summaryrefslogtreecommitdiff
path: root/vendor/github.com
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-08-28 05:37:44 -0400
committerGitHub <noreply@github.com>2020-08-28 05:37:44 -0400
commitd6b13d8a0993aced5e227e7a516aadbf37e14dbc (patch)
tree276c3ffed36d0a12ba2ecce810edd5b831da8dec /vendor/github.com
parenta38e77bbb56983a65419be375a25a336143759a3 (diff)
parent98ead36531378ea22d1298235a10ce476f20391d (diff)
downloadpodman-d6b13d8a0993aced5e227e7a516aadbf37e14dbc.tar.gz
podman-d6b13d8a0993aced5e227e7a516aadbf37e14dbc.tar.bz2
podman-d6b13d8a0993aced5e227e7a516aadbf37e14dbc.zip
Merge pull request #7480 from openSUSE/containers-common
Switch to containers/common for seccomp
Diffstat (limited to 'vendor/github.com')
-rw-r--r--vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go47
-rw-r--r--vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go113
-rw-r--r--vendor/github.com/containers/common/pkg/auth/auth.go9
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go44
-rw-r--r--vendor/github.com/containers/common/pkg/config/config_darwin.go12
-rw-r--r--vendor/github.com/containers/common/pkg/config/config_linux.go21
-rw-r--r--vendor/github.com/containers/common/pkg/config/config_local.go16
-rw-r--r--vendor/github.com/containers/common/pkg/config/config_windows.go10
-rw-r--r--vendor/github.com/containers/common/pkg/config/containers.conf2
-rw-r--r--vendor/github.com/containers/common/pkg/config/default_linux.go6
-rw-r--r--vendor/github.com/containers/common/pkg/config/libpodConfig.go5
-rw-r--r--vendor/github.com/containers/common/pkg/config/util_supported.go2
-rw-r--r--vendor/github.com/containers/common/pkg/retry/retry.go12
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/conversion.go32
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp.json878
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go742
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go183
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go40
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/supported.go72
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/types.go110
-rw-r--r--vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go8
-rw-r--r--vendor/github.com/containers/common/version/version.go2
-rw-r--r--vendor/github.com/containers/storage/.cirrus.yml6
-rw-r--r--vendor/github.com/containers/storage/VERSION2
-rw-r--r--vendor/github.com/containers/storage/drivers/copy/copy_linux.go4
-rw-r--r--vendor/github.com/containers/storage/drivers/counter.go4
-rw-r--r--vendor/github.com/containers/storage/drivers/overlay/overlay.go24
-rw-r--r--vendor/github.com/containers/storage/go.mod6
-rw-r--r--vendor/github.com/containers/storage/go.sum4
-rw-r--r--vendor/github.com/containers/storage/store.go3
-rw-r--r--vendor/github.com/klauspost/compress/huff0/bitwriter.go13
-rw-r--r--vendor/github.com/klauspost/compress/huff0/compress.go10
-rw-r--r--vendor/github.com/klauspost/compress/huff0/decompress.go24
-rw-r--r--vendor/github.com/klauspost/compress/huff0/huff0.go3
-rw-r--r--vendor/github.com/klauspost/compress/zstd/blockenc.go8
-rw-r--r--vendor/github.com/klauspost/compress/zstd/encoder.go1
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/.travis.yml37
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md (renamed from vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES)92
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/README.md (renamed from vendor/github.com/seccomp/libseccomp-golang/README)26
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/go.mod3
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/go.sum23
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/seccomp.go84
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go53
43 files changed, 2586 insertions, 210 deletions
diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go
index e0b5c5677..4f11e4ed2 100644
--- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go
+++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go
@@ -13,6 +13,7 @@ import (
"strings"
"text/template"
+ "github.com/containers/common/pkg/apparmor/internal/supported"
"github.com/containers/storage/pkg/unshare"
runcaa "github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/pkg/errors"
@@ -22,12 +23,11 @@ import (
// profileDirectory is the file store for apparmor profiles and macros.
var profileDirectory = "/etc/apparmor.d"
-// IsEnabled returns true if AppArmor is enabled on the host.
+// IsEnabled returns true if AppArmor is enabled on the host. It also checks
+// for the existence of the `apparmor_parser` binary, which will be required to
+// apply profiles.
func IsEnabled() bool {
- if unshare.IsRootless() {
- return false
- }
- return runcaa.IsEnabled()
+ return supported.NewAppArmorVerifier().IsSupported() == nil
}
// profileData holds information about the given profile for generation.
@@ -43,7 +43,7 @@ type profileData struct {
}
// generateDefault creates an apparmor profile from ProfileData.
-func (p *profileData) generateDefault(out io.Writer) error {
+func (p *profileData) generateDefault(apparmorParserPath string, out io.Writer) error {
compiled, err := template.New("apparmor_profile").Parse(defaultProfileTemplate)
if err != nil {
return errors.Wrap(err, "create AppArmor profile from template")
@@ -59,7 +59,7 @@ func (p *profileData) generateDefault(out io.Writer) error {
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
}
- ver, err := getAAParserVersion()
+ ver, err := getAAParserVersion(apparmorParserPath)
if err != nil {
return errors.Wrap(err, "get AppArmor version")
}
@@ -85,18 +85,23 @@ func InstallDefault(name string) error {
Name: name,
}
- cmd := exec.Command("apparmor_parser", "-Kr")
+ apparmorParserPath, err := supported.NewAppArmorVerifier().FindAppArmorParserBinary()
+ if err != nil {
+ return errors.Wrap(err, "find `apparmor_parser` binary")
+ }
+
+ cmd := exec.Command(apparmorParserPath, "-Kr")
pipe, err := cmd.StdinPipe()
if err != nil {
- return errors.Wrap(err, "execute apparmor_parser")
+ return errors.Wrapf(err, "execute %s", apparmorParserPath)
}
if err := cmd.Start(); err != nil {
if pipeErr := pipe.Close(); pipeErr != nil {
logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr)
}
- return errors.Wrap(err, "start apparmor_parser command")
+ return errors.Wrapf(err, "start %s command", apparmorParserPath)
}
- if err := p.generateDefault(pipe); err != nil {
+ if err := p.generateDefault(apparmorParserPath, pipe); err != nil {
if pipeErr := pipe.Close(); pipeErr != nil {
logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr)
}
@@ -118,11 +123,17 @@ func InstallDefault(name string) error {
// generation fails.
