This call is what is used to implement `dmesg` to get kernel messages about the host. This can leak substantial information about the host. It is normally available to unprivileged users on the host, unless the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set by standard on the majority of distributions. Blocking this to restrict leaks about the configuration seems correct.

Relates to docker/docker#37897 "docker exposes dmesg to containers by default"

See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
contrib
The contrib directory contains packages that do not belong in the core containerd packages but still contribute to overall containerd usability.
Packages such as AppArmor or SELinux are placed in contrib because they are platform-dependent and often require higher-level tools and profiles to work.
Packaging and other build tools can be added to contrib to aid in packaging containerd for various distributions.
Testing
Code in the contrib directory may or may not have been tested in the normal test pipeline for core components.