
group.of.nepali.translators team mailing list archive

[Bug 1639407] Re: Docker not built with seccomp


This bug was fixed in the package runc - 1.0.0~rc1-0ubuntu2~16.04.1

---------------
runc (1.0.0~rc1-0ubuntu2~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1639407)

 -- Michael Hudson-Doyle <michael.hudson@xxxxxxxxxx>  Thu, 15 Dec 2016 13:33:42 +1300

** Changed in: runc (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639407

Title:
  Docker not built with seccomp

Status in docker.io package in Ubuntu:
  Fix Released
Status in runc package in Ubuntu:
  Fix Released
Status in docker.io source package in Xenial:
  Fix Released
Status in runc source package in Xenial:
  Fix Released
Status in docker.io source package in Yakkety:
  Fix Released
Status in runc source package in Yakkety:
  Fix Released

Bug description:
  [Impact]
  Hi,

  I noticed that the 'docker' provided by the 'docker.io' package
  is not built with seccomp support.

  This seems to be true in xenial, yakkety, and zesty:

    ubuntu@ubuntu-xenial:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
    Seccomp:	0

    ubuntu@ubuntu-yakkety:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
    Seccomp:	0

    ubuntu@ubuntu-zesty:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
    Seccomp:	0

  This is despite the fact that the Ubuntu kernels are built with
  seccomp support and that the necessary 'seccomp' version (2.2.1) is
  available.

  This damages Docker's security on Ubuntu:

  + This exploit of CVE-2016-5195 works on Ubuntu Docker but not on
    stock Docker, because of the availability of the 'ptrace' system
    call, which is blocked by Docker's default seccomp filter:
    https://github.com/gebl/dirtycow-docker-vdso

  + Ubuntu Docker allows the 'perf_event_open' system call, which,
    combined with /proc/sys/kernel/perf_event_paranoid being 1 by
    default on xenial, allows disclosure of registers in the
    kernel. This can be used to break KASLR, and possibly to leak other
    sensitive values, like the /dev/urandom seed.

  + Ubuntu Docker allows access to system calls like 'move_pages', which
    could be used to deny service to other NUMA-aware processes on the
    host.

  + Processes in Ubuntu Docker containers can 'unshare' to create a new
    user namespace and obtain a new set of capabilities, potentially
    including capabilities the user intended to drop.

  These are acceptable security trade-offs to make in some contexts, but
  I think the fact that they're different from Docker's packages could
  easily make this surprising or unexpected behavior.

  [Test Case]
  "sudo docker run -it ubuntu grep Seccomp /proc/self/status" should show that Seccomp is enabled.

  Also see https://wiki.ubuntu.com/DockerUpdates

  [Regression potential]
  See above.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1639407/+subscriptions
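The [Test Case] above is a one-liner; the following POSIX shell helper turns it into a reusable check. It is an added example, not part of the bug report or of the docker.io/runc packages. It parses the Seccomp field of /proc/<pid>/status (present since Linux 3.8, per proc(5)) and maps the number to the kernel's meaning: 0 disabled, 1 strict, 2 filter. Docker's default profile shows up as mode 2, which is what a fixed package should produce; the affected Ubuntu builds show 0, which is also what you get with --security-opt seccomp=unconfined, so a 0 alone does not tell you which of the two you are looking at. The sample status text in the demonstration is constructed; check_container_seccomp assumes the docker CLI is on PATH and is not run automatically.

```shell
#!/bin/sh
# Added example (not from the bug report): verify whether a process, or a
# freshly started container, runs under a seccomp filter by parsing the
# Seccomp field of /proc/<pid>/status.
# Kernel meaning of the value (proc(5), field present since Linux 3.8):
#   0 = seccomp disabled, 1 = strict mode, 2 = filter mode (BPF filter attached)

# Read /proc/<pid>/status text on stdin and print the Seccomp mode number,
# or "unknown" when the field is missing (kernel older than 3.8).
seccomp_mode() {
    while IFS= read -r line; do
        case "$line" in
            Seccomp:*)
                set -- $line        # split "Seccomp:<tab>N" on whitespace
                echo "$2"
                return 0
                ;;
        esac
    done
    echo unknown
}

# Map the mode number to its name.
seccomp_mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Succeed (exit 0) only when the status text on stdin describes a process
# in filter mode. Usage: some_status_source | seccomp_filter_active
seccomp_filter_active() {
    [ "$(seccomp_mode)" = 2 ]
}

# Check a pid on this host (default: the calling shell itself).
check_pid_seccomp() {
    pid="${1:-self}"
    mode=$(seccomp_mode < "/proc/$pid/status")
    echo "pid $pid: Seccomp=$mode ($(seccomp_mode_name "$mode"))"
    [ "$mode" = 2 ]
}

# The bug's test case as a check: start a throwaway container from the given
# image (default: ubuntu) and confirm a seccomp filter is active inside it.
# Assumes the docker CLI is on PATH; not called automatically below.
check_container_seccomp() {
    image="${1:-ubuntu}"
    mode=$(docker run --rm "$image" cat /proc/self/status | seccomp_mode)
    echo "container from $image: Seccomp=$mode ($(seccomp_mode_name "$mode"))"
    [ "$mode" = 2 ]
}

# Demonstration on constructed status text: the first is what the bug report
# shows on an affected Xenial host, the second is what a fixed docker.io shows.
printf 'Name:\tgrep\nSeccomp:\t0\n' | seccomp_mode     # 0
printf 'Name:\tgrep\nSeccomp:\t2\n' | seccomp_mode     # 2
```

Run `check_container_seccomp ubuntu` on the host under test; a non-zero exit means the container did not get a filter, which is the failure this bug describes. Because mode 0 is also what an explicitly unconfined container reports, pair the in-container check with a look at the daemon's advertised security options (for example `docker info`, which lists seccomp among them on a build that supports it) when you need to tell a missing build option from a deliberate opt-out.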