kubernetes

github-personal/kubernetes

Fork 0

mirror of https://github.com/outbackdingo/kubernetes.git synced 2026-01-28 10:19:31 +00:00

Commit Graph

Author	SHA1	Message	Date
Sascha Grunert	65b8fba34b	Mask Linux thermal interrupt info in /proc and /sys. On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to https://github.com/moby/moby/pull/49560 Signed-off-by: Sascha Grunert <sgrunert@redhat.com>	2025-03-24 12:53:50 +01:00

Author

SHA1

Message

Date

Sascha Grunert

65b8fba34b

Mask Linux thermal interrupt info in /proc and /sys.

On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle"
inside containers by default. Privileged containers or containers started
with --security-opt="systempaths=unconfined" are not affected.

Mitigates potential Thermal Side-Channel Vulnerability Exploit
(https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure
default masked paths don't apply to privileged containers.

Refers to https://github.com/moby/moby/pull/49560

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

2025-03-24 12:53:50 +01:00

1 Commits