Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_…
…SYSLOG This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct. Relates to moby/moby#37897 "docker exposes dmesg to containers by default" See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 267a0cf) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Loading branch information