github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
1deaedd38a
containerd/contrib
History
Juan Hoyos e224f77eb7 Add process_vm read and write calls to default seccomp profile 
Follow up to 94faa70df4. The commit referenced allowed `ptrace` calls in the default seccomp profile following the usual tracing security checks in for Kernels newer than 4.8. Kernels prior to this version are susceptible to [CVE-2019-2054](https://github.com/advisories/GHSA-qgfr-27qf-f323).  Moby's default had allowed for `ptrace` for kernels newer than 4.8 at the time the commit was created. The current [seccomp default](https://github.com/moby/moby/blob/master/profiles/seccomp/default_linux.go#L405-L417) has been updated to include `process_vm_read` and `process_vm_write`. Mirror that policy to complete the classic ptrace set of APIs.

Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com>
2022-11-18 10:51:45 -05:00
..
ansible migrate from k8s.gcr.io to registry.k8s.io 2022-08-24 13:46:46 +08:00
apparmor replace strings.Split(N) for strings.Cut() or alternatives 2022-11-07 10:02:25 +01:00
autocomplete Fix zsh autocomplete script 2020-02-11 19:56:27 +08:00
aws Move snapshotters benchmark to a separate package 2019-04-02 14:42:21 -07:00
Dockerfile.test.d/cri-in-userns Dockerfile.test: add "cri-in-userns" (aka rootless) test stage 2021-07-09 14:50:04 +09:00
fuzz Remove uses of deprecated go-digest.NewDigestFromHex, go-digest.Digest.Hex 2022-11-08 14:47:05 +01:00
gce adds support for using env file for systemd boot 2022-07-20 12:52:10 -05:00
nvidia replace uses of os/exec with golang.org/x/sys/execabs 2021-08-25 18:11:09 +02:00
seccomp Add process_vm read and write calls to default seccomp profile 2022-11-18 10:51:45 -05:00
snapshotservice Rename Size_ to Size 2022-04-22 15:31:53 +00:00
Dockerfile.test Bump go version to 1.19.3 2022-11-02 19:54:42 +00:00
README.md Add readme to contib 2017-09-18 11:47:27 -04:00

README.md

contrib

The contrib directory contains packages that do not belong in the core containerd packages but still contribute to overall containerd usability.

Package such as Apparmor or Selinux are placed in contrib because they are platform dependent and often require higher level tools and profiles to work.

Packaging and other built tools can be added to contrib to aid in packaging containerd for various distributions.

Testing

Code in the contrib directory may or may not have been tested in the normal test pipeline for core components.