func DefaultContent(name string) ([]byte, error) {
p := profileData{Name: name}
- var bytes bytes.Buffer
- if err := p.generateDefault(&bytes); err != nil {
+ buffer := &bytes.Buffer{}
+
+ apparmorParserPath, err := supported.NewAppArmorVerifier().FindAppArmorParserBinary()
+ if err != nil {
+ return nil, errors.Wrap(err, "find `apparmor_parser` binary")
+ }
+
+ if err := p.generateDefault(apparmorParserPath, buffer); err != nil {
return nil, errors.Wrap(err, "generate default AppAmor profile")
}
- return bytes.Bytes(), nil
+ return buffer.Bytes(), nil
}
// IsLoaded checks if a profile with the given name has been loaded into the
@@ -159,8 +170,8 @@ func IsLoaded(name string) (bool, error) {
}
// execAAParser runs `apparmor_parser` with the passed arguments.
-func execAAParser(dir string, args ...string) (string, error) {
- c := exec.Command("apparmor_parser", args...)
+func execAAParser(apparmorParserPath, dir string, args ...string) (string, error) {
+ c := exec.Command(apparmorParserPath, args...)
c.Dir = dir
output, err := c.Output()
@@ -172,8 +183,8 @@ func execAAParser(dir string, args ...string) (string, error) {
}
// getAAParserVersion returns the major and minor version of apparmor_parser.
-func getAAParserVersion() (int, error) {
- output, err := execAAParser("", "--version")
+func getAAParserVersion(apparmorParserPath string) (int, error) {
+ output, err := execAAParser(apparmorParserPath, "", "--version")
if err != nil {
return -1, errors.Wrap(err, "execute apparmor_parser")
}
diff --git a/vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go b/vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go
new file mode 100644
index 000000000..778f4e3a2
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go
@@ -0,0 +1,113 @@
+package supported
+
+import (
+ "os"
+ "os/exec"
+ "path/filepath"
+ "sync"
+
+ "github.com/containers/storage/pkg/unshare"
+ runcaa "github.com/opencontainers/runc/libcontainer/apparmor"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+)
+
+//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
+
+// ApparmorVerifier is the global struct for verifying if AppAmor is available
+// on the system.
+type ApparmorVerifier struct {
+ impl verifierImpl
+ parserBinaryPath string
+}
+
+var (
+ singleton *ApparmorVerifier
+ once sync.Once
+)
+
+// NewAppArmorVerifier can be used to retrieve a new ApparmorVerifier instance.
+func NewAppArmorVerifier() *ApparmorVerifier {
+ once.Do(func() {
+ singleton = &ApparmorVerifier{impl: &defaultVerifier{}}
+ })
+ return singleton
+}
+
+// IsSupported returns nil if AppAmor is supported by the host system.
+// The method will error if:
+// - the process runs in rootless mode
+// - AppArmor is disabled by the host system
+// - the `apparmor_parser` binary is not discoverable
+func (a *ApparmorVerifier) IsSupported() error {
+ if a.impl.UnshareIsRootless() {
+ return errors.New("AppAmor is not supported on rootless containers")
+ }
+ if !a.impl.RuncIsEnabled() {
+ return errors.New("AppArmor not supported by the host system")
+ }
+
+ _, err := a.FindAppArmorParserBinary()
+ return err
+}
+
+// FindAppArmorParserBinary returns the `apparmor_parser` binary either from
+// `/sbin` or from `$PATH`. It returns an error if the binary could not be
+// found.
+func (a *ApparmorVerifier) FindAppArmorParserBinary() (string, error) {
+ // Use the memoized path if available
+ if a.parserBinaryPath != "" {
+ logrus.Debugf("Using %s binary", a.parserBinaryPath)
+ return a.parserBinaryPath, nil
+ }
+
+ const (
+ binary = "apparmor_parser"
+ sbin = "/sbin"
+ )
+
+ // `/sbin` is not always in `$PATH`, so we check it explicitly
+ sbinBinaryPath := filepath.Join(sbin, binary)
+ if _, err := a.impl.OsStat(sbinBinaryPath); err == nil {
+ logrus.Debugf("Found %s binary in %s", binary, sbinBinaryPath)
+ a.parserBinaryPath = sbinBinaryPath
+ return sbinBinaryPath, nil
+ }
+
+ // Fallback to checking $PATH
+ if path, err := a.impl.ExecLookPath(binary); err == nil {
+ logrus.Debugf("Found %s binary in %s", binary, path)
+ a.parserBinaryPath = path
+ return path, nil
+ }
+
+ return "", errors.Errorf(
+ "%s binary neither found in %s nor $PATH", binary, sbin,
+ )
+}
+
+//counterfeiter:generate . verifierImpl
+type verifierImpl interface {
+ UnshareIsRootless() bool
+ RuncIsEnabled() bool
+ OsStat(name string) (os.FileInfo, error)
+ ExecLookPath(file string) (string, error)
+}
+
+type defaultVerifier struct{}
+
+func (d *defaultVerifier) UnshareIsRootless() bool {
+ return unshare.IsRootless()
+}
+
+func (d *defaultVerifier) RuncIsEnabled() bool {
+ return runcaa.IsEnabled()
+}
+
+func (d *defaultVerifier) OsStat(name string) (os.FileInfo, error) {
+ return os.Stat(name)
+}
+
+func (d *defaultVerifier) ExecLookPath(file string) (string, error) {
+ return exec.LookPath(file)
+}
diff --git a/vendor/github.com/containers/common/pkg/auth/auth.go b/vendor/github.com/containers/common/pkg/auth/auth.go
index 91ab45f0d..21b988187 100644
--- a/vendor/github.com/containers/common/pkg/auth/auth.go
+++ b/vendor/github.com/containers/common/pkg/auth/auth.go
@@ -40,8 +40,8 @@ func CheckAuthFile(authfile string) error {
// data with the original parameter.
