Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

restrictedsession

package

v1.2.3-fred.12 Latest Latest Go to latest Published: Nov 1, 2022 License: Apache-2.0 Imports: 6 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Documentation ¶

Index ¶

func ParseIPSpec(cidr string) (*net.IPNet, error)
type Config
- func (c *Config) CheckAndSetDefaults() error
type Manager
- func New(config *Config, wc RestrictionsWatcherClient) (Manager, error)
type NOP
type NetworkRestrictions
type RestrictionsWatcherClient

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ParseIPSpec ¶

func ParseIPSpec(cidr string) (*net.IPNet, error)

ParseIPSpec takes in either a CIDR format (e.g. 192.168.1.2/16 or fe::/8) or a single IP address (e.g. 10.1.2.3 or fe::1) and returns *net.IPNet. In case of a single IP address, the associated network length is either /32 for IPv4 or /128 for IPv6.

Types ¶

type Config ¶

type Config struct {
	// Enabled if this service will try and install BPF programs on this system.
	Enabled bool

	// EventsBufferSize is the size (in pages) of the perf buffer for events.
	EventsBufferSize *int
}

Config holds configuration for the RestrictedSession service.

func (*Config) CheckAndSetDefaults ¶

func (c *Config) CheckAndSetDefaults() error

CheckAndSetDefaults checks BPF configuration.

type Manager ¶

type Manager interface {
	// OpenSession starts enforcing restrictions for a cgroup with cgroupID
	OpenSession(ctx *bpf.SessionContext, cgroupID uint64)
	// CloseSession stops enforcing restrictions for a cgroup with cgroupID
	CloseSession(ctx *bpf.SessionContext, cgroupID uint64)
	// Close stops the manager, cleaning up any resources
	Close()
}

Manager starts and stop enforcing restrictions for a given session.

func New ¶

func New(config *Config, wc RestrictionsWatcherClient) (Manager, error)

New returns a new NOP service. Note this function does nothing.

type NOP ¶

type NOP struct{}

Stubbed out Manager interface for cases where the real thing is not used.

func (NOP) Close ¶

func (NOP) Close()

func (NOP) CloseSession ¶

func (NOP) CloseSession(ctx *bpf.SessionContext, cgroupID uint64)

func (NOP) OpenSession ¶

func (NOP) OpenSession(ctx *bpf.SessionContext, cgroupID uint64)

func (NOP) UpdateNetworkRestrictions ¶

func (NOP) UpdateNetworkRestrictions(r *NetworkRestrictions) error

type NetworkRestrictions ¶

type NetworkRestrictions struct {
	// Enabled controls if restrictions are enforced.
	Enabled bool

	// Allow holds a list of IPs (with masks) to allow, overriding deny list
	Allow []net.IPNet

	// Deny holds a list of IPs (with masks) to deny (block)
	Deny []net.IPNet
}

NetworkRestrictions specifies which addresses should be blocked.

type RestrictionsWatcherClient ¶

type RestrictionsWatcherClient interface {
	services.Restrictions
	types.Events
}

RestrictionsWatcherClient is used by changeset to fetch a list of proxies and subscribe to updates

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL