
[release/1.1 backport] Add /proc/asound to masked paths #2848

Merged

Conversation

thaJeztah
Member

Backport of #2846 for the 1.1 branch

This ports moby/moby#38299 to containerd

relates to moby/moby#38285

While looking through the Moby source code, /proc/asound was found to be shared
with containers as read-only.

This can lead to two information leaks.

---

**Leak of media playback status of the host**

Steps to reproduce the issue:

 - Listen to music/Play a YouTube video/Do anything else that involves sound
   output
 - Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
   /proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep
   RUNNING || echo 'not running'"
 - See that the containerized process is able to check whether someone on the
   host is playing music as it prints RUNNING
 - Stop the music output
 - Execute the command again (The sleep is delaying the output because
   information regarding playback status isn't propagated instantly)
 - See that it outputs not running

**Describe the results you received:**

A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.

The description above is in regard to media playback - when examining
`/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.

Reported-by: Philipp Schmied <pschmied@mailbox.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
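The fix this PR backports is a one-line addition to the default masked paths in containerd's `oci/spec_unix.go`; runc then hides each masked path inside the container (a file is covered by a bind mount of /dev/null, a directory by an empty read-only tmpfs), so every `/proc/asound/card*/pcm*/sub*/status` file below it disappears with it. The Go program below is an added illustration, not containerd's or the PR's own code: it parses the `linux.maskedPaths` list out of an OCI `config.json`, reports which required paths a pre-fix spec leaves unmasked, and shows that masking the `/proc/asound` directory covers the leaf status files. The minimal struct stands in for the runtime-spec package so the program needs only the standard library; the function names and the constructed sample config (whose other entries are the usual runc/containerd defaults, reproduced here as an assumption) are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// ociConfig models only the part of an OCI runtime config.json that matters
// here: linux.maskedPaths, the list the runtime hides inside the container.
// It is a hand-written stand-in for the runtime-spec types (assumption).
type ociConfig struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// IsMasked reports whether p, or any ancestor of p, is on the masked list.
// Masking /proc/asound therefore also hides /proc/asound/card0/pcm0p/sub0/status.
func IsMasked(masked []string, p string) bool {
	p = filepath.Clean(p)
	for _, m := range masked {
		m = filepath.Clean(m)
		if p == m || strings.HasPrefix(p, m+"/") {
			return true
		}
	}
	return false
}

// MaskPath appends p unless it is already covered; it returns the (possibly
// extended) list and whether anything changed. This mirrors the shape of the
// change the PR makes to the default spec: one more entry in the list.
func MaskPath(masked []string, p string) ([]string, bool) {
	p = filepath.Clean(p)
	if IsMasked(masked, p) {
		return masked, false
	}
	return append(masked, p), true
}

// MissingMasks returns every entry of required that configJSON leaves
// unmasked. It is meant for auditing a bundle's config.json (or a spec dumped
// by the runtime) on hosts whose containerd predates this fix.
func MissingMasks(configJSON []byte, required []string) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	var missing []string
	for _, p := range required {
		if !IsMasked(cfg.Linux.MaskedPaths, p) {
			missing = append(missing, filepath.Clean(p))
		}
	}
	return missing, nil
}

// sampleConfig is a constructed config.json fragment shaped like a spec
// generated before /proc/asound was added to the default masked paths.
const sampleConfig = `{
  "ociVersion": "1.0.1",
  "linux": {
    "maskedPaths": [
      "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats",
      "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug",
      "/sys/firmware", "/proc/scsi"
    ]
  }
}`

func main() {
	// Paths a hardened default spec should hide; /proc/asound is the one this PR adds.
	required := []string{"/proc/kcore", "/proc/asound"}
	missing, err := MissingMasks([]byte(sampleConfig), required)
	if err != nil {
		panic(err)
	}
	fmt.Println("unmasked:", missing)

	// Apply the fix to the parsed list and re-check a leaf status file.
	var cfg ociConfig
	_ = json.Unmarshal([]byte(sampleConfig), &cfg)
	masked, changed := MaskPath(cfg.Linux.MaskedPaths, "/proc/asound")
	fmt.Println("changed:", changed, "status file hidden:",
		IsMasked(masked, "/proc/asound/card0/pcm0p/sub0/status"))
}
```

`IsMasked` matches on path components, not string prefixes, so a masked `/proc/asound` does not accidentally claim an unrelated sibling such as `/proc/asoundx`; that is the property an audit of a real `config.json` has to get right.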
@codecov-io

Codecov Report

Merging #2848 into release/1.1 will not change coverage.
The diff coverage is 100%.


```
@@             Coverage Diff              @@
##           release/1.1    #2848   +/-   ##
============================================
  Coverage        48.99%   48.99%           
============================================
  Files               85       85           
  Lines             7603     7603           
============================================
  Hits              3725     3725           
  Misses            3203     3203           
  Partials           675      675
```

| Flag | Coverage Δ |
|---|---|
| #linux | 48.99% <100%> (ø) ⬆️ |

| Impacted Files | Coverage Δ |
|---|---|
| oci/spec_unix.go | 98.4% <100%> (ø) ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 6bb83f2...3d31338.

@crosbymichael
Member

LGTM

@AkihiroSuda AkihiroSuda merged commit dbf186d into containerd:release/1.1 Nov 30, 2018
@thaJeztah thaJeztah deleted the 1.1_backport_mask_asound branch November 30, 2018 23:04