kubernetes/pkg/securitycontext
Sascha Grunert c7b1b1f297
Mask Linux thermal interrupt info in /proc and /sys.
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle"
inside containers by default. Privileged containers or containers started
with --security-opt="systempaths=unconfined" are not affected.

Mitigates potential Thermal Side-Channel Vulnerability Exploit
(https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure
default masked paths don't apply to privileged containers.

Refers to https://github.com/moby/moby/pull/49560

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2025-07-16 11:07:28 +02:00
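To make the mechanism behind this commit concrete: OCI `maskedPaths` are literal paths, so the `cpu<x>` pattern from the commit message has to be expanded against the host's sysfs at container-create time, and the whole list has to be skipped for privileged or unmasked-proc containers. The following is an added Go example written for this page, not code from kubernetes/pkg/securitycontext or from moby. The base masked-path list, the `sysRoot` parameter (so the function can be run against a constructed directory tree), the function names, and the treatment of `procMount: Unmasked` as the Kubernetes counterpart of Docker's `--security-opt systempaths=unconfined` are all assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"sort"
)

// Baseline masked paths used by this example. "/proc/interrupts" is the new entry
// described in the commit above; the other entries are a typical runtime default
// list, assumed here for illustration rather than copied from Kubernetes.
var baseMaskedPaths = []string{
	"/proc/acpi",
	"/proc/asound",
	"/proc/interrupts",
	"/proc/kcore",
	"/proc/keys",
	"/proc/latency_stats",
	"/proc/timer_list",
	"/proc/timer_stats",
	"/proc/sched_debug",
	"/proc/scsi",
	"/sys/firmware",
	"/sys/devices/virtual/powercap",
}

// cpuDirRe matches per-CPU directories (cpu0, cpu1, ...) and deliberately excludes
// siblings such as cpufreq or cpuidle that a naive "cpu*" glob would also match.
var cpuDirRe = regexp.MustCompile(`^cpu[0-9]+$`)

const cpuSysDir = "/sys/devices/system/cpu"

// thermalThrottlePaths lists every /sys/devices/system/cpu/cpu<N>/thermal_throttle
// directory present under sysRoot ("/" on a real host). Hosts without the
// directory (non-x86, or a kernel without the thermal driver) contribute nothing.
func thermalThrottlePaths(sysRoot string) ([]string, error) {
	entries, err := os.ReadDir(filepath.Join(sysRoot, cpuSysDir))
	if err != nil {
		if os.IsNotExist(err) {
			return nil, nil
		}
		return nil, err
	}
	var out []string
	for _, e := range entries {
		if !e.IsDir() || !cpuDirRe.MatchString(e.Name()) {
			continue
		}
		hostPath := filepath.Join(sysRoot, cpuSysDir, e.Name(), "thermal_throttle")
		if st, err := os.Stat(hostPath); err == nil && st.IsDir() {
			// Record the path as the container will see it, i.e. without sysRoot.
			out = append(out, filepath.ToSlash(filepath.Join(cpuSysDir, e.Name(), "thermal_throttle")))
		}
	}
	sort.Strings(out)
	return out, nil
}

// MaskedPaths computes the maskedPaths for one container. Privileged containers and
// containers whose procMount is Unmasked (assumed here to be the Kubernetes
// counterpart of Docker's --security-opt systempaths=unconfined) get none at all.
func MaskedPaths(sysRoot string, privileged, unmaskedProcMount bool) ([]string, error) {
	if privileged || unmaskedProcMount {
		return []string{}, nil
	}
	thermal, err := thermalThrottlePaths(sysRoot)
	if err != nil {
		return nil, err
	}
	paths := append([]string(nil), baseMaskedPaths...)
	return append(paths, thermal...), nil
}

// MissingThermalMasks is an operator-side check: given the maskedPaths actually
// applied to an unprivileged container (for example read from its OCI config.json),
// it returns the thermal-related paths that should be masked on this host but are not.
func MissingThermalMasks(sysRoot string, applied []string) ([]string, error) {
	thermal, err := thermalThrottlePaths(sysRoot)
	if err != nil {
		return nil, err
	}
	have := make(map[string]bool, len(applied))
	for _, p := range applied {
		have[filepath.Clean(p)] = true
	}
	var missing []string
	for _, p := range append([]string{"/proc/interrupts"}, thermal...) {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}

func main() {
	// Stand-alone run: print the masked paths this host would get for an
	// unprivileged container with the default procMount.
	paths, err := MaskedPaths("/", false, false)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, p := range paths {
		fmt.Println(p)
	}
}
```

The regex on the directory name is the point worth keeping when adapting this: `cpu*` alone would also pick up `cpufreq` or `cpuidle` if a `thermal_throttle` entry ever appeared under them, and a CPU directory without `thermal_throttle` must produce no entry, since the runtime will refuse to mask a path that does not exist.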
accessors.go securitycontext: add support for HostUsers 2024-07-10 13:47:48 -04:00
accessors_test.go securitycontext: add support for HostUsers 2024-07-10 13:47:48 -04:00
doc.go Use Go canonical import paths 2016-07-16 13:48:21 -04:00
fake.go ProcMount validation and testing 2018-12-20 14:43:52 -05:00
util.go Mask Linux thermal interrupt info in /proc and /sys. 2025-07-16 11:07:28 +02:00
util_darwin.go Mask Linux thermal interrupt info in /proc and /sys. 2025-07-16 11:07:28 +02:00
util_linux.go Mask Linux thermal interrupt info in /proc and /sys. 2025-07-16 11:07:28 +02:00
util_test.go Mask Linux thermal interrupt info in /proc and /sys. 2025-07-16 11:07:28 +02:00
util_windows.go Mask Linux thermal interrupt info in /proc and /sys. 2025-07-16 11:07:28 +02:00