configs

Jan 17, 2022

Changes in this version

+ func KnownHookNames() []string

type Action

+ const KillProcess

+ const KillThread

+ const Notify

type Cgroup — linux/amd64

+ OwnerUID *int

+ Rootless bool

+ Systemd bool

type IntelRdt

+ ClosID string

+ type LinuxRdma struct

+ HcaHandles *uint32

+ HcaObjects *uint32

type Mount

+ RecAttr *unix.MountAttr

+ func (m *Mount) IsBind() bool

type Resources — linux/amd64

+ Rdma map[string]LinuxRdma

type Seccomp

+ ListenerMetadata string

+ ListenerPath string

Dec 14, 2021 GO-2022-0274

  GO-2022-0274: An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.

Dec 3, 2021 GO-2022-0274

  GO-2022-0274: An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.

Aug 20, 2021 GO-2022-0274

  GO-2022-0274: An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.

Changes in this version

type Resources — linux/amd64

+ SkipFreezeOnSet bool

Jul 16, 2021 GO-2022-0274

  GO-2022-0274: An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.

Jun 17, 2021

Changes in this version

+ const EXT_COPYUP

+ func NsName(ns NamespaceType) string — linux/amd64

type Action

+ const Log

+ type Capabilities struct

+ Ambient []string

+ Bounding []string

+ Effective []string

+ Inheritable []string

+ Permitted []string

type Cgroup — linux/amd64

+ SystemdProps []systemdDbus.Property

type Config

+ IntelRdt *IntelRdt

+ NoNewKeyring bool

+ RootlessCgroups bool

+ RootlessEUID bool

+ Umask *uint32

+ func (c Config) HostRootGID() (int, error)

+ func (c Config) HostRootUID() (int, error)

+ type HookList []Hook

+ func (hooks HookList) RunHooks(state *specs.State) error

+ type HookName string

+ const CreateContainer

+ const CreateRuntime

+ const Poststart

+ const Poststop

+ const Prestart

+ const StartContainer

+ type IntelRdt struct

+ L3CacheSchema string

+ MemBwSchema string

type Mount

+ Extensions int

type NamespaceType — linux/amd64

+ const NEWCGROUP

type Resources — linux/amd64

+ CpuWeight uint64

+ SkipDevices bool

+ Unified map[string]string

type Seccomp

+ DefaultErrnoRet *uint

type Syscall

+ ErrnoRet *uint

type ThrottleDevice

+ func (td *ThrottleDevice) StringName(name string) string

Sep 30, 2019 GO-2021-0087

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Apr 24, 2019 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Mar 28, 2019 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Nov 21, 2018 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Feb 27, 2018 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Aug 2, 2017 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Mar 21, 2017 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Sep 29, 2016 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Jan 22, 2020 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Jun 3, 2016 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Apr 25, 2016 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Apr 12, 2016 GO-2021-0085GO-2021-0087

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

type Command

+ Timeout *time.Duration

type HookState

+ BundlePath string

type Resources — linux/amd64

+ KernelMemoryTCP int64

Mar 10, 2016 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

+ func IsNamespaceSupported(ns NamespaceType) bool — linux/amd64

type Config

+ Labels []string

+ NoNewPrivileges bool

type Hooks

+ func (hooks *Hooks) UnmarshalJSON(b []byte) error

+ func (hooks Hooks) MarshalJSON() ([]byte, error)

