dmz

package
v1.2.0-rc.3 (not the latest version of this module)
Published: Sep 3, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

README

Runc-dmz

runc-dmz is a small and very simple binary used to execute the container's entrypoint.

Making it small

To make it small we use the Linux kernel's nolibc include files, so we don't use the libc.

A full copy of it lives in nolibc/, minus the Makefile, which is GPL-licensed. DO NOT FORGET to remove the GPL code if updating the nolibc/ directory.

The current version in that directory is from the Linux 6.6-rc3 tag (556fb7131e03b0283672fb40f6dc2d151752aaa7).

It also supports all the architectures that runc supports.

If the GOARCH we compile for is not supported by nolibc, the build falls back to the C standard library.

Documentation

Index

Constants

This section is empty.

Variables

var ErrNoDmzBinary = errors.New("runc-dmz binary not embedded in this program")

ErrNoDmzBinary is returned by Binary when there is no runc-dmz binary embedded in the runc program.

Functions

func Binary

func Binary(tmpDir string) (*os.File, error)

Binary returns a cloned copy (see CloneBinary) of a very minimal C program that just does an execve() of its arguments. It is used in the final step of container execution as an intermediate process, before the container process itself is execve'd. This provides protection against CVE-2019-5736 without requiring a complete copy of the runc binary. Each call to Binary returns a new copy.

If the runc-dmz binary is not embedded into the runc binary, Binary will return ErrNoDmzBinary as the error.

func CloneBinary

func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.File, error)

CloneBinary creates a "sealed" clone of a given binary, which can be used to thwart attempts by the container process to gain access to host binaries through procfs magic-link shenanigans. For more details on why this is necessary, see CVE-2019-5736.

func CloneSelfExe

func CloneSelfExe(tmpDir string) (*os.File, error)

CloneSelfExe makes a clone of the current process's binary (through /proc/self/exe). This binary can then be used for "runc init" in order to make sure the container process can never resolve the original runc binary. For more details on why this is necessary, see CVE-2019-5736.

func IsCloned

func IsCloned(exe *os.File) bool

IsCloned returns whether the given file can be guaranteed to be a safe exe.

func IsSelfExeCloned

func IsSelfExeCloned() bool

IsSelfExeCloned returns whether /proc/self/exe is a cloned binary that can be guaranteed to be safe. This means that it must be a sealed memfd. Other types of clones cannot be completely verified as safe.

Types

type SealFunc

type SealFunc func(**os.File) error

func Memfd

func Memfd(comment string) (*os.File, SealFunc, error)

Memfd creates a sealable executable memfd (supported since Linux 3.17).
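The sealed-memfd mechanism behind CloneBinary, IsCloned, IsSelfExeCloned and Memfd, as an added example that is not the runc dmz package's own code. It assumes Linux and uses raw syscalls because the standard-library syscall package exports neither memfd_create nor the sealing fcntl constants; the syscall-number table and the function names are this example's, and the memfd-name check that runc also performs is omitted. The example creates a sealable memfd, copies a constructed payload into it, applies every seal, and then shows the two checks a verifier cares about: a write to the sealed file is refused with EPERM, and a plain on-disk binary (such as /proc/self/exe when this program is run directly) is not reported as a safe clone.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)

// Linux constants from <linux/memfd.h> and <linux/fcntl.h>, spelled out
// because the stdlib syscall package does not export them. allSeals is the
// set that makes a memfd immutable: no more seals, no resize, no writes.
const (
	mfdCloexec, mfdAllowSealing = 0x1, 0x2
	fAddSeals, fGetSeals        = 1024 + 9, 1024 + 10
	fSealSeal, fSealShrink      = 0x1, 0x2
	fSealGrow, fSealWrite       = 0x4, 0x8
	allSeals                    = fSealSeal | fSealShrink | fSealGrow | fSealWrite
)

// memfd_create(2) numbers per architecture (assumed table; zero means unknown).
var memfdCreateSysno = map[string]uintptr{"amd64": 319, "386": 356, "arm": 385, "arm64": 279, "riscv64": 279}[runtime.GOARCH]

// newSealableMemfd is the shape of Memfd(comment): an anonymous in-memory
// file created with MFD_ALLOW_SEALING so it can later be made immutable.
func newSealableMemfd(comment string) (*os.File, error) {
	if memfdCreateSysno == 0 {
		return nil, fmt.Errorf("memfd_create number unknown for GOARCH=%s", runtime.GOARCH)
	}
	name, err := syscall.BytePtrFromString(comment)
	if err != nil {
		return nil, err
	}
	fd, _, errno := syscall.Syscall(memfdCreateSysno, uintptr(unsafe.Pointer(name)), mfdCloexec|mfdAllowSealing, 0)
	if errno != 0 {
		return nil, fmt.Errorf("memfd_create: %w", errno)
	}
	return os.NewFile(fd, "/memfd:"+comment), nil
}

func fcntl(f *os.File, cmd, arg uintptr) (int, error) {
	r, _, errno := syscall.Syscall(syscall.SYS_FCNTL, f.Fd(), cmd, arg)
	if errno != 0 {
		return 0, errno
	}
	return int(r), nil
}

// isSealedMemfd is the core of IsCloned: F_GET_SEALS fails with EINVAL on
// anything that is not a memfd, and a clone only counts as safe with every
// seal set. (runc also checks the memfd's name; that part is omitted here.)
func isSealedMemfd(f *os.File) bool {
	seals, err := fcntl(f, fGetSeals, 0)
	return err == nil && seals&allSeals == allSeals
}

// cloneToSealedMemfd is the memfd path of CloneBinary: copy src into a
// fresh memfd, then seal it so that no holder of the fd, including a
// container process that later reaches it through /proc, can modify it.
func cloneToSealedMemfd(src []byte, comment string) (*os.File, error) {
	f, err := newSealableMemfd(comment)
	if err != nil {
		return nil, err
	}
	if _, err := f.Write(src); err != nil {
		f.Close()
		return nil, err
	}
	if _, err := fcntl(f, fAddSeals, allSeals); err != nil {
		f.Close()
		return nil, err
	}
	return f, nil
}

// writeAfterSealFails shows what F_SEAL_WRITE buys: the kernel rejects the
// write with EPERM even though the descriptor itself is writable.
func writeAfterSealFails(f *os.File) bool {
	_, err := f.WriteAt([]byte("x"), 0)
	return errors.Is(err, syscall.EPERM)
}

// selfExeIsSealedMemfd is the IsSelfExeCloned check; a binary started from
// disk is not a sealed memfd, so this is false unless re-executed from one.
func selfExeIsSealedMemfd() bool {
	exe, err := os.Open("/proc/self/exe")
	if err != nil {
		return false
	}
	defer exe.Close()
	return isSealedMemfd(exe)
}

func main() {
	// Constructed payload standing in for the embedded runc-dmz binary.
	f, err := cloneToSealedMemfd([]byte("#!/bin/sh\necho hi\n"), "runc_cloned:example")
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed:", isSealedMemfd(f), "write rejected:", writeAfterSealFails(f), "self exe sealed:", selfExeIsSealedMemfd())
}
```

The point of checking for all four seals rather than only F_SEAL_WRITE is that a partially sealed memfd could still be grown, shrunk or re-sealed by another fd holder; IsCloned's guarantee only holds for the full set, which is also why IsSelfExeCloned treats anything other than a sealed memfd as unverifiable.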
