Skip to content

config: mask thermal interrupt info paths #2375

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Mar 20, 2025
Merged

config: mask thermal interrupt info paths #2375

openshift-merge-bot merged 1 commit into from
Mar 20, 2025

Conversation

@giuseppe
Copy link
Member

@giuseppe giuseppe commented Mar 20, 2025

On Linux, mask "/proc/interrupts" and
"/sys/devices/system/cpu/*/thermal_throttle" inside containers by default.

It is the equivalent of moby/moby#49560 for Moby.

Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

giuseppe added a commit to giuseppe/buildah that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test containers/common#2375
573f694 
Closes: containers#6073

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe force-pushed the mask-thermal-paths branch from 7caf5cd to 3236d58 Compare March 20, 2025 10:55
giuseppe added a commit to giuseppe/libpod that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test new common and buildah
1447a50 
vendor the following dependencies:

- containers/common#2375
- containers/buildah#6074

Closes: containers#25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Luap99
Luap99 reviewed Mar 20, 2025
View reviewed changes
@giuseppe giuseppe force-pushed the mask-thermal-paths branch 4 times, most recently from fbc0a6d to d1bf3f3 Compare March 20, 2025 11:23
giuseppe added a commit to giuseppe/buildah that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test containers/common#2375
a12de1e 
Closes: containers#6073

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe added a commit to giuseppe/libpod that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test new common and buildah
9d63675 
vendor the following dependencies:

- containers/common#2375
- containers/buildah#6074

Closes: containers#25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe mentioned this pull request Mar 20, 2025
Merged
@giuseppe giuseppe marked this pull request as ready for review March 20, 2025 13:26
giuseppe added a commit to giuseppe/buildah that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test containers/common#2375
3262ba0 
Closes: containers#6073

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe added a commit to giuseppe/libpod that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test new common and buildah
c281e69 
vendor the following dependencies:

- containers/common#2375
- containers/buildah#6074

Closes: containers#25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe added a commit to giuseppe/libpod that referenced this pull request Mar 20, 2025
@giuseppe
vendor: test new common and buildah
6305eaf 
vendor the following dependencies:

- containers/common#2375
- containers/buildah#6074

Closes: containers#25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Luap99
Luap99 reviewed Mar 20, 2025
View reviewed changes
@giuseppe giuseppe force-pushed the mask-thermal-paths branch 2 times, most recently from e6b97c2 to d0e98eb Compare March 20, 2025 16:27
@giuseppe
Copy link
Member Author

giuseppe commented Mar 20, 2025

thanks, fixed now

@giuseppe
config: mask thermal interrupt info paths
4c30da0 
On Linux, mask "/proc/interrupts" and
"/sys/devices/system/cpu/*/thermal_throttle" inside containers by
default.

It is the equivalent of moby/moby#49560 for Moby.

Mitigates potential Thermal Side-Channel Vulnerability
Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe force-pushed the mask-thermal-paths branch from d0e98eb to 4c30da0 Compare March 20, 2025 18:22
@rhatdan
Copy link
Member

rhatdan commented Mar 20, 2025

LGTM

@mheon
Copy link
Member

mheon commented Mar 20, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 20, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit fa53559 into containers:main Mar 20, 2025
13 of 15 checks passed
@lsm5 lsm5 mentioned this pull request Mar 21, 2025
Merged
giuseppe added a commit to giuseppe/libpod that referenced this pull request Mar 21, 2025
@giuseppe
vendor: update common and buildah
5bbcafa 
vendor the following dependencies:

- containers/common#2375
- containers/buildah#6074

Closes: containers#25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe added a commit to giuseppe/libpod that referenced this pull request Mar 21, 2025
@giuseppe
vendor: update common and buildah
260035d 
vendor the following dependencies:

- containers/common#2375
- containers/buildah#6074

Closes: containers#25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@nalind nalind mentioned this pull request Mar 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Luap99 Luap99 Luap99 left review comments

Assignees

@mheon mheon

Labels

approved lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@giuseppe @rhatdan @mheon @Luap99