func systemContextWithOptions(sys *types.SystemContext, authFile, certDir string) *types.SystemContext {
if sys != nil {
- copy := *sys
- sys = &copy
+ sysCopy := *sys
+ sys = &sysCopy
} else {
sys = &types.SystemContext{}
}
@@ -126,7 +126,7 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO
if err = docker.CheckAuth(ctx, systemContext, username, password, server); err == nil {
// Write the new credentials to the authfile
- if err = config.SetAuthentication(systemContext, server, username, password); err != nil {
+ if err := config.SetAuthentication(systemContext, server, username, password); err != nil {
return err
}
}
@@ -156,8 +156,7 @@ func getRegistryName(server string) string {
// getUserAndPass gets the username and password from STDIN if not given
// using the -u and -p flags. If the username prompt is left empty, the
// displayed userFromAuthFile will be used instead.
-func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (string, string, error) {
- var err error
+func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (user, pass string, err error) {
reader := bufio.NewReader(opts.Stdin)
username := opts.Username
if username == "" {
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index e1bd4fc27..78811b47a 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -612,11 +612,11 @@ func (c *ContainersConfig) Validate() error {
}
if c.LogSizeMax >= 0 && c.LogSizeMax < OCIBufSize {
- return fmt.Errorf("log size max should be negative or >= %d", OCIBufSize)
+ return errors.Errorf("log size max should be negative or >= %d", OCIBufSize)
}
if _, err := units.FromHumanSize(c.ShmSize); err != nil {
- return fmt.Errorf("invalid --shm-size %s, %q", c.ShmSize, err)
+ return errors.Errorf("invalid --shm-size %s, %q", c.ShmSize, err)
}
return nil
@@ -759,15 +759,13 @@ func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []s
// '/dev/sdc:/dev/xvdc"
// '/dev/sdc:/dev/xvdc:rwm"
// '/dev/sdc:rm"
-func Device(device string) (string, string, string, error) {
- src := ""
- dst := ""
- permissions := "rwm"
+func Device(device string) (src, dst, permissions string, err error) {
+ permissions = "rwm"
split := strings.Split(device, ":")
switch len(split) {
case 3:
if !IsValidDeviceMode(split[2]) {
- return "", "", "", fmt.Errorf("invalid device mode: %s", split[2])
+ return "", "", "", errors.Errorf("invalid device mode: %s", split[2])
}
permissions = split[2]
fallthrough
@@ -775,19 +773,19 @@ func Device(device string) (string, string, string, error) {
if IsValidDeviceMode(split[1]) {
permissions = split[1]
} else {
- if len(split[1]) == 0 || split[1][0] != '/' {
- return "", "", "", fmt.Errorf("invalid device mode: %s", split[1])
+ if split[1] == "" || split[1][0] != '/' {
+ return "", "", "", errors.Errorf("invalid device mode: %s", split[1])
}
dst = split[1]
}
fallthrough
case 1:
if !strings.HasPrefix(split[0], "/dev/") {
- return "", "", "", fmt.Errorf("invalid device mode: %s", split[0])
+ return "", "", "", errors.Errorf("invalid device mode: %s", split[0])
}
src = split[0]
default:
- return "", "", "", fmt.Errorf("invalid device specification: %s", device)
+ return "", "", "", errors.Errorf("invalid device specification: %s", device)
}
if dst == "" {
@@ -908,21 +906,6 @@ func Path() string {
return OverrideContainersConfig
}
-func customConfigFile() (string, error) {
- path := os.Getenv("CONTAINERS_CONF")
- if path != "" {
- return path, nil
- }
- if unshare.IsRootless() {
- path, err := rootlessConfigPath()
- if err != nil {
- return "", err
- }
- return path, nil
- }
- return OverrideContainersConfig, nil
-}
-
// ReadCustomConfig reads the custom config and only generates a config based on it
// If the custom config file does not exists, function will return an empty config
func ReadCustomConfig() (*Config, error) {
@@ -943,7 +926,7 @@ func ReadCustomConfig() (*Config, error) {
newConfig := &Config{}
if _, err := os.Stat(path); err == nil {
- if err = readConfigFromFile(path, newConfig); err != nil {
+ if err := readConfigFromFile(path, newConfig); err != nil {
return nil, err
}
} else {
@@ -990,13 +973,12 @@ func Reload() (*Config, error) {
return defConfig()
}
-func (c *Config) ActiveDestination() (string, string, error) {
+func (c *Config) ActiveDestination() (uri, identity string, err error) {
if uri, found := os.LookupEnv("CONTAINER_HOST"); found {
- var ident string
if v, found := os.LookupEnv("CONTAINER_SSHKEY"); found {
- ident = v
+ identity = v
}
- return uri, ident, nil
+ return uri, identity, nil
}
switch {
diff --git a/vendor/github.com/containers/common/pkg/config/config_darwin.go b/vendor/github.com/containers/common/pkg/config/config_darwin.go
new file mode 100644
index 000000000..a264b1888
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/config/config_darwin.go
@@ -0,0 +1,12 @@
+package config
+
+import (
+ "os"
+)
+
+func customConfigFile() (string, error) {
+ if path, found := os.LookupEnv("CONTAINERS_CONF"); found {
+ return path, nil
+ }
+ return rootlessConfigPath()
+}
diff --git a/vendor/github.com/containers/common/pkg/config/config_linux.go b/vendor/github.com/containers/common/pkg/config/config_linux.go
index 17b862967..77e06105e 100644
--- a/vendor/github.com/containers/common/pkg/config/config_linux.go
+++ b/vendor/github.com/containers/common/pkg/config/config_linux.go
@@ -1,7 +1,26 @@
package config
