Add /proc/acpi to masked paths #37404

runcom · 2018-07-06T09:53:46Z

The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
from 1.11 to current upstream master does not block /proc/acpi pathnames
allowing attackers to modify host's hardware like enabling/disabling
bluetooth or turning up/down keyboard brightness and probably other stuff. SELinux prevents all
of this if enabled. Probably apparmor does prevent this as well but I haven't tested.

This is reproducible with just:

docker run --rm -ti alpine sh -c 'echo "2" >/proc/acpi/ibm/kbdlight' (turns up the brightness of the kbd)
docker run --rm -ti alpine sh -c 'echo "enable" >/proc/acpi/ibm/bluetooth' (enable bluetooth)

We've reserved CVE-2018-10892 for this.

@thaJeztah @cyphar et all, PTAL

Signed-off-by: Antonio Murdaca runcom@redhat.com

The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current upstream master does not block /proc/acpi pathnames allowing attackers to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. SELinux prevents all of this if enabled. Signed-off-by: Antonio Murdaca <runcom@redhat.com>

cyphar · 2018-07-06T10:48:33Z

Probably apparmor does prevent this as well but I haven't tested.

AppArmor does protect against this (it protects against all writes to /proc files unless they are inside /proc/sys/ or /proc/<pid>/). I've tested this on openSUSE Tumbleweed and /proc/acpi writes are disallowed inside containers.

LGTM.

runcom · 2018-07-06T12:50:30Z

failures seems to be unrelated

n4ss · 2018-07-06T17:05:49Z

LGTM!

cpuguy83

LGTM

andrewhsu

LGTM

thaJeztah

LGTM

codecov · 2018-07-06T20:38:49Z

Codecov Report

Merging #37404 into master will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #37404      +/-   ##
==========================================
+ Coverage   34.91%   34.93%   +0.01%     
==========================================
  Files         610      610              
  Lines       44884    44884              
==========================================
+ Hits        15672    15679       +7     
+ Misses      27092    27087       -5     
+ Partials     2120     2118       -2

n4ss · 2018-07-07T14:57:34Z

Additional Information on CVE-2018-10892

Since this is linked from the CVE (which I'll make sure we amend and add additional documentation because the description shows extremely small understanding of what ACPI is and can be used for, as well as the use of the procfs interface for this purpose) and people will visit this issue, a few key points:

Both SELinux and AppArmor with the default profiles protect against this (if you use an official Docker packaging and don't disable security features, you're safe).
The /proc/acpi interface is either removed or deprecated since 2011/2012 of almost every kernel / drivers (if you use a kernel > 2.6 - current version is 4.17.4 - and no legacy/bad drivers, you're safe). [1]
If your /proc/acpi is not empty (except button on some laptops for the LiD light), please report it to your distribution or driver provider support

[1] Please see the note on the kernel config option that gates all /proc/acpi population: https://github.com/torvalds/linux/blob/master/drivers/acpi/Kconfig#L100

thaJeztah · 2018-07-07T15:11:19Z

Locking the conversation on this PR, as it got a bit of attention on Twitter, and I want to prevent a long discussion from hiding that summary.

Feel free to discuss on Slack, the forums, or open a new ticket it more discussion is needed

GordonTheTurtle added the status/0-triage label Jul 6, 2018

runcom requested a review from tonistiigi July 6, 2018 09:54

n4ss approved these changes Jul 6, 2018

View reviewed changes

thaJeztah added area/runtime status/2-code-review area/security and removed status/0-triage labels Jul 6, 2018

This was referenced Jul 6, 2018

[18.06] Add /proc/acpi to masked paths docker-archive/engine#14

Merged

[18.03] Add /proc/acpi to masked paths docker-archive/docker-ce#535

Closed

cpuguy83 added the rebuild/janky label Jul 6, 2018

GordonTheTurtle removed the rebuild/janky label Jul 6, 2018

cpuguy83 approved these changes Jul 6, 2018

View reviewed changes

thaJeztah mentioned this pull request Jul 6, 2018

Flaky test: TestAPISwarmServicesFailedUpdate #37408

Open

andrewhsu approved these changes Jul 6, 2018

View reviewed changes

thaJeztah approved these changes Jul 6, 2018

View reviewed changes

thaJeztah added status/4-merge impact/changelog and removed status/2-code-review labels Jul 6, 2018

thaJeztah merged commit 86a41e4 into moby:master Jul 6, 2018

runcom deleted the no-acpi branch July 6, 2018 22:13

moby locked and limited conversation to collaborators Jul 7, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add /proc/acpi to masked paths #37404

Add /proc/acpi to masked paths #37404

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Add /proc/acpi to masked paths #37404

Add /proc/acpi to masked paths #37404

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Additional Information on CVE-2018-10892

Uh oh!

Uh oh!

Uh oh!