Pradipta Banerjee bpradipt

View GitHub Profile
@bpradipt
bpradipt / kata-agent-capability.md
Last active March 25, 2026 10:56
kata-agent capability requirements
| Capability | Operations requiring it | Key code locations | init only? |
| --- | --- | --- | --- |
| CAP_SYS_ADMIN | Mount kernel pseudo-filesystems (proc, sysfs, devtmpfs, tmpfs, devpts) | mount.rs: INIT_ROOTFS_MOUNTS, baremount() | Yes |
| CAP_SYS_ADMIN | Mount cgroup hierarchies (v1 controllers + v2 unified) | mount.rs: cgroups_mount(), CGROUPS map | Yes |
| CAP_SYS_ADMIN | pivot_root() — switch container rootfs | rustjail/src/mount.rs:531: pivot_rootfs() | No |
| CAP_SYS_ADMIN | unshare() — create new IPC, UTS, PID, NET, MNT namespaces | namespace.rs:111, rustjail/src/container.rs:520, :375 | No |
| CAP_SYS_ADMIN | setns() — join existing namespaces | rustjail/src/container.rs:371 | No |
| CAP_SYS_ADMIN | Bind-mount namespace files to persist them | namespace.rs:121: baremount(..., MS_BIND\|MS_REC, ...) | No |
| CAP_SYS_ADMIN | Bind-mount /etc/resolv.conf for DNS | network.rs:77: mount::mount(..., MS_BIND, ...) | No |
| CAP_SYS_ADMIN | Load secco |  |  |
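Every row of the table above depends on CAP_SYS_ADMIN, so the practical check is whether the running agent (or any process) still holds it in its effective and bounding sets. The following is an added POSIX shell example, not kata-agent code: it decodes the CapEff/CapBnd hex masks that appear in /proc/<pid>/status, using the capability bit numbers from linux/capability.h (CAP_SYS_ADMIN is bit 21). The SAMPLE_STATUS text is constructed for the example, not captured from a real kata-agent.

```shell
#!/bin/sh
# Added example: decode Linux capability masks from /proc/<pid>/status.
# Not kata-agent code. Capability bit numbers follow <linux/capability.h>.
set -eu

# Bit 0 .. bit 40, in kernel order (41 capabilities as of Linux 5.9+).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod \
lease audit_write audit_control setfcap mac_override mac_admin syslog \
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps <hex-mask>: print one cap_<name> per set bit, lowest bit first.
decode_caps() {
  mask=$((0x$1))
  i=0
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      printf 'cap_%s\n' "$name"
    fi
    i=$((i + 1))
  done
}

# has_cap <hex-mask> <name>: exit 0 if set, 1 if clear, 2 if the name is unknown.
has_cap() {
  mask=$((0x$1))
  i=0
  for name in $CAP_NAMES; do
    if [ "$name" = "$2" ]; then
      return $(( ((mask >> i) & 1) ? 0 : 1 ))
    fi
    i=$((i + 1))
  done
  return 2
}

# cap_line <status-text> <field>: extract the hex mask of e.g. CapEff or CapBnd.
# /proc uses a tab after the colon; awk's default field splitting handles both.
cap_line() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# Constructed sample (not a real capture): effective set holds only
# CAP_SYS_CHROOT (bit 18) and CAP_SYS_ADMIN (bit 21) = 0x240000,
# bounding set is the full 41-bit mask.
SAMPLE_STATUS='Name: kata-agent
CapInh: 0000000000000000
CapPrm: 0000000000240000
CapEff: 0000000000240000
CapBnd: 000001ffffffffff'

# report_caps <status-text>: list the effective set and say whether the
# CAP_SYS_ADMIN-dependent operations in the table are possible.
report_caps() {
  eff=$(cap_line "$1" CapEff)
  echo "CapEff=$eff:"
  decode_caps "$eff"
  if has_cap "$eff" sys_admin; then
    echo "CAP_SYS_ADMIN present: mount, pivot_root, unshare and setns can succeed"
  else
    echo "CAP_SYS_ADMIN absent: every CAP_SYS_ADMIN row in the table would fail"
  fi
}

# Usage against a live process: report_caps "$(cat /proc/$PID/status)"
report_caps "$SAMPLE_STATUS"
```

Run it against a live guest with report_caps "$(cat /proc/$(pidof kata-agent)/status)"; comparing CapEff with CapBnd also shows whether a capability the agent drops after init could be regained, which is the difference the "init only?" column is tracking.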
bpradipt / kata-shim-agent-threat-analysis.md
Last active March 17, 2026 08:49
Kata shim and kata-agent threat analysis

Kata Containers: Shim-Agent Communication Threat Vector Analysis

  • Date: 2026-03-17
  • Branch: main (commit 660e3bb65)
  • Scope: Shim (host-side, Go) to kata-agent (guest-side, Rust) communication
  • Disclaimer: This report was generated using Claude Code and full human review is TBD. Note also that in a real deployment defense-in-depth is always recommended, for example an LSM, network policies, etc.
bpradipt / test-pol.yaml
Last active February 27, 2025 17:02
sample pod yaml with policy
---
apiVersion: v1
kind: Pod
metadata:
  name: test
  labels:
    app: test
  annotations:
    io.katacontainers.config.agent.policy: IyBDb3B5cmlnaHQgKGMpIDIwMjMgTWljcm9zb2Z0IENvcnBvcmF0aW9uCiMKIyBTUERYLUxpY2Vuc2UtSWRlbnRpZmllcjogQXBhY2hlLTIuMAojCnBhY2thZ2UgYWdlbnRfcG9saWN5CgppbXBvcnQgZnV0dXJlLmtleXdvcmRzLmluCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCiMgRGVmYXVsdCB2YWx1ZXMsIHJldHVybmVkIGJ5IE9QQSB3aGVuIHJ1bGVzIGNhbm5vdCBiZSBldmFsdWF0ZWQgdG8gdHJ1ZS4KZGVmYXVsdCBBZGRBUlBOZWlnaGJvcnNSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgQWRkU3dhcFJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBDbG9zZVN0ZGluUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENvcHlGaWxlUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBDcmVhdGVTYW5kYm94UmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IERlc3Ryb3lTYW5kYm94UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgRXhlY1Byb2Nlc3NSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgR2V0T09NRXZlbnRSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBHdWVzdERldGFpbHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBMaXN0SW50ZXJmYWNlc1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBMaXN0Um91dGVzUmVxdWVzdCA6PS
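The annotation value above is a base64-encoded Rego policy for the kata-agent; the lines of the form "default <Request> := true|false" decide which agent RPCs are permitted when no other rule matches, so they are the first thing to audit. The following is an added POSIX shell example, not Kata Containers or Microsoft code: it turns a policy into the annotation form and lists the requests a decoded policy allows or denies by default. SAMPLE_POLICY is a constructed minimal policy, not the full one carried by the manifest, and the choice of ExecProcessRequest and ReadStreamRequest in risky_defaults is this example's own emphasis.

```shell
#!/bin/sh
# Added example: build and audit the io.katacontainers.config.agent.policy
# annotation. Not Kata Containers project code.
set -eu

# Constructed minimal policy in the same shape as the manifest's policy
# (package name and "default" lines), not the full Microsoft policy.
SAMPLE_POLICY='package agent_policy

default CreateContainerRequest := false
default ExecProcessRequest := false
default ReadStreamRequest := false
default DestroySandboxRequest := true
default GuestDetailsRequest := true
default GetOOMEventRequest := true'

# encode_policy <rego-text>: single-line base64 as the annotation expects.
encode_policy() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# decode_policy <base64>: recover the Rego text from an annotation value.
decode_policy() {
  printf '%s' "$1" | base64 -d
}

# policy_defaults <rego-text> <true|false>: requests whose default is <want>.
policy_defaults() {
  printf '%s\n' "$1" | awk -v want="$2" \
    '$1 == "default" && $3 == ":=" && $4 == want { print $2 }'
}

# risky_defaults <rego-text>: defaults that let the host side run commands
# in, or read output from, the guest. Which requests count as risky is this
# example's assumption; extend the pattern for your own threat model.
risky_defaults() {
  policy_defaults "$1" true | grep -Ex 'ExecProcessRequest|ReadStreamRequest' || true
}

# annotation_from_policy <rego-text>: the metadata.annotations fragment to
# paste into a pod manifest.
annotation_from_policy() {
  printf '  annotations:\n    io.katacontainers.config.agent.policy: %s\n' \
    "$(encode_policy "$1")"
}

# Usage: encode, decode again, and summarise what the policy permits.
ENCODED=$(encode_policy "$SAMPLE_POLICY")
DECODED=$(decode_policy "$ENCODED")
echo "allowed by default: $(policy_defaults "$DECODED" true | tr '\n' ' ')"
echo "denied by default:  $(policy_defaults "$DECODED" false | tr '\n' ' ')"
echo "risky defaults:     $(risky_defaults "$DECODED" | tr '\n' ' ')"
annotation_from_policy "$SAMPLE_POLICY"
```

To audit a running pod instead of a file, feed the annotation from kubectl into decode_policy; with kubectl's jsonpath the dots in the key are escaped as "\.", i.e. -o jsonpath='{.metadata.annotations.io\.katacontainers\.config\.agent\.policy}'.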
bpradipt / kata-ds.yaml
Last active December 15, 2023 07:51
Daemonset to replace Kata shim in a CoCo install
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: shim-copy-daemonset
  namespace: confidential-containers-system
spec:
  selector:
    matchLabels:
      app: shim-copy
  template:
bpradipt / azure-image-private-job.yaml
Created September 22, 2023 09:59
K8s job manifest to create Azure podvm image on local subnet
apiVersion: batch/v1
kind: Job
metadata:
  name: azure-image-creation-priv
  namespace: openshift-sandboxed-containers-operator
spec:
  parallelism: 1
  completions: 1
  backoffLimit: 1
  template:
bpradipt / timestamp-command.sh
Created July 11, 2023 15:07
time Dockerfile steps
#!/bin/bash
# Run a command and prefix every line of its combined stdout/stderr with a
# UTC timestamp (microsecond precision), written to stderr.
function timestamp() {
  while IFS= read -r LINE; do
    printf "%s %s\n" "$(TZ=GMT-0 date '+%Y-%m-%dT%T.%N' | cut -c1-26)" "$LINE" 1>&2
  done
}
# usage: ./timestamp-command.sh <command> [args...]
"$@" 2>&1 | timestamp
bpradipt / time-buildah-build.sh
Last active June 29, 2023 14:14 — forked from philpoore/time-docker-build.sh
Generate JSON output of buildah build step timing, useful for profiling
#!/bin/bash
# script: time-buildah-build.sh
#
# All command line arguments are passed to the buildah build command.
#
# usage: ./time-buildah-build.sh [buildah build arguments...]
#
# Acknowledgement: https://gist.github.com/philpoore/05eca572f3aadf70f529c470ac679147
DATE_FORMAT="+%s"
bpradipt / ccv0-patch.patch
Last active January 23, 2023 14:16
ccv0 patch for stable-2.5
diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml
index 5d6dfeb6c..65237c7be 100644
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -1,5 +1,12 @@
name: Cargo Crates Check Runner
-on: [pull_request]
+on:
+ pull_request:
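Review bot: the hunk header @@ -1,5 +1,12 @@ announces seven added lines, but only "on:" and " pull_request:" are visible, so whatever filter the expanded pull_request: block introduces (branches, paths or event types) cannot be reviewed from this excerpt; the commit message should state what the filter is and why it is needed, since narrowing when the "Cargo Crates Check Runner" workflow fires means cargo-deny failures stop surfacing on the pull requests that no longer match the trigger.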
bpradipt / Dockerfile
Created May 23, 2022 12:49
Dockerfile for peer-pods payload
FROM quay.io/confidential-containers/runtime-payload:v0
bpradipt / ccruntime-peer-pods-containerd-aws.yaml
Last active July 22, 2022 11:45
peer-pods ccruntime yaml
apiVersion: confidentialcontainers.org/v1beta1
kind: CcRuntime
metadata:
  name: ccruntime-sample
  namespace: confidential-containers-system
spec:
  # Add fields here
  runtimeName: kata
  ccNodeSelector:
    matchLabels: