aboutsummaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2021-10-25 07:22:11 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2021-10-25 16:50:45 -0400
commita42c131c80fc8c7220687c56cf4384a224572ca0 (patch)
tree6b3907947aa49553ace7642034632b0ad8206157 /vendor/github.com/opencontainers
parentdbe770e3ce2ac2e34ffa8e28b80df57eb0182a68 (diff)
downloadpodman-a42c131c80fc8c7220687c56cf4384a224572ca0.tar.gz
podman-a42c131c80fc8c7220687c56cf4384a224572ca0.tar.bz2
podman-a42c131c80fc8c7220687c56cf4384a224572ca0.zip
Update vendor github.com/opencontainers/runtime-tools
This will change mount of /dev within container to noexec, making containers slightly more secure. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com/opencontainers')
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/generate.go81
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go14
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/validate/validate.go2
3 files changed, 84 insertions, 13 deletions
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
index 6d3268902..70b175362 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
@@ -29,6 +29,9 @@ var (
type Generator struct {
Config *rspec.Spec
HostSpecific bool
+ // This is used to keep a cache of the ENVs added to improve
+ // performance when adding a huge number of ENV variables
+ envMap map[string]int
}
// ExportOptions have toggles for exporting only certain parts of the specification
@@ -179,7 +182,7 @@ func New(os string) (generator Generator, err error) {
Destination: "/dev",
Type: "tmpfs",
Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ Options: []string{"nosuid", "noexec", "strictatime", "mode=755", "size=65536k"},
},
{
Destination: "/dev/pts",
@@ -236,7 +239,12 @@ func New(os string) (generator Generator, err error) {
}
}
- return Generator{Config: &config}, nil
+ envCache := map[string]int{}
+ if config.Process != nil {
+ envCache = createEnvCacheMap(config.Process.Env)
+ }
+
+ return Generator{Config: &config, envMap: envCache}, nil
}
// NewFromSpec creates a configuration Generator from a given
@@ -246,8 +254,14 @@ func New(os string) (generator Generator, err error) {
//
// generator := Generator{Config: config}
func NewFromSpec(config *rspec.Spec) Generator {
+ envCache := map[string]int{}
+ if config != nil && config.Process != nil {
+ envCache = createEnvCacheMap(config.Process.Env)
+ }
+
return Generator{
Config: config,
+ envMap: envCache,
}
}
@@ -273,11 +287,27 @@ func NewFromTemplate(r io.Reader) (Generator, error) {
if err := json.NewDecoder(r).Decode(&config); err != nil {
return Generator{}, err
}
+
+ envCache := map[string]int{}
+ if config.Process != nil {
+ envCache = createEnvCacheMap(config.Process.Env)
+ }
+
return Generator{
Config: &config,
+ envMap: envCache,
}, nil
}
+// createEnvCacheMap creates a hash map with the ENV variables given by the config
+func createEnvCacheMap(env []string) map[string]int {
+ envMap := make(map[string]int, len(env))
+ for i, val := range env {
+ envMap[val] = i
+ }
+ return envMap
+}
+
// SetSpec sets the configuration in the Generator g.
//
// Deprecated: Replace with:
@@ -414,6 +444,13 @@ func (g *Generator) SetProcessUsername(username string) {
g.Config.Process.User.Username = username
}
+// SetProcessUmask sets g.Config.Process.User.Umask.
+func (g *Generator) SetProcessUmask(umask uint32) {
+ g.initConfigProcess()
+ u := umask
+ g.Config.Process.User.Umask = &u
+}
+
// SetProcessGID sets g.Config.Process.User.GID.
func (g *Generator) SetProcessGID(gid uint32) {
g.initConfigProcess()
@@ -456,21 +493,44 @@ func (g *Generator) ClearProcessEnv() {
return
}
g.Config.Process.Env = []string{}
+ // Clear out the env cache map as well
+ g.envMap = map[string]int{}
}
// AddProcessEnv adds name=value into g.Config.Process.Env, or replaces an
// existing entry with the given name.
func (g *Generator) AddProcessEnv(name, value string) {
+ if name == "" {
+ return
+ }
+
g.initConfigProcess()
+ g.addEnv(fmt.Sprintf("%s=%s", name, value), name)
+}
- env := fmt.Sprintf("%s=%s", name, value)
- for idx := range g.Config.Process.Env {
- if strings.HasPrefix(g.Config.Process.Env[idx], name+"=") {
- g.Config.Process.Env[idx] = env
- return
- }
+// AddMultipleProcessEnv adds multiple name=value into g.Config.Process.Env, or replaces
+// existing entries with the given name.
+func (g *Generator) AddMultipleProcessEnv(envs []string) {
+ g.initConfigProcess()
+
+ for _, val := range envs {
+ split := strings.SplitN(val, "=", 2)
+ g.addEnv(val, split[0])
+ }
+}
+
+// addEnv looks through adds ENV to the Process and checks envMap for
+// any duplicates
+// This is called by both AddMultipleProcessEnv and AddProcessEnv
+func (g *Generator) addEnv(env, key string) {
+ if idx, ok := g.envMap[key]; ok {
+ // The ENV exists in the cache, so change its value in g.Config.Process.Env
+ g.Config.Process.Env[idx] = env
+ } else {
+ // else the env doesn't exist, so add it and add it's index to g.envMap
+ g.Config.Process.Env = append(g.Config.Process.Env, env)
+ g.envMap[key] = len(g.Config.Process.Env) - 1
}
- g.Config.Process.Env = append(g.Config.Process.Env, env)
}
// AddProcessRlimits adds rlimit into g.Config.Process.Rlimits.
@@ -1442,9 +1502,6 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) {
g.Config.Linux.Devices[i] = device
return
}
- if dev.Type == device.Type && dev.Major == device.Major && dev.Minor == device.Minor {
- fmt.Fprintln(os.Stderr, "WARNING: The same type, major and minor should not be used for multiple devices.")
- }
}
g.Config.Linux.Devices = append(g.Config.Linux.Devices, device)
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
index 5fee5a3b2..8a8dc3970 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
@@ -566,6 +566,20 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
},
}...)
/* Flags parameter of the clone syscall is the 2nd on s390 */
+ syscalls = append(syscalls, []rspec.LinuxSyscall{
+ {
+ Names: []string{"clone"},
+ Action: rspec.ActAllow,
+ Args: []rspec.LinuxSeccompArg{
+ {
+ Index: 1,
+ Value: 2080505856,
+ ValueTwo: 0,
+ Op: rspec.OpMaskedEqual,
+ },
+ },
+ },
+ }...)
}
return &rspec.LinuxSeccomp{
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
index e2e820979..9c3710529 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@@ -144,7 +144,7 @@ func JSONSchemaURL(version string) (url string, err error) {
func (v *Validator) CheckJSONSchema() (errs error) {
logrus.Debugf("check JSON schema")
- url, err := JSONSchemaURL(v.spec.Version)
+ url, err := JSONSchemaURL(strings.TrimSuffix(v.spec.Version, "-dev"))
if err != nil {
errs = multierror.Append(errs, err)
return errs