Affected by GO-2022-1000 and 3 other vulnerabilities

GO-2022-1000: KubeVirt vulnerable to arbitrary file read on host in kubevirt.io/kubevirt

GO-2024-2688: KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt

GO-2024-2756: Privilege Escalation in kubevirt in kubevirt.io/kubevirt

GO-2024-2816: kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt

isolation

package

v0.26.0 Latest Latest Go to latest Published: Feb 5, 2020 License: Apache-2.0 Imports: 20 Imported by: 2

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubevirt/kubevirt

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GetImageInfo(imagePath string, context *IsolationResult) (*containerdisk.DiskInfo, error)
type IsolationResult
- func NewIsolationResult(pid int, slice string, controller []string) *IsolationResult
- func NodeIsolationResult() *IsolationResult
type MockPodIsolationDetector
- func NewMockPodIsolationDetector(ctrl *gomock.Controller) *MockPodIsolationDetector
type MountInfo
type PodIsolationDetector
- func NewSocketBasedIsolationDetector(socketDir string) PodIsolationDetector

Constants ¶

View Source

const (
	QEMUIMGPath = "/usr/bin/qemu-img"
)

Variables ¶

This section is empty.

Functions ¶

func GetImageInfo ¶ added in v0.20.0

func GetImageInfo(imagePath string, context *IsolationResult) (*containerdisk.DiskInfo, error)

Types ¶

type IsolationResult ¶

type IsolationResult struct {
	// contains filtered or unexported fields
}

func NewIsolationResult ¶

func NewIsolationResult(pid int, slice string, controller []string) *IsolationResult

func NodeIsolationResult ¶

func NodeIsolationResult() *IsolationResult

func (*IsolationResult) Controller ¶

func (r *IsolationResult) Controller() []string

func (*IsolationResult) IsMounted ¶ added in v0.20.0

func (r *IsolationResult) IsMounted(mountPoint string) (bool, error)

IsMounted checks if a path in the mount namespace of a given process isolation result is a mount point. Works with symlinks.

func (*IsolationResult) MountInfoRoot ¶ added in v0.20.0

func (r *IsolationResult) MountInfoRoot() (*MountInfo, error)

MountInfoRoot returns information about the root entry in /proc/mountinfo

func (*IsolationResult) MountNamespace ¶ added in v0.20.0

func (r *IsolationResult) MountNamespace() string

func (*IsolationResult) MountRoot ¶

func (r *IsolationResult) MountRoot() string

func (*IsolationResult) NetNamespace ¶

func (r *IsolationResult) NetNamespace() string

func (*IsolationResult) PIDNamespace ¶

func (r *IsolationResult) PIDNamespace() string

func (*IsolationResult) ParentMountInfoFor ¶ added in v0.20.0

func (r *IsolationResult) ParentMountInfoFor(mountInfo *MountInfo) (*MountInfo, error)

ParentMountInfoFor takes the mount info from a container, and looks the corresponding entry in /proc/mountinfo of the isolation result of the given process.

func (*IsolationResult) Pid ¶

func (r *IsolationResult) Pid() int

func (*IsolationResult) Slice ¶

func (r *IsolationResult) Slice() string

type MockPodIsolationDetector ¶

type MockPodIsolationDetector struct {
	// contains filtered or unexported fields
}

Mock of PodIsolationDetector interface

func NewMockPodIsolationDetector ¶

func NewMockPodIsolationDetector(ctrl *gomock.Controller) *MockPodIsolationDetector

func (*MockPodIsolationDetector) AdjustResources ¶ added in v0.21.0

func (_m *MockPodIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error

func (*MockPodIsolationDetector) Detect ¶

func (_m *MockPodIsolationDetector) Detect(vm *v1.VirtualMachineInstance) (*IsolationResult, error)

func (*MockPodIsolationDetector) DetectForSocket ¶ added in v0.20.0

func (_m *MockPodIsolationDetector) DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (*IsolationResult, error)

func (*MockPodIsolationDetector) EXPECT ¶

func (_m *MockPodIsolationDetector) EXPECT() *_MockPodIsolationDetectorRecorder

func (*MockPodIsolationDetector) Whitelist ¶

func (_m *MockPodIsolationDetector) Whitelist(controller []string) PodIsolationDetector

type MountInfo ¶ added in v0.20.0

type MountInfo struct {
	DeviceContainingFile string
	Root                 string
	MountPoint           string
}

type PodIsolationDetector ¶

type PodIsolationDetector interface {
	// Detect takes a vm, looks up a socket based the VM and detects pid, cgroups and namespaces of the owner of that socket.
	// It returns an IsolationResult containing all isolation information
	Detect(vm *v1.VirtualMachineInstance) (*IsolationResult, error)

	DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (*IsolationResult, error)

	// Whitelist allows specifying cgroup controller which should be considered to detect the cgroup slice
	// It returns a PodIsolationDetector to allow configuring the PodIsolationDetector via the builder pattern.
	Whitelist(controller []string) PodIsolationDetector

	// Adjust system resources to run the passed VM
	AdjustResources(vm *v1.VirtualMachineInstance) error
}

PodIsolationDetector helps detecting cgroups, namespaces and PIDs of Pods from outside of them. Different strategies may be applied to do that.

func NewSocketBasedIsolationDetector ¶

func NewSocketBasedIsolationDetector(socketDir string) PodIsolationDetector

NewSocketBasedIsolationDetector takes socketDir and creates a socket based IsolationDetector It returns a PodIsolationDetector which detects pid, cgroups and namespaces of the socket owner.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL