[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG #64

thaJeztah · 2018-10-02T18:34:57Z

backport of moby#37929 for 18.09

git checkout -b 18.09_backport_syslog ce-engine/18.09
git cherry-pick -s -S -x ccd22ffcc8b564dfc21e7067b5248819d68c56c6
git push -u origin

cherry-pick was clean

This call is what is used to implement dmesg to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl kernel.dmesg_restrict = 1 is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Fix moby#37897

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Justin Cormack justin.cormack@docker.com
(cherry picked from commit ccd22ff)
Signed-off-by: Sebastiaan van Stijn github@gone.nl

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct. Fix moby#37897 See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html Signed-off-by: Justin Cormack <justin.cormack@docker.com> (cherry picked from commit ccd22ff) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

andrewhsu

LGTM

thaJeztah added this to the 18.09.0 milestone Oct 2, 2018

thaJeztah changed the title ~~[18.09] bacport move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG~~ [18.09] backport move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG Oct 2, 2018

justincormack approved these changes Oct 2, 2018

View reviewed changes

thaJeztah changed the title ~~[18.09] backport move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG~~ [18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG Oct 17, 2018

andrewhsu approved these changes Oct 22, 2018

View reviewed changes

andrewhsu merged commit 6f1145e into docker-archive:18.09 Oct 22, 2018

thaJeztah deleted the 18.09_backport_syslog branch October 22, 2018 17:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG #64

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG #64

thaJeztah commented Oct 2, 2018

andrewhsu left a comment

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG #64

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG #64

Conversation

thaJeztah commented Oct 2, 2018

andrewhsu left a comment

Choose a reason for hiding this comment