type Namespaces — linux/amd64

+ func (n *Namespaces) PathOf(t NamespaceType) string

Feb 10, 2016 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

type Cgroup — linux/amd64

+ Path string

type Device

+ Allow bool

type Resources — linux/amd64

+ Devices []*Device

Jan 26, 2016 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

type Cgroup — linux/amd64

+ Paths map[string]string

+ type Resources struct — linux/amd64

+ AllowAllDevices bool

+ AllowedDevices []*Device

+ BlkioLeafWeight uint16

+ BlkioThrottleReadBpsDevice []*ThrottleDevice

+ BlkioThrottleReadIOPSDevice []*ThrottleDevice

+ BlkioThrottleWriteBpsDevice []*ThrottleDevice

+ BlkioThrottleWriteIOPSDevice []*ThrottleDevice

+ BlkioWeight uint16

+ BlkioWeightDevice []*WeightDevice

+ CpuPeriod int64

+ CpuQuota int64

+ CpuRtPeriod int64

+ CpuRtRuntime int64

+ CpuShares int64

+ CpusetCpus string

+ CpusetMems string

+ DeniedDevices []*Device

+ Freezer FreezerState

+ HugetlbLimit []*HugepageLimit

+ KernelMemory int64

+ Memory int64

+ MemoryReservation int64

+ MemorySwap int64

+ MemorySwappiness int64

+ NetClsClassid string

+ NetPrioIfpriomap []*IfPrioMap

+ OomKillDisable bool

+ PidsLimit int64

Dec 11, 2015 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

type Cgroup — linux/amd64

+ ScopePrefix string

Nov 20, 2015 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

type Action

+ const Trace

type Cgroup — linux/amd64

+ BlkioLeafWeight uint16

+ BlkioThrottleReadIOPSDevice []*ThrottleDevice

+ BlkioThrottleWriteIOPSDevice []*ThrottleDevice

type Config

+ RootPropagation int

+ Version string

type HookState

+ Version string

type Hooks

+ Poststart []Hook

type Mount

+ PropagationFlags []int

+ type Namespace struct — darwin/amd64, js/wasm

+ func (n *Namespace) Syscall() int

type Seccomp

+ Architectures []string

+ type ThrottleDevice struct

+ Rate uint64

+ func NewThrottleDevice(major, minor int64, rate uint64) *ThrottleDevice

+ func (td *ThrottleDevice) String() string

+ type WeightDevice struct

+ LeafWeight uint16

+ Weight uint16

+ func NewWeightDevice(major, minor int64, weight, leafWeight uint16) *WeightDevice

+ func (wd *WeightDevice) LeafWeightString() string

+ func (wd *WeightDevice) WeightString() string

Sep 11, 2015 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

type Action

+ const Errno

type Arg

+ ValueTwo uint64

type Command

+ func (c Command) Run(s HookState) error

+ type CommandHook struct

+ func NewCommandHook(cmd Command) CommandHook

type Config

+ Hooks *Hooks

+ OomScoreAdj int

+ type FuncHook struct

+ func NewFunctionHook(f func(HookState) error) FuncHook

+ func (f FuncHook) Run(s HookState) error

+ type Hook interface

+ Run func(HookState) error

+ type HookState struct

+ ID string

+ Pid int

+ Root string

+ type Hooks struct

+ Poststop []Hook

+ Prestart []Hook

type Operator

+ const GreaterThan

+ const GreaterThanOrEqualTo

+ const LessThanOrEqualTo

type Seccomp

+ DefaultAction Action

type Syscall

+ Name string

Aug 4, 2015 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Jul 17, 2015 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Jul 16, 2015 GO-2021-0070GO-2021-0085GO-2021-0087

  GO-2021-0070: GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

  GO-2021-0085: AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

  GO-2021-0087: A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

Changes in this version

+ const Wildcard

+ var DefaultAllowedDevices = append([]*Device{ ... }, DefaultSimpleDevices) — linux/amd64

+ var DefaultAutoCreatedDevices = append([]*Device{ ... }, DefaultSimpleDevices) — linux/amd64

