Try using chattr to mark docker-runc as immutable #6506
Conversation
May be a workaround for CVE-2019-5736, is defense in depth in any case.
Does this actually fix the problem? Root within the container can't simply remove the attribute?
Definitely not a fix, but at least would prevent an accidental overwrite.
So I'm trying to get more details, but it might actually be a fix... https://seclists.org/oss-sec/2019/q1/134 says "Yes that mitigation would also work.". And the commenter there is the person that wrote the patch, so I treat that as highly credible.
@justinsb I stand corrected. The difference in opinion is that
Absolutely agreed @miguelbernadi - I'm thinking though that this might be the best fix for us to ship by default for k8s <= 1.11, as I would expect it covers all non-privileged pods, and it seems minimally invasive. But we can also document how to change the docker version or add the hook for people that want to cover their bases. I'm suggesting that in #6522
This looks great. Agreed that chattr is probably the right fix for K8s <= 1.11. Thanks @justinsb! /lgtm
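The mitigation discussed in this thread, as an added example that is not code from the kops PR: mark the runc binaries Docker executes as immutable with chattr +i, and verify the flag by parsing lsattr output so the check can run in a test without root. The candidate paths and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the kops PR: mark the runc binaries Docker
# execs as immutable (chattr +i) and verify the flag with lsattr.
# The candidate paths are assumptions; adjust them for your distribution.
RUNC_CANDIDATES="/usr/bin/docker-runc /usr/bin/runc /usr/local/bin/runc"

# Return 0 if one lsattr output line carries the immutable flag.
# lsattr prints the attribute field first, e.g.
#   "----i---------e---- /usr/bin/docker-runc"   (immutable)
#   "--------------e---- /usr/bin/runc"          (not immutable)
# Only lowercase 'i' means immutable; uppercase 'I' is the indexed-dir flag.
lsattr_line_is_immutable() {
    attrs=${1%% *}          # first whitespace-delimited field
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Given lsattr output (one line per file), print the paths that are NOT
# immutable, one per line. Empty output means every listed file is protected.
report_unprotected() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! lsattr_line_is_immutable "$line"; then
            printf '%s\n' "${line#* }"
        fi
    done
}

# Apply +i to every candidate that exists. Requires root (CAP_LINUX_IMMUTABLE)
# and an attribute-capable filesystem (ext4, xfs). Run `chattr -i` before
# upgrading Docker, or the package upgrade will fail to replace the binary.
harden_runc() {
    for bin in $RUNC_CANDIDATES; do
        if [ -f "$bin" ]; then chattr +i "$bin" || return 1; fi
    done
}

# Check the live system: return 1 and list the unprotected binaries, if any.
verify_runc_immutable() {
    existing=""
    for bin in $RUNC_CANDIDATES; do
        [ -f "$bin" ] && existing="$existing $bin"
    done
    [ -n "$existing" ] || { echo "no runc binary found" >&2; return 1; }
    missing=$(report_unprotected "$(lsattr $existing)")
    [ -z "$missing" ] || { printf 'not immutable:\n%s\n' "$missing" >&2; return 1; }
}
```

Source the file and call `harden_runc` as root to apply the flag, then `verify_runc_immutable` (from cron or a node health check) to detect it being cleared again; root in a privileged container holding CAP_LINUX_IMMUTABLE can still remove it, which is why the thread calls this defense in depth rather than a fix.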
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: justinsb, mikesplain.
Cherry pick of #6506 onto release-1.11
May be a workaround for CVE-2019-5736, is defense in depth in any case.