mirror of
https://github.com/outbackdingo/kubernetes.git
synced 2026-01-28 10:19:31 +00:00
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected.

Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers.

Refers to https://github.com/moby/moby/pull/49560

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
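An added example (not part of the commit, nor Kubernetes or moby code): a Go helper that audits the text of a container's /proc/self/mountinfo for the two default masked paths named in the message above. It assumes runc-style masking (/dev/null bind-mounted over files, a read-only tmpfs over directories); the function names, the CPU-count parameter and the sample mountinfo lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of /proc/self/mountinfo from inside a container.
const sample = `901 880 0:72 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
905 901 0:73 /null /proc/interrupts rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
906 902 0:80 / /sys/devices/system/cpu/cpu0/thermal_throttle ro,relatime - tmpfs tmpfs ro`

// maskKind classifies the last mount found exactly at path.
// Assumption: runc-style masking (/dev/null bind over files, ro tmpfs over dirs).
func maskKind(mountinfo, path string) string {
	kind := "unmasked"
	for _, line := range strings.Split(mountinfo, "\n") {
		pre, post, ok := strings.Cut(line, " - ") // fields before/after the separator
		f, g := strings.Fields(pre), strings.Fields(post)
		if !ok || len(f) < 6 || len(g) < 1 || f[4] != path {
			continue // malformed line or a different mount point
		}
		switch {
		case f[3] == "/null": // mount root is the null device node
			kind = "file-mask"
		case g[0] == "tmpfs" && strings.Contains(","+f[5]+",", ",ro,"):
			kind = "dir-mask"
		default:
			kind = "other-mount"
		}
	}
	return kind
}

// unmaskedPaths lists the commit's default paths that are not masked for cpus CPUs.
func unmaskedPaths(mountinfo string, cpus int) []string {
	paths := []string{"/proc/interrupts"}
	for i := 0; i < cpus; i++ {
		paths = append(paths, fmt.Sprintf("/sys/devices/system/cpu/cpu%d/thermal_throttle", i))
	}
	var out []string
	for _, p := range paths {
		if k := maskKind(mountinfo, p); k != "file-mask" && k != "dir-mask" {
			out = append(out, p)
		}
	}
	return out
}
func main() { fmt.Println(unmaskedPaths(sample, 2)) }
```

An empty result for a non-privileged container means every expected path is covered; privileged containers and those started with systempaths=unconfined are expected to report all paths, per the commit message.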