-import selinux "github.com/opencontainers/selinux/go-selinux"
+import (
+ "os"
+
+ "github.com/containers/storage/pkg/unshare"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+)
func selinuxEnabled() bool {
return selinux.GetEnabled()
}
+
+func customConfigFile() (string, error) {
+ if path, found := os.LookupEnv("CONTAINERS_CONF"); found {
+ return path, nil
+ }
+ if unshare.IsRootless() {
+ path, err := rootlessConfigPath()
+ if err != nil {
+ return "", err
+ }
+ return path, nil
+ }
+ return OverrideContainersConfig, nil
+}
diff --git a/vendor/github.com/containers/common/pkg/config/config_local.go b/vendor/github.com/containers/common/pkg/config/config_local.go
index b1d1644dd..8a27c9626 100644
--- a/vendor/github.com/containers/common/pkg/config/config_local.go
+++ b/vendor/github.com/containers/common/pkg/config/config_local.go
@@ -3,7 +3,6 @@
package config
import (
- "fmt"
"os"
"path/filepath"
"regexp"
@@ -11,6 +10,7 @@ import (
"syscall"
units "github.com/docker/go-units"
+ "github.com/pkg/errors"
)
// isDirectory tests whether the given path exists and is a directory. It
@@ -43,13 +43,13 @@ func (c *EngineConfig) validatePaths() error {
// shift between runs or even parts of the program. - The OCI runtime
// uses a different working directory than we do, for example.
if c.StaticDir != "" && !filepath.IsAbs(c.StaticDir) {
- return fmt.Errorf("static directory must be an absolute path - instead got %q", c.StaticDir)
+ return errors.Errorf("static directory must be an absolute path - instead got %q", c.StaticDir)
}
if c.TmpDir != "" && !filepath.IsAbs(c.TmpDir) {
- return fmt.Errorf("temporary directory must be an absolute path - instead got %q", c.TmpDir)
+ return errors.Errorf("temporary directory must be an absolute path - instead got %q", c.TmpDir)
}
if c.VolumePath != "" && !filepath.IsAbs(c.VolumePath) {
- return fmt.Errorf("volume path must be an absolute path - instead got %q", c.VolumePath)
+ return errors.Errorf("volume path must be an absolute path - instead got %q", c.VolumePath)
}
return nil
}
@@ -68,7 +68,7 @@ func (c *ContainersConfig) validateUlimits() error {
for _, u := range c.DefaultUlimits {
ul, err := units.ParseUlimit(u)
if err != nil {
- return fmt.Errorf("unrecognized ulimit %s: %v", u, err)
+ return errors.Wrapf(err, "unrecognized ulimit %s", u)
}
_, err = ul.GetRlimit()
if err != nil {
@@ -96,8 +96,8 @@ func (c *ContainersConfig) validateTZ() error {
}
}
- return fmt.Errorf(
- "unable to find timezone %s in paths: %s",
+ return errors.Errorf(
+ "find timezone %s in paths: %s",
c.TZ, strings.Join(lookupPaths, ", "),
)
}
@@ -105,7 +105,7 @@ func (c *ContainersConfig) validateTZ() error {
func (c *ContainersConfig) validateUmask() error {
validUmask := regexp.MustCompile(`^[0-7]{1,4}$`)
if !validUmask.MatchString(c.Umask) {
- return fmt.Errorf("Not a valid Umask %s", c.Umask)
+ return errors.Errorf("not a valid umask %s", c.Umask)
}
return nil
}
diff --git a/vendor/github.com/containers/common/pkg/config/config_windows.go b/vendor/github.com/containers/common/pkg/config/config_windows.go
new file mode 100644
index 000000000..1c9806e6b
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/config/config_windows.go
@@ -0,0 +1,10 @@
+package config
+
+import "os"
+
+func customConfigFile() (string, error) {
+ if path, found := os.LookupEnv("CONTAINERS_CONF"); found {
+ return path, nil
+ }
+ return os.Getenv("APPDATA") + "\\containers\\containers.conf", nil
+}
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index ff4d99bda..5ee72e759 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -92,7 +92,7 @@
# Ulimits has limits for non privileged container engines.
#
# default_ulimits = [
-# "nofile"="1280:2560",
+# "nofile=1280:2560",
# ]
# List of default DNS options to be added to /etc/resolv.conf inside of the container.
diff --git a/vendor/github.com/containers/common/pkg/config/default_linux.go b/vendor/github.com/containers/common/pkg/config/default_linux.go
index e49413d7a..f61d9ba54 100644
--- a/vendor/github.com/containers/common/pkg/config/default_linux.go
+++ b/vendor/github.com/containers/common/pkg/config/default_linux.go
@@ -32,10 +32,8 @@ func getDefaultProcessLimits() []string {
defaultLimits := []string{}
if err := unix.Setrlimit(unix.RLIMIT_NPROC, &rlim); err == nil {
defaultLimits = append(defaultLimits, fmt.Sprintf("nproc=%d:%d", rlim.Cur, rlim.Max))
- } else {
- if err := unix.Setrlimit(unix.RLIMIT_NPROC, &oldrlim); err == nil {
- defaultLimits = append(defaultLimits, fmt.Sprintf("nproc=%d:%d", oldrlim.Cur, oldrlim.Max))
- }
+ } else if err := unix.Setrlimit(unix.RLIMIT_NPROC, &oldrlim); err == nil {
+ defaultLimits = append(defaultLimits, fmt.Sprintf("nproc=%d:%d", oldrlim.Cur, oldrlim.Max))
}
return defaultLimits
}
diff --git a/vendor/github.com/containers/common/pkg/config/libpodConfig.go b/vendor/github.com/containers/common/pkg/config/libpodConfig.go
index 9d04da7f5..07dd06240 100644
--- a/vendor/github.com/containers/common/pkg/config/libpodConfig.go
+++ b/vendor/github.com/containers/common/pkg/config/libpodConfig.go
@@ -3,7 +3,6 @@ package config
/* libpodConfig.go contains deprecated functionality and should not be used any longer */
import (
- "fmt"
"os"
"os/exec"
"path/filepath"
@@ -168,7 +167,7 @@ type ConfigFromLibpod struct {
// EventsLogFilePath is where the events log is stored.
