Skip to content
This repository was archived by the owner on Oct 13, 2023. It is now read-only.

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG#64

Merged
andrewhsu merged 1 commit intodocker-archive:18.09from
thaJeztah:18.09_backport_syslog
Oct 22, 2018
Merged

[18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG#64
andrewhsu merged 1 commit intodocker-archive:18.09from
thaJeztah:18.09_backport_syslog

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Oct 2, 2018

backport of moby#37929 for 18.09

git checkout -b 18.09_backport_syslog ce-engine/18.09
git cherry-pick -s -S -x ccd22ffcc8b564dfc21e7067b5248819d68c56c6
git push -u origin

cherry-pick was clean

This call is what is used to implement dmesg to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl kernel.dmesg_restrict = 1 is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Fix moby#37897

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Justin Cormack justin.cormack@docker.com
(cherry picked from commit ccd22ff)
Signed-off-by: Sebastiaan van Stijn github@gone.nl

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

@justincormack @thaJeztah
Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG
16836e6 
This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Fix moby#37897

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit ccd22ff)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 18.09.0 milestone Oct 2, 2018
@thaJeztah thaJeztah changed the title [18.09] bacport move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG [18.09] backport move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG Oct 2, 2018
@thaJeztah thaJeztah changed the title [18.09] backport move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG [18.09 backport] move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG Oct 17, 2018
andrewhsu
andrewhsu approved these changes Oct 22, 2018
View reviewed changes
Copy link
Copy Markdown

@andrewhsu andrewhsu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andrewhsu andrewhsu merged commit 6f1145e into docker-archive:18.09 Oct 22, 2018
@thaJeztah thaJeztah deleted the 18.09_backport_syslog branch October 22, 2018 17:03
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@andrewhsu andrewhsu andrewhsu approved these changes

@justincormack justincormack justincormack approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

18.09.0

Development

Successfully merging this pull request may close these issues.

3 participants

@thaJeztah @andrewhsu @justincormack