mirror of
https://github.com/linuxkit/linuxkit.git
synced 2026-04-05 18:45:39 +00:00
4df5d394e8
Done as follows:
find -name build.yml | xargs dirname | while read d ; do
t=$(linuxkit pkg show-tag $d)
./scripts/update-component-sha.sh --image ${t%:*} ${t#*:}
done
git commit -s test pkg tools blueprints examples projects/kubernetes projects/swarmd docs linuxkit.yml Makefile src
This explicitly excludes projects/* which I did not know whether to update.
Then:
git reset --hard
for i in init runc containerd ca-certificates sysctl dhcpcd getty rngd ; do
o=$(git grep -h "\(image:\|-\) *linuxkit/$i:[0-9a-f]\{40\}" origin/master:linuxkit.yml | awk '// { print $2 }')
n=$(linuxkit pkg show-tag pkg/$i)
./scripts/update-component-sha.sh "$o" "$n"
done
git commit --amend projects
This updates any projects which were using components with the same hash as the
top-level linuxkit.yml.
Signed-off-by: Ian Campbell <ijc@docker.com>
Landlock LSM
Landlock is a Linux Security Module currently under development by Mickaël Salaün (@l0kod). Landlock is based on eBPF, extended Berkeley Packet filters (see ebpf project), to attach small programs to hooks in the kernel.
These eBPF programs provide context that can allow for very robust decision-making when integrated with LSM hooks. In particular, this lends itself very nicely to container-based environments. One such example is that Landlock could be used to write policies to restrict containers from accessing file descriptors they do not own, acting as a last line of defense to restrict container escapes,
Landlock is stackable on top of other LSMs, like SELinux and Apparmor.
Roadmap
Near-term:
- We will carry the Landlock patches in a
kernel-landlockimage for people to test, and update them continuously - Draft and include a simple Landlock policy that can be demonstrated with the current patch-set, to show an example
- Offer design and code review help on Landlock, using Moby as a test-bed
Long-term:
- Develop a robust container-minded Landlock policy, and include it in LinuxKit by default