EventsLogFilePath string `toml:"events_logfile_path,omitempty"`
- //DetachKeys is the sequence of keys used to detach a container.
+ // DetachKeys is the sequence of keys used to detach a container.
DetachKeys string `toml:"detach_keys,omitempty"`
// SDNotify tells Libpod to allow containers to notify the host systemd of
@@ -247,7 +246,7 @@ func readLibpodConfigFromFile(path string, config *ConfigFromLibpod) (*ConfigFro
logrus.Debugf("Reading configuration file %q", path)
_, err := toml.DecodeFile(path, config)
if err != nil {
- return nil, fmt.Errorf("unable to decode configuration %v: %v", path, err)
+ return nil, errors.Wrapf(err, "decode configuration %s", path)
}
return config, err
diff --git a/vendor/github.com/containers/common/pkg/config/util_supported.go b/vendor/github.com/containers/common/pkg/config/util_supported.go
index 2cdf54549..4595716d1 100644
--- a/vendor/github.com/containers/common/pkg/config/util_supported.go
+++ b/vendor/github.com/containers/common/pkg/config/util_supported.go
@@ -49,7 +49,7 @@ func getRuntimeDir() (string, error) {
if runtimeDir == "" {
home := os.Getenv("HOME")
if home == "" {
- rootlessRuntimeDirError = fmt.Errorf("neither XDG_RUNTIME_DIR nor HOME was set non-empty")
+ rootlessRuntimeDirError = errors.New("neither XDG_RUNTIME_DIR nor HOME was set non-empty")
return
}
resolvedHome, err := filepath.EvalSymlinks(home)
diff --git a/vendor/github.com/containers/common/pkg/retry/retry.go b/vendor/github.com/containers/common/pkg/retry/retry.go
index c20f900d8..d0ac19fb6 100644
--- a/vendor/github.com/containers/common/pkg/retry/retry.go
+++ b/vendor/github.com/containers/common/pkg/retry/retry.go
@@ -2,6 +2,7 @@ package retry
import (
"context"
+ "io"
"math"
"net"
"net/url"
@@ -17,7 +18,8 @@ import (
// RetryOptions defines the option to retry
type RetryOptions struct {
- MaxRetry int // The number of times to possibly retry
+ MaxRetry int // The number of times to possibly retry
+ Delay time.Duration // The delay to use between retries, if set
}
// RetryIfNecessary retries the operation in exponential backoff with the retryOptions
@@ -25,6 +27,9 @@ func RetryIfNecessary(ctx context.Context, operation func() error, retryOptions
err := operation()
for attempt := 0; err != nil && isRetryable(err) && attempt < retryOptions.MaxRetry; attempt++ {
delay := time.Duration(int(math.Pow(2, float64(attempt)))) * time.Second
+ if retryOptions.Delay != 0 {
+ delay = retryOptions.Delay
+ }
logrus.Infof("Warning: failed, retrying in %s ... (%d/%d)", delay, attempt+1, retryOptions.MaxRetry)
select {
case <-time.After(delay):
@@ -58,7 +63,10 @@ func isRetryable(err error) bool {
return true
case *net.OpError:
return isRetryable(e.Err)
- case *url.Error:
+ case *url.Error: // This includes errors returned by the net/http client.
+ if e.Err == io.EOF { // Happens when a server accepts a HTTP connection and sends EOF
+ return true
+ }
return isRetryable(e.Err)
case syscall.Errno:
return e != syscall.ECONNREFUSED
diff --git a/vendor/github.com/containers/common/pkg/seccomp/conversion.go b/vendor/github.com/containers/common/pkg/seccomp/conversion.go
new file mode 100644
index 000000000..79a893ba3
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/conversion.go
@@ -0,0 +1,32 @@
+package seccomp
+
+import "fmt"
+
+var goArchToSeccompArchMap = map[string]Arch{
+ "386": ArchX86,
+ "amd64": ArchX86_64,
+ "amd64p32": ArchX32,
+ "arm": ArchARM,
+ "arm64": ArchAARCH64,
+ "mips": ArchMIPS,
+ "mips64": ArchMIPS64,
+ "mips64le": ArchMIPSEL64,
+ "mips64p32": ArchMIPS64N32,
+ "mips64p32le": ArchMIPSEL64N32,
+ "mipsle": ArchMIPSEL,
+ "ppc": ArchPPC,
+ "ppc64": ArchPPC64,
+ "ppc64le": ArchPPC64LE,
+ "s390": ArchS390,
+ "s390x": ArchS390X,
+}
+
+// GoArchToSeccompArch converts a runtime.GOARCH to a seccomp `Arch`. The
+// function returns an error if the architecture conversion is not supported.
