Mask Linux thermal interrupt info in /proc and /sys. #49560
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vvoland
reviewed
Feb 28, 2025
| // larger to the number of CPUs currently online). The returned set may be a | ||
| // single CPU number ({0}), or a continuous range of CPU numbers ({0,1,2,3}), or | ||
| // a non-continuous range of CPU numbers ({0,1,2,3,12,13,14,15}). | ||
| func PossibleCPU() []int { |
Contributor
There was a problem hiding this comment.
Not sure if internal/platform is the best package for this.
In general we refer to "platform" in the context of an image (OS, architecture, variant, ...) instead of the running system.
Perhaps internal/system would be more appropriate? 🤔
Collaborator
Author
There was a problem hiding this comment.
Pushing back a bit: platform generally means the underlying hw environment the software is running on, so the number of CPUs falls within that category.
Having said that, if you feel strongly about it, I can create a separate internal/system package, though doing so may raise confusion since we already have a pkg/system package (where PossibleCPU() would not fit well IMO).
Member
There was a problem hiding this comment.
Given that there's only a single consumer of this function, the easy way out could be to move these files inside the oci packages, and un-export the possibleCPU() function
Collaborator
Author
There was a problem hiding this comment.
I think it fits well in internal/platform, as opposed to hiding it within the oci package (where it really does not fit, even though it's the only consumer currently).
Collaborator
Author
There was a problem hiding this comment.
Hi @thaJeztah, @vvoland, any further feedback on this PR? I would like to merge it if possible.
Contributor
There was a problem hiding this comment.
platform generally means the underlying hw environment the software is running on, so the number of CPUs falls within that category.
Right, but in our context (container runtime), platform has a more specific meaning.
How about putting it in a cpu/cpus package? We could then rename the function name to just Possible (so it would make it cpu.Possible.
Collaborator
Author
There was a problem hiding this comment.
How about putting it in a cpu/cpus package?
We could do that but notice that:
-
Package
internal/platformalready has a NumProcs() function. -
Package
internal/platformalso has anArchitecture()function which is a property of the CPU.
In other words, there's no clear difference between platform and cpu currently, so I would vote to simplify and keep it all under the platform package.
vvoland
reviewed
Feb 28, 2025
ctalledo
force-pushed
the
mask-thermal-interrupt-info
branch
from
24dd26c to
6d3a73e
Compare
temenuzhka-thede
approved these changes
Mar 10, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Signed-off-by: Cesar Talledo <[email protected]>
ctalledo
force-pushed
the
mask-thermal-interrupt-info
branch
from
6d3a73e to
a3fef5d
Compare
vvoland
added
the
kind/enhancement
vvoland
approved these changes
Mar 12, 2025
Collaborator
Author
|
@thaJeztah: could I please get your approval for this PR (assuming it's all good)? Thanks! |
thaJeztah
reviewed
Mar 13, 2025
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM
sorry, was waiting for that discussion that was happening; code looks good
This was referenced Mar 20, 2025
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
added a commit
to giuseppe/common
that referenced
this pull request
Mar 20, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Mar 24, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Mar 24, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
taylorsilva
added a commit
to concourse/concourse
that referenced
this pull request
Mar 25, 2025
This is following upstream Docker/Podman, specifically following Podman's implementation by pulling in github.com/containers/common. That repo appears to be a shared library among all their other projects. We could potentially simplify some of our container creation behaviour by leveraging more of that package in our own runtime code. For now we're pulling in the lists of masked and readonly paths that they also use for unprivileged containers. They appear to follow whatever Docker does, so this keeps us inline with what the overall container community expects for non-privileged containers. Motivation for this change came from this Docker PR: moby/moby#49560 Which was detected by our pipeline job that checks for new docker mounts in privileged and non-privileged containers. Signed-off-by: Taylor Silva <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Jul 16, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Jul 16, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Jul 16, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Jul 16, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Jul 16, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
added a commit
to saschagrunert/kubernetes
that referenced
this pull request
Jul 16, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
hswong3i
pushed a commit
to alvistack/kubernetes-kubernetes
that referenced
this pull request
Sep 10, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
hswong3i
pushed a commit
to alvistack/kubernetes-kubernetes
that referenced
this pull request
Sep 10, 2025
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle" inside containers by default. Privileged containers or containers started with --security-opt="systempaths=unconfined" are not affected. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure default masked paths don't apply to privileged containers. Refers to moby/moby#49560 Signed-off-by: Sascha Grunert <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
Mask Linux thermal interrupt info inside a container's
/procand/sys.Mitigates the use of thermal event interrupt information (available within the container via
/proc/interruptsor/sys/devices/system/cpu/<cpuX>/thermal_throttle/) to perform thermal side channel attacks.Big thanks to @zhangxin00 for reporting this issue.
- How I did it
Mask
/proc/interruptsand/sys/devices/system/cpu/<cpuX>/thermal_throttleinside containers by default. Privileged containers or containers started with--security-opt="systempaths=unconfined"are not affected.Integration test
TestCreateWithCustomMaskedPaths()was updated with the new masked paths and improved to ensure the default masked paths don't apply to privileged containers.- How to verify it
Should each return an empty file.
- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)