package dmz

import "github.com/opencontainers/runc/libcontainer/dmz"

Functions

func CloneBinary

func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.File, error)

CloneBinary creates a "sealed" clone of a given binary, which can be used to thwart attempts by the container process to gain access to host binaries through procfs magic-link shenanigans. For more details on why this is necessary, see CVE-2019-5736.

func CloneSelfExe

func CloneSelfExe(tmpDir string) (*os.File, error)

CloneSelfExe makes a clone of the current process's binary (through /proc/self/exe). This binary can then be used for "runc init" in order to make sure the container process can never resolve the original runc binary. For more details on why this is necessary, see CVE-2019-5736.

func IsCloned

func IsCloned(exe *os.File) bool

IsCloned returns whether the given file can be guaranteed to be a safe exe.

func IsSelfExeCloned

func IsSelfExeCloned() bool

IsSelfExeCloned returns whether /proc/self/exe is a cloned binary that can be guaranteed to be safe. This means that it must be a sealed memfd. Other types of clones cannot be completely verified as safe.

Types

type SealFunc

type SealFunc func(**os.File) error

func Memfd

func Memfd(comment string) (*os.File, SealFunc, error)

Memfd creates a sealable executable memfd (supported since Linux 3.17).
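The sealed-memfd clone that CloneBinary, Memfd and IsCloned describe, as an added example that is not runc's own code: cloneSealed copies a reader into a fresh memfd and applies every seal, and isSealedClone performs the same "fully sealed memfd" check that IsCloned documents. It assumes Linux on amd64 or arm64 (the memfd_create numbers and fcntl constants are hard-coded because the standard syscall package does not export them); the memfd name and the script payload are constructed for the demo.

```go
package main
import (
	"bytes"
	"fmt"
	"io"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)
// fcntl/memfd constants from <linux/fcntl.h> and <linux/memfd.h> (the syscall package lacks them).
const mfdCloexec, mfdAllowSealing, fAddSeals, fGetSeals = 0x1, 0x2, 1033, 1034
const requiredSeals = 0x1 | 0x2 | 0x4 | 0x8 // F_SEAL_SEAL|SHRINK|GROW|WRITE: the full set a safe clone needs
// memfd_create syscall numbers for the two ports this example assumes (linux/amd64, linux/arm64).
var memfdCreateNr = map[string]uintptr{"amd64": 319, "arm64": 279}[runtime.GOARCH]
// cloneSealed copies src into a fresh memfd and seals it, so its bytes can never change
// again; the clone can then be exec'd via /proc/self/fd/N instead of the host binary.
func cloneSealed(src io.Reader) (*os.File, error) {
	if memfdCreateNr == 0 {
		return nil, fmt.Errorf("memfd_create number unknown for %s", runtime.GOARCH)
	}
	name, _ := syscall.BytePtrFromString("cloned-exe-example") // constructed memfd name
	fd, _, errno := syscall.Syscall(memfdCreateNr, uintptr(unsafe.Pointer(name)), mfdCloexec|mfdAllowSealing, 0)
	if errno != 0 {
		return nil, fmt.Errorf("memfd_create: %w", errno)
	}
	f := os.NewFile(fd, "/memfd:cloned-exe-example")
	if _, err := io.Copy(f, src); err != nil {
		f.Close()
		return nil, err
	}
	if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, f.Fd(), fAddSeals, requiredSeals); errno != 0 {
		f.Close()
		return nil, fmt.Errorf("F_ADD_SEALS: %w", errno)
	}
	return f, nil
}
// isSealedClone mirrors the IsCloned check: true only for a memfd carrying every required seal.
func isSealedClone(f *os.File) bool {
	seals, _, errno := syscall.Syscall(syscall.SYS_FCNTL, f.Fd(), fGetSeals, 0)
	return errno == 0 && int(seals)&requiredSeals == requiredSeals
}
func main() {
	f, err := cloneSealed(bytes.NewReader([]byte("#!/bin/sh\necho cloned\n"))) // constructed payload
	if err != nil {
		panic(err)
	}
	_, werr := f.Write([]byte("x")) // fails with EPERM: the sealed clone is immutable
	fmt.Println("sealed clone:", isSealedClone(f), "| write after seal:", werr)
}
```

A plain file, even one on tmpfs, never carries all four seals, so isSealedClone rejects it just as IsCloned rejects non-memfd clones.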

Source Files

cloned_binary_linux.go
overlayfs_linux.go

Version
v1.2.6 (latest)
Published
Mar 14, 2025
Platform
linux/amd64
Imports
12 packages