config: mask thermal interrupt info paths by giuseppe · Pull Request #2375 · containers/common

giuseppe · 2025-03-20T10:37:17Z

On Linux, mask "/proc/interrupts" and
"/sys/devices/system/cpu/*/thermal_throttle" inside containers by default.

It is the equivalent of moby/moby#49560 for Moby.

Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

openshift-ci · 2025-03-20T10:37:22Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Closes: podman-container-tools#6073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor the following dependencies: - containers/common#2375 - podman-container-tools/buildah#6074 Closes: podman-container-tools#25634 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: podman-container-tools#6073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor the following dependencies: - containers/common#2375 - podman-container-tools/buildah#6074 Closes: podman-container-tools#25634 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: podman-container-tools#6073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

vendor the following dependencies: - containers/common#2375 - podman-container-tools/buildah#6074 Closes: podman-container-tools#25634 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

giuseppe · 2025-03-20T16:28:45Z

thanks, fixed now

On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/*/thermal_throttle" inside containers by default. It is the equivalent of moby/moby#49560 for Moby. Mitigates potential Thermal Side-Channel Vulnerability Exploit (https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm). Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

rhatdan · 2025-03-20T19:41:58Z

LGTM

mheon · 2025-03-20T21:46:33Z

/lgtm

vendor the following dependencies: - containers/common#2375 - podman-container-tools/buildah#6074 Closes: podman-container-tools#25634 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

openshift-ci Bot added the do-not-merge/work-in-progress label Mar 20, 2025

openshift-ci Bot added the approved label Mar 20, 2025

giuseppe added a commit to giuseppe/buildah that referenced this pull request Mar 20, 2025

vendor: test containers/common#2375

573f694

Closes: podman-container-tools#6073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

giuseppe force-pushed the mask-thermal-paths branch from 7caf5cd to 3236d58 Compare March 20, 2025 10:55

Luap99 reviewed Mar 20, 2025

View reviewed changes

Comment thread pkg/config/default.go

giuseppe force-pushed the mask-thermal-paths branch 4 times, most recently from fbc0a6d to d1bf3f3 Compare March 20, 2025 11:23

giuseppe added a commit to giuseppe/buildah that referenced this pull request Mar 20, 2025

vendor: test containers/common#2375

a12de1e

Closes: podman-container-tools#6073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

giuseppe mentioned this pull request Mar 20, 2025

Mask thermal paths podman-container-tools/podman#25635

Merged

giuseppe marked this pull request as ready for review March 20, 2025 13:26

openshift-ci Bot removed the do-not-merge/work-in-progress label Mar 20, 2025

giuseppe added a commit to giuseppe/buildah that referenced this pull request Mar 20, 2025

vendor: test containers/common#2375

3262ba0

Closes: podman-container-tools#6073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Luap99 reviewed Mar 20, 2025

View reviewed changes

Comment thread pkg/config/default_test.go Outdated

Comment thread pkg/config/default_test.go Outdated

Comment thread pkg/config/default_test.go Outdated

giuseppe force-pushed the mask-thermal-paths branch 2 times, most recently from e6b97c2 to d0e98eb Compare March 20, 2025 16:27

giuseppe force-pushed the mask-thermal-paths branch from d0e98eb to 4c30da0 Compare March 20, 2025 18:22

openshift-ci Bot assigned mheon Mar 20, 2025

openshift-ci Bot added the lgtm label Mar 20, 2025

openshift-merge-bot Bot merged commit fa53559 into containers:main Mar 20, 2025

lsm5 mentioned this pull request Mar 21, 2025

Mask thermal paths podman-container-tools/buildah#6074

Merged

nalind mentioned this pull request Mar 27, 2025

Allow containers to mask parts of their /proc containers/container-selinux#367

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

config: mask thermal interrupt info paths#2375

config: mask thermal interrupt info paths#2375
openshift-merge-bot[bot] merged 1 commit into
containers:mainfrom
giuseppe:mask-thermal-paths

giuseppe commented Mar 20, 2025

Uh oh!

openshift-ci Bot commented Mar 20, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

giuseppe commented Mar 20, 2025

Uh oh!

rhatdan commented Mar 20, 2025

Uh oh!

mheon commented Mar 20, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

giuseppe commented Mar 20, 2025

Uh oh!

openshift-ci Bot commented Mar 20, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

giuseppe commented Mar 20, 2025

Uh oh!

rhatdan commented Mar 20, 2025

Uh oh!

mheon commented Mar 20, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants