Bug 1094188 - Docker access to /sys
Summary: Docker access to /sys
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-05-05 09:20 UTC by Lukáš Doktor
Modified: 2014-07-01 23:00 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-19 17:47:43 UTC
Type: Bug
Embargoed:



Description Lukáš Doktor 2014-05-05 09:20:12 UTC
Description of problem:
Docker gives access to the host /sys. This is expected, as some apps require /sys, and one would expect it to be protected (in --privileged=False). Well, is it?

After a first round directly on HW (resulting in crashed X and loss of all work) I switched to a qemu VM:

My first game was echo disk > /sys/power/state. It fails with:
sh: write error: Operation not permitted

Then I tried the same in a while loop:
...
PM: Cannot find swap device, try swapon -a
PM: Cannot get swap writer
PM: Cannot find swap device, try swapon -a
PM: Cannot get swap writer
PM: Cannot find swap device, try swapon -a
PM: Cannot get swap writer
...
Which significantly slowed the VM's response. When I tried the same and connected using ssh, it was almost unusable, and after a couple of seconds it hung the whole VM (ctrl+alt+delete not working).

Version-Release number of selected component (if applicable):
qemu machine running F19:
docker-io-0.9.1-1.fc19.x86_64
kernel-3.12.8-200

How reproducible:
Always

Steps to Reproduce:
1. Just play with /sys

Actual results:
Most stuff works even in non-privileged mode

Expected results:
Docker should prevent hazardous interaction with the machine (suspend, cpu settings, ...)

Additional info:
docker-io-0.10 behaves even more weirdly; I'll file a separate bugzilla for it.

Comment 1 Daniel Walsh 2014-05-19 17:47:43 UTC
/sys is mounted read-only in docker-io-0.11.1-1.fc19
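Added example (not part of this bug report or of the docker-io package): a POSIX shell check that answers the question raised in the description, whether the /sys a container sees is read-only, by parsing /proc/self/mountinfo rather than writing into sysfs, since a write probe like the reporter's is exactly what hung the VM. The field layout is the one documented in proc(5); the check reads the per-mount options (field 6) rather than the superblock options at the end of the line, because a read-only bind of sysfs shows "ro" only in the former while the host superblock stays "rw". The three sample mountinfo files are constructed for the example and are not captured from any system mentioned here. The check covers only the /sys mount point itself; sub-mounts such as /sys/fs/cgroup are separate mountinfo entries with their own options and would need their own line.

```shell
#!/bin/sh
# Check whether the /sys mount seen by a process is read-only, by parsing a
# mountinfo file (default: /proc/self/mountinfo).
# Fields per proc(5): 1 mount ID, 2 parent ID, 3 major:minor, 4 root,
# 5 mount point, 6 per-mount options, optional fields, "-", fstype, source,
# superblock options.
# Exit status: 0 = /sys is read-only, 1 = /sys is writable, 2 = no /sys mount.
sysfs_is_ro() {
    file="${1:-/proc/self/mountinfo}"
    awk '
        $5 == "/sys" {
            # The last /sys entry wins: a later mount on the same point hides
            # earlier ones, so re-evaluate the flags on every match.
            found = 1; ro = 0
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END {
            if (!found) exit 2
            exit ro ? 0 : 1
        }
    ' "$file"
}

# Print a one-line verdict for a mountinfo file without failing the script.
report() {
    rc=0
    sysfs_is_ro "$1" || rc=$?
    case $rc in
        0) echo "$1: /sys is read-only (writes fail with EROFS)" ;;
        1) echo "$1: /sys is WRITABLE (host sysfs exposed to the container)" ;;
        2) echo "$1: no /sys mount found" ;;
    esac
}

# Constructed sample mountinfo contents (hypothetical, not captured from a real
# host). RW_SAMPLE mirrors the writable layout the report describes; RO_SAMPLE
# shows a read-only bind of sysfs: "ro" in field 6, superblock still "rw".
RW_SAMPLE=$(mktemp); RO_SAMPLE=$(mktemp); NONE_SAMPLE=$(mktemp)
trap 'rm -f "$RW_SAMPLE" "$RO_SAMPLE" "$NONE_SAMPLE"' EXIT
cat > "$RW_SAMPLE" <<'EOF'
30 1 0:30 / / rw,relatime - aufs none rw
31 30 0:31 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
32 30 0:29 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
33 32 0:21 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
EOF
cat > "$RO_SAMPLE" <<'EOF'
30 1 0:30 / / rw,relatime - aufs none rw
31 30 0:31 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
32 30 0:29 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
33 32 0:21 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
EOF
cat > "$NONE_SAMPLE" <<'EOF'
30 1 0:30 / / rw,relatime - aufs none rw
31 30 0:31 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF

report "$RW_SAMPLE"
report "$RO_SAMPLE"
report "$NONE_SAMPLE"
# Finally check the mount namespace this script itself runs in, when available.
if [ -r /proc/self/mountinfo ]; then
    report /proc/self/mountinfo
fi
```

Run it inside a container started without --privileged; a "WRITABLE" verdict for /proc/self/mountinfo means the container can reach host sysfs knobs such as /sys/power/state as in the description above.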

