Kenta Tada
The feature of addfd[1][2] allows the supervisor to install file descriptors into the intercepted task. By implementing this feature via seccomp the supervisor effectively instructs the supervisee to install a...
This commit adds definitions for Linux debug related MAGIC to confirm if the filesystem for debug is mounted using statfs. Reference commit: https://github.com/rust-lang/libc/pull/1943 Signed-off-by: Kenta Tada
This commit adjusts the file mode to use the latest golang style. In addition to that, I changed those modes from 0700 to 0600, the same as #2636. Related to...
In https://github.com/opencontainers/runc/issues/2430#issuecomment-633763854, I considered disabling IBPB/STIBP to improve the performance impact on bytecode interpreters. This commit adds the flag which disables IBPB/STIBP mitigation for container. Signed-off-by: Kenta Tada
The time namespace is a new kernel feature available in 5.6+ to isolate the system monotonic and boot-time clocks. I'm sorry, I mistakenly closed the existing request https://github.com/opencontainers/runtime-spec/pull/1062 Signed-off-by:...
It disables speculative execution mitigations in the container. For more information about that, please refer to: https://github.com/opencontainers/runc/issues/2430 Signed-off-by: Kenta Tada
All clone flags should be denied in the default profile. Also x/sys should be used instead of syscall. Signed-off-by: Kenta Tada
Kubernetes 1.25 brings cgroup v2 to GA. cgroup v2 needs some additional kernel configs. For example, you need to enable `CONFIG_CGROUP_BPF` if you want to use the device controller....
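The kernel-config check described above, as an added example that is not part of runc or of the PR: a small POSIX shell script that reads a kernel config file (plain `config-*` file or `/proc/config.gz`) and reports which options are not built in. `CONFIG_CGROUP_BPF` is the option named in the PR; `CONFIG_CGROUPS` and `CONFIG_BPF_SYSCALL` are added here on the assumption that the device controller needs them (`CONFIG_CGROUP_BPF` depends on `CONFIG_BPF_SYSCALL` in Kconfig). The sample configs at the bottom are constructed for the demonstration, not taken from any real kernel.

```shell
#!/bin/sh
# Added example (not runc's code): check whether a kernel config file has the
# options that cgroup v2's device controller needs. Only CONFIG_CGROUP_BPF is
# taken from the PR; the other two are an assumption documented in the lead-in.

REQUIRED_OPTS="CONFIG_CGROUPS CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF"

# kconfig_value FILE OPT
# Prints the option's value ("y", "m", ...), "n" for "# OPT is not set",
# or "missing" if the option does not appear at all.
kconfig_value() {
    kc_file=$1
    kc_opt=$2
    if [ "${kc_file##*.}" = "gz" ]; then
        kc_contents=$(gzip -dc "$kc_file")      # /proc/config.gz style
    else
        kc_contents=$(cat "$kc_file")
    fi
    # Anchored patterns: CONFIG_CGROUP_BPF must not match CONFIG_CGROUP_BPF_FOO.
    if printf '%s\n' "$kc_contents" | grep -q "^# $kc_opt is not set$"; then
        echo n
    elif kc_val=$(printf '%s\n' "$kc_contents" | sed -n "s/^$kc_opt=\(.*\)$/\1/p") \
         && [ -n "$kc_val" ]; then
        echo "$kc_val"
    else
        echo missing
    fi
}

# check_cgroup_v2_config FILE
# Prints every required option that is not built in (=y) and returns
# non-zero if any is missing, so it can be used as a gate in a setup script.
check_cgroup_v2_config() {
    cc_file=$1
    cc_rc=0
    for cc_opt in $REQUIRED_OPTS; do
        cc_v=$(kconfig_value "$cc_file" "$cc_opt")
        case $cc_v in
            y) ;;
            *) echo "$cc_opt: $cc_v"; cc_rc=1 ;;
        esac
    done
    return $cc_rc
}

# Constructed sample configs for the demonstration (not from a real kernel).
# On a real host you would pass /boot/config-$(uname -r) or /proc/config.gz.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
CONFIG_CGROUPS=y
CONFIG_BPF_SYSCALL=y
CONFIG_CGROUP_BPF=y
EOF

SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
CONFIG_CGROUPS=y
CONFIG_BPF_SYSCALL=y
# CONFIG_CGROUP_BPF is not set
EOF

# Usage: check_cgroup_v2_config "$SAMPLE_BAD" prints "CONFIG_CGROUP_BPF: n"
# and returns 1; the same call on "$SAMPLE_OK" prints nothing and returns 0.
```

The exact-match patterns matter: a naive `grep CONFIG_CGROUP_BPF` would also accept a line such as `CONFIG_CGROUP_BPF_FOO=y` or the `# ... is not set` comment and report a kernel as ready when the controller cannot actually be used.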