package dmz
import "github.com/opencontainers/runc/libcontainer/dmz"
Index
- Variables
- func Binary(tmpDir string) (*os.File, error)
- func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.File, error)
- func CloneSelfExe(tmpDir string) (*os.File, error)
- func IsCloned(exe *os.File) bool
- func IsSelfExeCloned() bool
- type SealFunc
Variables
ErrNoDmzBinary is returned by Binary when there is no runc-dmz binary embedded in the runc program.
Functions
func Binary
Binary returns a cloned copy (see CloneBinary) of a very minimal C program that only does an execve() of its arguments. It is used in the final step of container execution as an intermediate process, before the container process itself is execve'd. This protects against CVE-2019-5736 without requiring a complete copy of the runc binary. Each call to Binary returns a new copy.
If the runc-dmz binary is not embedded into the runc binary, Binary returns ErrNoDmzBinary as the error.
func CloneBinary
CloneBinary creates a "sealed" clone of a given binary, which can be used to thwart attempts by the container process to gain access to host binaries through procfs magic links such as /proc/self/exe. For more details on why this is necessary, see CVE-2019-5736.
func CloneSelfExe
CloneSelfExe makes a clone of the current process's binary (through /proc/self/exe). This binary can then be used for "runc init" in order to make sure the container process can never resolve the original runc binary. For more details on why this is necessary, see CVE-2019-5736.
func IsCloned
IsCloned returns whether the given file can be guaranteed to be a safe exe.
func IsSelfExeCloned
func IsSelfExeCloned() bool
IsSelfExeCloned returns whether /proc/self/exe is a cloned binary that can be guaranteed to be safe. This requires it to be a sealed memfd; other kinds of clones cannot be completely verified as safe.
Types
type SealFunc
func Memfd
Memfd creates a sealable executable memfd (supported since Linux 3.17).
Source Files
cloned_binary_linux.go dmz.go dmz_fallback_linux.go dmz_linux.go
- Version
- v1.2.0-rc.1
- Published
- Apr 3, 2024
- Platform
- linux/amd64
- Imports
- 12 packages