From 9102c781859d9f4f52802ac2e564c73ffda05d1aa39c3165d3f58490d26d5059 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Tue, 7 Nov 2017 09:33:12 +0000
Subject: [PATCH] Accepting request 539455 from home:cyphar:containers:docker_CVE-2017-16539

- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a security issue where a Docker container (with a disabled AppArmor profile) could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 CVE-2017-16539
 + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
OBS-URL: https://build.opensuse.org/request/show/539455
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=210
---
 ...01-oci-add-proc-scsi-to-masked-paths.patch | 32 +++++++++++++++++++
 docker.changes | 9 ++++++
 docker.spec | 4 +++
 3 files changed, 45 insertions(+)
 create mode 100644 bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch

diff --git a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
new file mode 100644
index 0000000..3e19a3c
--- /dev/null
+++ b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
@@ -0,0 +1,32 @@
+From 48dad93f2bfc6ac5a201e98d6029fcff9cfbba80 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Tue, 7 Nov 2017 18:32:41 +1100
+Subject: [PATCH] oci: add /proc/scsi to masked paths
+
+This is writeable, and can be used to remove devices. Containers do
+not need to know about scsi devices.
+
+Fixes: CVE-2017-16539
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
+Signed-off-by: Justin Cormack
+Signed-off-by: Aleksa Sarai
+---
+ oci/defaults.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/oci/defaults.go b/oci/defaults.go
+index d706fafcc021..188ec3149659 100644
+--- a/oci/defaults.go
++++ b/oci/defaults.go
+@@ -132,6 +132,8 @@ func DefaultLinuxSpec() specs.Spec {
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
++ "/sys/firmware",
++ "/proc/scsi",
+ },
+ ReadonlyPaths: []string{
+ "/proc/asound",
+--
+2.14.3
+
diff --git a/docker.changes b/docker.changes
index 1826677..894ea65 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a
+ security issue where a Docker container (with a disabled AppArmor profile)
+ could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801
+ CVE-2017-16539
+ + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+
 -------------------------------------------------------------------
 Tue Oct 24 06:50:29 UTC 2017 - asarai@suse.com
diff --git a/docker.spec b/docker.spec
index 658c455..61173fa 100644
--- a/docker.spec
+++ b/docker.spec
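Review bot: The hunk masks `/sys/firmware` in addition to `/proc/scsi`, but the nested patch's subject and body (and the docker.changes entry) describe only /proc/scsi; the patch description should say why the second path is masked, e.g. append `Also mask /sys/firmware, which exposes host firmware tables to the container.`, so that entry is not dropped as unrelated in a later rebase of this backport. Putting both entries in the masked-paths list of DefaultLinuxSpec makes the mitigation independent of the AppArmor profile, which is the right layer given the advisory is about a disabled profile; it only covers containers started from this default spec, and whether --privileged or other security options strip the list is decided in code outside this hunk, so the changelog's "fixes" should be read as "for the default profile". DefaultLinuxSpec begins and ends outside the hunk.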
@@ -68,6 +68,8 @@ Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa
 Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781
 Patch403: bsc1064781-0001-Allow-to-override-build-date.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
+Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
@@ -191,6 +193,8 @@ Test package for docker. It contains the source code and the tests.
 %patch402 -p1 -d components/engine
 # boo#1064781
 %patch403 -p1 -d components/engine
+# boo#1066801 CVE-2017-16539
+%patch404 -p1 -d components/engine
 cp %{SOURCE7} .
 cp %{SOURCE9} .
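Review bot: The two new spec comments cite the bug as `boo#1066801`, while the nested patch's `SUSE-Bug:` trailer points at bugzilla.suse.com, the patch file is named bsc1066801-…, and docker.changes says `bsc#1066801`; one prefix for all four references would let them be grepped together, e.g. `# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. bsc#1066801 CVE-2017-16539`. The `Patch404:` declaration and the `%patch404 -p1 -d components/engine` application follow the surrounding Patch40x convention, so the wiring itself looks consistent with the existing backports.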