moby/oci
Bjorn Neergaard 4b242784ca
oci/defaults: deny /sys/devices/virtual/powercap
The ability to read these files may offer a power-based side-channel
attack against any workloads running on the same kernel.

This was originally [CVE-2020-8694][1], which was fixed in
[949dd0104c496fa7c14991a23c03c62e44637e71][2] by restricting read access
to root. However, since many containers run as root, this is not
sufficient for our use case.

While untrusted code should ideally never be run, we can add some
defense in depth here by masking out the device class by default.

[Other mechanisms][3] to access this hardware exist, but they should not
be accessible to a container due to other safeguards in the
kernel/container stack (e.g. capabilities, perf paranoia).

[1]: https://nvd.nist.gov/vuln/detail/CVE-2020-8694
[2]: 949dd0104c
[3]: https://web.eece.maine.edu/~vweaver/projects/rapl/

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 83cac3c3e3)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-09-18 16:46:09 -06:00
caps Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE 2020-10-16 17:52:27 +02:00
fixtures Fix permissions on oci fixtures files 2020-11-27 10:29:47 +07:00
defaults.go oci/defaults: deny /sys/devices/virtual/powercap 2023-09-18 16:46:09 -06:00
devices_linux.go vendor runc 67169a9d43456ff0d5ae12b967acb8e366e2f181 2020-07-30 16:16:11 +00:00
devices_unsupported.go Update to Go 1.17.0, and gofmt with Go 1.17 2022-04-07 23:27:50 +02:00
namespaces.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci.go gofmt GoDoc comments with go1.19 2023-02-24 17:05:41 -05:00
oci_test.go Fix daemon panic when starting container with invalid device cgroup rule 2021-02-17 21:16:01 +01:00
seccomp_test.go refactor: move from io/ioutil to io and os package 2023-02-24 16:11:55 -05:00