From 48dad93f2bfc6ac5a201e98d6029fcff9cfbba80 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 7 Nov 2017 18:32:41 +1100
Subject: [PATCH] oci: add /proc/scsi to masked paths

This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.

Fixes: CVE-2017-16539
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
 oci/defaults.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/oci/defaults.go b/oci/defaults.go
index d706fafcc021..188ec3149659 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -132,6 +132,8 @@ func DefaultLinuxSpec() specs.Spec {
 			"/proc/timer_list",
 			"/proc/timer_stats",
 			"/proc/sched_debug",
+			"/sys/firmware",
+			"/proc/scsi",
 		},
 		ReadonlyPaths: []string{
 			"/proc/asound",
-- 
2.14.3