Masked /proc/asound#38299
Merged
thaJeztah merged 1 commit intomoby:masterfrom Nov 30, 2018
jaswdr:issue-38285
Merged
Conversation
Member
|
ping @justincormack @crosbymichael PTAL |
Member
|
No need to mask the path? |
Contributor
|
Yes, you will want to mask it -- removing it from the read-only list allows the container to write to it (making the container have more access than before). |
Contributor
Author
|
@cyphar @AkihiroSuda thanks for the tip, I'll change this |
Codecov Report
@@ Coverage Diff @@
## master #38299 +/- ##
=========================================
Coverage ? 36.12%
=========================================
Files ? 610
Lines ? 45271
Branches ? 0
=========================================
Hits ? 16352
Misses ? 26681
Partials ? 2238 |
Member
|
Also may want to update the first line of the commit message to mention we're now masking the path (instead of making it readonly) |
Contributor
Author
|
@thaJeztah everything done 👍 |
Member
|
Oh, I meant to have the description in the commit message as well (not only on GitHub); that way, the description is preserved in git history |
@sw-pschmied originally post this in #38285 While looking through the Moby source code was found /proc/asound to be shared with containers as read-only (as defined in https://github.com/moby/moby/blob/master/oci/defaults.go#L128). This can lead to two information leaks. --- **Leak of media playback status of the host** Steps to reproduce the issue: - Listen to music/Play a YouTube video/Do anything else that involves sound output - Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat /proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep RUNNING || echo 'not running'" - See that the containerized process is able to check whether someone on the host is playing music as it prints RUNNING - Stop the music output - Execute the command again (The sleep is delaying the output because information regarding playback status isn't propagated instantly) - See that it outputs not running **Describe the results you received:** A containerized process is able to gather information on the playback status of an audio device governed by the host. Therefore a process of a container is able to check whether and what kind of user activity is present on the host system. Also, this may indicate whether a container runs on a desktop system or a server as media playback rarely happens on server systems. The description above is in regard to media playback - when examining `/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this can also leak information regarding capturing sound, as in recording audio or making calls on the host system. Signed-off-by: Jonathan A. Schweder <[email protected]>
Contributor
Author
|
@thaJeztah I think now is good 😄 |
Member
|
Perfect, thanks! |
thaJeztah
added
area/runtime
This was referenced Nov 30, 2018
Member
|
Opened pull requests in containerd to make the same change there; containerd/containerd#2846 (and backports for the release branches) |
Member
|
Actually, there may be a test that needs updating; moby/integration-cli/docker_cli_run_test.go Lines 2841 to 2848 in 3c5eac3 I think it will still pass, because it's masked (thus writing to For reference; that test was added in d87da59, part of #13073 (it may have been cherry-picked from another PR though) @crosbymichael ^^ looks like you wrote that test originally |
justincormack
approved these changes
Nov 30, 2018
Member
|
@thaJeztah Will leave to you to merge since you have a "request change" on it still. |
thaJeztah
approved these changes
Nov 30, 2018
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM
We can have a look at improving these tests separately
Member
|
PowerPC failure is unrelated, and a known flaky test; |
Contributor
Author
|
@thaJeztah thanks a lot, I'll keep going trying to help 👍 |
|
That is bad, now only privileged add-ons can play music :( |
Member
|
docker/cli#1347 will give you flexibility to allow access to /proc/asound without passing |
KentaTada
pushed a commit
to KentaTada/runc
that referenced
this pull request
Aug 26, 2019
This commit updates the masked paths of /proc. Related issues: * moby/moby#37404 * moby/moby#38299 * moby/moby#36368 Signed-off-by: Kenta Tada <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit bc9a7ec) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit ac0ab11) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit bc9a7ec) Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby/moby#36368 Add /proc/keys to masked paths - relates to moby/moby#38299 Masked /proc/asound - relates to moby/moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: bc9a7ec8987ffe028f8eab3978d4c36da3d3490f Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby/moby#36368 Add /proc/keys to masked paths - relates to moby/moby#38299 Masked /proc/asound - relates to moby/moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: ac0ab114a2ad14eab4a4da6a855831d90d777139 Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby/moby#36368 Add /proc/keys to masked paths - relates to