1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/profiles/seccomp
Justin Cormack ccd22ffcc8
Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG
This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Fix #37897

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2018-09-27 14:27:05 -07:00
..
fixtures move default seccomp profile into package 2016-01-21 16:55:29 -08:00
default.json Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG 2018-09-27 14:27:05 -07:00
generate.go New seccomp format 2016-09-01 11:53:07 +02:00
seccomp.go If container will run as non root user, drop permitted, effective caps early 2018-03-19 14:45:27 -07:00
seccomp_default.go Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG 2018-09-27 14:27:05 -07:00
seccomp_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
seccomp_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00