From b21c6269446ba27a6553ea368c1d28e1c29fa61c Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn
Date: Thu, 14 Mar 2024 16:37:44 +0100
Subject: [PATCH] api: add ct_linux_kernel_modules_dynamic_load api extension

Signed-off-by: Alexander Mikhalitsyn
---
 doc/api-extensions.md | 5 +++++
 shared/version/api.go | 1 +
 2 files changed, 6 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index b063634727e2..ca77aa0a6aad 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -2388,3 +2388,8 @@ For more information on access control for OIDC clients, see {ref}`fine-grained-
 ## `vm_disk_io_limits`
 
 Adds the ability to limit disk I/O for virtual machines.
+
+## `ct_linux_kernel_modules_dynamic_load`
+
+Adds the `linux.kernel_modules.load` container configuration option. If the option is set to `dynamic`, the `finit_modules()` syscall is intercepted and a privileged user in the container's user namespace can load the Linux kernel modules specified in the
+allow list `linux.kernel_modules`.
diff --git a/shared/version/api.go b/shared/version/api.go
index 4aeadc9fb39c..0f64e8b3d9e1 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -401,6 +401,7 @@ var APIExtensions = []string{
 "container_syscall_filtering_allow_deny_syntax",
 "access_management",
 "vm_disk_io_limits",
+ "ct_linux_kernel_modules_dynamic_load",
 }
 
 // APIExtensionsCount returns the number of available API extensions.
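Review bot: The description published for this extension string (the `doc/api-extensions.md` hunk of the same commit) names the intercepted syscall `finit_modules()`, but the Linux syscall is `finit_module()`; the text that clients look up for `ct_linux_kernel_modules_dynamic_load` should use the real name. Since containers share the host's kernel, that paragraph would also be clearer with one sentence on the trust boundary that the `linux.kernel_modules` allow list guards, for example `Modules are loaded into the host kernel, so the allow list should contain only modules the host administrator trusts.` The `APIExtensions` slice literal begins outside this hunk; the new entry is appended as its last element.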