moby/moby#38299 Masked /proc/asound - relates to moby/moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit bc9a7ec8987ffe028f8eab3978d4c36da3d3490f) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 10a716997d52013713b75df9e2485e26ac8d9d27 Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby/moby#36368 Add /proc/keys to masked paths - relates to moby/moby#38299 Masked /proc/asound - relates to moby/moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit bc9a7ec8987ffe028f8eab3978d4c36da3d3490f) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: b4c03dd6338e0c320db669a198cf48001dfdd49b Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Sep 27, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby/moby#36368 Add /proc/keys to masked paths - relates to moby/moby#38299 Masked /proc/asound - relates to moby/moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit ac0ab114a2ad14eab4a4da6a855831d90d777139) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 8ddb4c4e958bca2991b15aab5f9d6ac9397a55ed Component: engine
1 task
burnMyDread
pushed a commit
to burnMyDread/moby
that referenced
this pull request
Oct 21, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> Signed-off-by: zach <[email protected]>
burnMyDread
pushed a commit
to burnMyDread/moby
that referenced
this pull request
Oct 21, 2019
full diff: opencontainers/runc@v1.0.0-rc8...3e425f8 - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions - opencontainers/runc#2029 Update dependencies - opencontainers/runc#2034 Support for logging from children processes - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module - opencontainers/runc#2057 main: not reopen /dev/stderr - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver) - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address" - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall - opencontainers/runc#2074 Update dependency libseccomp-golang - opencontainers/runc#2081 Bump CRIU to 3.12 - opencontainers/runc#2089 doc: First process in container needs `Init: true` - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes - closes opencontainers/runc#2093 HostDevices() race with older udevd versions - opencontainers/runc#2098 man: fix man-pages - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager - opencontainers/runc#2107 Make get devices function public - opencontainers/runc#2113 libcontainer: initial support for cgroups v2 - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package - removes github.com/coreos/pkg as dependency - opencontainers/runc#2117 Remove libcontainer detection for systemd features - fixes opencontainers/runc#2117 Cache the systemd detection results - opencontainers/runc#2119 libcontainer: update masked paths of /proc - relates to moby#36368 Add /proc/keys to masked paths - relates to moby#38299 Masked /proc/asound - relates to moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892) - opencontainers/runc#2122 nsenter: minor fixes - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support - opencontainers/runc#2125 cgroup: support mount of cgroup2 - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file - opencontainers/runc#2129 Only allow proc mount if it is procfs - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884) Signed-off-by: Sebastiaan van Stijn <[email protected]> Signed-off-by: zach <[email protected]>
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Dec 31, 2019
This commit updates the masked paths of /proc. Related issues: * moby/moby#37404 * moby/moby#38299 * moby/moby#36368 Signed-off-by: Kenta Tada <[email protected]>
adrianreber
pushed a commit
to adrianreber/runc
that referenced
this pull request
Feb 10, 2020
This commit updates the masked paths of /proc. Related issues: * moby/moby#37404 * moby/moby#38299 * moby/moby#36368 Signed-off-by: Kenta Tada <[email protected]>
KentaTada
pushed a commit
to KentaTada/crun
that referenced
this pull request
Sep 14, 2020
Related issues: * moby/moby#37404 * moby/moby#38299 * moby/moby#36368 * moby/moby#35399 Signed-off-by: Kenta Tada <[email protected]>
dims
pushed a commit
to dims/libcontainer
that referenced
this pull request
Oct 19, 2024
This commit updates the masked paths of /proc. Related issues: * moby/moby#37404 * moby/moby#38299 * moby/moby#36368 Signed-off-by: Kenta Tada <[email protected]>
dims
pushed a commit
to dims/libcontainer
that referenced
this pull request
Oct 19, 2024
This commit updates the masked paths of /proc. Related issues: * moby/moby#37404 * moby/moby#38299 * moby/moby#36368 Signed-off-by: Kenta Tada <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
- What I did
Fixes #38285
- How I did it
Moved /proc/asound to
MaskedPath- How to verify it
Start some video or audio like Youtube or Spotify
Run:
$ docker run --rm ubuntu:latest bash -c "sleep 7; cat /proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep RUNNING || echo 'not running'"This need to print 'not running'
- Description for the changelog
Moved /proc/asound to MaskedPath
- A picture of a cute animal (not mandatory but encouraged)
