This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host unless the
sysctl `kernel.dmesg_restrict = 1` is set, which is not the default on
the majority of distributions. Blocking this to restrict leaks about
the host configuration seems correct.
Fix #37897
See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
| ... | ... |
@@ -329,7 +329,6 @@ |
| 329 | 329 |
"sync_file_range", |
| 330 | 330 |
"syncfs", |
| 331 | 331 |
"sysinfo", |
| 332 |
- "syslog", |
|
| 333 | 332 |
"tee", |
| 334 | 333 |
"tgkill", |
| 335 | 334 |
"time", |
| ... | ... |
@@ -561,6 +560,7 @@ |
| 561 | 561 |
"setdomainname", |
| 562 | 562 |
"sethostname", |
| 563 | 563 |
"setns", |
| 564 |
+ "syslog", |
|
| 564 | 565 |
"umount", |
| 565 | 566 |
"umount2", |
| 566 | 567 |
"unshare" |
| ... | ... |
@@ -762,6 +762,20 @@ |
| 762 | 762 |
] |
| 763 | 763 |
}, |
| 764 | 764 |
"excludes": {}
|
| 765 |
+ }, |
|
| 766 |
+ {
|
|
| 767 |
+ "names": [ |
|
| 768 |
+ "syslog" |
|
| 769 |
+ ], |
|
| 770 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 771 |
+ "args": [], |
|
| 772 |
+ "comment": "", |
|
| 773 |
+ "includes": {
|
|
| 774 |
+ "caps": [ |
|
| 775 |
+ "CAP_SYSLOG" |
|
| 776 |
+ ] |
|
| 777 |
+ }, |
|
| 778 |
+ "excludes": {}
|
|
| 765 | 779 |
} |
| 766 | 780 |
] |
| 767 | 781 |
} |
| 768 | 782 |
\ No newline at end of file |
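Review bot: The added rule ships with `"comment": ""`, so a reader of the profile has no indication why `syslog` was moved from the unconditional allowlist to a CAP_SYSLOG-gated entry; the rationale lives only in the commit message. Filling the field keeps it with the shipped profile, e.g. `"comment": "syslog(2) backs dmesg; reading host kernel messages should require CAP_SYSLOG"`. If a test compares this JSON against DefaultProfile(), the Go rule's Comment field would need the same string.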
| ... | ... |
@@ -322,7 +322,6 @@ func DefaultProfile() *types.Seccomp {
|
| 322 | 322 |
"sync_file_range", |
| 323 | 323 |
"syncfs", |
| 324 | 324 |
"sysinfo", |
| 325 |
- "syslog", |
|
| 326 | 325 |
"tee", |
| 327 | 326 |
"tgkill", |
| 328 | 327 |
"time", |
| ... | ... |
@@ -492,6 +491,7 @@ func DefaultProfile() *types.Seccomp {
|
| 492 | 492 |
"setdomainname", |
| 493 | 493 |
"sethostname", |
| 494 | 494 |
"setns", |
| 495 |
+ "syslog", |
|
| 495 | 496 |
"umount", |
| 496 | 497 |
"umount2", |
| 497 | 498 |
"unshare", |
| ... | ... |
@@ -642,6 +642,16 @@ func DefaultProfile() *types.Seccomp {
|
| 642 | 642 |
Caps: []string{"CAP_SYS_NICE"},
|
| 643 | 643 |
}, |
| 644 | 644 |
}, |
| 645 |
+ {
|
|
| 646 |
+ Names: []string{
|
|
| 647 |
+ "syslog", |
|
| 648 |
+ }, |
|
| 649 |
+ Action: types.ActAllow, |
|
| 650 |
+ Args: []*types.Arg{},
|
|
| 651 |
+ Includes: types.Filter{
|
|
| 652 |
+ Caps: []string{"CAP_SYSLOG"},
|
|
| 653 |
+ }, |
|
| 654 |
+ }, |
|
| 645 | 655 |
} |
| 646 | 656 |
|
| 647 | 657 |
return &types.Seccomp{
|
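Review bot: The new CAP_SYSLOG rule is undocumented — nothing in the hunk says why `syslog` left the unconditional allowlist, and unlike the neighbouring CAP_SYS_NICE entry there is no hint that this is a host-information-leak control. A one-line comment above the `Names` entry would carry the rationale into the file: `// syslog(2) backs dmesg and exposes host kernel messages; require CAP_SYSLOG instead of relying on kernel.dmesg_restrict, which most hosts leave at 0.` It is also worth stating there, if confirmed against kernel/printk, that the kernel accepts CAP_SYS_ADMIN as a legacy fallback for syslog(2), so this rule is stricter than the kernel's own check for a container holding CAP_SYS_ADMIN but not CAP_SYSLOG — that container will hit the profile's default action rather than read the buffer, which looks intended but should be explicit. DefaultProfile continues outside the hunk.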