path: root/recipes-containers/docker/files/CVE-2018-10892.patch
blob: 60d04962d91115e1f080f7ffeee68a1c57dbb19c (plain)
From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@redhat.com>
Date: Thu, 5 Jul 2018 17:06:08 +0200
Subject: [PATCH] Add /proc/acpi to masked paths

The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
from 1.11 to current upstream master does not block /proc/acpi pathnames,
allowing attackers to modify the host's hardware, like enabling/disabling
Bluetooth or turning keyboard brightness up/down. SELinux prevents all
of this if enabled.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
CVE: CVE-2018-10892
Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
 oci/defaults.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/oci/defaults.go b/oci/defaults.go
index 4145412dd..992157b0f 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
 
 	s.Linux = &specs.Linux{
 		MaskedPaths: []string{
+			"/proc/acpi",
 			"/proc/kcore",
 			"/proc/keys",
 			"/proc/latency_stats",
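Review bot: the new entry only takes effect for containers that are actually created from `DefaultLinuxSpec()`; any caller that builds its own `specs.Linux` or drops `MaskedPaths` (for example a privileged container) will still expose `/proc/acpi`, so the commit message's claim that the host hardware paths are now "blocked" should be qualified as applying to the default spec only. Also, nothing in this hunk exercises the change: a small test asserting that `DefaultLinuxSpec().Linux.MaskedPaths` contains `"/proc/acpi"` would keep a future reorder or rewrite of this list from silently dropping the entry. Placement is fine, the list stays in alphabetical order with `"/proc/acpi"` ahead of `"/proc/kcore"`.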
-- 
2.19.0