MIRRORS/meta-virtualization
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-virtualization.git synced 2025-07-19 12:50:22 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

docker: CVE-2018-10892

Browse Source 
* CVE-2018-10892
Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
modify host's hardware like enabling/disabling Bluetooth or turning up/down
keyboard brightness.

Affects < 18.03.01

CVE: CVE-2018-10892
Ref: https://access.redhat.com/security/cve/cve-2018-10892
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
This commit is contained in:
Sinan Kaya 2018-10-10 04:18:24 +00:00 committed by Bruce Ashfield
parent dd32e94c88
commit 4583c63317
2 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
recipes-containers/docker/docker_git.bb
View File

@ -30,6 +30,8 @@ SRC_URI = "\
file://0001-libnetwork-use-GO-instead-of-go.patch \
"
SRC_URI_append_docker += "CVE-2018-10892.patch"
# Apache-2.0 for docker
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"

34
recipes-containers/docker/files/CVE-2018-10892.patch Normal file
View File

@ -0,0 +1,34 @@
From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@redhat.com>
Date: Thu, 5 Jul 2018 17:06:08 +0200
Subject: [PATCH] Add /proc/acpi to masked paths
The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
from 1.11 to current upstream master does not block /proc/acpi pathnames
allowing attackers to modify host's hardware like enabling/disabling
bluetooth or turning up/down keyboard brightness. SELinux prevents all
of this if enabled.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
CVE: CVE-2018-10892
Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
Signed-off-by: Sinan Kaya<okaya@kernel.org>
---
oci/defaults.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/oci/defaults.go b/oci/defaults.go
index 4145412dd..992157b0f 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
s.Linux = &specs.Linux{
MaskedPaths: []string{
+ "/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
--
2.19.0