** Description changed:

+ [Impact]
  Hi, I noticed that the 'docker' provided by the 'docker.io' package is not built with seccomp support. This seems to be true in xenial, yakkety, and zesty:

- ubuntu@ubuntu-xenial:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
- Seccomp: 0
+ ubuntu@ubuntu-xenial:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
+ Seccomp: 0
+ ubuntu@ubuntu-yakkety:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
+ Seccomp: 0
- ubuntu@ubuntu-yakkety:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
- Seccomp: 0
-
-
- ubuntu@ubuntu-zesty:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
- Seccomp: 0
-
+ ubuntu@ubuntu-zesty:~$ sudo docker run -it ubuntu grep Seccomp /proc/self/status
+ Seccomp: 0

  This is despite the fact that the Ubuntu kernels are built with seccomp support and that the necessary 'seccomp' version (2.2.1) is available.

  This damages Docker's security on Ubuntu:

+ This exploit of CVE-2016-5195 works on Ubuntu Docker but not on
- stock Docker, because of the availability of the 'ptrace' system
- call, which is blocked by Docker's default seccomp filter:
- https://github.com/gebl/dirtycow-docker-vdso
+ stock Docker, because of the availability of the 'ptrace' system
+ call, which is blocked by Docker's default seccomp filter:
+ https://github.com/gebl/dirtycow-docker-vdso

+ Ubuntu Docker allows the 'perf_event_open' system call, which,
- combined with /proc/sys/kernel/perf_event_paranoid being 1 by
- default on xenial, allows disclosure of registers in the
- kernel. This can be used to break KASLR, and possibly to leak other
- sensitive values, like the /dev/urandom seed.
+ combined with /proc/sys/kernel/perf_event_paranoid being 1 by
+ default on xenial, allows disclosure of registers in the
+ kernel. This can be used to break KASLR, and possibly to leak other
+ sensitive values, like the /dev/urandom seed.

+ Ubuntu Docker allows access to system calls like 'move_pages', which
- could be used to deny service to other NUMA-aware processes on the
- host.
+ could be used to deny service to other NUMA-aware processes on the
+ host.

+ Processes in Ubuntu Docker containers can 'unshare' to create a new
- user namespace and obtain a new set of capabilities, potentially
- including capabilities the user intended to drop.
+ user namespace and obtain a new set of capabilities, potentially
+ including capabilities the user intended to drop.

  These are acceptable security trade-offs to make in some contexts, but I think the fact that they're different from Docker's packages could easily make this surprising or unexpected behavior.
+
+ [Test Case]
+ "sudo docker run -it ubuntu grep Seccomp /proc/self/status" should show that Seccomp is enabled.
+
+ Also see https://wiki.ubuntu.com/DockerUpdates
+
+ [Regression potential]
+ See above.
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1639407

Title:
  Docker not built with seccomp

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1639407/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
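The test case in the bug description relies on reading the `Seccomp:` field of `/proc/self/status` inside the container by eye. As an added example (not part of the bug report, the docker.io package, or Docker's own tooling), the POSIX shell script below parses that field and turns it into a verdict, so the same check can be scripted in a post-deploy test or an audit run across hosts. The sample status files are constructed here to make the script runnable offline; the final line runs the same check on the calling process. The field's meaning follows the kernel's documentation of `/proc/<pid>/status`: 0 means seccomp is off, 1 is strict mode, 2 means a BPF filter is in force, and no field at all means the kernel was built without seccomp.

```shell
#!/bin/sh
# Added example, not from the bug report: script the "grep Seccomp
# /proc/self/status" check so a container's confinement can be verified
# automatically. Field meaning: 0 = disabled, 1 = strict, 2 = filter (BPF);
# a missing field means the kernel has no seccomp support at all.

# Print the numeric Seccomp mode from a status file (default: our own);
# exit 1 when the field is absent.
seccomp_mode() {
  awk '/^Seccomp:/ { print $2; found = 1 } END { exit (found ? 0 : 1) }' \
    "${1:-/proc/self/status}"
}

# Map a mode number to its name.
seccomp_mode_name() {
  case "$1" in
    0) echo disabled ;;
    1) echo strict ;;
    2) echo filter ;;
    *) echo unknown ;;
  esac
}

# Verdict for one status file: "ok filter" (exit 0) when a BPF filter is in
# force, which is what Docker's default profile produces; "FAIL ..." otherwise
# (exit 1 for the wrong mode, exit 2 when the field is missing entirely).
seccomp_verdict() {
  mode=$(seccomp_mode "$1") || {
    echo "FAIL no Seccomp field (kernel built without seccomp support?)"
    return 2
  }
  if [ "$mode" = 2 ]; then
    echo "ok filter"
    return 0
  fi
  echo "FAIL seccomp $(seccomp_mode_name "$mode")"
  return 1
}

# Constructed sample status files (not real captures) so the script runs
# offline: the unconfined case from the bug report, a filtered process, and a
# kernel without seccomp.
SAMPLE_DIR=$(mktemp -d)
printf 'Name:\tgrep\nUid:\t0\t0\t0\t0\nSeccomp:\t0\n' > "$SAMPLE_DIR/unconfined"
printf 'Name:\tgrep\nUid:\t0\t0\t0\t0\nSeccomp:\t2\n' > "$SAMPLE_DIR/filtered"
printf 'Name:\tgrep\nUid:\t0\t0\t0\t0\n' > "$SAMPLE_DIR/noseccomp"

# Report on the samples, then on the process running this script.
for f in unconfined filtered noseccomp; do
  printf '%-11s %s\n' "$f:" "$(seccomp_verdict "$SAMPLE_DIR/$f")"
done
printf '%-11s %s\n' "self:" "$(seccomp_verdict /proc/self/status)"
```

Run it inside a container (`docker run --rm -v ./check.sh:/check.sh ubuntu sh /check.sh`, path assumed) and the `self:` line is the automated form of the test case: `FAIL seccomp disabled` is the symptom the report describes, `ok filter` is the expected result once the package is built with seccomp support. The check is necessary rather than sufficient: mode 2 only proves that some BPF filter is loaded, not that it is Docker's default profile, so a stricter audit would additionally exercise a call the default profile denies and confirm it fails with EPERM.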
