http://bugzilla.opensuse.org/show_bug.cgi?id=979533
Bug ID: 979533
Summary: when running trinity in docker, some network interfaces are created (on host)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mpluskal@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
Created attachment 676580
--> http://bugzilla.opensuse.org/attachment.cgi?id=676580&action=edit
trinity logs
What:
After executing trinity (see https://github.com/kernelslacker/trinity/) inside
docker, several new, undesired network interfaces appeared on the guest:
# ip a
...
6: veth498404a@if5: mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 0a:60:f3:26:7f:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::860:f3ff:fe26:7fc2/64 scope link
valid_lft forever preferred_lft forever
7: rose0: <NOARP> mtu 249 qdisc noop state DOWN group default qlen 1
link/rose 00:00:00:00:00 brd 00:00:00:00:00
8: rose1: <NOARP> mtu 249 qdisc noop state DOWN group default qlen 1
link/rose 00:00:00:00:00 brd 00:00:00:00:00
And several unwanted modules were loaded (i.e. can, which provides CAN bus
support).
My understanding is that such behavior is undesirable and can be considered a
security issue.
Steps to reproduce:
In test machine:
# systemctl start docker
# docker pull opensuse
# docker run -t -i --memory 512M opensuse:latest /bin/bash
(now we are inside docker container):
# zypper in wget sudo
# mkdir docker
# chown nobody docker
# cd docker
# wget http://download.opensuse.org/repositories/devel:/tools/openSUSE_Leap_42.1/x8...
# zypper in ./trinity-1.6+git.20160426-50.1.x86_64.rpm
# sudo -u nobody trinity
....
(see attached trinity logs, dmesg and output of ip a before and after trinity
was executed in container).
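The before/after comparison described above, automated as an added example (not part of the report or its attachments): it diffs `ip -o link` and `/proc/modules` snapshots and lists interfaces and modules that appeared while the container workload ran. The snapshot strings are constructed from the output quoted in this report; the `ip -o link` one-line-per-interface format is assumed rather than the `ip a` form shown above.

```python
import re

# Capture on the host, e.g.:  ip -o link > links.before; cat /proc/modules > mods.before
# (and again with .after once the container workload has finished).
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s.*?link/(\S+)", re.M)


def parse_links(ip_o_link: str) -> dict:
    """Map interface name -> link-layer type from 'ip -o link' output."""
    return {name: kind for name, kind in LINK_RE.findall(ip_o_link)}


def parse_modules(proc_modules: str) -> set:
    """Loaded module names: first field of every /proc/modules line."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def new_interfaces(before: str, after: str) -> dict:
    """Interfaces present after the run but not before, with their link type."""
    b, a = parse_links(before), parse_links(after)
    return {name: kind for name, kind in a.items() if name not in b}


def new_modules(before: str, after: str) -> set:
    """Kernel modules that were loaded during the run."""
    return parse_modules(after) - parse_modules(before)


# Constructed snapshots mirroring the listing in this report (values are illustrative).
IP_BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: veth498404a@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP\\    link/ether 0a:60:f3:26:7f:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
"""
IP_AFTER = IP_BEFORE + """\
7: rose0: <NOARP> mtu 249 qdisc noop state DOWN group default qlen 1\\    link/rose 00:00:00:00:00 brd 00:00:00:00:00
8: rose1: <NOARP> mtu 249 qdisc noop state DOWN group default qlen 1\\    link/rose 00:00:00:00:00 brd 00:00:00:00:00
"""
MODS_BEFORE = "veth 16384 0 - Live 0x0000000000000000\nbridge 155648 1 - Live 0x0000000000000000\n"
MODS_AFTER = MODS_BEFORE + "can 20480 0 - Live 0x0000000000000000\nrose 32768 0 - Live 0x0000000000000000\n"

if __name__ == "__main__":
    for name, kind in sorted(new_interfaces(IP_BEFORE, IP_AFTER).items()):
        print(f"new interface on host: {name} (link/{kind})")
    for mod in sorted(new_modules(MODS_BEFORE, MODS_AFTER)):
        print(f"module loaded during run: {mod}")
```

Any non-empty result from an unprivileged container run is the host-side evidence the report describes and is worth alerting on.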
I have also noticed https://github.com/docker/libcontainer/pull/237, which, if
I understand correctly, means that this could be prevented by using libseccomp,
which is however not enabled in openSUSE (or in SLE).