api: add ct_linux_kernel_modules_dynamic_load api extension

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
mihalicyn · Mar 22, 2024 · b21c626 · b21c626
1 parent cc93afb
commit b21c626
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
@@ -2388,3 +2388,8 @@ For more information on access control for OIDC clients, see {ref}`fine-grained-
 ## `vm_disk_io_limits`
 
 Adds the ability to limit disk I/O for virtual machines.
+
+## `ct_linux_kernel_modules_dynamic_load`
+
+Adds the `linux.kernel_modules.load` container configuration option. If the option is set to `dynamic`, the `finit_modules()` syscall is intercepted and a privileged user in the container's user namespace can load the Linux kernel modules specified in the
+allow list `linux.kernel_modules`.
diff --git a/shared/version/api.go b/shared/version/api.go
@@ -401,6 +401,7 @@ var APIExtensions = []string{
 	"container_syscall_filtering_allow_deny_syntax",
 	"access_management",
 	"vm_disk_io_limits",
+	"ct_linux_kernel_modules_dynamic_load",
 }
 
 // APIExtensionsCount returns the number of available API extensions.