Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

specconv.Example(): add /proc/scsi to masked paths #1641

Merged
merged 1 commit into from
Nov 6, 2017

Conversation

AkihiroSuda
Copy link
Member

Port over moby/moby#35399

Signed-off-by: Akihiro Suda [email protected]

@vielmetti
Copy link

This is related to CVE-2017-16539.

@@ -116,6 +116,7 @@ func Example() *specs.Spec {
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Paths should be sorted.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the existing list is not sorted, I wonder sorting in this PR might have some negative impact on git commit traceability.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, fair enough.

@vielmetti
Copy link

There exists a kernel patch too: https://marc.info/?l=linux-scsi&m=150982199728895&w=2

@cyphar
Copy link
Member

cyphar commented Nov 6, 2017

LGTM.

Approved with PullApprove

@crosbymichael
Copy link
Member

crosbymichael commented Nov 6, 2017

LGTM

Approved with PullApprove

@crosbymichael crosbymichael merged commit cc0cd1a into opencontainers:master Nov 6, 2017
@cyphar
Copy link
Member

cyphar commented Nov 6, 2017

This also should have a runtime-tools patch.

@AkihiroSuda
Copy link
Member Author

looks like runtime-tools doesn't set masked paths by default? https://github.com/opencontainers/runtime-tools/search?utf8=✓&q=maskedpaths&type=

cc @Mashimiao @q384566678

@Mashimiao
Copy link

@AkihiroSuda currently, yes. runtime-tools will supply which kind of default config as template, which has not been determined. Discussion is here.
If we decided to supply good default config as template for users, I think we should have this path.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants