docker exposes dmesg to containers by default #37897
Docker exposes the dmesg kernel log to containers by default, unless the host distribution prevents non-root from accessing dmesg. This is a potential security risk and leaks host state into the container; the dmesg log can contain things like kernel register dumps, which can aid in exploiting the kernel, and metadata about other processes running on the system. Therefore, I believe that docker should not allow containers to access dmesg, even if the distribution permits it for unprivileged userspace processes.
I am filing a public bug, rather than sending a private security report, because I believe that this counts as a security hardening suggestion, not a security bug.
Additional environment details (AWS, VirtualBox, physical, etc.):
Running in a KVM guest.
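One way to check whether the exposure described above applies on a given host, and from inside a given container, is to compare the host's dmesg restriction with the container's effective capabilities. This is an example added here, not code from the issue or from Docker; it assumes a Linux host with the `kernel.dmesg_restrict` sysctl and the `CapEff` line in `/proc/self/status`, and the capability masks used in the comments are sample values.

```shell
#!/bin/sh
# Added example: audit whether a process (e.g. a container's init) can read
# the host kernel log. File paths are parameters so the logic can also be run
# against captured copies of /proc files.

# With kernel.dmesg_restrict=1 the kernel requires CAP_SYSLOG (or the broader
# CAP_SYS_ADMIN) for syslog(2)/dmesg. Docker's default capability set grants
# neither, so the host setting alone decides whether containers see dmesg.
CAP_SYSLOG=34
CAP_SYS_ADMIN=21

# Print "restricted", "exposed" or "unknown" from a dmesg_restrict sysctl file.
dmesg_restrict_state() {
    file=${1:-/proc/sys/kernel/dmesg_restrict}
    [ -r "$file" ] || { echo unknown; return 0; }
    case $(cat "$file") in
        1) echo restricted ;;
        0) echo exposed ;;
        *) echo unknown ;;
    esac
}

# True if capability number $2 is set in the hex mask $1 (format of CapEff:).
cap_in_mask() {
    mask=$1; bit=$2
    [ -n "$mask" ] || return 1
    [ "$(( 0x$mask >> bit & 1 ))" -eq 1 ]
}

# Effective capability mask of a process, from its /proc/<pid>/status.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# "blocked" only when the host restricts dmesg AND the process holds neither
# bypass capability; anything else means the kernel log is readable.
dmesg_exposure() {
    state=$(dmesg_restrict_state "$1"); mask=$2
    if [ "$state" = restricted ] && ! cap_in_mask "$mask" "$CAP_SYSLOG" \
        && ! cap_in_mask "$mask" "$CAP_SYS_ADMIN"; then
        echo blocked
    else
        echo exposed
    fi
}

# Host-side remediation (root): persist kernel.dmesg_restrict=1, e.g. in
# /etc/sysctl.d/60-dmesg-restrict.conf, then run `sysctl --system`.
if [ -r /proc/self/status ]; then
    echo "host dmesg_restrict: $(dmesg_restrict_state)"
    echo "this process: $(dmesg_exposure /proc/sys/kernel/dmesg_restrict "$(effective_caps)")"
fi
```

Run it inside an unprivileged container: "exposed" while the host has `kernel.dmesg_restrict=0` reproduces the issue, and flipping the sysctl to 1 on the host should turn it into "blocked" without any change to the container.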
Hmm, ok so I tested this on Docker for Mac, and I get