Document kernel keyrings are not namespaced in security article #10939

Open
ewindisch opened this Issue Feb 22, 2015 · 4 comments

ewindisch (Contributor) commented Feb 22, 2015

Kernel keyrings are not namespaced and thus not secure on hosts running Docker. This should be made clear and explicit in the security article.

Machines running full disk encryption and Docker may be vulnerable to attacks on the system keyring.

NathanMcCauley (Contributor) commented Apr 2, 2016

This is mitigated by the default seccomp policy.

thaJeztah (Member) commented Apr 2, 2016

@NathanMcCauley we don't have seccomp support on all distros/versions (due to libseccomp being too old on those), do you think we should still document it?
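The mitigation NathanMcCauley points to, and the caveat thaJeztah raises about hosts where seccomp is not available, can both be checked mechanically. The script below is an added example for this thread, not Docker's own code and not something the participants posted. It assumes the JSON shape of Docker's seccomp profiles ("defaultAction" plus a "syscalls" list of rules carrying "names" or "name" and an "action"), uses two constructed sample profiles, and treats an absent profile as the unconfined case (no libseccomp support, or seccomp explicitly disabled).

```python
"""Audit a Docker seccomp profile for kernel-keyring syscall exposure.

Added example for this thread, not Docker's own code. It assumes the JSON
shape of Docker's seccomp profiles ("defaultAction" plus a "syscalls" list of
rules with "names"/"name" and "action") and treats an absent profile as the
unconfined case (no libseccomp support on the host, or seccomp=unconfined).
"""
import json
from typing import List, Optional

# Syscalls through which a process reaches the kernel keyrings. Because the
# keyrings are not namespaced, letting these through gives a container a
# path to the host's keys.
KEYRING_SYSCALLS = ("add_key", "request_key", "keyctl")

# Actions that let the syscall proceed (LOG/TRACE/NOTIFY record it but do not
# stop it), so for exposure purposes they count as "allowed".
PERMISSIVE_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG",
                      "SCMP_ACT_TRACE", "SCMP_ACT_NOTIFY"}

# Constructed sample in the shape of Docker's default profile: everything not
# listed is rejected with an errno, and the keyring syscalls are not listed.
RESTRICTIVE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
})

# Constructed sample of a hand-written profile that allows by default and only
# blocks one unrelated syscall; the keyring syscalls fall through to ALLOW.
PERMISSIVE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {"names": ["reboot"], "action": "SCMP_ACT_ERRNO"},
    ],
})


def syscall_action(profile: dict, syscall: str) -> str:
    """Return the action the profile applies to `syscall`.

    The first rule naming the syscall wins, otherwise defaultAction applies
    (an assumption that holds for profiles without overlapping rules).
    Rules carrying "args", "includes" or "excludes" filters are treated as if
    they always matched: that over-reports rather than under-reports exposure.
    """
    for rule in profile.get("syscalls", []):
        names = rule.get("names")
        if names is None:
            names = [rule["name"]] if "name" in rule else []
        if syscall in names:
            return rule.get("action", profile["defaultAction"])
    return profile["defaultAction"]


def exposed_keyring_syscalls(profile_json: Optional[str]) -> List[str]:
    """List the keyring syscalls a container under this profile could invoke.

    None means no seccomp filter is applied at all, the situation thaJeztah
    describes for distros with an old libseccomp: every keyring syscall is
    then reachable regardless of what the default profile would say.
    """
    if profile_json is None:
        return list(KEYRING_SYSCALLS)
    profile = json.loads(profile_json)
    return [s for s in KEYRING_SYSCALLS
            if syscall_action(profile, s) in PERMISSIVE_ACTIONS]


if __name__ == "__main__":
    for label, prof in (("default-style", RESTRICTIVE_PROFILE),
                        ("permissive", PERMISSIVE_PROFILE),
                        ("no seccomp", None)):
        exposed = exposed_keyring_syscalls(prof)
        verdict = "OK" if not exposed else "exposes " + ", ".join(exposed)
        print(f"{label}: {verdict}")
```

Run it against a real profile with `exposed_keyring_syscalls(open(path).read())`; an empty list means the profile denies all three keyring syscalls, which is the property the thread relies on. The `None` branch is the point thaJeztah makes: documenting the seccomp mitigation is only accurate if it also says what happens on hosts where that filter is never installed.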

ewindisch (Contributor) commented Apr 3, 2016

What Docker does to secure containers, what it does not do, and when it may not do these things should be documented.

On Apr 2, 2016 2:51 PM, "Sebastiaan van Stijn" notifications@github.com wrote:

@NathanMcCauley https://github.com/NathanMcCauley we don't have seccomp support on all distros/versions (due to libseccomp being too old on those), do you think we should still document it?


@LK4D4 LK4D4 added the area/security label Nov 28, 2016

LK4D4 (Contributor) commented Nov 28, 2016

@thaJeztah I think it's still a valid issue.
Here is a more detailed description of the problem: http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/
This must be in our docs.

@LK4D4 LK4D4 added the priority/P2 label Nov 28, 2016
