From 87cd2bf7ea33dcdcd52cd736a62f35b83a42e7c7 Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@docker.com>
Date: Wed, 21 Feb 2018 16:23:34 +0000
Subject: [PATCH] Add /proc/keys to masked paths

This leaks information about keyrings on the host. Keyrings are
not namespaced.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: de23cb939858a66829d5b75057c7ac664c5acda5
Component: engine
---
 components/engine/oci/defaults.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
index 578da3a81b..4145412dd4 100644
--- a/components/engine/oci/defaults.go
+++ b/components/engine/oci/defaults.go
@@ -115,6 +115,7 @@ func DefaultLinuxSpec() specs.Spec {
 	s.Linux = &specs.Linux{
 		MaskedPaths: []string{
 			"/proc/kcore",
+			"/proc/keys",
 			"/proc/latency_stats",
 			"/proc/timer_list",
 			"/proc/timer_stats",