oci/defaults: deny /sys/devices/virtual/powercap
The ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. This was originally [CVE-2020-8694][1], which was fixed in [949dd0104c496fa7c14991a23c03c62e44637e71][2] by restricting read access to root. However, since many containers run as root, this is not sufficient for our use case. While untrusted code should ideally never be run, we can add some defense in depth here by masking out the device class by default. [Other mechanisms][3] to access this hardware exist, but they should not be accessible to a container due to other safeguards in the kernel/container stack (e.g. capabilities, perf paranoia). [1]: https://nvd.nist.gov/vuln/detail/CVE-2020-8694 [2]:949dd0104c
[3]: https://web.eece.maine.edu/~vweaver/projects/rapl/ Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com> (cherry picked from commit83cac3c3e3
) Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
This commit is contained in:
parent
29a0e76e64
commit
4b242784ca
1 changed files with 1 additions and 0 deletions
|
@ -105,6 +105,7 @@ func DefaultLinuxSpec() specs.Spec {
|
|||
"/proc/sched_debug",
|
||||
"/proc/scsi",
|
||||
"/sys/firmware",
|
||||
"/sys/devices/virtual/powercap",
|
||||
},
|
||||
ReadonlyPaths: []string{
|
||||
"/proc/bus",
|
||||
|
|
Loading…
Reference in a new issue