[Bug 979533] New: when running trinity in docker, some network interfaces are created (on host)

http://bugzilla.opensuse.org/show_bug.cgi?id=979533 Bug ID: 979533 Summary: when running trinity in docker, some network interfaces are created (on host) Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mpluskal@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 676580 --> http://bugzilla.opensuse.org/attachment.cgi?id=676580&action=edit trinity logs What: After executing trinity (see https://github.com/kernelslacker/trinity/) inside docker, several new, undesired network interfaces appeared on guest: # ip a ... 6: veth498404a@if5: mtu 1500 qdisc noqueue master docker0 state UP group default link/ether 0a:60:f3:26:7f:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::860:f3ff:fe26:7fc2/64 scope link valid_lft forever preferred_lft forever 7: rose0: <NOARP> mtu 249 qdisc noop state DOWN group default qlen 1 link/rose 00:00:00:00:00 brd 00:00:00:00:00 8: rose1: <NOARP> mtu 249 qdisc noop state DOWN group default qlen 1 link/rose 00:00:00:00:00 brd 00:00:00:00:00 And several unwanted modules were loaded (i.e. can which is servers canbus support). My understanding is that such behavior is undesirable and can be considered security issue. Steps to reproduce: Steps to reproduce: In test machine: # systemctl start docker # docker pull opensuse # docker run -t -i --memory 512M opensuse:latest /bin/bash (now we are inside docker container): # zypper in wget sudo # mkdir docker # chown nobody docker # cd docker # wget http://download.opensuse.org/repositories/devel:/tools/openSUSE_Leap_42.1/x8... # zypper in ./trinity-1.6+git.20160426-50.1.x86_64.rpm # sudo -u nobody trinity .... (see attached trinity logs, dmesg and output of ip a before and after trinity was executed in container). I have also noticed https://github.com/docker/libcontainer/pull/237 - which if I understand correctly means that this could be prevented by using libseccomp, which is however not enabled in openSUSE (and in SLE as well) -- You are receiving this mail because: You are on the CC list for the bug.