+func GoArchToSeccompArch(goArch string) (Arch, error) {
+ arch, ok := goArchToSeccompArchMap[goArch]
+ if !ok {
+ return "", fmt.Errorf("unsupported go arch provided: %s", goArch)
+ }
+ return arch, nil
+}
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
new file mode 100644
index 000000000..06b39024a
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
@@ -0,0 +1,878 @@
+{
+ "defaultAction": "SCMP_ACT_ERRNO",
+ "archMap": [
+ {
+ "architecture": "SCMP_ARCH_X86_64",
+ "subArchitectures": [
+ "SCMP_ARCH_X86",
+ "SCMP_ARCH_X32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_AARCH64",
+ "subArchitectures": [
+ "SCMP_ARCH_ARM"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPS64",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPS",
+ "SCMP_ARCH_MIPS64N32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPS64N32",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPS",
+ "SCMP_ARCH_MIPS64"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPSEL64",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPSEL",
+ "SCMP_ARCH_MIPSEL64N32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPSEL64N32",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPSEL",
+ "SCMP_ARCH_MIPSEL64"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_S390X",
+ "subArchitectures": [
+ "SCMP_ARCH_S390"
+ ]
+ }
+ ],
+ "syscalls": [
+ {
+ "names": [
+ "_llseek",
+ "_newselect",
+ "accept",
+ "accept4",
+ "access",
+ "adjtimex",
+ "alarm",
+ "bind",
+ "brk",
+ "capget",
+ "capset",
+ "chdir",
+ "chmod",
+ "chown",
+ "chown32",
+ "clock_getres",
+ "clock_gettime",
+ "clock_nanosleep",
+ "close",
+ "connect",
+ "copy_file_range",
+ "creat",
+ "dup",
+ "dup2",
+ "dup3",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_ctl_old",
+ "epoll_pwait",
+ "epoll_wait",
+ "epoll_wait_old",
+ "eventfd",
+ "eventfd2",
+ "execve",
+ "execveat",
+ "exit",
+ "exit_group",
+ "faccessat",
+ "fadvise64",
+ "fadvise64_64",
+ "fallocate",
+ "fanotify_mark",
+ "fchdir",
+ "fchmod",
+ "fchmodat",
+ "fchown",
+ "fchown32",
+ "fchownat",
+ "fcntl",
+ "fcntl64",
+ "fdatasync",
+ "fgetxattr",
+ "flistxattr",
+ "flock",
+ "fork",
+ "fremovexattr",
+ "fsetxattr",
+ "fstat",
+ "fstat64",
+ "fstatat64",
+ "fstatfs",
+ "fstatfs64",
+ "fsync",
+ "ftruncate",
+ "ftruncate64",
+ "futex",
+ "futimesat",
+ "get_robust_list",
+ "get_thread_area",
+ "getcpu",
+ "getcwd",
+ "getdents",
+ "getdents64",
+ "getegid",
+ "getegid32",
+ "geteuid",
+ "geteuid32",
+ "getgid",
+ "getgid32",
+ "getgroups",
+ "getgroups32",
+ "getitimer",
+ "getpeername",
+ "getpgid",
+ "getpgrp",
+ "getpid",
+ "getppid",
+ "getpriority",
+ "getrandom",
+ "getresgid",
+ "getresgid32",
+ "getresuid",
+ "getresuid32",
+ "getrlimit",
+ "getrusage",
+ "getsid",
+ "getsockname",
+ "getsockopt",
+ "gettid",
+ "gettimeofday",
+ "getuid",
+ "getuid32",
+ "getxattr",
+ "inotify_add_watch",
+ "inotify_init",
+ "inotify_init1",
+ "inotify_rm_watch",
+ "io_cancel",
+ "io_destroy",
+ "io_getevents",
+ "io_setup",
+ "io_submit",
+ "ioctl",
+ "ioprio_get",
+ "ioprio_set",
+ "ipc",
+ "kill",
+ "lchown",
+ "lchown32",
+ "lgetxattr",
+ "link",
+ "linkat",
+ "listen",
+ "listxattr",
+ "llistxattr",
+ "lremovexattr",
+ "lseek",
+ "lsetxattr",
+ "lstat",
+ "lstat64",
+ "madvise",
+ "memfd_create",
+ "mincore",
+ "mkdir",
+ "mkdirat",
+ "mknod",
+ "mknodat",
+ "mlock",
+ "mlock2",
+ "mlockall",
+ "mmap",
+ "mmap2",
+ "mount",
+ "mprotect",
+ "mq_getsetattr",
+ "mq_notify",
+ "mq_open",
+ "mq_timedreceive",
+ "mq_timedsend",
+ "mq_unlink",
+ "mremap",
+ "msgctl",
+ "msgget",
+ "msgrcv",
+ "msgsnd",
+ "msync",
+ "munlock",
+ "munlockall",
+ "munmap",
+ "name_to_handle_at",
+ "nanosleep",
+ "newfstatat",
+ "open",
+ "openat",
+ "pause",
+ "pipe",
+ "pipe2",
+ "poll",
+ "ppoll",
+ "prctl",
+ "pread64",
+ "preadv",
+ "preadv2",
+ "prlimit64",
+ "pselect6",
+ "pwrite64",
+ "pwritev",
+ "pwritev2",
+ "read",
+ "readahead",
+ "readlink",
+ "readlinkat",
+ "readv",
+ "reboot",
+ "recv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmsg",
+ "remap_file_pages",
+ "removexattr",
+ "rename",
+ "renameat",
+ "renameat2",
+ "restart_syscall",
+ "rmdir",
+ "rt_sigaction",
+ "rt_sigpending",
+ "rt_sigprocmask",
+ "rt_sigqueueinfo",
+ "rt_sigreturn",
+ "rt_sigsuspend",
+ "rt_sigtimedwait",
+ "rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
+ "sched_getaffinity",
+ "sched_getattr",
+ "sched_getparam",
+ "sched_getscheduler",
+ "sched_rr_get_interval",
+ "sched_setaffinity",
+ "sched_setattr",
+ "sched_setparam",
+ "sched_setscheduler",
+ "sched_yield",
+ "seccomp",
+ "select",
+ "semctl",
+ "semget",
+ "semop",
+ "semtimedop",
+ "send",
+ "sendfile",
+ "sendfile64",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
+ "setfsgid",
+ "setfsgid32",
+ "setfsuid",
+ "setfsuid32",
+ "setgid",
+ "setgid32",
+ "setgroups",
+ "setgroups32",
+ "setitimer",
+ "setpgid",
+ "setpriority",
+ "setregid",
+ "setregid32",
+ "setresgid",
+ "setresgid32",
+ "setresuid",
+ "setresuid32",
+ "setreuid",
+ "setreuid32",
+ "setrlimit",
+ "setsid",
+ "setsockopt",
+ "setuid",
+ "setuid32",
+ "setxattr",
+ "shmat",
+ "shmctl",
+ "shmdt",
+ "shmget",
+ "shutdown",
+ "sigaltstack",
+ "signalfd",
+ "signalfd4",
+ "sigreturn",
+ "socketcall",
+ "socketpair",
+ "splice",
+ "stat",
+ "stat64",
+ "statfs",
+ "statfs64",
