Try using chattr to mark docker-runc as immutable

[justinsb]

May be a workaround for CVE-2019-5736, is defense in depth in any case.

[ghost]

Does this actually fix the problem? Root within the container can't simply remove the attribute?

[miguelbernadi]

Definitely not a fix, but at least would prevent an accidental overwrite.

[justinsb]

So I'm trying to get more details, but it might actually be a fix... https://seclists.org/oss-sec/2019/q1/134 says "Yes that mitigation would also work.". And the commenter there is the person that wrote the patch, so I treat that as highly credible.

[miguelbernadi]

@justinsb I stand corrected. The difference in opinion is that chattr +i is not a fix in general, but in the specific case of Docker due to it already removing by default the capability to work around the IMMUTABLE flag. Mind that an administrator can disable that limitation if they so desire, or if they have a process that requires that capabiity and those systems would still be vulnerable. (This is also per Aleksa Sarai's message).

[justinsb]

Absolutely agreed @miguelbernadi - I'm thinking though that this might be the best fix for us to ship by default for k8s <= 1.11, as I would expect it covers all non-privileged pods, and it seems minimally invasive. But we can also document how to change the docker version or add the hook for people that want to cover their bases. I'm suggesting that in #6522

[mikesplain]

This looks great. Agreed that chattr is probably the right fix for K8s <= 1.11. Thanks @justinsb!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb, mikesplain

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb,mikesplain]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment