group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #10422
[Bug 1639407] Re: Docker not built with seccomp
This bug was fixed in the package docker.io - 1.12.3-0ubuntu4~16.10.2
---------------
docker.io (1.12.3-0ubuntu4~16.10.2) yakkety; urgency=medium
* Update runc dep to account for its backported version.
docker.io (1.12.3-0ubuntu4~16.10.1) yakkety; urgency=medium
* Backport to Yakkety. (LP: #1647376, #1639407)
-- Michael Hudson-Doyle <michael.hudson@xxxxxxxxxx> Mon, 19 Dec 2016
09:20:48 +1300
** Changed in: docker.io (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639407
Title:
Docker not built with seccomp
Status in docker.io package in Ubuntu:
Fix Released
Status in runc package in Ubuntu:
Fix Released
Status in docker.io source package in Xenial:
Fix Released
Status in runc source package in Xenial:
Fix Released
Status in docker.io source package in Yakkety:
Fix Released
Status in runc source package in Yakkety:
Fix Released
Bug description:
[Impact]
Hi,
I noticed that the 'docker' provided by the 'docker.io' package
is not built with seccomp support.
This is seems to be true in xenial, yakkety, and zesty:
ubuntu@ubuntu-xenial:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
Seccomp: 0
ubuntu@ubuntu-yakkety:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
Seccomp: 0
ubuntu@ubuntu-zesty:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
Seccomp: 0
This is despite the fact that the Ubuntu kernels are built with
seccomp support and that the necessary 'seccomp' version (2.2.1) is
available.
This damages Docker's security on Ubuntu:
+ This exploit of CVE-2016-5195 works on Ubuntu Docker but not on
stock Docker, because of the availabilty of the 'ptrace' system
call, which is blocked by Docker's default seccomp filter:
https://github.com/gebl/dirtycow-docker-vdso
+ Ubuntu Docker allows the 'perf_event_open' system call, which,
combined with /proc/sys/kernel/perf_event_paranoid being 1 by
default on xenial, allows disclosure of registers in the
kernel. This can be used to break KASLR, and possibly to leak other
sensitive values, like the /dev/urandom seed.
+ Ubuntu Docker allows access to system calls like 'move_pages', which
could be used to deny service to other NUMA-aware processes on the
host.
+ Processes in Ubuntu Docker containers can 'unshare' to create a new
user namespace and obtain a new set of capabilities, potentially
including capabilities the user intended to drop.
These are acceptable security trade-offs to make in some contexts, but
I think the fact that they're different from Docker's packages could
easily make this surprising or unexpected behavior.
[Test Case]
"sudo docker run -it ubuntu grep Seccomp /proc/self/status" should show that Seccomp is enabled.
Also see https://wiki.ubuntu.com/DockerUpdates
[Regression potential]
See above.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1639407/+subscriptions