
[release/1.1 backport] Add /proc/asound to masked paths#2848

Merged
AkihiroSuda merged 1 commit into containerd:release/1.1 from thaJeztah:1.1_backport_mask_asound on Nov 30, 2018

Conversation

@thaJeztah
Member

Backport of #2846 for the 1.1 branch

This ports moby/moby#38299 to containerd

relates to moby/moby#38285

While looking through the Moby source code, /proc/asound was found to be shared
with containers as read-only.

This can lead to two information leaks.


Leak of media playback status of the host

Steps to reproduce the issue:

  • Listen to music/Play a YouTube video/Do anything else that involves sound
    output
  • Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
    /proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep
    RUNNING || echo 'not running'"
  • See that the containerized process is able to check whether someone on the
    host is playing music as it prints RUNNING
  • Stop the music output
  • Execute the command again (The sleep is delaying the output because
    information regarding playback status isn't propagated instantly)
  • See that it outputs not running

Describe the results you received:

A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.

The description above is in regard to media playback - when examining
/proc/asound/card*/pcm*c/sub*/status (pcm*c instead of pcm*p) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.

Reported-by: Philipp Schmied <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
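As an added illustration, not code from this PR or from containerd: a small Go check that reads an OCI runtime config.json, reports whether linux.maskedPaths already covers /proc/asound, and appends it when missing, which is the effect this change has on containerd's default spec. EnsureMasked, AsoundPath and SampleConfig are names and sample data constructed here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AsoundPath is the host path this PR adds to containerd's default masked paths.
const AsoundPath = "/proc/asound"

// SampleConfig is a constructed OCI runtime config.json predating this fix.
const SampleConfig = `{"ociVersion":"1.0.1","process":{"args":["sh"]},` +
	`"linux":{"maskedPaths":["/proc/kcore","/proc/keys","/sys/firmware"]}}`

// EnsureMasked returns the config with path appended to linux.maskedPaths when
// it is missing (added=true), or the input unchanged when already masked.
// Everything else in the document is carried through as raw JSON untouched.
func EnsureMasked(configJSON []byte, path string) (out []byte, added bool, err error) {
	top := map[string]json.RawMessage{}
	if err = json.Unmarshal(configJSON, &top); err != nil {
		return nil, false, err
	}
	linux := map[string]json.RawMessage{}
	if raw, ok := top["linux"]; ok {
		if err = json.Unmarshal(raw, &linux); err != nil {
			return nil, false, err
		}
	}
	var paths []string
	if raw, ok := linux["maskedPaths"]; ok {
		if err = json.Unmarshal(raw, &paths); err != nil {
			return nil, false, err
		}
	}
	for _, p := range paths {
		if p == path {
			return configJSON, false, nil // already masked, nothing to change
		}
	}
	paths = append(paths, path) // Marshal of these values cannot fail
	linux["maskedPaths"], _ = json.Marshal(paths)
	top["linux"], _ = json.Marshal(linux)
	out, err = json.Marshal(top)
	return out, true, err
}

func main() {
	out, added, err := EnsureMasked([]byte(SampleConfig), AsoundPath)
	fmt.Printf("added=%v err=%v\n%s\n", added, err, out)
}
```

Run it against a container's config.json (for example from the runtime's bundle directory) to confirm the audio device tree is masked on runtimes that predate this fix.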
@codecov-io

Codecov Report

Merging #2848 into release/1.1 will not change coverage.
The diff coverage is 100%.


@@             Coverage Diff              @@
##           release/1.1    #2848   +/-   ##
============================================
  Coverage        48.99%   48.99%           
============================================
  Files               85       85           
  Lines             7603     7603           
============================================
  Hits              3725     3725           
  Misses            3203     3203           
  Partials           675      675
| Flag | Coverage Δ |
|---|---|
| #linux | 48.99% <100%> (ø) ⬆️ |

| Impacted Files | Coverage Δ |
|---|---|
| oci/spec_unix.go | 98.4% <100%> (ø) ⬆️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data.
Last update 6bb83f2...3d31338.

@crosbymichael
Member

LGTM

@AkihiroSuda AkihiroSuda merged commit dbf186d into containerd:release/1.1 Nov 30, 2018
@thaJeztah thaJeztah deleted the 1.1_backport_mask_asound branch November 30, 2018 23:04