8d868dadb7
Fixes https://github.com/containerd/containerd/issues/7695. The default profile allows processes within the container to trace others, but blocks reads/traces. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. seccomp-bpf, yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms to reduce the scopes in which the API can be used. This enables reading from /proc/* files provided the tracer process passes all other checks. Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com> |
||
|---|---|---|
| .. | ||
| ansible | ||
| apparmor | ||
| autocomplete | ||
| aws | ||
| Dockerfile.test.d/cri-in-userns | ||
| fuzz | ||
| gce | ||
| nvidia | ||
| seccomp | ||
| snapshotservice | ||
| Dockerfile.test | ||
| README.md | ||
contrib
The contrib directory contains packages that do not belong in the core containerd packages but still contribute to overall containerd usability.
Package such as Apparmor or Selinux are placed in contrib because they are platform dependent and often require higher level tools and profiles to work.
Packaging and other built tools can be added to contrib to aid in packaging containerd for various distributions.
Testing
Code in the contrib directory may or may not have been tested in the normal test pipeline for core components.