | Coverage Δ |
| --- | --- |
| oci/spec.go | 93.71% <100%> (ø) ⬆️ |


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d5f00ed...70084ea. Read the comment docs.

@crosbymichael (Member)

LGTM

@crosbymichael crosbymichael merged commit 620d56a into containerd:master Nov 30, 2018
@thaJeztah thaJeztah deleted the mask_asound branch November 30, 2018 23:05
@pvizeli commented Jan 15, 2019

Is there no better solution? Now only privileged add-ons can play music :(

@crosbymichael (Member)

@pvizeli this is only the default spec that is generated. As a user, you can configure the spec however you see fit.
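As an added example (not containerd's own code), the check a user or CI job could run over a generated OCI runtime-spec config.json to make sure the audio tree described above, and any other required /proc path, is in `linux.maskedPaths`, appending what is missing. The `ociSpec` type, `covered` and `harden` are hypothetical helpers assumed here; `constructedConfig` is a hand-written pre-fix fragment, not taken from any real host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ociSpec decodes only linux.maskedPaths from an OCI runtime-spec config.json.
type ociSpec struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// covered reports whether path is hidden by some masked entry: an exact match
// or a masked parent directory (masking /proc/asound hides every card below it).
func covered(path string, masked []string) bool {
	for _, m := range masked {
		if path == m || strings.HasPrefix(path, strings.TrimSuffix(m, "/")+"/") {
			return true
		}
	}
	return false
}

// harden appends each required path the config leaves visible to
// linux.maskedPaths (idempotent) and returns the added paths and new config.
// Other fields of a real config.json are dropped by the minimal ociSpec type.
func harden(configJSON []byte, required []string) ([]string, []byte, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, nil, fmt.Errorf("decode config.json: %w", err)
	}
	var added []string
	for _, p := range required {
		if !covered(p, spec.Linux.MaskedPaths) {
			added = append(added, p)
			spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, p)
		}
	}
	out, err := json.Marshal(&spec)
	return added, out, err
}

const constructedConfig = `{"linux":{"maskedPaths":["/proc/kcore","/proc/keys"]}}` // constructed pre-fix fragment, not a real host

func main() {
	added, cfg, err := harden([]byte(constructedConfig), []string{"/proc/asound", "/proc/kcore"})
	fmt.Println(added, string(cfg), err) // added: [/proc/asound]
}
```

Decoding into the full runtime-spec types instead of `ociSpec` keeps the rest of a real config intact; the prefix rule in `covered` is what lets a single `/proc/asound` entry cover every `card*/pcm*/sub*/status` file underneath it.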
