This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

[18.09 backport] Masked /proc/asound #126

Merged

Conversation

thaJeztah
Member

Backport of moby#38299 for the 18.09 branch
fixes moby#38285 for 18.09

```
git checkout -b 18.09_backport_mask_asound ce-engine/18.09
git cherry-pick -s -S -x 64e52ff3dbdb31adc0a9930b3ea74b04b0df8d86
git push -u origin
```

cherry-pick was clean; no conflicts


@sw-pschmied originally posted this in moby#38285

While looking through the Moby source code was found /proc/asound to be
shared with containers as read-only (as defined in
https://github.com/moby/moby/blob/master/oci/defaults.go#L128).

This can lead to two information leaks.

---

**Leak of media playback status of the host**

Steps to reproduce the issue:

 - Listen to music/Play a YouTube video/Do anything else that involves
sound output
 - Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
/proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 |
grep RUNNING || echo 'not running'"
 - See that the containerized process is able to check whether someone
on the host is playing music as it prints RUNNING
 - Stop the music output
 - Execute the command again (The sleep is delaying the output because
information regarding playback status isn't propagated instantly)
 - See that it outputs not running

**Describe the results you received:**

A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.

The description above is in regard to media playback - when examining
`/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.

Signed-off-by: Jonathan A. Schweder <jonathanschweder@gmail.com>

(cherry picked from commit 64e52ff)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
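The commit message above describes why `/proc/asound` is worth hiding: the `status` files under `pcm*p`/`pcm*c` let any container read whether the host is playing or capturing audio. The fix backported here masks that directory. The following audit helper is an added example, not code from this PR or from the Moby code base: it reads `docker inspect` output and lists containers that still expose the path. It assumes, from my own knowledge rather than from this page, that `docker inspect` reports the OCI masked-path list as `HostConfig.MaskedPaths` and that privileged containers get no masked paths at all (which is why pvizeli's privileged add-ons below can still see the sound cards). The inspect JSON is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// inspectContainer is the subset of `docker inspect` output this audit reads.
// Field names follow what the Docker Engine API returns under HostConfig;
// only MaskedPaths and Privileged are used here (assumed field names).
type inspectContainer struct {
	ID         string `json:"Id"`
	Name       string `json:"Name"`
	HostConfig struct {
		MaskedPaths []string `json:"MaskedPaths"`
		Privileged  bool     `json:"Privileged"`
	} `json:"HostConfig"`
}

// covers reports whether target is equal to, or nested under, masked.
// Masking a directory hides everything beneath it, so the test is a match
// on whole path components; a plain string prefix would wrongly let
// "/proc/asoundfoo" count as covered by "/proc/asound".
func covers(masked, target string) bool {
	m := path.Clean(masked)
	t := path.Clean(target)
	return t == m || strings.HasPrefix(t, m+"/")
}

// isMasked reports whether target is hidden by any entry in maskedPaths.
func isMasked(maskedPaths []string, target string) bool {
	for _, m := range maskedPaths {
		if covers(m, target) {
			return true
		}
	}
	return false
}

// auditAsound parses `docker inspect` JSON (an array of containers) and
// returns the names of containers that still expose the playback status
// file from the report: those with no masking entry for it, and privileged
// containers, which (as assumed above) run with no masked paths at all.
func auditAsound(inspectJSON []byte) ([]string, error) {
	var containers []inspectContainer
	if err := json.Unmarshal(inspectJSON, &containers); err != nil {
		return nil, fmt.Errorf("parse docker inspect output: %w", err)
	}
	const probe = "/proc/asound/card0/pcm0p/sub0/status"
	var exposed []string
	for _, c := range containers {
		if c.HostConfig.Privileged || !isMasked(c.HostConfig.MaskedPaths, probe) {
			// docker inspect prefixes names with "/"; strip it for reporting.
			exposed = append(exposed, strings.TrimPrefix(c.Name, "/"))
		}
	}
	return exposed, nil
}

// sampleInspect is a constructed, trimmed-down docker inspect document:
// one container from an engine without the fix, one with /proc/asound
// masked, and one privileged container.
const sampleInspect = `[
 {"Id": "aaa", "Name": "/old-engine",
  "HostConfig": {"Privileged": false,
   "MaskedPaths": ["/proc/kcore", "/proc/latency_stats", "/sys/firmware"]}},
 {"Id": "bbb", "Name": "/patched-engine",
  "HostConfig": {"Privileged": false,
   "MaskedPaths": ["/proc/asound", "/proc/kcore", "/sys/firmware"]}},
 {"Id": "ccc", "Name": "/privileged",
  "HostConfig": {"Privileged": true, "MaskedPaths": []}}
]`

func main() {
	exposed, err := auditAsound([]byte(sampleInspect))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range exposed {
		fmt.Printf("%s: /proc/asound readable from inside the container\n", name)
	}
}
```

On a real host you would feed it `docker inspect $(docker ps -q)` instead of the constructed JSON. A container on an engine without this backport shows up even though its masked-path list is otherwise complete, which is the condition the PR fixes; the privileged case is reported separately because no masked-path entry would help there.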
@thaJeztah thaJeztah added this to the 18.09.1 milestone Nov 30, 2018

@andrewhsu andrewhsu left a comment


LGTM

@andrewhsu andrewhsu merged commit 82a4418 into docker-archive:18.09 Dec 3, 2018
@thaJeztah thaJeztah deleted the 18.09_backport_mask_asound branch December 4, 2018 07:49
@pvizeli

pvizeli commented Jan 15, 2019

@thaJeztah now only privileged add-ons can play music :(
