-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
specconv.Example(): add /proc/scsi to masked paths #1641
Conversation
Port over moby/moby#35399 Signed-off-by: Akihiro Suda <[email protected]>
This is related to CVE-2017-16539. |
@@ -116,6 +116,7 @@ func Example() *specs.Spec { | |||
"/proc/timer_stats", | |||
"/proc/sched_debug", | |||
"/sys/firmware", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Paths should be sorted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the existing list is not sorted, I wonder sorting in this PR might have some negative impact on git commit traceability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, fair enough.
There exists a kernel patch too: https://marc.info/?l=linux-scsi&m=150982199728895&w=2 |
This also should have a |
looks like runtime-tools doesn't set masked paths by default? https://github.com/opencontainers/runtime-tools/search?utf8=✓&q=maskedpaths&type= cc @Mashimiao @q384566678 |
@AkihiroSuda currently, yes. runtime-tools will supply which kind of default config as template, which has not been determined. Discussion is here. |
Port over moby/moby#35399
Signed-off-by: Akihiro Suda [email protected]