docker: CVE-2018-10892

* CVE-2018-10892 Docker does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling Bluetooth or turning up/down keyboard brightness. Affects < 18.03.01 CVE: CVE-2018-10892 Ref: https://access.redhat.com/security/cve/cve-2018-10892 Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Sinan Kaya <okaya@kernel.org> 2018-10-10 04:18:24 +0000
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2018-10-11 14:10:45 -0400
commit: 4583c6331737c072fe23b77f2453bcce3d25f81e (patch)
tree: 329b748a29d28c25ed62f9dbb508f6da1377d9a7
parent: dd32e94c88550d7629aa696acb565c1597954603 (diff)
download: meta-virtualization-4583c6331737c072fe23b77f2453bcce3d25f81e.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
index e055a4f6..7c7bd4c0 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -30,6 +30,8 @@ SRC_URI = "\
        file://0001-libnetwork-use-GO-instead-of-go.patch \
        "
+SRC_URI_append_docker += "CVE-2018-10892.patch"
 # Apache-2.0 for docker
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch b/recipes-containers/docker/files/CVE-2018-10892.patch
new file mode 100644
index 00000000..60d04962
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2018-10892.patch
@@ -0,0 +1,34 @@
+From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom@redhat.com>
+Date: Thu, 5 Jul 2018 17:06:08 +0200
+Subject: [PATCH] Add /proc/acpi to masked paths
+The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
+from 1.11 to current upstream master does not block /proc/acpi pathnames
+allowing attackers to modify host's hardware like enabling/disabling
+bluetooth or turning up/down keyboard brightness. SELinux prevents all
+of this if enabled.
+Signed-off-by: Antonio Murdaca <runcom@redhat.com>
+CVE: CVE-2018-10892
+Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
+Signed-off-by: Sinan Kaya<okaya@kernel.org>
+---
+ oci/defaults.go | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/oci/defaults.go b/oci/defaults.go
+index 4145412dd..992157b0f 100644
+--- a/oci/defaults.go
+++ b/oci/defaults.go
+@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
+ 
+        s.Linux = &specs.Linux{
+                MaskedPaths: []string{
+                       "/proc/acpi",
+                        "/proc/kcore",
+                        "/proc/keys",
+                        "/proc/latency_stats",
+-- 
+2.19.0
author	Sinan Kaya <okaya@kernel.org>	2018-10-10 04:18:24 +0000
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2018-10-11 14:10:45 -0400
commit	4583c6331737c072fe23b77f2453bcce3d25f81e (patch)
tree	329b748a29d28c25ed62f9dbb508f6da1377d9a7
parent	dd32e94c88550d7629aa696acb565c1597954603 (diff)
download	meta-virtualization-4583c6331737c072fe23b77f2453bcce3d25f81e.tar.gz

diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb index e055a4f6..7c7bd4c0 100644 --- a/recipes-containers/docker/docker_git.bb +++ b/recipes-containers/docker/docker_git.bb
@@ -30,6 +30,8 @@ SRC_URI = "\
30	file://0001-libnetwork-use-GO-instead-of-go.patch \	30	file://0001-libnetwork-use-GO-instead-of-go.patch \
31	"	31	"
32		32
		33	SRC_URI_append_docker += "CVE-2018-10892.patch"
		34
33	# Apache-2.0 for docker	35	# Apache-2.0 for docker
34	LICENSE = "Apache-2.0"	36	LICENSE = "Apache-2.0"
35	LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"	37	LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"


diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch b/recipes-containers/docker/files/CVE-2018-10892.patch new file mode 100644 index 00000000..60d04962 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2018-10892.patch
@@ -0,0 +1,34 @@
		1	From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
		2	From: Antonio Murdaca <runcom@redhat.com>
		3	Date: Thu, 5 Jul 2018 17:06:08 +0200
		4	Subject: [PATCH] Add /proc/acpi to masked paths
		5
		6	The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
		7	from 1.11 to current upstream master does not block /proc/acpi pathnames
		8	allowing attackers to modify host's hardware like enabling/disabling
		9	bluetooth or turning up/down keyboard brightness. SELinux prevents all
		10	of this if enabled.
		11
		12	Signed-off-by: Antonio Murdaca <runcom@redhat.com>
		13	CVE: CVE-2018-10892
		14	Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
		15	Signed-off-by: Sinan Kaya<okaya@kernel.org>
		16	---
		17	oci/defaults.go \| 1 +
		18	1 file changed, 1 insertion(+)
		19
		20	diff --git a/oci/defaults.go b/oci/defaults.go
		21	index 4145412dd..992157b0f 100644
		22	--- a/oci/defaults.go
		23	+++ b/oci/defaults.go
		24	@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
		25
		26	s.Linux = &specs.Linux{
		27	MaskedPaths: []string{
		28	+ "/proc/acpi",
		29	"/proc/kcore",
		30	"/proc/keys",
		31	"/proc/latency_stats",
		32	--
		33	2.19.0
		34