Google Git
Sign in
fuchsia / third_party / github.com / moby / moby / 5fffdb32261145b1178f571e25fbd71572769d58^! / .
commit5fffdb32261145b1178f571e25fbd71572769d58[log] [tgz]
authorJonathan A. Schweder <jonathanschweder@gmail.com>Thu Nov 29 22:03:22 2018 -0200
committerSebastiaan van Stijn <github@gone.nl>Fri Nov 30 14:57:51 2018 +0100
treea15693ceaa8e599ad32b381aea4b5b128a94af62
parente32fc16daa20c087eae4e7d4b16a79725a430108 [diff]
Masked /proc/asound

@sw-pschmied originally post this in #38285

While looking through the Moby source code was found /proc/asound to be
shared with containers as read-only (as defined in
https://github.com/moby/moby/blob/master/oci/defaults.go#L128).

This can lead to two information leaks.

---

**Leak of media playback status of the host**

Steps to reproduce the issue:

 - Listen to music/Play a YouTube video/Do anything else that involves
sound output
 - Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
/proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 |
grep RUNNING || echo 'not running'"
 - See that the containerized process is able to check whether someone
on the host is playing music as it prints RUNNING
 - Stop the music output
 - Execute the command again (The sleep is delaying the output because
information regarding playback status isn't propagated instantly)
 - See that it outputs not running

**Describe the results you received:**

A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.

The description above is in regard to media playback - when examining
`/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.

Signed-off-by: Jonathan A. Schweder <jonathanschweder@gmail.com>

(cherry picked from commit 64e52ff3dbdb31adc0a9930b3ea74b04b0df8d86)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

diff --git a/oci/defaults.go b/oci/defaults.go
index 992157b..8ba9240 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go

@@ -114,6 +114,7 @@
 
 	s.Linux = &specs.Linux{
 		MaskedPaths: []string{
+			"/proc/asound",
 			"/proc/acpi",
 			"/proc/kcore",
 			"/proc/keys",
@@ -125,7 +126,6 @@
 			"/sys/firmware",
 		},
 		ReadonlyPaths: []string{
-			"/proc/asound",
 			"/proc/bus",
 			"/proc/fs",
 			"/proc/irq",