libct/exeseal: add annotation to choose runc binary protection mechanism
Introduce the org.opencontainers.runc.clone-self-exe annotation to let
users explicitly choose how runc protects the host runc binary against
tampering by the container. Previously, runc attempted sealed overlayfs
and silently fell back to the clone-binary path on failure, with no way
for users to express a preference.
Recognized values:
- independent-data-copy: use the clone-binary path only (memfd, with an internal fallback to a classic unlinked tmpfile on older kernels).
- ro-shared-page: use sealed overlayfs only.
When the annotation is absent, runc's existing default behavior is
preserved unchanged (sealed overlayfs, then clone-binary fallback).
The annotation is registered in PotentiallyUnsafeConfigAnnotations
because it configures runc's own execution path.
Signed-off-by: Mohammed Aminu Futa <mohammedfuta2000@gmail.com>