Bug 1094198 - docker-io-0.10 access to /sys
Summary: docker-io-0.10 access to /sys
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-05 09:39 UTC by Lukáš Doktor
Modified: 2014-07-01 23:00 UTC
CC List: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-19 17:48:42 UTC
Type: Bug
Embargoed:



Description Lukáš Doktor 2014-05-05 09:39:00 UTC
Description of problem:
This bugzilla maps the https://bugzilla.redhat.com/show_bug.cgi?id=1094188 issue on newer docker-io-0.10 on real hardware.

Docker gives access to host /sys. This is expected, as some apps require /sys, and one would expect it to be protected (in --privileged=False). Well, is it?

This time I tried `echo mem > /sys/power/state`, which (unlike on older docker) succeeded and suspended the whole laptop. I guess a containerized machine is not required to be able to do this?

Additionally I tried modifying the CPU frequency:
echo 1200000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

passes (which is IMO improper behavior)

Last but not least I tried `poweroff -f`, but "sadly" it just stopped the container without powering off the host machine.

Version-Release number of selected component (if applicable):
docker-io-0.10.0-2.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Play with /sys

Actual results:
container is able to interact/suspend/modify the underlying host machine.

Expected results:
docker should prevent these operations.

Comment 1 Lukáš Doktor 2014-05-09 15:07:01 UTC
Hello guys, the RHEL version of docker mounts /sys as read-only, which fixes the problem of interacting with the underlying machine. The question is whether an attacker could abuse some /sys information for a potential attack. Anyway, that's not the purpose of this bugzilla.

Comment 2 Daniel Walsh 2014-05-19 17:48:42 UTC
docker-io-0.11.1-2.fc20 mounts /sys as read-only.
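The fix described in Comments 1 and 2 is that the container runtime mounts /sys read-only. The following shell script is an added example, not part of the bug report or of the docker-io package: it verifies that property from inside a container by parsing a mountinfo file (by default /proc/self/mountinfo, where field 5 is the mount point and field 6 holds the per-mount options such as ro or rw). The sample mountinfo contents are constructed to mimic the writable /sys of docker-io-0.10 and the read-only /sys after the fix; they were not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether /sys in the current
# mount namespace is mounted read-only. Parses a mountinfo file; field 5 is
# the mount point, field 6 the per-mount options (this is where "ro" or "rw"
# appears, as opposed to the filesystem's own super options at the end).
# Prints ro / rw / not-mounted and returns 0 / 1 / 2 respectively.

sys_mount_mode() {
    mountinfo=${1:-/proc/self/mountinfo}
    mode=$(awk '$5 == "/sys" {
                    n = split($6, opts, ",")
                    m = "rw"
                    for (i = 1; i <= n; i++) if (opts[i] == "ro") m = "ro"
                    print m
                    exit
                }' "$mountinfo")
    case "$mode" in
        ro) echo ro; return 0 ;;
        rw) echo rw; return 1 ;;
        *)  echo not-mounted; return 2 ;;
    esac
}

# Constructed sample mountinfo files (not captured from a real host).
# SAMPLE_RW mimics docker-io-0.10 (writable /sys), SAMPLE_RO the fixed
# behaviour (read-only /sys), SAMPLE_NONE a namespace without /sys at all.
SAMPLE_RW=$(mktemp)
cat > "$SAMPLE_RW" <<'EOF'
18 17 0:18 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
19 17 0:19 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
EOF

SAMPLE_RO=$(mktemp)
cat > "$SAMPLE_RO" <<'EOF'
18 17 0:18 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
19 17 0:19 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
EOF

SAMPLE_NONE=$(mktemp)
cat > "$SAMPLE_NONE" <<'EOF'
18 17 0:18 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF

# Report the constructed samples.
for f in "$SAMPLE_RW" "$SAMPLE_RO" "$SAMPLE_NONE"; do
    printf '%s: /sys is %s\n' "$f" "$(sys_mount_mode "$f")"
done

# Live check of the current mount namespace, when mountinfo is readable.
if [ -r /proc/self/mountinfo ]; then
    printf 'this namespace: /sys is %s\n' "$(sys_mount_mode)"
fi
```

Run it inside a container (for example as the entrypoint of a health-check image) and treat anything other than "ro" as a failed check. Note that the script matches the /sys mount point exactly: filesystems mounted below it, such as cgroup mounts under /sys/fs, are separate mountinfo entries with their own options and are not covered by this check.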