[18.06] Add /proc/acpi to masked paths #14

thaJeztah · 2018-07-06T14:03:15Z

The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
from 1.11 to current upstream master does not block /proc/acpi pathnames
allowing attackers to modify host's hardware like enabling/disabling
bluetooth or turning up/down keyboard brightness. SELinux prevents all
of this if enabled.

Fix for CVE-2018-10892

cherry-pick of moby#37404 for 18.06 (no conflicts)

The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current upstream master does not block /proc/acpi pathnames allowing attackers to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. SELinux prevents all of this if enabled. Signed-off-by: Antonio Murdaca <[email protected]> (cherry picked from commit 569b970) Signed-off-by: Sebastiaan van Stijn <[email protected]>

n4ss · 2018-07-06T17:16:23Z

LGTM!

thaJeztah · 2018-07-06T18:37:58Z

Janky failed due to issues with hub; docker-library/official-images#4543 (comment)

14:25:11 /docker-py/tests/integration/models_containers_test.py:146: in test_get
14:25:11     container = client.containers.run("alpine", "sleep 300", detach=True)
14:25:11 /docker-py/docker/models/containers.py:760: in run
14:25:11     detach=detach, **kwargs)
14:25:11 /docker-py/docker/models/containers.py:814: in create
14:25:11     resp = self.client.api.create_container(**create_kwargs)
14:25:11 /docker-py/docker/api/container.py:404: in create_container
14:25:11     return self.create_container_from_config(config, name)
14:25:11 /docker-py/docker/api/container.py:415: in create_container_from_config
14:25:11     return self._result(res, True)
14:25:11 /docker-py/docker/api/client.py:229: in _result
14:25:11     self._raise_for_status(response)
14:25:11 /docker-py/docker/api/client.py:225: in _raise_for_status
14:25:11     raise create_api_error_from_http_exception(e)
14:25:11 /docker-py/docker/errors.py:31: in create_api_error_from_http_exception
14:25:11     raise cls(e, response=response, explanation=explanation)
14:25:11 E   ImageNotFound: 404 Client Error: Not Found ("No such image: alpine:latest")

thaJeztah · 2018-07-06T18:38:41Z

Power failed on flaky tests; restarting both

thaJeztah · 2018-07-06T20:59:53Z

Janky only had some flaky tests failing

andrewhsu

LGTM

andrewhsu · 2018-07-06T23:50:10Z

Ignoring the flakey failures on ppc64le:

FAIL: docker_api_swarm_test.go:296: DockerSwarmSuite.TestAPISwarmLeaderElection
FAIL: check_test.go:347: DockerSwarmSuite.TearDownTest

Although the Dockerfile builds without it, adding wheel back should save some time ``` 00:45:28 #14 10.70 Building wheels for collected packages: pathspec, pyyaml 00:45:28 #14 10.70 Running setup.py bdist_wheel for pathspec: started 00:45:28 #14 10.88 Running setup.py bdist_wheel for pathspec: finished with status 'error' 00:45:28 #14 10.88 Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-mbotnxes/pathspec/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmpg9pl4u6kpip-wheel- --python-tag cp35: 00:45:28 #14 10.88 usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...] 00:45:28 #14 10.88 or: -c --help [cmd1 cmd2 ...] 00:45:28 #14 10.88 or: -c --help-commands 00:45:28 #14 10.88 or: -c cmd --help 00:45:28 #14 10.88 00:45:28 #14 10.88 error: invalid command 'bdist_wheel' 00:45:28 #14 10.88 00:45:28 #14 10.88 ---------------------------------------- 00:45:28 #14 10.88 Failed building wheel for pathspec 00:45:28 #14 10.88 Running setup.py clean for pathspec 00:45:28 #14 11.05 Running setup.py bdist_wheel for pyyaml: started 00:45:28 #14 11.25 Running setup.py bdist_wheel for pyyaml: finished with status 'error' 00:45:28 #14 11.25 Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-mbotnxes/pyyaml/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmpyci_xi0bpip-wheel- --python-tag cp35: 00:45:28 #14 11.25 usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...] 00:45:28 #14 11.25 or: -c --help [cmd1 cmd2 ...] 00:45:28 #14 11.25 or: -c --help-commands 00:45:28 #14 11.25 or: -c cmd --help 00:45:28 #14 11.25 00:45:28 #14 11.25 error: invalid command 'bdist_wheel' 00:45:28 #14 11.25 00:45:28 #14 11.25 ---------------------------------------- 00:45:28 #14 11.25 Failed building wheel for pyyaml 00:45:28 #14 11.25 Running setup.py clean for pyyaml 00:45:28 #14 11.44 Failed to build pathspec pyyaml 00:45:28 #14 11.45 Installing collected packages: pathspec, pyyaml, yamllint 00:45:28 #14 11.45 Running setup.py install for pathspec: started 00:45:29 #14 11.73 Running setup.py install for pathspec: finished with status 'done' 00:45:29 #14 11.73 Running setup.py install for pyyaml: started 00:45:29 #14 12.05 Running setup.py install for pyyaml: finished with status 'done' 00:45:29 #14 12.12 Successfully installed pathspec-0.5.9 pyyaml-5.1.2 yamllint-1.16.0 ``` Signed-off-by: Sebastiaan van Stijn <[email protected]>

