https://bugzilla.redhat.com/show_bug.cgi?id=1094198
Bug ID: 1094198
Summary: docker-io-0.10 access to /sys
Product: Fedora
Version: 20
Component: docker-io
Severity: urgent
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected], [email protected]
Description of problem:
This bugzilla maps the https://bugzilla.redhat.com/show_bug.cgi?id=1094188
issue on newer docker-io-0.10 on real hardware.
Docker gives access to host /sys. This is expected as some apps requires /sys
and one would expect it's protected (in --privileged=False). Well, is it?
This time I tried `echo mem > /sys/power/state` which (unlike on older docker)
succeeded and suspended the whole laptop. I guess this is not required from
containerized machine to be able to do?
Additionally I tried modifying the cpu frequence:
echo 1200000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
passes (which is IMO improper behavior)
Last but not least I tried `poweroff -f`, but "sadly" it just stopped the
container without powering off the host machine.
Version-Release number of selected component (if applicable):
docker-io-0.10.0-2.fc20.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Play with /sys
Actual results:
container is able to interact/suspend/modify the underlying host machine.
Expected results:
docker should prevent these operations.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
golang mailing list
[email protected]
https://lists.fedoraproject.org/mailman/listinfo/golang
