The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify the host's hardware, like enabling/disabling Bluetooth or turning keyboard brightness up/down.
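A check a practitioner can run against the config.json a runtime generates for a container, added here as an example and not code from this bug, from Moby or from Red Hat: it parses linux.maskedPaths and linux.readonlyPaths and reports which sensitive /proc and /sys paths a process in the container could still write to. Both sample configs are constructed for the example (the pre-fix one is modelled on a default spec that lacks /proc/acpi, not copied from the repository), and the list of required paths is this example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ociConfig is the minimal slice of an OCI runtime config.json that the
// audit needs: the paths the runtime masks (bind-mounts /dev/null or an
// empty tmpfs over) and the paths it remounts read-only.
type ociConfig struct {
	Linux struct {
		MaskedPaths   []string `json:"maskedPaths"`
		ReadonlyPaths []string `json:"readonlyPaths"`
	} `json:"linux"`
}

// IsCovered reports whether target is equal to, or lies beneath, any entry
// in paths. Masking a directory hides everything under it, so a mask on
// /proc/acpi also covers /proc/acpi/wakeup; /proc/acpid is a sibling, not a child.
func IsCovered(target string, paths []string) bool {
	target = path.Clean(target)
	for _, p := range paths {
		p = path.Clean(p)
		if target == p || strings.HasPrefix(target, p+"/") {
			return true
		}
	}
	return false
}

// AuditConfig parses config.json and returns the entries of required that
// are neither masked nor read-only, i.e. writable from inside the container.
// A read-only remount still leaks the contents, so masking is the stronger
// option, but either one blocks the hardware-control writes at issue here.
func AuditConfig(configJSON []byte, required []string) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	exposed := []string{}
	for _, want := range required {
		if !IsCovered(want, cfg.Linux.MaskedPaths) && !IsCovered(want, cfg.Linux.ReadonlyPaths) {
			exposed = append(exposed, want)
		}
	}
	return exposed, nil
}

// RequiredMasked is this example's list of kernel interfaces the audit
// insists on; /proc/acpi is the one this bug is about.
var RequiredMasked = []string{"/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/sched_debug", "/sys/firmware"}

// PreFixConfig is a constructed sample modelled on a default spec from
// before the fix: the usual /proc masks are present, /proc/acpi is not.
const PreFixConfig = `{
  "ociVersion": "1.0.1",
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/latency_stats",
                    "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug",
                    "/proc/scsi", "/sys/firmware"],
    "readonlyPaths": ["/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq",
                      "/proc/sys", "/proc/sysrq-trigger"]
  }
}`

// FixedConfig is the same constructed sample with /proc/acpi added to
// maskedPaths, which is the shape of the upstream fix.
const FixedConfig = `{
  "ociVersion": "1.0.1",
  "linux": {
    "maskedPaths": ["/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats",
                    "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug",
                    "/proc/scsi", "/sys/firmware"],
    "readonlyPaths": ["/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq",
                      "/proc/sys", "/proc/sysrq-trigger"]
  }
}`

func main() {
	samples := []struct{ name, cfg string }{{"pre-fix", PreFixConfig}, {"fixed", FixedConfig}}
	for _, s := range samples {
		exposed, err := AuditConfig([]byte(s.cfg), RequiredMasked)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		if len(exposed) == 0 {
			fmt.Printf("%s: all required paths masked or read-only\n", s.name)
		} else {
			fmt.Printf("%s: writable from the container: %v\n", s.name, exposed)
		}
	}
}
```

To use it on a real system, feed AuditConfig the config.json your runtime wrote for a running container, or the one `runc spec` generates, instead of the constructed samples; the verdict for "pre-fix" above is exactly what an unpatched default spec produces, with /proc/acpi as the only exposed entry.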
Created docker tracking bugs for this issue:
Affects: epel-6 [bug 1598585]
Affects: fedora-all [bug 1598583]

Created docker-latest tracking bugs for this issue:
Affects: fedora-all [bug 1598582]
I already have a fix for upstream and downstream docker.
Acknowledgments: Name: Antonio Murdaca (Red Hat)
Upstream fix is here https://github.com/moby/moby/pull/37404
Our projectatomic/docker downstream fork has been fixed as well.
The tracking and other problems surrounding this issue are entirely my fault. I thought of this more as an OCI/compliance issue and directly went against Red Hat policy on upstream disclosure. It was my *wrong* call. If there are any remaining loose ends from that fallout, please let me know. I think we are tracking correctly now (special thanks to everyone who got cri-o marked affected especially). Like I said: if anything else has fallen between the cracks, let me know so I can get some grout. _Trevor
Created cri-o tracking bugs for this issue:
Affects: fedora-all [bug 1599131]

Created podman tracking bugs for this issue:
Affects: fedora-all [bug 1599130]
Created cri-o tracking bugs for this issue:
Affects: fedora-all [bug 1599135]

Created podman tracking bugs for this issue:
Affects: fedora-all [bug 1599134]
Is it too late to fix a typo? Should be "default"
(In reply to Ed Santiago from comment #17)
> Is it too late to fix a typo? Should be "default"

Nope, thanks for pointing it out. Maxim, typo fixed in the Doc Text 'cause' field.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2018:2482 https://access.redhat.com/errata/RHSA-2018:2482