Justin Cormack justincormack @docker Cambridge, UK https://www.cloudatomiclab.com/ Security at Docker

pull request commentdocker/app

Add a seed for better randomness

It's ok to merge this though, before I change the implementation.

rumpl

comment created time in 8 days

pull request commentdocker/app

Add a seed for better randomness

Hmm, I thought I had fixed that one too, ok will change it there.

rumpl

comment created time in 8 days

pull request commentdocker/app

Add a seed for better randomness

Please do not use math/rand in any code, just use crypto/rand

rumpl

comment created time in 8 days

MemberEvent

created repositoryparallaxsecond/parsec-book

Parsec documentation

created time in 8 days

issue commentdocker/docker-bench-security

v1.3.5 needs to be signed, tagged and published.

Hmm, Diogo no longer works at Docker. I don't actually know who has access to the signing key (there may be a copy in the safe). @konstruktoid who has done this in the past?

konstruktoid

comment created time in 9 days

delete branch docker/labs

delete branch : dependabot/maven/developer-tools/java-debugging/app/org.springframework.data-spring-data-jpa-1.11.23.RELEASE

delete time in 9 days

push eventdocker/labs

dependabot[bot]

commit sha dcd42c69fb9e810e7194ba27a55e0c25597a5e90

Bump spring-data-jpa in /developer-tools/java-debugging/app Bumps spring-data-jpa from 1.3.0.RELEASE to 1.11.23.RELEASE. Signed-off-by: dependabot[bot] <support@github.com>

Justin Cormack

commit sha cf093d024b0938306abbb3042a9ea694b69fe6b1

Merge pull request #476 from docker/dependabot/maven/developer-tools/java-debugging/app/org.springframework.data-spring-data-jpa-1.11.23.RELEASE Bump spring-data-jpa from 1.3.0.RELEASE to 1.11.23.RELEASE in /developer-tools/java-debugging/app

push time in 9 days

PR merged docker/labs

Bump spring-data-jpa from 1.3.0.RELEASE to 1.11.23.RELEASE in /developer-tools/java-debugging/app dependencies java

Bumps spring-data-jpa from 1.3.0.RELEASE to 1.11.23.RELEASE.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

+1 -1

0 comment

1 changed file

dependabot[bot]

pr closed time in 9 days

issue commentdocker/go-p9p

No go module support

Hi, we are not currently using this code anywhere so are not maintaining it. I will probably archive it, but if there is community interest in maintaining it I could move it.

apvodney

comment created time in 9 days

push eventdocker/go-p9p

bippityboppity

commit sha 150c7a7de801e23fa8d67aea0f66eef4907967c2

Add link to the P9P protocol specification Signed-off-by: Alex Ponti <bippityboppity@users.noreply.github.com>

Justin Cormack

commit sha 37d97cf40d03aece9a223d23bf1c8216c824bd90

Merge pull request #42 from bippityboppity/add-link-to-docs Add link to the P9P protocol specification

push time in 9 days

PR merged docker/go-p9p

Add link to the P9P protocol specification

I thought it might be helpful to have a link directly to the spec...

+2 -0

3 comments

1 changed file

bippityboppity

pr closed time in 9 days

push eventdocker/go-p9p

Noah Evans

commit sha 47066e93e2eb6e8e1e31f53e4014139246feaa5b

fix spelling error in doc.go defering -> deferring Signed-off-by: Noah Evans <noah.evans@gmail.com>

Justin Cormack

commit sha b6f041aa55d2c6ccf235c1539d0fd4dea467d2e0

Merge pull request #43 from npe9/master fix spelling error in doc.go

push time in 9 days

PR merged docker/go-p9p

fix spelling error in doc.go

defering -> deferring

+1 -1

2 comments

1 changed file

npe9

pr closed time in 9 days

issue commentlinuxkit/linuxkit

Linuxkit support

Yes, I think actions may be a very good fit, especially now they support bring your own server which makes supporting arm64 etc easier. We want to be able to build and test all the containers built in a PR, then on merge push them to the main repo.

hyperized

comment created time in 10 days

issue commentmoby/qemu

QEMU issue with curl and SSL certificates on Debian

It seems that if we compile qemu-static as a 32 bit binary this fixes the issue as it uses 32 bit syscalls. I opened https://github.com/linuxkit/linuxkit/issues/3438

dubo-dubon-duponey

comment created time in 11 days

issue openedlinuxkit/linuxkit

compile qemu-static for 32 bit platforms as 32 bit binary

This fixes emulation issues with 64 bit inodes, see https://github.com/moby/qemu/issues/9 for discussion.

created time in 11 days

delete branch justincormack/notary

delete branch : distribution-up

delete time in 11 days

push eventtheupdateframework/notary

Justin Cormack

commit sha 006963f1ded582c2cc5f5eb4d48dc6089ce3229b

Update docker/distribution to 2.7.1 Signed-off-by: Justin Cormack <justin.cormack@docker.com>

Justin Cormack

commit sha 83d5a312e75fa4f3efe2dc79cebc0121ca9ad201

Merge pull request #1514 from justincormack/distribution-up Update docker/distribution to 2.7.1

push time in 11 days

issue closedtheupdateframework/notary

Bug: Compatible fix for API change of `github.com/docker/distribution@v2.7.1`

I'm developing a library based on notary. When I run go test, the following error is raised:

# github.com/theupdateframework/notary/utils
../../../../pkg/mod/github.com/theupdateframework/notary@v0.6.1/utils/http.go:112:24: not enough arguments in call to challenge.SetHeaders
	have (http.ResponseWriter)
	want (*http.Request, http.ResponseWriter)

Currently, notary is using github.com/docker/distribution@v2.7.1, and compared to github.com/docker/distribution@v2.6.x, the function signature of challenge.SetHeaders() has changed. Looks like the vendor directory is outdated.

closed time in 11 days

SimonXming

startedawslabs/tough

started time in 12 days

startedheartsucker/rust-tuf

started time in 12 days

pull request commenttheupdateframework/notary

Update docker/distribution to 2.7.1

ping @HuKeping

justincormack

comment created time in 13 days

push eventjustincormack/notary

Justin Cormack

commit sha 006963f1ded582c2cc5f5eb4d48dc6089ce3229b

Update docker/distribution to 2.7.1 Signed-off-by: Justin Cormack <justin.cormack@docker.com>

push time in 13 days

PR opened theupdateframework/notary

Update docker/distribution to 2.7.1

Fix #1469

+910 -97

0 comment

28 changed files

pr created time in 13 days

create branchjustincormack/notary

branch : distribution-up

created branch time in 13 days

issue commenttheupdateframework/notary

Bug: Compatible fix for API change of `github.com/docker/distribution@v2.7.1`

Yes, we seem to have a slightly older version from master, opening a PR to update.

SimonXming

comment created time in 13 days

push eventjustincormack/notary

Sebastiaan van Stijn

commit sha 6c41fad7e065cdb1dc5a1f11a69c8d5c3869720f

re-vendor with current version of vndr Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 388845e6aeb7049e744fce553305056d6b003a33

Cleanup vendor.conf, fix mixed tabs/spaces Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 46586c76c7d7ed9519914bca5864f155d6a237cd

bump sirupsen/logrus v1.4.1

Full diff: sirupsen/logrus@v1.3.0...v1.4.1

Fixes:
- Remove dependency on golang.org/x/crypto
- Fix wrong method calls Logger.Print and Logger.Warningln
- Update Entry.Logf to not do string formatting unless the log level is enabled
- Fix infinite recursion on unknown Level.String()
- Fix race condition in getCaller
- Fix Entry.WithContext method to return a copy of the initial entry

New:
- Add DeferExitHandler, similar to RegisterExitHandler but prepending the handler to the list of handlers (semantically like defer)
- Add CallerPrettyfier to JSONFormatter and `TextFormatter`
- Add Entry.WithContext() and Entry.Context, to set a context on entries to be used e.g. in hooks
- Enhance TextFormatter to not print caller information when they are empty

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 82e8ab53893ecf9b1a0f804f6e61aba7e66c454f

Bump gorilla/mux to 1.7.0 This release drops support for Go < 1.7, and removes the gorilla/context dependency (which was needed for older Go versions). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 69eddfb69f60a0dcc3719f9126773f55db4520d9

bump github.com/pkg/errors v0.8.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 73b87bbecfc99fff952e00e12fb86fff20f36319

bump github.com/BurntSushi/toml v0.3.1

switch the licenses of cmd/ to be the same as the root

full diff: https://github.com/BurntSushi/toml/compare/a368813c5e648fee92e5f6c30e3944ff9d5e8895...3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 3c01e955791b6017bcf08f42b01e772bb59d3ba8

bump github.com/miekg/pkcs11 553cfdd26aaafe851ca66a5e8015f0decb6b5a1e

- Fix issue freeing memory on GetOperationState when NOT CK_OK
- Expose login API for vendor specific login types
- Move to go modules

full diff: https://github.com/miekg/pkcs11/compare/6120d95c0e9576ccf4a78ba40855809dca31a9ed...553cfdd26aaafe851ca66a5e8015f0decb6b5a1e

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

HuKeping

commit sha 121a0c1df00dc6733da656905325e37400124933

Merge pull request #1445 from thaJeztah/update_dependencies Update dependencies

Sebastiaan van Stijn

commit sha 69081062583a1cfbe3a1d90f76ccc4d6e84a7f2c

Add Go version to version information Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 8f87c6ce747f7cd7c627288996c988b45b7e47dc

Add --version flags

Allows for printing the version without running actual commands

```bash
make notary-dockerfile && docker run --rm notary sh -c 'make client && ./bin/notary --version && ./bin/notary version' || echo "version failed"
> notary Version: 0.6.1, Git commit: d5b73be7, Go version: go1.12.7
> notary
> Version: 0.6.1
> Git commit: d5b73be7
> Go version: go1.12.7

make server-dockerfile && docker run --rm notary-server --version || echo "--version failed"
> notary-server Version: 0.6.1, Git commit: d5b73be7, Go version: go1.11.5

make signer-dockerfile && docker run --rm notary-signer --version || echo "--version failed"
> notary-signer Version: 0.6.1, Git commit: d5b73be7, Go version: go1.11.5
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Justin Cormack

commit sha 7a54e135975916e3f1f74b5c0863a832e829107e

Merge pull request #1487 from thaJeztah/add_version_info Add Golang version to version output, and add '--version' flag to binaries

Sebastiaan van Stijn

commit sha fcbd20f7818586be67885aa99461dde9217b6afd

bump miekg/pkcs11 v1.0.2 full diff: https://github.com/miekg/pkcs11/compare/553cfdd26aaafe851ca66a5e8015f0decb6b5a1e...v1.0.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Justin Cormack

commit sha 59fd8aea02a76b2211de99f4f84875fce0bb49e9

Merge pull request #1488 from thaJeztah/bump_pkcs11 bump miekg/pkcs11 v1.0.2

yuxiaobo

commit sha effff7596032b6b4f7cbb4269a32a908c6a3e443

Correct spelling mistakes. Signed-off-by: yuxiaobo <yuxiaobogo@163.com>

HuKeping

commit sha 62258bc0beb3bdc41de1e927a57acaee06bebe4b

Merge pull request #1498 from yuxiaobo96/notary-fix2 Correct spelling mistakes

Sebastiaan van Stijn

commit sha db73f4002596d4ff7997f236b471d862c2120e91

gosec: ignore G108: Profiling endpoint automatically exposed This was a false positive, as no server is started unless -debug is enabled. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

HuKeping

commit sha bd18eb9ad583965843adf6c2133ba7aa24699c97

Merge pull request #1506 from thaJeztah/fix_gosec_g108 gosec: ignore G108: Profiling endpoint automatically exposed

Sebastiaan van Stijn

commit sha 5d939572d7fa28f6a95c5d4f2bdd0c6a92181976

Fix "make test" broken on Go 1.13

This fixes the tests being broken on Go 1.13 and up, which is caused by a change in Go 1.13: https://golang.org/doc/go1.13#testing

> Testing flags are now registered in the new Init function, which is invoked by
> the generated main function for the test. As a result, testing flags are now only
> registered when running a test binary, and packages that call flag.Parse during
> package initialization may cause tests to fail.

Before this change:

make test
ok  github.com/theupdateframework/notary/client/changelist (cached)
flag provided but not defined: -test.testlogfile
Usage of /var/folders/c_/vjh56sc12fd2b_q2n02_lt140000gn/T/go-build270388911/b229/escrow.test:
  -config string
        path to configuration file; supported formats are JSON, YAML, and TOML (default "config.toml")
...
FAIL
make: *** [test] Error 1

With this patch applied, the tests complete successfully

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

HuKeping

commit sha 49188000ccb4973951f607f437d936b50275f5fb

Merge pull request #1507 from thaJeztah/fix_testing_go_1.13 Fix "make test" broken on Go 1.13

Sebastiaan van Stijn

commit sha 5f9bd7689d050d9342586fa3418205007587561a

Fix gosec linter results not being printed

Before this, `make lint` would fail, but the output of the linter would be discarded, making it unclear what caused the failure:

docker build -t notary_client . && docker run -it --rm -e NOTARY_BUILDTAGS=pkcs11 notary_client sh -c 'make lint'
...
[gosec] 2019/10/16 11:11:04 Checking file: /go/src/github.com/theupdateframework/notary/utils/http.go
make: *** [Makefile:106: lint] Error 1

This problem occurred, because there was an actual linting error, and the code to check for failures did so by checking the output of the csv file to be empty;

test -z "$$(cat gas_output.csv | tee /dev/stderr)"

In this case, it was not, and the file contained:

/go/src/github.com/theupdateframework/notary/cmd/notary-server/main.go,8,Profiling endpoint is automatically exposed on /debug/pprof,HIGH,HIGH,"_ ""net/http/pprof"""

In which case, the code tried to evaluate the output;

"$(echo /go/src/github.com/theupdateframework/notary/cmd/notary-server/main.go,8,Profiling endpoint is automatically exposed on /debug/pprof,HIGH,HIGH,"_ ""net/http/pprof""")"
bash: /go/src/github.com/theupdateframework/notary/cmd/notary-server/main.go,8,Profiling endpoint is automatically exposed on /debug/pprof,HIGH,HIGH,_ net/http/pprof: No such file or directory

This patch changes the approach, and:
- makes sure no csv file is in place before the test
- using the exit-code of the linter as indication it failed (instead of checking for the file to be empty)
- in which case, the output of the file is printed on stderr, and the script exited with a non-zero status
- renames the csv-file from gas_output.csv to gosec_output.csv, to match the new name of the linter

With this patch applied:

docker build -t notary_client . && docker run -it --rm -e NOTARY_BUILDTAGS=pkcs11 notary_client sh -c 'make lint'
...
[gosec] 2019/10/16 11:13:20 Checking file: /go/src/github.com/theupdateframework/notary/signer/api/rpc_api.go
/go/src/github.com/theupdateframework/notary/cmd/notary-server/main.go,8,Profiling endpoint is automatically exposed on /debug/pprof,HIGH,HIGH,"_ ""net/http/pprof"""
make: *** [Makefile:107: lint] Error 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

push time in 13 days

pull request commentmoby/moby

Update Resources struct to support hugepages

You need to do part 3 as well, you can't just add to the data structure.

bg-chun

comment created time in 15 days

pull request commentlinuxkit/linuxkit

Fix the Scaleway provider in the metadata package

Oh somehow I missed that!

zimme

comment created time in 16 days

pull request commentlinuxkit/linuxkit

Fix the Scaleway provider in the metadata package

I think the comments must be wrong, as it would never work as the default ephemeral port range is 32768-60999, so as it does work it must be ok...

zimme

comment created time in 16 days

pull request commentlinuxkit/linuxkit

Fix the Scaleway provider in the metadata package

The linked doc says that the source port for metadata requests needs to be <1024 to force root clients. We don't seem to implement that. I am kind of surprised it works at all given that...

zimme

comment created time in 16 days

issue commentlinuxkit/linuxkit

Linuxkit support

Hi. The current situation is that there are three active maintainers, but none of us are working full time on the project at present. Avi is available for consulting work. Docker are using the project actively, as are many other organizations, but mostly people are using it as is, using their own containers but not making significant core modifications that we are aware of. There are a bunch of projects that need a significant investment of time to do, which would make things way more usable, in particular reworking CI, integrating the filesystem work, and integrating containerd in the build process.

Those three PRs are things that just need finishing off, and someone can contribute them. The current system for building images is annoying though, and currently only maintainers can do it; part of the CI rework would be building containers in CI so they can be tested by anyone and then built in CI, rather than the current manual process, so that would make contribution way easier.

We are happy to add new maintainers if people want to contribute.

hyperized

comment created time in 16 days

issue commentmoby/hyperkit

Excessive CPU usage locks up Docker

hyperkit CPU usage reflects the usage of the virtual machine, that just means that you are using 2-4 cores on the guest VM, or potentially doing a lot of VM exits. It is not an indication of issues in hyperkit. If there are multiple issues open elsewhere, then opening one here does not help.

simtel12

comment created time in 17 days

issue closedmoby/hyperkit

Excessive CPU usage locks up Docker

Docker diagnostic ID: 81D7F1CE-28DA-4B33-9A1E-4AEC22C7F351/20190301231412

We run 2 docker containers on a Mac mini (Late 2014). Current OS version is 10.12.6.

One of the containers is a low-traffic daemon that watches for Amazon SQS messages. This one does not cause issues.

The other is a moderate-traffic Jenkins instance. At least once a week - but recently it's been every 2-3 days - every container within Docker will stop. If we're lucky, lightweight, static pages can still be served from Jenkins, but anything that has to go to disk for info will not respond. The com.docker.hyperkit process remains pegged at 200% CPU. Sometimes this is paired with a high fseventsd CPU, but not usually. If fseventsd is high, then eventually the container will start responding again. While the CPU is pegged, we're unable to start containers, or do something like docker exec -it -u 1000 androidjenkins bash.

At the same time, I usually observe high memory usage in either/both com.docker.osxfs and/or kernel_task. Occasionally I've observed very high memory usage in hyperkit - but usually not.

I've finally gotten approval to upload the diagnostics, so I've included the one for the latest event. Please help - we're getting close to abandoning Docker due to this.

closed time in 17 days

simtel12

issue commentmoby/hyperkit

Excessive CPU usage locks up Docker

Please report Docker issues to https://github.com/docker/for-mac/issues unless you have specifically diagnosed an issue in hyperkit that you can reproduce in a standalone way as hypervisor issues. These issues are related to file sharing which is not part of hyperkit.

simtel12

comment created time in 17 days

delete branch justincormack/cloudatomiclab

delete branch : toctou-fix

delete time in 18 days

push eventjustincormack/cloudatomiclab

Justin Cormack

commit sha 1bbb3709d7d6566560798abb07e34c563cf0e8a7

Fix typo Signed-off-by: Justin Cormack <justin@specialbusservice.com>

Justin Cormack

commit sha de48d14ec23031f73162022534cdda6e92917549

Merge pull request #29 from justincormack/toctou-fix Fix typo

push time in 18 days

PR merged justincormack/cloudatomiclab

Fix typo

Signed-off-by: Justin Cormack justin@specialbusservice.com

+2 -2

0 comment

1 changed file

justincormack

pr closed time in 18 days

PR opened justincormack/cloudatomiclab

Fix typo

Signed-off-by: Justin Cormack justin@specialbusservice.com

+2 -2

0 comment

1 changed file

pr created time in 18 days

create branchjustincormack/cloudatomiclab

branch : toctou-fix

created branch time in 18 days

delete branch justincormack/cloudatomiclab

delete branch : toctou

delete time in 18 days

push eventjustincormack/cloudatomiclab

Justin Cormack

commit sha 2e0384c9065fb693c415911875fe546054e913ad

Add toctou blog Signed-off-by: Justin Cormack <justin@specialbusservice.com>

Justin Cormack

commit sha 7c0330a3fffa5a620264e63251d48afa8cadc967

Merge pull request #27 from justincormack/toctou Add toctou blog

push time in 18 days

PR merged justincormack/cloudatomiclab

Add toctou blog

Signed-off-by: Justin Cormack justin@specialbusservice.com

+95 -0

0 comment

2 changed files

justincormack

pr closed time in 18 days

delete branch justincormack/cloudatomiclab

delete branch : fuzz-typo

delete time in 18 days

push eventjustincormack/cloudatomiclab

Justin Cormack

commit sha 701e5202971a2e5cd5aa83213184d3e8057eabe9

Remove double heading Signed-off-by: Justin Cormack <justin@specialbusservice.com>

Justin Cormack

commit sha de18a300a502af1426e9ecff88233cf60d21398a

Merge pull request #28 from justincormack/fuzz-typo Remove double heading

push time in 18 days

push eventjustincormack/cloudatomiclab

Justin Cormack

commit sha 2e0384c9065fb693c415911875fe546054e913ad

Add toctou blog Signed-off-by: Justin Cormack <justin@specialbusservice.com>

push time in 18 days

PR opened justincormack/cloudatomiclab

Remove double heading

Signed-off-by: Justin Cormack justin@specialbusservice.com

+0 -2

0 comment

1 changed file

pr created time in 18 days

push eventjustincormack/cloudatomiclab

Justin Cormack

commit sha b541948b9bda38717108f917b5a24717e75cf7df

Add toctou blog Signed-off-by: Justin Cormack <justin@specialbusservice.com>

push time in 18 days

create branchjustincormack/cloudatomiclab

branch : fuzz-typo

created branch time in 18 days

PR opened justincormack/cloudatomiclab

Add toctou blog

Signed-off-by: Justin Cormack justin@specialbusservice.com

+95 -0

0 comment

2 changed files

pr created time in 18 days

create branchjustincormack/cloudatomiclab

branch : toctou

created branch time in 18 days

Pull request review commentkubernetes/enhancements

KEP for promoting seccomp to GA

+---+title: Seccomp to GA+authors:+  - "@tallclair"+owning-sig: sig-node+participating-sigs:+  - sig-apimachinery+  - sig-auth+reviewers:+  - "@liggitt"+  - TBD+approvers:+  - TBD+editor: TBD+creation-date: 2019-07-17+status: provisional+---++# Seccomp to GA++## Table of Contents++<!-- toc -->+- [Release Signoff Checklist](#release-signoff-checklist)+- [Summary](#summary)+- [Motivation](#motivation)+  - [Goals](#goals)+  - [Non-Goals](#non-goals)+- [Proposal](#proposal)+  - [API](#api)+    - [Pod API](#pod-api)+    - [PodSecurityPolicy API](#podsecuritypolicy-api)+- [Design Details](#design-details)+  - [Version Skew Strategy](#version-skew-strategy)+    - [Pod Creation](#pod-creation)+    - [Pod Update](#pod-update)+    - [PodSecurityPolicy Creation](#podsecuritypolicy-creation)+    - [PodSecurityPolicy Update](#podsecuritypolicy-update)+    - [PodSecurityPolicy Enforcement](#podsecuritypolicy-enforcement)+    - [PodTemplates](#podtemplates)+    - [Upgrade / Downgrade](#upgrade--downgrade)+  - [Test Plan](#test-plan)+  - [Graduation Criteria](#graduation-criteria)+  - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)+- [Implementation History](#implementation-history)+- [Drawbacks](#drawbacks)+- [Alternatives](#alternatives)+- [References](#references)+<!-- /toc -->++## Release Signoff Checklist++**ACTION REQUIRED:** In order to merge code into a release, there must be an issue in [kubernetes/enhancements] referencing this KEP and targeting a release milestone **before [Enhancement Freeze](https://github.com/kubernetes/sig-release/tree/master/releases)+of the targeted release**.++For enhancements that make changes to code or processes/procedures in core Kubernetes i.e., [kubernetes/kubernetes], we require the following Release Signoff checklist to be completed.++Check these off as they are completed for the Release Team to track. 
These checklist items _must_ be updated for the enhancement to be released.++- [ ] kubernetes/enhancements issue in release milestone, which links to KEP (this should be a link to the KEP location in kubernetes/enhancements, not the initial KEP PR)+- [ ] KEP approvers have set the KEP status to `implementable`+- [ ] Design details are appropriately documented+- [ ] Test plan is in place, giving consideration to SIG Architecture and SIG Testing input+- [ ] Graduation criteria is in place+- [ ] "Implementation History" section is up-to-date for milestone+- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]+- [ ] Supporting documentation e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes++**Note:** Any PRs to move a KEP to `implementable` or significant changes once it is marked `implementable` should be approved by each of the KEP approvers. If any of those approvers is no longer appropriate than changes to that list should be approved by the remaining approvers and/or the owning SIG (or SIG-arch for cross cutting KEPs).++**Note:** This checklist is iterative and should be reviewed and updated every time this enhancement is being considered for a milestone.++[kubernetes.io]: https://kubernetes.io/+[kubernetes/enhancements]: https://github.com/kubernetes/enhancements/issues+[kubernetes/kubernetes]: https://github.com/kubernetes/kubernetes+[kubernetes/website]: https://github.com/kubernetes/website++## Summary++This is a proposal to upgrade the seccomp annotation on pods & pod security policies to a field, and+mark the feature as GA. This proposal aims to do the _bare minimum_ to clean up the feature, without+blocking future enhancements.++## Motivation++Docker started enforcing a default seccomp profile in v1.10. 
At the time, Kubernetes (in v1.2)+didn't have a way to control the seccomp profile, so the profile was disabled (set to `unconfined`)+to prevent a regression (see https://github.com/kubernetes/kubernetes/pull/21790). In Kubernetes+v1.3, annotations were added to give users some control over the profile:++```+seccomp.security.alpha.kubernetes.io/pod: {unconfined,docker/default,localhost/<path>}+container.seccomp.security.alpha.kubernetes.io/<container_name>: ...+```++The feature has been more or less unchanged ever since. Also note that the addition predates feature+gates or our modern concept of feature lifecycle. So, even though the annotations include `alpha` in+the key, this is entirely useable on any production GA cluster.++There have been multiple attempts to [change the default+profile](https://github.com/kubernetes/kubernetes/issues/39845) or [formally spec the Kubernetes+seccomp profile](https://github.com/kubernetes/kubernetes/issues/39128), but both efforts were+abandoned due to friction and lack of investment.++Despite the `alpha` label, I think this feature needs to be treated as GA, and we're doing our users+a disservice by leaving it in this weird limbo state. As much as I would like to see seccomp support+fully fleshed out, if we block GA on those enhancements we will remain stuck in the current state+indefinitely. Therefore, I'm proposing we do the absolute minimum to clean up the current+implementation all accurately declare the feature "GA". Future enhancements can follow the standard+alpha -> beta -> GA feature process.++_NOTE: AppArmor is in a very similar state, but with some subtle differences. 
Promoting AppArmor to+GA will be covered by a separate KEP._++### Goals++- Declare seccomp GA+- Fully document and formally spec the feature support+- Add equivalent API fields to replace seccomp annotations+- Deprecate the seccomp annotations++### Non-Goals++This KEP proposes the absolute minimum to get seccomp to GA, therefore all functional enhancements+are out of scope, including:++- Changing the default seccomp profile from `unconfined`+- Defining any standard "Kubernetes branded" seccomp profiles+- Formally speccing the seccomp profile format in Kubernetes+- Providing mechanisms for loading profiles from outside the static seccomp node directory+- Changing the semantics around seccomp support+- Windows support (seccomp is very linux-specific)++## Proposal++### API++The seccomp API will be functionally equivalent to the current alpha API. This includes the Pod API,+which specifies what profile the pod & containers run with, and the PodSecurityPolicy API which+specifies allowed profiles & a default profile.++#### Pod API++The Pod Seccomp API is immutable, except in [`PodTemplates`](#podtemplates).++```go+type PodSecurityContext struct {+    ...+    // The seccomp options to use by the containers in this pod.+    // +optional+    Seccomp  *SeccompOptions+    ...+}++type SecurityContext struct {+    ...+    // The seccomp options to use by this container. 
If seccomp options are+    // provided at both the pod & container level, the container options+    // override the pod options.+    // +optional+    Seccomp  *SeccompOptions+    ...+}++type SeccompOptions struct {+    // The seccomp profile to run with.+    SeccompProfile+}++// Only one profile source may be set.+// +union+type SeccompProfile struct {+    // No seccomp profile should be set.+    // +optional+    Unconfined *bool+    // Use a predefined profile defined by the runtime.+    // Most runtimes only support "default"+    // +optional+    RuntimeProfile *string+    // Load a profile defined in static file on the node.+    // The profile must be preconfigured on the node to work.+    // +optional+    LocalhostProfile *string+}+```++This API makes the options more explicit than the stringly-typed annotation values, and leaves room+for new profile sources to be added in the future (e.g. Kubernetes predefined profiles or ConfigMap+profiles). The seccomp options struct leaves room for future extensions, such as defining the+behavior when a profile cannot be set.++#### PodSecurityPolicy API++```go+type PodSecurityPolicySpec struct {+    ...+    // seccomp is the strategy that will dictate allowable and default seccomp+    // profiles for the pod.+    // +optional+    Seccomp *SeccompStrategyOptions+    ...+}++type SeccompStrategyOptions struct {+    // The default profile to set on the pod, if none is specified.+    // The default MUST be allowed by the allowedProfiles.+    // +optional+    DefaultProfile *v1.SeccompProfile++    // The set of profiles that may be set on the pod or containers.+    // If unspecified, seccomp profiles are unrestricted by this policy.+    // +optional+    AllowedProfiles *SeccompProfileSet+}++// A set of seccomp profiles. 
This struct should be a plural of v1.SeccompProfile.+// All values are optional, and an unspecified field excludes all profiles of+// that type from the set.+type SeccompProfileSet struct {+    // Whether the unconfined profile is included in this set.+    // +optional+    Unconfined *bool+    // The allowed runtimeProfiles. A value of '*' allows all runtimeProfiles.+    // +optional+    RuntimeProfiles []string+    // The allowed localhostProfiles. Values may end in '*' to include all+    // localhostProfiles with a prefix.+    // +optional+    LocalhostProfiles []string+}+```++## Design Details++### Version Skew Strategy++Because the API is currently represented as (mutable) annotations, care must be taken for migrating+to the API fields. The cases to consider are: pod create, pod update, PSP create, PSP update.++All API skew is resolved in the API server. New Kubelets will only use the seccomp values specified+in the fields, and ignore the annotations.++#### Pod Creation
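Review bot: the union rule "Only one profile source may be set" on SeccompProfile leaves the validation underspecified: nothing says whether setting no field is an error, whether `Unconfined: false` is rejected (it has no meaning beside the two string pointers), or whether a LocalhostProfile value is required to be a relative path without `..` before the PodSecurityPolicy prefix match ("Values may end in '*' to include all localhostProfiles with a prefix") is applied; a prefix check on an unnormalised path quietly widens an allow-list. Spell the validation out in the Pod API section and have the PSP matching refer to it. Separately, the comment "This struct should be a plural of v1.SeccompProfile" on SeccompProfileSet reads as an unresolved note rather than a specification statement.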

No application should depend on a policy; a policy can be applied as a non-privileged operation by any code, so if it requires it then it can just apply it.

tallclair

comment created time in 22 days

pull request commentmoby/hyperkit

Explicitly disable VMCS shadowing

Thanks!

agustingianni

comment created time in 22 days

PR merged moby/hyperkit

Explicitly disable VMCS shadowing

On macOS Catalina VM creation fails with:

vmx_set_ctlreg: cap_field: 2 bit: 14 unspecified don't care
vmx_init: processor does not support desired secondary processor-based controls
Unable to create VM (22)

Add the VMCS shadow control bit to the list of disabled controls.

Original patch by John Coyle https://github.com/machyve/xhyve/commit/0c3c50a971f4fdc0d25cbeb06cdecce8fbaeef92

+3 -1

7 comments

2 changed files

agustingianni

pr closed time in 22 days

push eventmoby/hyperkit

Agustin Gianni

commit sha 3b296c7477844aa1fb5b031a0755881a57aed7a9

Explicitly disable VMCS shadowing

MacOSX 10.15 hypervisor framework supports VMCS shadowing. VM creation fails with:

vmx_set_ctlreg: cap_field: 2 bit: 14 unspecified don't care
vmx_init: processor does not support desired secondary processor-based controls
Unable to create VM (22)

Add the VMCS shadow control bit to the list of disabled controls.

Original patch: https://github.com/machyve/xhyve/commit/0c3c50a971f4fdc0d25cbeb06cdecce8fbaeef92

Signed-off-by: Agustin Gianni <agustingianni@gmail.com>

view details

Justin Cormack

commit sha 97f091f9a65390123d96c6794a4b29190e04ce3d

Merge pull request #263 from agustingianni/master Explicitly disable VMCS shadowing

view details

push time in 22 days

pull request commentdocker-library/httpd

Add hardening flags

Yes, Alpine looks fine already, with stack canary, pie etc.

justincormack

comment created time in 22 days

delete branch justincormack/httpd

delete branch : harden

delete time in 22 days

push eventjustincormack/aufs

Justin Cormack

commit sha afb181272e123eb123fff2ad6672a4ee7181d66a

Should not fail if modprobe aufs fails

It could be that aufs is compiled into the kernel, or you do not have CAP_SYS_MODULE but the module is already inserted. So just return the error in case it is helpful, but only fail if it is not in the list of filesystems.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

view details

push time in 23 days

push eventjustincormack/aufs

Justin Cormack

commit sha 672aa2f4dd21babb13c5d3d73a634bc390b5ac51

Should not fail if modprobe aufs fails

It could be that aufs is compiled into the kernel, or you do not have CAP_SYS_MODULE but the module is already inserted. So just return the error in case it is helpful, but only fail if it is not in the list of filesystems.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

view details

push time in 23 days

PR opened containerd/aufs

Should not fail if modprobe aufs fails

It could be that aufs is compiled into the kernel, or you do not have CAP_SYS_MODULE but the module is already inserted. So just return the error in case it is helpful, but only fail if it is not in the list of filesystems.

Signed-off-by: Justin Cormack justin.cormack@docker.com

+3 -2

0 comment

1 changed file

pr created time in 23 days

create branch justincormack/aufs

branch : no-fail-modprobe

created branch time in 23 days

fork justincormack/aufs

AUFS Snapshotter for containerd

fork in 23 days

issue commentlinuxkit/linuxkit

No getty prompt

Very confusing, I can't see what difference would make that happen need to diff more, but I think we should be using the new shim anyway, we should add in https://github.com/linuxkit/linuxkit/blob/master/pkg/containerd/Dockerfile

hyperized

comment created time in 23 days

issue commentlinuxkit/linuxkit

No getty prompt

So the file containerd-shim-runc-v2 does not exist in either case, but something about the recent init makes containerd want to use it...

hyperized

comment created time in 23 days

startedsmfrpc/smf

started time in 23 days

Pull request review commentdocker/cli

connhelper: use ssh multiplexing

 func GetCommandConnectionHelper(cmd string, flags ...string) (*ConnectionHelper, 		Host: "http://docker", 	}, nil }++func multiplexingArgs() []string {+	if v := os.Getenv("DOCKER_SSH_NO_MUX"); v != "" {+		if b, err := strconv.ParseBool(v); err == nil && b {+			return nil+		}+	}+	if err := os.MkdirAll(config.Dir(), 0700); err != nil {+		return nil+	}+	args := []string{"-o", "ControlMaster=auto", "-o", "ControlPath=" + config.Dir() + "/%r@%h:%p"}+	if v := os.Getenv("DOCKER_SSH_MUX_PERSIST"); v != "" {+		args = append(args, "-o", "ControlPersist="+v)
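Review bot: in multiplexingArgs the error from os.MkdirAll(config.Dir(), 0700) is dropped and the function returns nil, so multiplexing is silently disabled with no indication to the user; log the error (or return it) so a permissions problem on the config directory is visible. Two smaller points on the same hunk: ControlPath=config.Dir()+"/%r@%h:%p" expands to a Unix socket path, and a long config directory or hostname can exceed the socket path limit (ssh then fails with "ControlPath too long"), so consider OpenSSH's %C token, which expands to a hash of the connection parameters; and DOCKER_SSH_MUX_PERSIST is appended to ControlPersist without validation, so a bad value surfaces as an ssh error rather than a docker one.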

Is there any reason not to have a Docker config option for this as well?

tonistiigi

comment created time in 23 days

issue commentlinuxkit/linuxkit

No getty prompt

It is possible. Also possible that it is something more convoluted...

hyperized

comment created time in 23 days

issue commentlinuxkit/linuxkit

No getty prompt

Hmm, ok so containerd-shim-runc-v2 is missing apparently, but it is very strange that changing init affects it...

hyperized

comment created time in 23 days

pull request commentdocker-library/httpd

Add hardening flags

I am fairly sure that all these flags are defaults in Alpine, including pie.

justincormack

comment created time in 24 days

issue commenttheupdateframework/notary

Helm chart for Notary

I think it is better to make it production ready.

patoarvizu

comment created time in 24 days

issue commentlinuxkit/linuxkit

No getty prompt

can you just add the single console=... option that is correct for your setup? This can cause issues.

hyperized

comment created time in 24 days

pull request commentdocker/docker.github.io

Remove ptrace from blocked syscalls

It is blocked in kernel versions before 4.8 still, so maybe best to leave in with qualification. On earlier kernels you can bypass seccomp with ptrace.

pjbgf

comment created time in 24 days
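The comment above refers to the way Docker's seccomp profile format gates a syscall on the running kernel: a rule with `includes.minKernel` is only applied when the kernel is at least that version, which is how the profile can allow ptrace from 4.8 (where the seccomp check started running after the ptrace hook, so a tracer can no longer rewrite a syscall the filter already passed) while leaving it blocked on older kernels. The following is an added example, not code from Docker or this thread: it parses a constructed profile fragment in that format and reports the effective action for a syscall on a given kernel release. The profile JSON and the release strings are constructed for illustration; only the `defaultAction`, `syscalls[].names`, `action` and `includes.minKernel` fields of the real format are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Profile models the subset of Docker's seccomp profile JSON used here;
// architectures, caps and argument filters of the real format are omitted.
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Syscalls      []Syscall `json:"syscalls"`
}

// Syscall is one rule; Includes.MinKernel gates it on the running kernel.
type Syscall struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	Includes Filter   `json:"includes"`
}

// Filter carries only the minKernel condition for this example.
type Filter struct {
	MinKernel string `json:"minKernel"`
}

// SampleProfile is a constructed fragment, not Docker's default.json:
// ptrace is allowed only from kernel 4.8 onwards.
const SampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "includes": {"minKernel": "4.8"}}
  ]
}`

// LoadProfile parses a profile and rejects rules without names or an action.
func LoadProfile(data string) (*Profile, error) {
	var p Profile
	if err := json.Unmarshal([]byte(data), &p); err != nil {
		return nil, err
	}
	if p.DefaultAction == "" {
		return nil, fmt.Errorf("profile has no defaultAction")
	}
	for i, r := range p.Syscalls {
		if len(r.Names) == 0 || r.Action == "" {
			return nil, fmt.Errorf("syscall rule %d: names and action are required", i)
		}
	}
	return &p, nil
}

// parseKernel extracts major.minor from a uname-style release such as
// "4.4.0-170-generic" or "5.4"; anything after the minor number is ignored.
func parseKernel(release string) (int, int, error) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("kernel release %q: expected major.minor", release)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, fmt.Errorf("kernel release %q: %v", release, err)
	}
	minor, err := strconv.Atoi(strings.SplitN(parts[1], "-", 2)[0])
	if err != nil {
		return 0, 0, fmt.Errorf("kernel release %q: %v", release, err)
	}
	return major, minor, nil
}

// KernelAtLeast reports whether release running satisfies minKernel required.
func KernelAtLeast(running, required string) (bool, error) {
	rMaj, rMin, err := parseKernel(running)
	if err != nil {
		return false, err
	}
	qMaj, qMin, err := parseKernel(required)
	if err != nil {
		return false, err
	}
	return rMaj > qMaj || (rMaj == qMaj && rMin >= qMin), nil
}

// EffectiveAction returns the action applied to syscall name on kernel
// release running: the first rule naming it whose minKernel (if any) is met
// wins; a rule whose minKernel is not met is skipped, as if absent.
func EffectiveAction(p *Profile, name, running string) (string, error) {
	for _, rule := range p.Syscalls {
		matched := false
		for _, n := range rule.Names {
			if n == name {
				matched = true
			}
		}
		if !matched {
			continue
		}
		if rule.Includes.MinKernel != "" {
			ok, err := KernelAtLeast(running, rule.Includes.MinKernel)
			if err != nil {
				return "", err
			}
			if !ok {
				continue
			}
		}
		return rule.Action, nil
	}
	return p.DefaultAction, nil
}

func main() {
	p, err := LoadProfile(SampleProfile)
	if err != nil {
		panic(err)
	}
	for _, release := range []string{"4.4.0-170-generic", "4.8.0", "5.4.0-52-generic"} {
		action, err := EffectiveAction(p, "ptrace", release)
		if err != nil {
			panic(err)
		}
		fmt.Printf("kernel %-18s ptrace -> %s\n", release, action)
	}
}
```

Run it and the 4.4 kernel falls through to `SCMP_ACT_ERRNO` while 4.8 and 5.4 get `SCMP_ACT_ALLOW`, which is the behaviour the documentation note above should describe: "blocked" is conditional on the kernel, not a property of the profile text alone. Only major.minor is compared, so a distribution backport that fixes the ptrace ordering on an older release number would still be treated as vulnerable.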

delete branch justincormack/docker

delete branch : seccomp-socket-to-them

delete time in 24 days

pull request commentdocker-library/httpd

Add hardening flags

Upstream httpd no longer distributes Linux binaries (just Windows and ahem Netware), so it is hard to get a sense of what they recommend. Their rpm spec file does include -pie https://github.com/apache/httpd/blob/trunk/build/rpm/httpd.spec.in#L146

All Linux distros that ship httpd use hardening; all major distros except Debian enable hardening by default in the gcc specfiles I believe; Debian enables for all packages (unless specifically disabled eg gcc). So there are no/few users except those of this package who are using the unhardened builds as far as I can tell.

There are not any significant use cases for disabling in production that I am aware of; there are some other C analysis tools that need it disabled for static analysis. The vast majority of all CVEs in all software are C memory errors, and it seems to be a bad idea to disable the few hardening mechanisms that exist at present.

justincormack

comment created time in 24 days
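The two httpd comments above (that the Alpine build already has a stack canary and PIE, and that distributions enable these flags by default) are the kind of claim worth checking on the built binary rather than trusting the build flags. As an added example that is not part of the thread or of the httpd image, the program below reads an ELF file with Go's standard `debug/elf` package and reports the usual checksec properties: PIE (`ET_DYN`), a non-executable stack (`PT_GNU_STACK` without `PF_X`), partial and full RELRO (`PT_GNU_RELRO`, plus `DT_BIND_NOW` or `DF_BIND_NOW` in the dynamic section) and a stack protector (a reference to `__stack_chk_fail`). The canary check is a heuristic, since a binary built with `-fstack-protector` whose functions never needed a canary has no such reference; `checksec` and Debian's `hardening-check` use the same evidence.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// Hardening is what a checksec-style tool reports for one ELF binary.
type Hardening struct {
	PIE       bool // ET_DYN executable, so ASLR can relocate the text segment
	NX        bool // PT_GNU_STACK present and not executable
	RelRO     bool // PT_GNU_RELRO present: relocation data is made read-only
	FullRelRO bool // RelRO plus BIND_NOW: the GOT is read-only after load too
	Canary    bool // references __stack_chk_fail, i.e. built with -fstack-protector
}

// Facts is the raw evidence Classify works from; Extract fills it from an
// *elf.File, and it can also be constructed directly for testing.
type Facts struct {
	Type    elf.Type
	Progs   []elf.ProgHeader
	Symbols []string
	BindNow bool
}

// Classify turns the evidence into a verdict. A missing PT_GNU_STACK counts
// as no NX, because the loader then falls back to an executable stack.
func Classify(f Facts) Hardening {
	h := Hardening{PIE: f.Type == elf.ET_DYN}
	for _, p := range f.Progs {
		switch p.Type {
		case elf.PT_GNU_STACK:
			h.NX = p.Flags&elf.PF_X == 0
		case elf.PT_GNU_RELRO:
			h.RelRO = true
		}
	}
	h.FullRelRO = h.RelRO && f.BindNow
	for _, s := range f.Symbols {
		if s == "__stack_chk_fail" {
			h.Canary = true
		}
	}
	return h
}

// Missing lists the absent protections in a fixed order.
func Missing(h Hardening) []string {
	var m []string
	for _, c := range []struct {
		ok   bool
		name string
	}{{h.PIE, "pie"}, {h.NX, "nx"}, {h.RelRO, "relro"}, {h.FullRelRO, "fullrelro"}, {h.Canary, "canary"}} {
		if !c.ok {
			m = append(m, c.name)
		}
	}
	return m
}

// Extract gathers Facts from an opened ELF. BIND_NOW is read directly from
// the dynamic section (16-byte entries on ELFCLASS64, 8-byte on ELFCLASS32).
func Extract(f *elf.File) (Facts, error) {
	facts := Facts{Type: f.Type}
	for _, p := range f.Progs {
		facts.Progs = append(facts.Progs, p.ProgHeader)
	}
	for _, get := range []func() ([]elf.Symbol, error){f.Symbols, f.DynamicSymbols} {
		syms, err := get()
		if err != nil && err != elf.ErrNoSymbols {
			return facts, err
		}
		for _, s := range syms {
			facts.Symbols = append(facts.Symbols, s.Name)
		}
	}
	if dyn := f.SectionByType(elf.SHT_DYNAMIC); dyn != nil {
		data, err := dyn.Data()
		if err != nil {
			return facts, err
		}
		entry := 8
		if f.Class == elf.ELFCLASS64 {
			entry = 16
		}
		for ; len(data) >= entry; data = data[entry:] {
			var tag, val uint64
			if entry == 16 {
				tag, val = f.ByteOrder.Uint64(data[:8]), f.ByteOrder.Uint64(data[8:16])
			} else {
				tag, val = uint64(f.ByteOrder.Uint32(data[:4])), uint64(f.ByteOrder.Uint32(data[4:8]))
			}
			if elf.DynTag(tag) == elf.DT_BIND_NOW || (elf.DynTag(tag) == elf.DT_FLAGS && val&uint64(elf.DF_BIND_NOW) != 0) {
				facts.BindNow = true
			}
		}
	}
	return facts, nil
}

// Inspect opens path and returns its hardening verdict.
func Inspect(path string) (Hardening, error) {
	f, err := elf.Open(path)
	if err != nil {
		return Hardening{}, err
	}
	defer f.Close()
	facts, err := Extract(f)
	if err != nil {
		return Hardening{}, err
	}
	return Classify(facts), nil
}

func main() {
	for _, path := range os.Args[1:] {
		h, err := Inspect(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: pie=%t nx=%t relro=%t fullrelro=%t canary=%t missing=%v\n",
			path, h.PIE, h.NX, h.RelRO, h.FullRelRO, h.Canary, Missing(h))
	}
}
```

Point it at the `httpd` binary inside a running container (for example via `docker cp`) to confirm the Alpine claim; a shared library is also `ET_DYN`, so interpret the PIE column only for executables.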

issue commenttheupdateframework/notary

Helm chart for Notary

I am not particularly keen on having a chart that is not suitable for production in this repo. It could go elsewhere, but it would really need ongoing CI as well.

patoarvizu

comment created time in 24 days

issue commentdocker/for-win

Any Plans for Docker running on Windows on ARM

Hi, planning to do some work to investigate feasibility. It would run arm64 Linux containers (we could run x86 emulation with Qemu), with WSL2. I don't believe Windows containers are feasible at this time.

cobrow

comment created time in 24 days

issue commentrancher/k3s

Add buildah/podman for managing images

@sandys "Docker is pretty much not moving on cgroups v2" is totally false. The runc project is working towards getting cgroups v2 support working; this is a community project with many groups involved, including Docker, Suse and others. You can use Docker with crun which should probably work at this point for v2, although I have not tested this yet.

rcarmo

comment created time in 24 days

issue commentlinuxkit/linuxkit

init should create /dev/net/tun with 0666

Filed an issue on https://gitlab.alpinelinux.org/alpine/aports/issues/10903 but happy to take a PR here to override the file for now.

AkihiroSuda

comment created time in a month

issue commentlinuxkit/linuxkit

init should create /dev/net/tun with 0666

Ah we should probably get Alpine to fix it upstream.

AkihiroSuda

comment created time in a month

pull request commentmoby/hyperkit

Explicitly disable VMCS shadowing

Can you rebase, we fixed the CI issue.

agustingianni

comment created time in a month

push eventmoby/hyperkit

David Scott

commit sha e3718b60c389a3f057a28028e2360180303f2e65

circleci: install opam 1

This works around a brew autoupdate bug following advice from https://discuss.circleci.com/t/brew-install-fails-while-updating/32992/3

Signed-off-by: David Scott <dave.scott@docker.com>

view details

Justin Cormack

commit sha ed9ab73104691fb24db340b58e28a7d45e177eea

Merge pull request #265 from djs55/simple-opam-fix circleci: install opam 1 (fixes the CI)

view details

push time in a month

PR merged moby/hyperkit

circleci: install opam 1 (fixes the CI)

This works around a brew autoupdate bug following advice from

https://discuss.circleci.com/t/brew-install-fails-while-updating/32992/3

Signed-off-by: David Scott dave.scott@docker.com

+2 -20

0 comment

1 changed file

djs55

pr closed time in a month

pull request commentmoby/hyperkit

Explicitly disable VMCS shadowing

Ah, my machine of that date suffered from the exploding battery issue and it's still with Apple, but from the other thread looks like there is a feature missing in some older CPUs.

We are taking a look at the build errors which are unrelated.

agustingianni

comment created time in a month

pull request commentmoby/hyperkit

Explicitly disable VMCS shadowing

Thanks. Curious about your setup as we haven't had any reports of failures with Catalina, and we have tests running for it, so your environment must differ in some way (different hardware?).

agustingianni

comment created time in a month

issue closedlinuxkit/linuxkit

containerd v1.3.0

Can containerd please be bumped to v1.3.0 ?

closed time in a month

hyperized

issue commentlinuxkit/linuxkit

containerd v1.3.0

There is an open PR but it is not passing CI, so needs more work.

hyperized

comment created time in a month

issue commentlinuxkit/linuxkit

init should create /dev/net/tun with 0666

Hmm, so it is still there later with different permissions? Seems like the mysterious hotplug daemon is changing it. That is part of busybox (I do want to rewrite it in Go, or use one that is already written). Maybe there is some config for this... It is not well documented.

AkihiroSuda

comment created time in a month

issue commentcncf/sig-security

Presentation: Kamus - secrets encryption/decryption solution

Would you be able to present at one of the weekly meetings? These are at 8pm your time (I think) Wednesdays now. See https://github.com/cncf/sig-security/issues/283 for discussion of what to present.

omerlh

comment created time in a month

issue commentcncf/sig-security

[Proposal] Considering the fitment of oauth2_proxy

I think it would be helpful to provide at least an outline of some of the key points on our assessment list https://github.com/cncf/sig-security/blob/master/assessments/guide/outline.md as well as an overview of how it relates to other projects in the space (complements/alternatives).

pragashj

comment created time in a month

issue commentcncf/sig-security

[Proposal] Considering the fitment of oauth2_proxy

Hey @JoelSpeed I mentioned on the call, and we would like to schedule a presentation at a sig-security meeting.

pragashj

comment created time in a month

pull request commenttheupdateframework/notary

bump github.com/lib/pq v1.0.0

Hey can you update this to pq 1.2?

thaJeztah

comment created time in a month

push eventtheupdateframework/notary

Sebastiaan van Stijn

commit sha 6c3a23966552195e4c966dec4466d6edd7be02af

CircleCI: update image, and use BuildKit

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

view details

Justin Cormack

commit sha 4f9d5946839019336a87b6de4fd7027fb2adc9db

Merge pull request #1486 from thaJeztah/use_buildkit_in_ci CircleCI: update image, and use BuildKit

view details

push time in a month

PR merged theupdateframework/notary

CircleCI: update image, and use BuildKit

YOLO; https://discuss.circleci.com/t/default-machine-executor-image-update/29308 mentioned CircleCI now has Docker 18.09, so let's see if this works

+13 -2

5 comments

1 changed file

thaJeztah

pr closed time in a month

pull request commenttheupdateframework/notary

Add helm chart

Sorry, been travelling, will take a look soon.

patoarvizu

comment created time in a month

push eventtheupdateframework/notary

Sebastiaan van Stijn

commit sha ef3c42b60714a3fc6c501358bd76974b6a1596db

Update Golang 1.12.12 (CVE-2019-17596)

Golang 1.12.12
-------------------------------

full diff: https://github.com/golang/go/compare/go1.12.11...go1.12.12

go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.12

Golang 1.12.11 (CVE-2019-17596)
-------------------------------

full diff: https://github.com/golang/go/compare/go1.12.10...go1.12.11

go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.11

[security] Go 1.13.2 and Go 1.12.11 are released

Hi gophers,

We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.2).

Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.

The issue is CVE-2019-17596 and Go issue golang.org/issue/34960.

Thanks to Daniel Mandragona for discovering and reporting this issue. We'd also like to thank regilero for a previous disclosure of CVE-2019-16276.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

view details

Justin Cormack

commit sha 90a6a4b52f860135d2c10ef189d7ec84d030fe41

Merge pull request #1509 from thaJeztah/bump_golang_1.12.12 Update Golang 1.12.12 (CVE-2019-17596)

view details

push time in a month

PR merged theupdateframework/notary

Update Golang 1.12.12 (CVE-2019-17596)

Golang 1.12.12

full diff: https://github.com/golang/go/compare/go1.12.11...go1.12.12

go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.12

Golang 1.12.11 (CVE-2019-17596)

full diff: https://github.com/golang/go/compare/go1.12.10...go1.12.11

go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.11

[security] Go 1.13.2 and Go 1.12.11 are released

Hi gophers,

We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported
security issue. We recommend that all affected users update to one of these
releases (if you're not sure which, choose Go 1.13.2).

Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,
even if the certificates don't chain to a trusted root. The chain can be
delivered via a crypto/tls connection to a client, or to a server that accepts
and verifies client certificates. net/http clients can be made to crash by an
HTTPS server, while net/http servers that accept client certificates will
recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request, parsing a golang.org/x/crypto/openpgp Entity, or during a
golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client
can panic due to a malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts
a certificate with a malformed public key.

The issue is CVE-2019-17596 and Go issue golang.org/issue/34960.

Thanks to Daniel Mandragona for discovering and reporting this issue. We'd also
like to thank regilero for a previous disclosure of CVE-2019-16276.

Signed-off-by: Sebastiaan van Stijn github@gone.nl

+7 -7

3 comments

7 changed files

thaJeztah

pr closed time in a month

issue commentlinuxkit/linuxkit

init should create /dev/net/tun with 0666

You might need to create /dev/net too. The error handling here is not great due to environment it runs in.

On Sun, 20 Oct 2019 at 06:19, Akihiro Suda notifications@github.com wrote:

diff --git a/pkg/init/cmd/rc.init/main.go b/pkg/init/cmd/rc.init/main.go index 6d65af17a..8f05f205b 100644--- a/pkg/init/cmd/rc.init/main.go+++ b/pkg/init/cmd/rc.init/main.go@@ -196,6 +196,8 @@ func doMounts() { mkchar("/dev/tty", 0666, 5, 0) mkchar("/dev/null", 0666, 1, 3) mkchar("/dev/kmsg", 0660, 1, 11)+ // allow everyone to use TUN/TAP+ mkchar("/dev/net/tun", 0666, 10, 200) // make standard symlinks symlink("/proc/self/fd", "/dev/fd") symlink("/proc/self/fd/0", "/dev/stdin")
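Review bot: the added mkchar("/dev/net/tun", 0666, 10, 200) line assumes /dev/net already exists, unlike the sibling nodes which sit directly in /dev; if the directory is missing the mknod fails, and unless mkchar reports failure the node is simply absent. Create /dev/net first, or check mkchar's result, before this line. The comment "allow everyone to use TUN/TAP" also promises more than 0666 gives: any process can open the node, but attaching an interface with TUNSETIFF still requires CAP_NET_ADMIN in the network namespace unless a persistent interface was handed to that user with TUNSETOWNER, so "allow everyone to open" is the accurate wording.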

Rebuilt docker.yml with the patch above, no success

$ docker tag linuxkit/init:1d8e0532ca588c5ad0d9ca6038349a70bb7ac626-dirty foo/bar
$ docker push foo/bar
$ vi docker.yml
$ linuxkit build -format qcow2-bios docker.yml
$ linuxkit run qemu docker.qcow2
(ns: getty) linuxkit-26740bd71677:~# ls -l /dev/net/tun
crw-rw---- 1 root root 10, 200 Oct 20 13:14 /dev/net/tun


AkihiroSuda

comment created time in a month
