From 106a9b776778eea9e1485f5340277dcd900590b9 Mon Sep 17 00:00:00 2001
From: Bjorn Neergaard
Date: Mon, 18 Sep 2023 16:56:11 -0600
Subject: [PATCH 1/2] oci/spec: deny /sys/devices/virtual/powercap
The ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. This was originally [CVE-2020-8694][1], which was fixed in [949dd0104c496fa7c14991a23c03c62e44637e71][2] by restricting read access to root. However, since many containers run as root, this is not sufficient for our use case. While untrusted code should ideally never be run, we can add some defense in depth here by masking out the device class by default. [Other mechanisms][3] to access this hardware exist, but they should not be accessible to a container due to other safeguards in the kernel/container stack (e.g. capabilities, perf paranoia).
[1]: https://nvd.nist.gov/vuln/detail/CVE-2020-8694
[2]: https://github.com/torvalds/linux/commit/949dd0104c496fa7c14991a23c03c62e44637e71
[3]: https://web.eece.maine.edu/~vweaver/projects/rapl/
Signed-off-by: Bjorn Neergaard
---
 oci/spec.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/oci/spec.go b/oci/spec.go
index a28abaf91..a3e09c8a6 100644
--- a/oci/spec.go
+++ b/oci/spec.go
@@ -196,6 +196,7 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 "/proc/timer_stats",
 "/proc/sched_debug",
 "/sys/firmware",
+ "/sys/devices/virtual/powercap",
 "/proc/scsi",
 },
 ReadonlyPaths: []string{
From 6c6dfcbce267d2a709b409c6c1947ef729413519 Mon Sep 17 00:00:00 2001
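Review bot: The new `"/sys/devices/virtual/powercap"` entry has no comment, so the reason it sits in what appears to be the masked-path list (the field name is above the hunk) lives only in the commit message. A one-line comment above the entry, e.g. `// powercap (RAPL) energy counters: power side channel, CVE-2020-8694; root in a container can still read them`, would keep a later cleanup from dropping it. The diffstat shows no test change, so a check that the default spec still contains this path would pin the behaviour. populateDefaultUnixSpec begins and ends outside the hunk.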
From: Bjorn Neergaard Date: Mon, 18 Sep 2023 16:57:09 -0600 Subject: [PATCH 2/2] contrib/apparmor: deny /sys/devices/virtual/powercap While this is not strictly necessary as the default OCI config masks this path, it is possible that the user disabled path masking, passed their own list, or is using a forked (or future) daemon version that has a modified default config/allows changing the default config. Add some defense-in-depth by also masking out this problematic hardware device with the AppArmor LSM. Signed-off-by: Bjorn Neergaard --- contrib/apparmor/template.go | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go index 20ac3c9bf..75df0d99e 100644 --- a/contrib/apparmor/template.go +++ b/contrib/apparmor/template.go @@ -77,6 +77,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { deny /sys/fs/c[^g]*/** wklx, deny /sys/fs/cg[^r]*/** wklx, deny /sys/firmware/** rwklx, + deny /sys/devices/virtual/powercap/** rwklx, deny /sys/kernel/security/** rwklx, # allow processes within the container to trace each other,
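Review bot: The added `deny /sys/devices/virtual/powercap/** rwklx,` rule repeats the path that patch 1/2 adds to oci/spec.go, and nothing in the template records that link or the reason for the rule. A profile comment on the line above, e.g. `# power side channel (CVE-2020-8694); keep in sync with the default OCI masked paths`, would tie the two lists together for whoever edits either one next. The profile body begins and ends outside the hunk.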