authorDaniel J Walsh <dwalsh@redhat.com>2017-11-22 09:54:22 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2017-11-22 15:49:56 +0000
commit91b406ea4a175a7b996f8810e1eb2f2653ff335d (patch)
tree51da98455b9f3ba5bf3191694a069e687ce3a06b /cmd/kpod/spec.go
parent768fb6fe0f59467442a1aaaa4ca863d179255020 (diff)
Need to block access to kernel file systems in /proc and /sys
Users of kpod run could use these file systems to perform a breakout or to learn valuable system information. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #61 Approved by: mheon
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r--cmd/kpod/spec.go28
1 files changed, 28 insertions, 0 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 1ae050d25..581be5241 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -17,6 +17,33 @@ import (
"golang.org/x/sys/unix"
)
+func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
+ if !config.privileged {
+ for _, mp := range []string{
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/proc/scsi",
+ "/sys/firmware",
+ } {
+ g.AddLinuxMaskedPaths(mp)
+ }
+
+ for _, rp := range []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ } {
+ g.AddLinuxReadonlyPaths(rp)
+ }
+ }
+}
+
func addRlimits(config *createConfig, g *generate.Generator) error {
var (
ul *units.Ulimit
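Review bot: blockAccessToKernelFilesystems carries no comment explaining why these /proc and /sys entries are masked or made read-only, or that the whole set is skipped for privileged containers, so anyone later editing the lists has nothing to check against; add `// blockAccessToKernelFilesystems masks the /proc and /sys entries that expose kernel internals and mounts read-only those whose writes would affect the host; it is a no-op for privileged containers.` above the func. The body is nested under `if !config.privileged {`; a guard clause `if config.privileged { return }` keeps the two loops left-aligned. The path lists are literals inside the function — hoisting them to package-level vars such as `defaultMaskedPaths` and `defaultReadonlyPaths` would keep them visible in one place and testable. Whether the generator already seeds these paths and whether AddLinuxMaskedPaths/AddLinuxReadonlyPaths append without deduplication is not visible here; if both hold, the entries end up listed twice, which is harmless to the runtime but worth a test asserting the final lists.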
@@ -127,6 +154,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
g.SetProcessApparmorProfile(config.apparmorProfile)
g.SetProcessSelinuxLabel(config.processLabel)
g.SetLinuxMountLabel(config.mountLabel)
+ blockAccessToKernelFilesystems(config, &g)
// RESOURCES - PIDS
if config.resources.pidsLimit != 0 {