author | Daniel J Walsh <dwalsh@redhat.com> | 2017-11-22 09:54:22 -0500 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2017-11-22 15:49:56 +0000 |
commit | 91b406ea4a175a7b996f8810e1eb2f2653ff335d (patch) | |
tree | 51da98455b9f3ba5bf3191694a069e687ce3a06b | |
parent | 768fb6fe0f59467442a1aaaa4ca863d179255020 (diff) | |
Need to block access to kernel file systems in /proc and /sys
Users of `kpod run` could otherwise use these file systems to break out of the
container or to learn sensitive information about the host.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #61
Approved by: mheon
-rw-r--r-- | cmd/kpod/spec.go | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 1ae050d25..581be5241 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -17,6 +17,33 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
+	if !config.privileged {
+		for _, mp := range []string{
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/proc/scsi",
+			"/sys/firmware",
+		} {
+			g.AddLinuxMaskedPaths(mp)
+		}
+
+		for _, rp := range []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		} {
+			g.AddLinuxReadonlyPaths(rp)
+		}
+	}
+}
+
 func addRlimits(config *createConfig, g *generate.Generator) error {
 	var (
 		ul *units.Ulimit
@@ -127,6 +154,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	g.SetProcessApparmorProfile(config.apparmorProfile)
 	g.SetProcessSelinuxLabel(config.processLabel)
 	g.SetLinuxMountLabel(config.mountLabel)
+	blockAccessToKernelFilesystems(config, &g)
 
 	// RESOURCES - PIDS
 	if config.resources.pidsLimit != 0 {
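Review bot: The new `blockAccessToKernelFilesystems` carries no doc comment, and the two hard-coded path lists give no hint of why some entries are masked (replaced with an empty file or /dev/null by the runtime) while others are merely made read-only, so a later maintainer has no basis for deciding which list a new path belongs in. I would add `// blockAccessToKernelFilesystems masks or read-only mounts the /proc and /sys entries that would let an unprivileged container read host kernel state or trigger a breakout; it is a no-op for --privileged containers.` above the function, plus a one-line comment per list naming the intent (`// hidden entirely: leak host memory, timers or scheduler state` and `// visible but read-only: writable entries would let the container reconfigure the host kernel`). The lists look like they mirror the container-runtime defaults of the time; if memory serves those defaults also masked `/proc/keys`, which exposes the kernel keyring, so it is worth checking whether it was left out on purpose. As a matter of style the whole body is nested under `if !config.privileged {`; an early `if config.privileged { return }` would flatten it and keep the path lists left-aligned.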
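Review bot: The added call in `createConfigToOCISpec` sits between unrelated label/profile setters with nothing to say why it is there, and `blockAccessToKernelFilesystems` itself is only as effective as the runtime's handling of `maskedPaths`/`readonlyPaths`, which is easy to forget when reading this line. A short comment such as `// Hide sensitive kernel interfaces from non-privileged containers (masked/readonly paths are enforced by the OCI runtime).` would make the intent and the trust boundary explicit. The enclosing function starts and ends outside the hunk, so I cannot tell whether a user-supplied mount processed later could shadow these paths; that is worth a look if mounts are applied after this point.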