cb2255f199
On old kernels (like v4.9), kernel applies CLOECEC in wrong order w.r.t. dumpable task flags. As a result, we might leak guest file descriptor to containers. This is a former runc CVE-2016-9962 and still applies to kata agent. Although Kata container is still valid at protecting the host, we should not leak extra resources to user containers. This sets the init processes that join and setup the container's namespaces as non-dumpable before they setns to the container's pid (or any other ) namespace. This settings is automatically reset to the default after the Exec in the container so that it does not change functionality for the applications that are running inside, just our init processes. This prevents parent processes, the pid 1 of the container, to ptrace the init process before it drops caps and other sets LSMs. The order during the exec syscall is that the process is set back to dumpable before O_CLOEXEC are processed. Refs: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=613cc2b6f272c1a8ad33aefa21cad77af23139f7 https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 opencontainers/runc@50a19c6 https://nvd.nist.gov/vuln/detail/CVE-2016-9962 Fixes: #890 Signed-off-by: Peng Tao <bergwolf@hyper.sh> |
||
|---|---|---|
| .github/workflows | ||
| ci | ||
| docs | ||
| pkg/logging | ||
| snap | ||
| src | ||
| tools | ||
| .gitignore | ||
| .travis.yml | ||
| CODE_OF_CONDUCT.md | ||
| CODEOWNERS | ||
| CONTRIBUTING.md | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| utils.mk | ||
| VERSION | ||
| versions.yaml | ||
Kata Containers
Welcome to Kata Containers!
The purpose of this repository is to act as a "top level" site for the project. Specifically it is used:
-
To provide a list of the various other Kata Containers repositories, along with a brief explanation of their purpose.
-
To provide a general area for Raising Issues.
Raising issues
This repository is used for raising issues:
-
That might affect multiple code repositories.
-
Where the raiser is unsure which repositories are affected.
Note:
- If an issue affects only a single component, it should be raised in that components repository.
Kata Containers repositories
CI
The CI repository stores the Continuous Integration (CI) system configuration information.
Community
The Community repository is the first place to go if you want to use or contribute to the project.
Code Repositories
Kata Containers-developed components
Agent
The kata-agent runs inside the
virtual machine and sets up the container environment.
KSM throttler
The kata-ksm-throttler
is an optional utility that monitors containers and deduplicates memory to
maximize container density on a host.
Runtime
The kata-runtime is usually
invoked by a container manager and provides high-level verbs to manage
containers.
Trace forwarder
The kata-trace-forwarder is a component only used
when tracing the agent process.
Additional
Hypervisor
The qemu hypervisor is used to
create virtual machines for hosting the containers.
Kernel
The hypervisor uses a Linux* kernel to boot the guest image.
Documentation
The docs directory holds documentation common to all code components.
Packaging
We use the packaging to create packages for the system components including rootfs and kernel images.
Test code
The tests repository hosts all test code except the unit testing code (which is kept in the same repository as the component it tests).
Utilities
OS builder
The osbuilder tool can create a rootfs and a "mini O/S" image. This image is used by the hypervisor to setup the environment before switching to the workload.
kata-agent-ctl
kata-agent-ctl is a low-level test tool for
interacting with the agent.
Web content
The www.katacontainers.io repository contains all sources for the https://www.katacontainers.io site.
Credits
Kata Containers uses packagecloud for package hosting.