+ "statx",
+ "symlink",
+ "symlinkat",
+ "sync",
+ "sync_file_range",
+ "syncfs",
+ "sysinfo",
+ "syslog",
+ "tee",
+ "tgkill",
+ "time",
+ "timer_create",
+ "timer_delete",
+ "timer_getoverrun",
+ "timer_gettime",
+ "timer_settime",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
+ "times",
+ "tkill",
+ "truncate",
+ "truncate64",
+ "ugetrlimit",
+ "umask",
+ "umount",
+ "umount2",
+ "uname",
+ "unlink",
+ "unlinkat",
+ "unshare",
+ "utime",
+ "utimensat",
+ "utimes",
+ "vfork",
+ "vmsplice",
+ "wait4",
+ "waitid",
+ "waitpid",
+ "write",
+ "writev"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 0,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 8,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 131072,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 131080,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 4294967295,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "sync_file_range2"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "ppc64le"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "arm_fadvise64_64",
+ "arm_sync_file_range",
+ "sync_file_range2",
+ "breakpoint",
+ "cacheflush",
+ "set_tls"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "arm",
+ "arm64"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "arch_prctl"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "amd64",
+ "x32"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "modify_ldt"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "amd64",
+ "x32",
+ "x86"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "s390_pci_mmio_read",
+ "s390_pci_mmio_write",
+ "s390_runtime_instr"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "s390",
+ "s390x"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "open_by_handle_at"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_DAC_READ_SEARCH"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "bpf",
+ "clone",
+ "fanotify_init",
+ "lookup_dcookie",
+ "mount",
+ "name_to_handle_at",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns",
+ "umount",
+ "umount2",
+ "unshare"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "clone"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 2080505856,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_MASKED_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ],
+ "arches": [
+ "s390",
+ "s390x"
+ ]
+ }
+ },
+ {
+ "names": [
+ "clone"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 1,
+ "value": 2080505856,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_MASKED_EQ"
+ }
+ ],
+ "comment": "s390 parameter ordering for clone is different",
+ "includes": {
+ "arches": [
+ "s390",
+ "s390x"
+ ]
+ },
+ "excludes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ]
+ }
+ },
+ {
+ "names": [
+ "reboot"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_BOOT"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "chroot"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_CHROOT"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "delete_module",
+ "init_module",
+ "finit_module",
+ "query_module"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_MODULE"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "get_mempolicy",
+ "mbind",
+ "name_to_handle_at",
+ "set_mempolicy"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_NICE"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "acct"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_PACCT"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "kcmp",
+ "process_vm_readv",
+ "process_vm_writev",
+ "ptrace"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_PTRACE"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "iopl",
+ "ioperm"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_RAWIO"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "settimeofday",
+ "stime",
+ "clock_settime"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_TIME"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "vhangup"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_TTY_CONFIG"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ },
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "errnoRet": 22
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": null,
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "excludes": {}
+ }
+ ]
+} \ No newline at end of file
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go
new file mode 100644
index 000000000..f12cf02c9
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go
@@ -0,0 +1,742 @@
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
+package seccomp
+
+import (
+ "syscall"
+
+ "golang.org/x/sys/unix"
+)
+
+func arches() []Architecture {
+ return []Architecture{
+ {
+ Arch: ArchX86_64,
+ SubArches: []Arch{ArchX86, ArchX32},
+ },
+ {
+ Arch: ArchAARCH64,
+ SubArches: []Arch{ArchARM},
+ },
+ {
+ Arch: ArchMIPS64,
+ SubArches: []Arch{ArchMIPS, ArchMIPS64N32},
+ },
+ {
+ Arch: ArchMIPS64N32,
+ SubArches: []Arch{ArchMIPS, ArchMIPS64},
+ },
+ {
+ Arch: ArchMIPSEL64,
+ SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32},
+ },
+ {
+ Arch: ArchMIPSEL64N32,
+ SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64},
+ },
+ {
+ Arch: ArchS390X,
+ SubArches: []Arch{ArchS390},
+ },
+ }
+}
+
+// DefaultProfile defines the allowlist for the default seccomp profile.
