Bug 1094198

Summary: docker-io-0.10 access to /sys
Product: [Fedora] Fedora
Reporter: Lukáš Doktor <ldoktor>
Component: docker-io
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 20
CC: admiller, deb2, dwalsh, golang-updates, jkeck, lsm5, mattdm, mgoldman, s, vbatts
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-19 17:48:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lukáš Doktor 2014-05-05 09:39:00 UTC
Description of problem:
This bugzilla maps the https://bugzilla.redhat.com/show_bug.cgi?id=1094188 issue on newer docker-io-0.10 on real hardware.

Docker gives access to host /sys. This is expected as some apps require /sys and one would expect it's protected (in --privileged=False). Well, is it?

This time I tried `echo mem > /sys/power/state` which (unlike on older docker) succeeded and suspended the whole laptop. I guess a containerized machine is not required to be able to do this?

Additionally I tried modifying the CPU frequency:
echo 1200000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

passes (which is IMO improper behavior)

Last but not least I tried `poweroff -f`, but "sadly" it just stopped the container without powering off the host machine.

Version-Release number of selected component (if applicable):
docker-io-0.10.0-2.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Play with /sys

Actual results:
container is able to interact/suspend/modify the underlying host machine.

Expected results:
docker should prevent these operations.

Comment 1 Lukáš Doktor 2014-05-09 15:07:01 UTC
Hello guys, the RHEL version of docker mounts /sys as read-only, which fixes the problem of interacting with the underlying machine. The question is whether an attacker could abuse some /sys information for a potential attack. Anyway, that's not the purpose of this bugzilla.

Comment 2 Daniel Walsh 2014-05-19 17:48:42 UTC
docker-io-0.11.1-2.fc20 mounts /sys as read-only.
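As an added defender-side check (not code from the bug report, the reporter, or the docker-io package), the script below reads a mount table in /proc/self/mounts format and reports whether the sysfs mount at /sys carries the ro option, which is the hardening comment 2 describes for docker-io-0.11.1-2.fc20. Run inside a container it audits that container's own view of /sys; the two sample mount tables are constructed for the example, and the path list in sysfs_writable_paths is just the two /sys files the description names, checked with test -w rather than written to.

```shell
#!/bin/sh
# Added example, not code from the bug report or from docker-io: audit whether
# sysfs is mounted read-only, the hardening comment 2 describes for 0.11.1.

# sysfs_mount_mode: read mount entries in /proc/self/mounts format from the
# file(s) given as arguments (or from stdin when none are given) and print
# "ro", "rw" or "absent" for the sysfs filesystem mounted at /sys.
sysfs_mount_mode() {
    awk '
        $2 == "/sys" && $3 == "sysfs" {
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print mode
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "$@"
}

# check_sysfs_ro: succeed (status 0) only when /sys is mounted read-only.
check_sysfs_ro() {
    [ "$(sysfs_mount_mode "$@")" = "ro" ]
}

# sysfs_writable_paths: list, among the /sys files named in the report, those
# the current process could open for writing (none on a read-only /sys; also
# none for an unprivileged user on a read-write /sys). Nothing is written.
sysfs_writable_paths() {
    for p in /sys/power/state \
             /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq; do
        [ -w "$p" ] && echo "$p"
    done
    return 0
}

# Constructed sample mount tables (not captured from the reporter's laptop):
# the first matches the read-write /sys of docker-io-0.10 described in the
# report, the second the read-only mount of docker-io-0.11.1.
CONSTRUCTED_RW_MOUNTS='rootfs / rootfs rw 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
CONSTRUCTED_RO_MOUNTS='rootfs / rootfs rw 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Demonstration on the constructed tables, then on the live mount table when
# one is readable (inside a container this reports the container's view).
printf 'constructed 0.10-style table: /sys is %s\n' \
    "$(printf '%s\n' "$CONSTRUCTED_RW_MOUNTS" | sysfs_mount_mode)"
printf 'constructed 0.11.1-style table: /sys is %s\n' \
    "$(printf '%s\n' "$CONSTRUCTED_RO_MOUNTS" | sysfs_mount_mode)"
if [ -r /proc/self/mounts ]; then
    printf 'live: /sys is %s\n' "$(sysfs_mount_mode /proc/self/mounts)"
    if check_sysfs_ro /proc/self/mounts; then
        echo "live: hardened, /sys is read-only"
    else
        echo "live: /sys is not read-only; writable paths from the report:"
        sysfs_writable_paths
    fi
fi
```

The check keys on the mount options of the sysfs entry rather than on the docker version, so it also catches a container started with an explicit read-write sysfs mount or with --privileged, where the package default no longer applies.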