Although the Dockerfile builds without it, adding wheel back should save some time ``` 00:45:28 #14 10.70 Building wheels for collected packages: pathspec, pyyaml 00:45:28 #14 10.70 Running setup.py bdist_wheel for pathspec: started 00:45:28 #14 10.88 Running setup.py bdist_wheel for pathspec: finished with status 'error' 00:45:28 #14 10.88 Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-mbotnxes/pathspec/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmpg9pl4u6kpip-wheel- --python-tag cp35: 00:45:28 #14 10.88 usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...] 00:45:28 #14 10.88 or: -c --help [cmd1 cmd2 ...] 00:45:28 #14 10.88 or: -c --help-commands 00:45:28 #14 10.88 or: -c cmd --help 00:45:28 #14 10.88 00:45:28 #14 10.88 error: invalid command 'bdist_wheel' 00:45:28 #14 10.88 00:45:28 #14 10.88 ---------------------------------------- 00:45:28 #14 10.88 Failed building wheel for pathspec 00:45:28 #14 10.88 Running setup.py clean for pathspec 00:45:28 #14 11.05 Running setup.py bdist_wheel for pyyaml: started 00:45:28 #14 11.25 Running setup.py bdist_wheel for pyyaml: finished with status 'error' 00:45:28 #14 11.25 Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-mbotnxes/pyyaml/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmpyci_xi0bpip-wheel- --python-tag cp35: 00:45:28 #14 11.25 usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...] 00:45:28 #14 11.25 or: -c --help [cmd1 cmd2 ...] 00:45:28 #14 11.25 or: -c --help-commands 00:45:28 #14 11.25 or: -c cmd --help 00:45:28 #14 11.25 00:45:28 #14 11.25 error: invalid command 'bdist_wheel' 00:45:28 #14 11.25 00:45:28 #14 11.25 ---------------------------------------- 00:45:28 #14 11.25 Failed building wheel for pyyaml 00:45:28 #14 11.25 Running setup.py clean for pyyaml 00:45:28 #14 11.44 Failed to build pathspec pyyaml 00:45:28 #14 11.45 Installing collected packages: pathspec, pyyaml, yamllint 00:45:28 #14 11.45 Running setup.py install for pathspec: started 00:45:29 #14 11.73 Running setup.py install for pathspec: finished with status 'done' 00:45:29 #14 11.73 Running setup.py install for pyyaml: started 00:45:29 #14 12.05 Running setup.py install for pyyaml: finished with status 'done' 00:45:29 #14 12.12 Successfully installed pathspec-0.5.9 pyyaml-5.1.2 yamllint-1.16.0 ``` Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit ad70bf6) Signed-off-by: Sebastiaan van Stijn <[email protected]>

thaJeztah added this to the 18.06.0 milestone Jul 6, 2018

n4ss approved these changes Jul 6, 2018

View reviewed changes

andrewhsu approved these changes Jul 6, 2018

View reviewed changes

andrewhsu merged commit 496e208 into docker-archive:18.06 Jul 6, 2018

thaJeztah deleted the 18.06-backport-CVE-2018-10892 branch July 7, 2018 00:52

DavidGarciaCat mentioned this pull request Aug 28, 2023

Potential unaligned/outdated CVE checks for Docker Desktop (MacBook ARM) wazuh/wazuh#18688

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[18.06] Add /proc/acpi to masked paths #14

[18.06] Add /proc/acpi to masked paths #14

thaJeztah commented Jul 6, 2018 •

edited

Loading

n4ss commented Jul 6, 2018

thaJeztah commented Jul 6, 2018

thaJeztah commented Jul 6, 2018

thaJeztah commented Jul 6, 2018

andrewhsu left a comment

andrewhsu commented Jul 6, 2018 •

edited

Loading

[18.06] Add /proc/acpi to masked paths #14

[18.06] Add /proc/acpi to masked paths #14

Conversation

thaJeztah commented Jul 6, 2018 • edited Loading

n4ss commented Jul 6, 2018

thaJeztah commented Jul 6, 2018

thaJeztah commented Jul 6, 2018

thaJeztah commented Jul 6, 2018

andrewhsu left a comment

Choose a reason for hiding this comment

andrewhsu commented Jul 6, 2018 • edited Loading

thaJeztah commented Jul 6, 2018 •

edited

Loading

andrewhsu commented Jul 6, 2018 •

edited

Loading