Bjorn Neergaard 164a1a0f14 oci/defaults: deny /sys/devices/virtual/powercap ... The ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. This was originally [CVE-2020-8694][1], which was fixed in [949dd0104c496fa7c14991a23c03c62e44637e71][2] by restricting read access to root. However, since many containers run as root, this is not sufficient for our use case. While untrusted code should ideally never be run, we can add some defense in depth here by masking out the device class by default. [Other mechanisms][3] to access this hardware exist, but they should not be accessible to a container due to other safeguards in the kernel/container stack (e.g. capabilities, perf paranoia). [1]: https://nvd.nist.gov/vuln/detail/CVE-2020-8694 [2]: 949dd0104c [3]: https://web.eece.maine.edu/~vweaver/projects/rapl/ Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com> (cherry picked from commit 83cac3c3e3) Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>		2023-09-18 16:43:34 -06:00
..
caps	oci/caps: limit available capabilities to current environment	2021-10-15 16:12:26 +02:00
fixtures	Fix permissions on oci fixtures files	2020-11-27 10:29:47 +07:00
defaults.go	oci/defaults: deny /sys/devices/virtual/powercap	2023-09-18 16:43:34 -06:00
devices_linux.go	oci: use filepath.WalkDir instead of filepath.Walk	2022-10-09 17:21:04 +02:00
fuzz_test.go	testing: move fuzzers over from OSS-Fuzz	2022-11-30 17:31:03 +01:00
namespaces.go	daemon: ensure OCI options play nicely together	2023-06-21 22:16:28 +02:00
oci.go	Do not drop effective&permitted set	2023-08-13 22:26:45 +02:00
oci_test.go	Fix daemon panic when starting container with invalid device cgroup rule	2021-01-22 16:02:19 +01:00
seccomp_test.go	refactor: move from io/ioutil to io and os package	2021-08-27 14:56:57 +08:00