Docker not built with seccomp
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
docker.io (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
runc (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Hi,
I noticed that the 'docker' provided by the 'docker.io' package
is not built with seccomp support.
This seems to be true in xenial, yakkety, and zesty:
ubuntu@
Seccomp: 0
ubuntu@
Seccomp: 0
ubuntu@
Seccomp: 0
This is despite the fact that the Ubuntu kernels are built with
seccomp support and that the necessary 'seccomp' version (2.2.1) is
available.
This damages Docker's security on Ubuntu:
+ This exploit of CVE-2016-5195 works on Ubuntu Docker but not on
stock Docker, because of the availability of the 'ptrace' system
call, which is blocked by Docker's default seccomp filter:
https:/
+ Ubuntu Docker allows the 'perf_event_open' system call, which,
combined with /proc/sys/
default on xenial, allows disclosure of registers in the
kernel. This can be used to break KASLR, and possibly to leak other
sensitive values, like the /dev/urandom seed.
+ Ubuntu Docker allows access to system calls like 'move_pages', which
could be used to deny service to other NUMA-aware processes on the
host.
+ Processes in Ubuntu Docker containers can 'unshare' to create a new
user namespace and obtain a new set of capabilities, potentially
including capabilities the user intended to drop.
These are acceptable security trade-offs to make in some contexts, but
I think the fact that they're different from Docker's packages could
easily make this surprising or unexpected behavior.
[Test Case]
"sudo docker run -it ubuntu grep Seccomp /proc/self/status" should show that Seccomp is enabled.
Also see https:/
[Regression potential]
See above.
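An added check, not part of the bug report, that reads the Seccomp field of a /proc/<pid>/status file (the same field the test case above greps for) and classifies the mode per proc(5); the sample status file it runs on is constructed, and the function names are ours.

```shell
#!/bin/sh
# Added example: classify the seccomp mode of a process from its status file.
# proc(5) documents the Seccomp field as 0 = disabled, 1 = strict, 2 = filter.
# Kernels built without CONFIG_SECCOMP omit the line entirely.

# Print the seccomp mode found in the status file given as $1,
# or "unknown" when the field is absent.
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Succeed (exit 0) only when a BPF syscall filter (mode 2) is active,
# which is what Docker's default seccomp profile produces.
seccomp_filter_active() {
    [ "$(seccomp_mode "$1")" = "2" ]
}

# Human-readable verdict for a status file, e.g. one captured with:
#   docker run --rm ubuntu cat /proc/self/status > status.txt
seccomp_report() {
    case "$(seccomp_mode "$1")" in
        0) echo "Seccomp: 0 - no filter; the default Docker profile is NOT applied" ;;
        1) echo "Seccomp: 1 - strict mode (read/write/exit/sigreturn only)" ;;
        2) echo "Seccomp: 2 - filter mode; a BPF syscall filter is in place" ;;
        *) echo "Seccomp field missing; kernel has no seccomp support" ;;
    esac
}

# Constructed sample matching what the reporter saw in a docker.io container.
SAMPLE_STATUS=$(mktemp)
printf 'Name:\tgrep\nPid:\t1\nSeccomp:\t0\n' > "$SAMPLE_STATUS"
seccomp_report "$SAMPLE_STATUS"
rm -f "$SAMPLE_STATUS"
```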
information type: | Private Security → Public Security |
Changed in docker.io (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in docker.io (Ubuntu Yakkety): | |
status: | New → In Progress |
Changed in runc (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in runc (Ubuntu Yakkety): | |
status: | New → In Progress |
description: | updated |
Thanks for the report, Lizzie. I've subscribed the Docker Ubuntu Maintainers so that they can have a look and comment.