really? you need GLOBAL_ROOT_UID access for it, no? and with that, you can do all sorts of fun things in procfs, like messing with sysctls
if moby gives containers GLOBAL_ROOT_UID and procfs access, blacklisting every dangerous file they know about, missing one, that's on them
just look at the commit you linked. they have a big blacklist of known ways to bypass their protections, and they missed one file.
the kernel has an API for giving containers fake root, and that is user namespaces. and if you don't want to use that, at least whitelist.
Replying to @tehjh @SwiftOnSecurity
The sysctls are an exception, yes, but there are many other files in proc that check CAP_SYS_ADMIN.
Replying to @ewindisch @SwiftOnSecurity
you could argue that these checks are inconsistent; but OTOH, there are users who actually want to be able to chown files in /proc
for example, Android chowns /proc/sysrq-trigger to root:system so that system_server can use it (or at least Android used to do that)
if you did a capability check in sysrq-trigger, the kernel API would lose this flexibility
Replying to @tehjh @SwiftOnSecurity
If that's the contract then maybe remove unnecessary code checking capabilities for all other proc files?
Replying to @ewindisch @SwiftOnSecurity
I think there is some granularity. For example, one could argue both ways for CAP_RAWIO checks in procfs
and the non-init_user_ns capability checks in /proc/$pid have to be that way for user namespaces to work properly
so yeah, it's a bit inconsistent, and there are opportunities for improvement, but IMO it's hard to figure out the balance for changes
Replying to @tehjh @SwiftOnSecurity
Totally valid points! As a researcher I'm not excited about deciding whose issue it is to fix.