From 91b406ea4a175a7b996f8810e1eb2f2653ff335d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 22 Nov 2017 09:54:22 -0500
Subject: Need to block access to kernel file systems in /proc and /sys

Users of kpod run could use these file systems to perform a breakout or to learn valuable system information.
Signed-off-by: Daniel J Walsh
Closes: #61
Approved by: mheon
---
 cmd/kpod/spec.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 1ae050d25..581be5241 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -17,6 +17,33 @@ import (
 "golang.org/x/sys/unix"
 )
 
+func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
+ if !config.privileged {
+ for _, mp := range []string{
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/proc/scsi",
+ "/sys/firmware",
+ } {
+ g.AddLinuxMaskedPaths(mp)
+ }
+
+ for _, rp := range []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ } {
+ g.AddLinuxReadonlyPaths(rp)
+ }
+ }
+}
+
 func addRlimits(config *createConfig, g *generate.Generator) error {
 var (
 ul *units.Ulimit
@@ -127,6 +154,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 g.SetProcessApparmorProfile(config.apparmorProfile)
 g.SetProcessSelinuxLabel(config.processLabel)
 g.SetLinuxMountLabel(config.mountLabel)
+ blockAccessToKernelFilesystems(config, &g)
 
 // RESOURCES - PIDS
 if config.resources.pidsLimit != 0 {
-- 
cgit v1.2.3-54-g00ecf
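Review bot: `blockAccessToKernelFilesystems` is added without a doc comment, and its single `if !config.privileged { … }` wraps the whole body where a guard clause would keep the two loops left-aligned; suggest opening the function with `if config.privileged { return }` and adding `// blockAccessToKernelFilesystems adds the /proc and /sys entries that an unprivileged container must not read or write to the spec's masked and read-only path lists; privileged containers are left untouched.` The two path lists are inline literals that can only be discovered by reading this function body; lifting them to named package-level slices (for example `defaultMaskedPaths` and `defaultReadonlyPaths`) would document their intent and let a test assert the generated spec's `MaskedPaths`/`ReadonlyPaths` directly. I cannot tell from the hunk whether these lists are meant to track the runtime's own defaults or whether a user-supplied mount onto one of these paths is handled elsewhere in `createConfigToOCISpec`; that is worth stating in the comment so the next maintainer knows which list to update.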