From 6e916fca020b7fb2de08dab7be03728e86173e1e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 12 May 2016 11:17:47 +0200 Subject: [PATCH 1/9] Merge pull request #22579 from jfrazelle/docs-add-security-non-events docs: add security non-events (cherry picked from commit a14e85c40d210252096bfb6bbef1e7b66e2e2bfd) Signed-off-by: Sebastiaan van Stijn --- docs/security/non-events.md | 84 +++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 docs/security/non-events.md diff --git a/docs/security/non-events.md b/docs/security/non-events.md new file mode 100644 index 0000000000..fcfd55d809 --- /dev/null +++ b/docs/security/non-events.md 
@@ -0,0 +1,84 @@ + + +# Docker Security Non-events + +This page lists security vulnerabilities which Docker mitigated, such that +processes run in Docker containers were never vulnerable to the bug—even before +it was fixed. This assumes containers are run without adding extra capabilities +or not run as `--privileged`. + +The list below is not even remotely complete. Rather, it is a sample of the few +bugs we've actually noticed to have attracted security review and publicly +disclosed vulnerabilities. In all likelihood, the bugs that haven't been +reported far outnumber those that have. Luckily, since Docker's approach to +secure by default through apparmor, seccomp, and dropping capabilities, it +likely mitigates unknown bugs just as well as it does known ones. + +Bugs mitigated: + +* [CVE-2013-1956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1956), +[1957](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1957), +[1958](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1958), +[1959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1959), +[1979](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979), +[CVE-2014-4014](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014), +[5206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206), +[5207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5207), +[7970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970), +[7975](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975), +[CVE-2015-2925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925), +[8543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543), +[CVE-2016-3134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134), +[3135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135), etc.: +The introduction of unprivileged user namespaces lead to a huge increase in the +attack surface available to unprivileged users by giving such users legitimate 
+access to previously root-only system calls like `mount()`. All of these CVEs +are examples of security vulnerabilities due to introduction of user namespaces. +Docker can use user namespaces to set up containers, but then disallows the +process inside the container from creating its own nested namespaces through the +default seccomp profile, rendering these vulnerabilities unexploitable. +* [CVE-2014-0181](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0181), +[CVE-2015-3339](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339): +These are bugs that require the presence of a setuid binary. Docker disables +setuid binaries inside containers via the `NO_NEW_PRIVS` process flag and +other mechanisms. +* [CVE-2014-4699](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4699): +A bug in `ptrace()` could allow privilege escalation. Docker disables `ptrace()` +inside the container using apparmor, seccomp and by dropping `CAP_PTRACE`. +Three times the layers of protection there! +* [CVE-2014-9529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529): +A series of crafted `keyctl()` calls could cause kernel DoS / memory corruption. +Docker disables `keyctl()` inside containers using seccomp. +* [CVE-2015-3214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3214), +[4036](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4036): These are +bugs in common virtualization drivers which could allow a guest OS user to +execute code on the host OS. Exploiting them requires access to virtualization +devices in the guest. Docker hides direct access to these devices when run +without `--privileged`. Interestingly, these seem to be cases where containers +are "more secure" than a VM, going against common wisdom that VMs are +"more secure" than containers. +* [CVE-2016-0728](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0728): +Use-after-free caused by crafted `keyctl()` calls could lead to privilege +escalation. 
Docker disables `keyctl()` inside containers using the default +seccomp profile. +* [CVE-2016-2383](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383): +A bug in eBPF -- the special in-kernel DSL used to express things like seccomp +filters -- allowed arbitrary reads of kernel memory. The `bpf()` system call +is blocked inside Docker containers using (ironically) seccomp. + +Bugs *not* mitigated: + +* [CVE-2015-3290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3290), +[5157](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5157): Bugs in +the kernel's non-maskable interrupt handling allowed privilege escalation. +Can be exploited in Docker containers because the `modify_ldt()` system call is +not currently blocked using seccomp. From e7d0711142f5bb20e38fc76b038219164781259b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 May 2016 18:05:52 +0200 Subject: [PATCH 2/9] Merge pull request #22666 from yongtang/05112016-update-deprecated-docs-cli-flags Update deprecated docs for cli flags removal. (cherry picked from commit 3710f9074e7cb752def69b1b80e4af3e6ed87daf) Signed-off-by: Sebastiaan van Stijn --- docs/deprecated.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deprecated.md b/docs/deprecated.md index d4702c0f90..2536278f88 100644 --- a/docs/deprecated.md +++ b/docs/deprecated.md @@ -92,7 +92,7 @@ The lxc-conf flag and API fields will also be removed. ### Old Command Line Options **Deprecated In Release: [v1.8.0](https://github.com/docker/docker/releases/tag/v1.8.0)** -**Target For Removal In Release: v1.10** +**Removed In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)** The flags `-d` and `--daemon` are deprecated in favor of the `daemon` subcommand: From 36a62de41fc09ebe816e88e5163a01b60527738b Mon Sep 17 00:00:00 2001 
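Review bot: `CAP_PTRACE` in the CVE-2014-4699 entry is not a Linux capability name; the capability Docker drops is `CAP_SYS_PTRACE`, so the sentence should read "and by dropping `CAP_SYS_PTRACE`". Three smaller points in the same hunk: "user namespaces lead to a huge increase" should be "led to"; the CVE-2014-0181/CVE-2015-3339 entry credits the `NO_NEW_PRIVS` flag without saying whether that flag is part of the default configuration the opening paragraph assumes (no added capabilities, not `--privileged`), so name the option that sets it or state that it is on by default, otherwise readers cannot tell when this mitigation applies; and the CVE-2016-2383 entry says seccomp filters are expressed in eBPF, whereas seccomp filters are classic BPF programs, so "the in-kernel bytecode of which seccomp filters are a variant" would be more accurate than "the special in-kernel DSL used to express things like seccomp filters".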
From: Vincent Demeester Date: Wed, 11 May 2016 18:59:53 +0200 Subject: [PATCH 3/9] Merge pull request #22669 from thaJeztah/docs-update-seccomp-whitelist docs: update seccomp whitelist (cherry picked from commit 4c654eeea209b9770071fe190d27976622298cdd) Signed-off-by: Sebastiaan van Stijn --- docs/security/seccomp.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/security/seccomp.md b/docs/security/seccomp.md index bf56790619..36b5cd56c4 100644 --- a/docs/security/seccomp.md +++ b/docs/security/seccomp.md @@ -99,7 +99,6 @@ the reason each syscall is blocked rather than white-listed. | `keyctl` | Prevent containers from using the kernel keyring, which is not namespaced. | | `lookup_dcookie` | Tracing/profiling syscall, which could leak a lot of information on the host. | | `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | -| `modify_ldt` | Old syscall only used in 16-bit code and a potential information leak. | | `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. | | `move_pages` | Syscall that modifies kernel memory and NUMA settings. | | `name_to_handle_at` | Sister syscall to `open_by_handle_at`. Already gated by `CAP_SYS_NICE`. | From 785665203d4e66fffd6f6d7a162164aa96f21079 Mon Sep 17 00:00:00 2001 From: Sven Dowideit Date: Thu, 12 May 2016 14:15:39 +1000 Subject: [PATCH 4/9] Merge pull request #22672 from kevinmeredith/correct_trapped_signals Correct docs for a docker container's clean-up. (cherry picked from commit c273163e80da5f5895db1dc1102a470ec45e0a69) Signed-off-by: Sebastiaan van Stijn --- docs/reference/builder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/builder.md b/docs/reference/builder.md index a932276b75..9a2f42ea8b 100644 --- a/docs/reference/builder.md +++ b/docs/reference/builder.md 
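Review bot: removing the `modify_ldt` row silently changes what the table claims about the default profile, and the only explanation lives in the sibling non-events page ("`modify_ldt()` system call is not currently blocked using seccomp"); add a sentence near the table saying that `modify_ldt` is allowed by the default profile so the two documents stay consistent and readers of this page know CVE-2015-3290/CVE-2015-5157 are not covered. Also, the unchanged `name_to_handle_at` row in the context says "Already gated by `CAP_SYS_NICE`", which looks copied from the `mbind` row two lines above; `CAP_SYS_NICE` is a scheduling/NUMA capability and is not what gates file-handle syscalls, so that row is worth correcting while this table is being edited.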
@@ -834,7 +834,7 @@ does some more work: # USE the trap if you need to also do manual cleanup after the service is stopped, # or need to start multiple services in the one container -trap "echo TRAPed signal" HUP INT QUIT KILL TERM +trap "echo TRAPed signal" HUP INT QUIT TERM # start service in background here /usr/sbin/apachectl start From b28e6b7edab3275c7714d2e4b98718dfb54a3fd0 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 12 May 2016 21:29:45 +0200 Subject: [PATCH 5/9] Merge pull request #22683 from npcode/docs-no-request-status docs: Remove RequestStatusCode (cherry picked from commit 2ae863c28fdae1da9794942c90efa9f217bccd83) Signed-off-by: Sebastiaan van Stijn --- docs/extend/plugins_authorization.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/extend/plugins_authorization.md b/docs/extend/plugins_authorization.md index 8a1352c6d2..86d3db017d 100644 --- a/docs/extend/plugins_authorization.md +++ b/docs/extend/plugins_authorization.md @@ -151,8 +151,7 @@ should implement the following two methods: "RequestMethod": "The HTTP method", "RequestURI": "The HTTP request URI", "RequestBody": "Byte array containing the raw HTTP request body", - "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string ", - "RequestStatusCode": "Request status code" + "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string " } ``` @@ -177,7 +176,6 @@ should implement the following two methods: "RequestURI": "The HTTP request URI", "RequestBody": "Byte array containing the raw HTTP request body", "RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string", - "RequestStatusCode": "Request status code", "ResponseBody": "Byte array containing the raw HTTP response body", "ResponseHeader": "Byte array containing the raw HTTP response header as a map[string][]string", "ResponseStatusCode":"Response status code" 
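Review bot: dropping `KILL` from the `trap` list is correct because SIGKILL cannot be caught, but nothing in the snippet says why, so the next reader may add it back; extend the comment above the line, for example "# SIGKILL and SIGSTOP cannot be trapped, so they are deliberately not listed", so the intent survives.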
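Review bot: in the `AuthZReq` hunk (`@@ -151,8 +151,7 @@`) the retained line `"RequestHeader": "Byte array containing the raw HTTP request header as a map[string][]string "` keeps a trailing space inside the string literal now that it is the last field; trim it to match the spelling of the same key in the `AuthZRes` example below. The removal itself is right: a request object has no status code.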
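Review bot: in the `AuthZRes` hunk (`@@ -177,7 +176,6 @@`) the unchanged last line `"ResponseStatusCode":"Response status code"` is the only key in either example without a space after the colon; since this hunk already touches the block, align it with the other entries so the JSON examples read consistently.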
From c23ad97de54a20787a0c436dff636b0a8d7f8f11 Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Thu, 12 May 2016 14:35:21 +0200 Subject: [PATCH 6/9] Merge pull request #22687 from haoshuwei/fix-docs-securitymd Fixing security.md (cherry picked from commit edf5e097a2ee1e1b90a6634d6fa6cf1547dff65c) Signed-off-by: Sebastiaan van Stijn --- docs/security/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security/security.md b/docs/security/security.md index 88b5b3f09a..c22d6bc3f7 100644 --- a/docs/security/security.md +++ b/docs/security/security.md @@ -52,8 +52,8 @@ How mature is the code providing kernel namespaces and private networking? Kernel namespaces were introduced [between kernel version 2.6.15 and 2.6.26](http://lxc.sourceforge.net/index.php/about/kernel-namespaces/). -This means that since July 2008 (date of the 2.6.26 release, now 7 years -ago), namespace code has been exercised and scrutinized on a large +This means that since July 2008 (date of the 2.6.26 release +), namespace code has been exercised and scrutinized on a large number of production systems. And there is more: the design and inspiration for the namespaces code are even older. Namespaces are actually an effort to reimplement the features of [OpenVZ]( From 77efb507b3fd675ac5c821ecbaa05c3acb6841a5 Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Thu, 12 May 2016 14:35:39 +0200 Subject: [PATCH 7/9] Merge pull request #22694 from allencloud/fix-typos-in-docs docs: correct some typos (cherry picked from commit 475c37dd66ce4b2f3994ac61a4494950e43873b9) Signed-off-by: Sebastiaan van Stijn --- docs/migration.md | 2 +- docs/security/apparmor.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/migration.md b/docs/migration.md index 8ff5c70fc2..28c2d7a480 100644 --- a/docs/migration.md +++ b/docs/migration.md 
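Review bot: the rewrite leaves a line break before the closing parenthesis, so the rendered text becomes "the 2.6.26 release\n), namespace code"; join the two lines as `This means that since July 2008 (date of the 2.6.26 release), namespace` and reflow the following line. Removing the hard-coded "now 7 years ago" is the right call, since the figure goes stale every year.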
@@ -29,7 +29,7 @@ instructions that didn’t modify the filesystem. Content addressability is the foundation for the new distribution features. The image pull and push code has been reworked to use a download/upload manager -concept that makes pushing and pulling images much more stable and mitigate any +concept that makes pushing and pulling images much more stable and mitigates any parallel request issues. The download manager also brings retries on failed downloads and better prioritization for concurrent downloads. diff --git a/docs/security/apparmor.md b/docs/security/apparmor.md index bc80a24509..62df4b794c 100644 --- a/docs/security/apparmor.md +++ b/docs/security/apparmor.md @@ -232,7 +232,7 @@ Congrats! You just deployed a container secured with a custom apparmor profile! ## Debug AppArmor -You can use `demsg` to debug problems and `aa-status` check the loaded profiles. +You can use `dmesg` to debug problems and `aa-status` check the loaded profiles. ### Use dmesg From fcd432d110d2fffc65aa24c3898c628177d72e6c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 12 May 2016 23:27:57 +0200 Subject: [PATCH 8/9] Merge pull request #22707 from TimWolla/patch-1 User network does not work with IPv6 (cherry picked from commit ab090291dd15c76687672fec10eb9f4106c1cb21) Signed-off-by: Sebastiaan van Stijn --- docs/userguide/networking/work-with-networks.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/userguide/networking/work-with-networks.md b/docs/userguide/networking/work-with-networks.md index 6cd669484c..867c5fa52f 100644 --- a/docs/userguide/networking/work-with-networks.md +++ b/docs/userguide/networking/work-with-networks.md 
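Review bot: the `demsg` to `dmesg` fix is correct, but the same sentence is still missing a word: "and `aa-status` check the loaded profiles" should read "and `aa-status` to check the loaded profiles"; since the line is being rewritten anyway, fix both in this commit.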
@@ -228,7 +228,8 @@ $ docker run --net=isolated_nw --ip=172.25.3.3 -itd --name=container3 busybox As you can see you were able to specify the ip address for your container. As long as the network to which the container is connecting was created with a user specified subnet, you will be able to select the IPv4 and/or IPv6 address(es) -for your container when executing `docker run` and `docker network connect` commands. +for your container when executing `docker run` and `docker network connect` commands +by respectively passing the `--ip` and `--ip6` flags for IPv4 and IPv6. The selected IP address is part of the container networking configuration and will be preserved across container reload. The feature is only available on user defined networks, because they guarantee their subnets configuration does not change across daemon reload. From ab595882e3dc2a72b88e7f44201938296eaf1c5d Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Thu, 12 May 2016 11:22:44 +0200 Subject: [PATCH 9/9] Merge pull request #22689 from thaJeztah/docs-update-menu-order docs: update menu order in security section (cherry picked from commit 24a0f1f3e89476f29c22e48d1e5cbdcc39611958) Signed-off-by: Sebastiaan van Stijn --- docs/security/non-events.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/security/non-events.md b/docs/security/non-events.md index fcfd55d809..97da919309 100644 --- a/docs/security/non-events.md +++ b/docs/security/non-events.md @@ -5,7 +5,6 @@ description = "Review of security vulnerabilities Docker mitigated" keywords = ["Docker, Docker documentation, security, security non-events"] [menu.main] parent = "smn_secure_docker" -weight =-99 +++
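Review bot: the added sentence "by respectively passing the `--ip` and `--ip6` flags for IPv4 and IPv6" reads awkwardly because "respectively" sits before the things it pairs; suggest "by passing the `--ip` flag for an IPv4 address and the `--ip6` flag for an IPv6 address." Also, the PR title says "User network does not work with IPv6" but the hunk only documents the flags; if a behavioural problem was also found, the commit message should say what was observed so the documentation change and the bug report are not confused.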