+ var DefaultSimpleDevices = []*Device — linux/amd64

+ type Action int

+ const Allow

+ const Kill

+ const Trap

+ type Arg struct

+ Index int

+ Op Operator

+ Value uint32

+ type Cgroup struct

+ AllowAllDevices bool

+ AllowedDevices []*Device

+ BlkioThrottleReadBpsDevice string

+ BlkioThrottleReadIOpsDevice string

+ BlkioThrottleWriteBpsDevice string

+ BlkioThrottleWriteIOpsDevice string

+ BlkioWeight int64

+ BlkioWeightDevice string

+ CpuPeriod int64

+ CpuQuota int64

+ CpuRtPeriod int64

+ CpuRtRuntime int64

+ CpuShares int64

+ CpusetCpus string

+ CpusetMems string

+ DeniedDevices []*Device

+ Freezer FreezerState

+ HugetlbLimit []*HugepageLimit

+ KernelMemory int64

+ Memory int64

+ MemoryReservation int64

+ MemorySwap int64

+ MemorySwappiness int64

+ Name string

+ NetClsClassid string

+ NetPrioIfpriomap []*IfPrioMap

+ OomKillDisable bool

+ Parent string

+ Slice string

+ type Command struct

+ Args []string

+ Dir string

+ Env []string

+ Path string

+ type Config struct

+ AdditionalGroups []string

+ AppArmorProfile string

+ Capabilities []string

+ Cgroups *Cgroup

+ Devices []*Device

+ GidMappings []IDMap

+ Hostname string

+ MaskPaths []string

+ MountLabel string

+ Mounts []*Mount

+ Namespaces Namespaces

+ Networks []*Network

+ NoPivotRoot bool

+ ParentDeathSignal int

+ PivotDir string

+ Privatefs bool

+ ProcessLabel string

+ ReadonlyPaths []string

+ Readonlyfs bool

+ Rlimits []Rlimit

+ Rootfs string

+ Routes []*Route

+ Seccomp *Seccomp

+ Sysctl map[string]string

+ UidMappings []IDMap

+ func (c Config) HostGID() (int, error)

+ func (c Config) HostUID() (int, error)

+ type Device struct

+ FileMode os.FileMode

+ Gid uint32

+ Major int64

+ Minor int64

+ Path string

+ Permissions string

+ Type rune

+ Uid uint32

+ func (d *Device) CgroupString() string

+ func (d *Device) Mkdev() int

+ type FreezerState string

+ const Frozen

+ const Thawed

+ const Undefined

+ type HugepageLimit struct

+ Limit int

+ Pagesize string

+ type IDMap struct

+ ContainerID int

+ HostID int

+ Size int

+ type IfPrioMap struct

+ Interface string

+ Priority int64

+ func (i *IfPrioMap) CgroupString() string

+ type Mount struct

+ Data string

+ Destination string

+ Device string

+ Flags int

+ PostmountCmds []Command

+ PremountCmds []Command

+ Relabel string

+ Source string

+ type Namespace struct — linux/amd64, windows/amd64

+ Path string

+ Type NamespaceType

+ func (n *Namespace) GetPath(pid int) string

+ func (n *Namespace) Syscall() int

+ type NamespaceType string

+ const NEWIPC

+ const NEWNET

+ const NEWNS

+ const NEWPID

+ const NEWUSER

+ const NEWUTS

+ func NamespaceTypes() []NamespaceType

+ type Namespaces []Namespace

+ func (n *Namespaces) Add(t NamespaceType, path string)

+ func (n *Namespaces) CloneFlags() uintptr

+ func (n *Namespaces) Contains(t NamespaceType) bool

+ func (n *Namespaces) Remove(t NamespaceType) bool

+ type Network struct

+ Address string

+ Bridge string

+ Gateway string

+ HairpinMode bool

+ HostInterfaceName string

+ IPv6Address string

+ IPv6Gateway string

+ MacAddress string

+ Mtu int

+ Name string

+ TxQueueLen int

+ Type string

+ type Operator int

+ const EqualTo

+ const GreatherThan

+ const LessThan

+ const MaskEqualTo

+ const NotEqualTo

+ type Rlimit struct

+ Hard uint64

+ Soft uint64

+ Type int

+ type Route struct

+ Destination string

+ Gateway string

+ InterfaceName string

+ Source string

+ type Seccomp struct

+ Syscalls []*Syscall

+ type Syscall struct

+ Action Action

+ Args []*Arg

+ Value int