GMS-2021-177: Devices resource list treated as a denylist by default

December 20, 2021

Contrary to the OCI runtime specification runc’s implementation of the linux.resources.devices list was a black-list by default. This means that users who created their own config.json objects and didn’t prefix a deny-all rule ({"allow": false, "permissions": "rwm"} or equivalent) were not provided protection by the devices cgroup.

References

github.com/advisories/GHSA-g54h-m393-cpwq
github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

Code Behaviors & Features

Detect and mitigate GMS-2021-177 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →