moby: device "all" will add to the cgroup whitelist

After the runc security advisory[1] the default cgroup device
whitelist was changed.

In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.

In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.

However, it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:

```
- path: all
  type: b
```

Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.

[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

Signed-off-by: David Scott <dave@recoil.org>
David Scott
2021-10-14 14:20:51 +01:00
parent 24db42dd68
commit 46ea02f65b
6 changed files with 37 additions and 3 deletions
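As an illustration of the whitelist semantics the commit message describes (default deny after the runc advisory, one `path: all` rule for a whole device class, or a specific major/minor rule), here is an added Go example that is not LinuxKit's own code; the struct names, the -1 wildcard and the `rwm` access level are assumptions of the example.

```go
package main
import "fmt"

// DeviceEntry mirrors a LinuxKit `devices:` item as shown in the commit message:
// `path: all` plus a type, or a specific device with major/minor.
// Illustrative type for this example, not LinuxKit's own.
type DeviceEntry struct {
	Path, Type   string // Type: "b" block, "c" char
	Major, Minor int64
}

// CgroupRule borrows the field names of an OCI runtime-spec linux.resources.devices
// entry; -1 for Major/Minor is used here as the "any" wildcard (an assumption of this example).
type CgroupRule struct {
	Allow        bool
	Type, Access string
	Major, Minor int64
}

// ToCgroupRules turns device entries into allow rules. An empty list models the
// post-advisory runc default: no device is whitelisted. Access "rwm" is assumed.
func ToCgroupRules(entries []DeviceEntry) []CgroupRule {
	rules := []CgroupRule{}
	for _, e := range entries {
		r := CgroupRule{Allow: true, Type: e.Type, Access: "rwm", Major: e.Major, Minor: e.Minor}
		if e.Path == "all" {
			r.Major, r.Minor = -1, -1 // one rule for the whole device class
		}
		rules = append(rules, r)
	}
	return rules
}

// Permitted reports whether a device of the given type/major/minor passes the whitelist:
// default deny; a rule matches when the type agrees and each number is the wildcard or equal.
func Permitted(rules []CgroupRule, typ string, major, minor int64) bool {
	for _, r := range rules {
		if r.Allow && r.Type == typ && (r.Major == -1 || r.Major == major) && (r.Minor == -1 || r.Minor == minor) {
			return true
		}
	}
	return false
}

func main() {
	allBlock := ToCgroupRules([]DeviceEntry{{Path: "all", Type: "b"}})
	fmt.Println(Permitted(allBlock, "b", 8, 0)) // a block device (constructed 8:0): true
	fmt.Println(Permitted(allBlock, "c", 1, 3)) // a char device (constructed 1:3): false
}
```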


@@ -4,6 +4,10 @@ config:
- /dev:/dev
- /var:/var:rshared,rbind
- /:/hostroot
devices:
# all block devices
- path: all
type: b
capabilities:
- CAP_SYS_ADMIN
rootfsPropagation: shared
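Review bot: the new `devices:` entry (`- path: all` / `type: b`) hands this container every block device, and it sits alongside `- /dev:/dev` and `CAP_SYS_ADMIN`, so the net effect for block devices is close to the pre-advisory permissive default; the `# all block devices` comment should say that this widening is deliberate and which operations it grants (the commit message names read, write and mknod), and if this service only needs a known set of disks, a major/minor-specific rule, which the commit message says remains available, would be the tighter choice.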