Need to block access to kernel file systems in /proc and /sys

Users of kpod run could use these file systems to perform a breakout or to learn valuable system information. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #61 Approved by: mheon
2017-11-22 09:54:22 -05:00 · 2017-11-22 09:54:22 -05:00 · 91b406ea4a
parent 768fb6fe0f
commit 91b406ea4a
1 changed files with 28 additions and 0 deletions
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@ -17,6 +17,33 @@ import (
 	"golang.org/x/sys/unix"
 )

+func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator) {
+	if !config.privileged {
+		for _, mp := range []string{
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/proc/scsi",
+			"/sys/firmware",
+		} {
+			g.AddLinuxMaskedPaths(mp)
+		}
+
+		for _, rp := range []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		} {
+			g.AddLinuxReadonlyPaths(rp)
+		}
+	}
+}
+
 func addRlimits(config *createConfig, g *generate.Generator) error {
 	var (
 		ul  *units.Ulimit
@ -127,6 +154,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	g.SetProcessApparmorProfile(config.apparmorProfile)
 	g.SetProcessSelinuxLabel(config.processLabel)
 	g.SetLinuxMountLabel(config.mountLabel)
+	blockAccessToKernelFilesystems(config, &g)

 	// RESOURCES - PIDS
 	if config.resources.pidsLimit != 0 {