From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 7 Nov 2017 18:32:41 +1100
Subject: [PATCH] oci: add /proc/scsi to masked paths
This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.
Fixes: CVE-2017-16539
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
oci/defaults.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/oci/defaults.go b/oci/defaults.go
index d706fafcc021..a7fd285060c2 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec {
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
+ "/proc/scsi",
},
ReadonlyPaths: []string{
"/proc/asound",
--
2.14.3