moby/profiles
Justin Cormack ccd22ffcc8
Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG
This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Fix #37897

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2018-09-27 14:27:05 -07:00
..
apparmor Add canonical import comment 2018-02-05 16:51:57 -05:00
seccomp Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG 2018-09-27 14:27:05 -07:00