Affected by GO-2022-0985 and 10 other vulnerabilities

GO-2022-0985: Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions in github.com/docker/docker

GO-2022-1107: Container build can leak any path on the host into the container in github.com/docker/docker

GO-2023-1699: Docker Swarm encrypted overlay network may be unauthenticated in github.com/docker/docker

GO-2023-1700: Docker Swarm encrypted overlay network traffic may be unencrypted in github.com/docker/docker

GO-2023-1701: Docker Swarm encrypted overlay network with a single endpoint is unauthenticated in github.com/docker/docker

GO-2025-3829: Moby firewalld reload removes bridge network isolation in github.com/docker/docker

GO-2026-4883: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker

GO-2026-4887: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker

GO-2026-5617: Docker: Race condition in docker cp allows bind mount redirection to host path in github.com/docker/docker

GO-2026-5668: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap in github.com/docker/docker

GO-2026-5746: Docker: `PUT /containers/{id}/archive` executes container binary on the host in github.com/docker/docker

overlayutils

package

v20.10.14+incompatible Latest Latest Go to latest Published: Mar 24, 2022 License: Apache-2.0 Imports: 17 Imported by: 352

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/docker

Links

Documentation ¶

Index ¶

func ErrDTypeNotSupported(driver, backingFs string) error
func GenerateID(l int, logger *logrus.Entry) string
func NeedsUserXAttr(d string) (bool, error)
func SupportsOverlay(d string, checkMultipleLowers bool) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ErrDTypeNotSupported ¶

func ErrDTypeNotSupported(driver, backingFs string) error

ErrDTypeNotSupported denotes that the backing filesystem doesn't support d_type.

func GenerateID ¶

func GenerateID(l int, logger *logrus.Entry) string

GenerateID creates a new random string identifier with the given length

func NeedsUserXAttr ¶

func NeedsUserXAttr(d string) (bool, error)

NeedsUserXAttr returns whether overlayfs should be mounted with the "userxattr" mount option.

The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.

The "userxattr" option is NOT needed for the initial user namespace (aka "the host").

Also, Ubuntu (since circa 2015) and Debian (since 10) with kernel < 5.11 can mount the overlayfs in a user namespace without the "userxattr" option.

The corresponding kernel commit: https://github.com/torvalds/linux/commit/2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 > ovl: user xattr > > Optionally allow using "user.overlay." namespace instead of "trusted.overlay." > ... > Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the > "user.overlay.redirect" or "user.overlay.metacopy" xattrs. > ...

The "userxattr" support is not exposed in "/sys/module/overlay/parameters".

func SupportsOverlay ¶

func SupportsOverlay(d string, checkMultipleLowers bool) error

SupportsOverlay checks if the system supports overlay filesystem by performing an actual overlay mount.

checkMultipleLowers parameter enables check for multiple lowerdirs, which is required for the overlay2 driver.

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL