dmz

package
v1.2.2 Latest

Warning: this package is not in the latest version of its module.

Published: Nov 15, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CloneBinary

func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.File, error)

CloneBinary creates a "sealed" clone of a given binary, which can be used to thwart attempts by the container process to gain access to host binaries through procfs magic links: while runc is executing inside the container's namespaces, the container process can open /proc/[pid]/exe (a magic link that resolves to the host runc binary) and overwrite it, since the link is followed regardless of the mount namespace. For more details on why this is necessary, see CVE-2019-5736.

func CloneSelfExe

func CloneSelfExe(tmpDir string) (*os.File, error)

CloneSelfExe makes a clone of the current process's binary (through /proc/self/exe). This clone can then be used for "runc init" so that the container process can never resolve /proc/self/exe to the original runc binary on the host. For more details on why this is necessary, see CVE-2019-5736.

func IsCloned

func IsCloned(exe *os.File) bool

IsCloned reports whether the given file can be guaranteed to be a safe executable, in the sense described by IsSelfExeCloned below: a clone that the container process cannot modify after the fact.

func IsSelfExeCloned

func IsSelfExeCloned() bool

IsSelfExeCloned reports whether /proc/self/exe is a cloned binary that can be guaranteed to be safe. This means that it must be a sealed memfd: once the seals are in place, nothing can write to, resize or unseal the file. Other types of clones (for example a copy on disk) cannot be completely verified as safe, because nothing stops them from being modified after they were written.

Types

type SealFunc

type SealFunc func(**os.File) error

func Memfd

func Memfd(comment string) (*os.File, SealFunc, error)

Memfd creates a sealable executable memfd (memfd_create(2), supported since Linux 3.17) and returns it together with the SealFunc that applies the seals once the binary has been copied in. Sealing must happen after the copy, because a write seal would reject the copy itself.
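The following is an added example that shows the mechanism behind CloneBinary, CloneSelfExe and IsCloned on this page; it is not runc's code and does not import the dmz package (the functions mirror the names above but drop the tmpDir parameter and the SealFunc indirection). It assumes Linux, the memfd_create(2) syscall numbers listed in the table for the supported architectures, and the F_ADD_SEALS/F_GET_SEALS and F_SEAL_* values from the kernel headers, all spelled out as constants because the standard library's syscall package does not export them.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)

// Values from <linux/memfd.h> and <linux/fcntl.h> (assumed, not exported by syscall).
const (
	mfdCloexec      = 0x1 // MFD_CLOEXEC
	mfdAllowSealing = 0x2 // MFD_ALLOW_SEALING

	fAddSeals = 1024 + 9  // F_ADD_SEALS
	fGetSeals = 1024 + 10 // F_GET_SEALS

	sealSeal   = 0x1 // F_SEAL_SEAL:   no further seals may be added or removed
	sealShrink = 0x2 // F_SEAL_SHRINK: file cannot be truncated
	sealGrow   = 0x4 // F_SEAL_GROW:   file cannot be extended
	sealWrite  = 0x8 // F_SEAL_WRITE:  no writes and no writable mappings
)

// RequiredSeals makes the clone immutable: nobody, including the container
// process, can modify the contents or strip the seals afterwards.
const RequiredSeals = sealSeal | sealShrink | sealGrow | sealWrite

// memfd_create(2) syscall numbers per architecture (assumed table; the
// syscall package has no MemfdCreate wrapper).
var memfdCreateNR = map[string]uintptr{
	"amd64": 319, "386": 356, "arm": 385, "arm64": 279, "riscv64": 279,
}

func memfdCreate(name string, flags uintptr) (int, error) {
	nr, ok := memfdCreateNR[runtime.GOARCH]
	if !ok {
		return -1, fmt.Errorf("memfd_create number unknown for %s", runtime.GOARCH)
	}
	p, err := syscall.BytePtrFromString(name)
	if err != nil {
		return -1, err
	}
	fd, _, errno := syscall.Syscall(nr, uintptr(unsafe.Pointer(p)), flags, 0)
	if errno != 0 {
		return -1, errno
	}
	return int(fd), nil
}

func fcntl(fd int, cmd, arg uintptr) (int, error) {
	r, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), cmd, arg)
	if errno != 0 {
		return -1, errno
	}
	return int(r), nil
}

// CloneBinary copies size bytes of src into a fresh sealable memfd and only
// then applies RequiredSeals, because F_SEAL_WRITE would reject our own copy.
func CloneBinary(src io.Reader, size int64, name string) (*os.File, error) {
	fd, err := memfdCreate(name, mfdCloexec|mfdAllowSealing)
	if err != nil {
		return nil, fmt.Errorf("memfd_create: %w", err)
	}
	f := os.NewFile(uintptr(fd), "memfd:"+name)
	n, err := io.Copy(f, src)
	if err == nil && n != size {
		err = fmt.Errorf("short copy: wrote %d of %d bytes", n, size)
	}
	if err == nil {
		_, err = fcntl(fd, fAddSeals, RequiredSeals)
	}
	if err != nil {
		f.Close()
		return nil, err
	}
	return f, nil
}

// CloneSelfExe clones the running program through the /proc/self/exe magic link.
func CloneSelfExe(name string) (*os.File, error) {
	self, err := os.Open("/proc/self/exe")
	if err != nil {
		return nil, err
	}
	defer self.Close()
	st, err := self.Stat()
	if err != nil {
		return nil, err
	}
	return CloneBinary(self, st.Size(), name)
}

// IsCloned reports whether exe carries every seal in RequiredSeals. F_GET_SEALS
// fails on filesystems without sealing support, and an unsealed file returns a
// smaller set; both cases mean the file could still be modified, so "no".
func IsCloned(exe *os.File) bool {
	seals, err := fcntl(int(exe.Fd()), fGetSeals, 0)
	if err != nil {
		return false
	}
	return seals&RequiredSeals == RequiredSeals
}

func main() {
	f, err := CloneSelfExe("demo-clone")
	if err != nil {
		fmt.Fprintln(os.Stderr, "clone failed:", err)
		os.Exit(1)
	}
	defer f.Close()
	fmt.Printf("sealed clone on fd %d, IsCloned=%v\n", f.Fd(), IsCloned(f))
	// A write to the sealed clone fails with EPERM; this is the property
	// that stops a container process from overwriting the binary it resolves.
	_, werr := f.Write([]byte("x"))
	fmt.Println("write after sealing:", werr)
}
```

A real implementation also needs a fallback for hosts where an executable memfd cannot be created (the tmpDir parameter on the page exists for that case), and it is exactly that fallback that IsSelfExeCloned refuses to treat as verified: a file on disk has no seals, so F_GET_SEALS cannot prove it is unmodified.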