+func DefaultProfile() *Seccomp {
+ einval := uint(syscall.EINVAL)
+
+ syscalls := []*Syscall{
+ {
+ Names: []string{
+ "_llseek",
+ "_newselect",
+ "accept",
+ "accept4",
+ "access",
+ "adjtimex",
+ "alarm",
+ "bind",
+ "brk",
+ "capget",
+ "capset",
+ "chdir",
+ "chmod",
+ "chown",
+ "chown32",
+ "clock_getres",
+ "clock_gettime",
+ "clock_nanosleep",
+ "close",
+ "connect",
+ "copy_file_range",
+ "creat",
+ "dup",
+ "dup2",
+ "dup3",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_ctl_old",
+ "epoll_pwait",
+ "epoll_wait",
+ "epoll_wait_old",
+ "eventfd",
+ "eventfd2",
+ "execve",
+ "execveat",
+ "exit",
+ "exit_group",
+ "faccessat",
+ "fadvise64",
+ "fadvise64_64",
+ "fallocate",
+ "fanotify_mark",
+ "fchdir",
+ "fchmod",
+ "fchmodat",
+ "fchown",
+ "fchown32",
+ "fchownat",
+ "fcntl",
+ "fcntl64",
+ "fdatasync",
+ "fgetxattr",
+ "flistxattr",
+ "flock",
+ "fork",
+ "fremovexattr",
+ "fsetxattr",
+ "fstat",
+ "fstat64",
+ "fstatat64",
+ "fstatfs",
+ "fstatfs64",
+ "fsync",
+ "ftruncate",
+ "ftruncate64",
+ "futex",
+ "futimesat",
+ "get_robust_list",
+ "get_thread_area",
+ "getcpu",
+ "getcwd",
+ "getdents",
+ "getdents64",
+ "getegid",
+ "getegid32",
+ "geteuid",
+ "geteuid32",
+ "getgid",
+ "getgid32",
+ "getgroups",
+ "getgroups32",
+ "getitimer",
+ "getpeername",
+ "getpgid",
+ "getpgrp",
+ "getpid",
+ "getppid",
+ "getpriority",
+ "getrandom",
+ "getresgid",
+ "getresgid32",
+ "getresuid",
+ "getresuid32",
+ "getrlimit",
+ "getrusage",
+ "getsid",
+ "getsockname",
+ "getsockopt",
+ "gettid",
+ "gettimeofday",
+ "getuid",
+ "getuid32",
+ "getxattr",
+ "inotify_add_watch",
+ "inotify_init",
+ "inotify_init1",
+ "inotify_rm_watch",
+ "io_cancel",
+ "io_destroy",
+ "io_getevents",
+ "io_setup",
+ "io_submit",
+ "ioctl",
+ "ioprio_get",
+ "ioprio_set",
+ "ipc",
+ "kill",
+ "lchown",
+ "lchown32",
+ "lgetxattr",
+ "link",
+ "linkat",
+ "listen",
+ "listxattr",
+ "llistxattr",
+ "lremovexattr",
+ "lseek",
+ "lsetxattr",
+ "lstat",
+ "lstat64",
+ "madvise",
+ "memfd_create",
+ "mincore",
+ "mkdir",
+ "mkdirat",
+ "mknod",
+ "mknodat",
+ "mlock",
+ "mlock2",
+ "mlockall",
+ "mmap",
+ "mmap2",
+ "mount",
+ "mprotect",
+ "mq_getsetattr",
+ "mq_notify",
+ "mq_open",
+ "mq_timedreceive",
+ "mq_timedsend",
+ "mq_unlink",
+ "mremap",
+ "msgctl",
+ "msgget",
+ "msgrcv",
+ "msgsnd",
+ "msync",
+ "munlock",
+ "munlockall",
+ "munmap",
+ "name_to_handle_at",
+ "nanosleep",
+ "newfstatat",
+ "open",
+ "openat",
+ "pause",
+ "pipe",
+ "pipe2",
+ "poll",
+ "ppoll",
+ "prctl",
+ "pread64",
+ "preadv",
+ "preadv2",
+ "prlimit64",
+ "pselect6",
+ "pwrite64",
+ "pwritev",
+ "pwritev2",
+ "read",
+ "readahead",
+ "readlink",
+ "readlinkat",
+ "readv",
+ "reboot",
+ "recv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmsg",
+ "remap_file_pages",
+ "removexattr",
+ "rename",
+ "renameat",
+ "renameat2",
+ "restart_syscall",
+ "rmdir",
+ "rt_sigaction",
+ "rt_sigpending",
+ "rt_sigprocmask",
+ "rt_sigqueueinfo",
+ "rt_sigreturn",
+ "rt_sigsuspend",
+ "rt_sigtimedwait",
+ "rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
+ "sched_getaffinity",
+ "sched_getattr",
+ "sched_getparam",
+ "sched_getscheduler",
+ "sched_rr_get_interval",
+ "sched_setaffinity",
+ "sched_setattr",
+ "sched_setparam",
+ "sched_setscheduler",
+ "sched_yield",
+ "seccomp",
+ "select",
+ "semctl",
+ "semget",
+ "semop",
+ "semtimedop",
+ "send",
+ "sendfile",
+ "sendfile64",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
+ "setfsgid",
+ "setfsgid32",
+ "setfsuid",
+ "setfsuid32",
+ "setgid",
+ "setgid32",
+ "setgroups",
+ "setgroups32",
+ "setitimer",
+ "setpgid",
+ "setpriority",
+ "setregid",
+ "setregid32",
+ "setresgid",
+ "setresgid32",
+ "setresuid",
+ "setresuid32",
+ "setreuid",
+ "setreuid32",
+ "setrlimit",
+ "setsid",
+ "setsockopt",
+ "setuid",
+ "setuid32",
+ "setxattr",
+ "shmat",
+ "shmctl",
+ "shmdt",
+ "shmget",
+ "shutdown",
+ "sigaltstack",
+ "signalfd",
+ "signalfd4",
+ "sigreturn",
+ "socketcall",
+ "socketpair",
+ "splice",
+ "stat",
+ "stat64",
+ "statfs",
+ "statfs64",
+ "statx",
+ "symlink",
+ "symlinkat",
+ "sync",
+ "sync_file_range",
+ "syncfs",
+ "sysinfo",
+ "syslog",
+ "tee",
+ "tgkill",
+ "time",
+ "timer_create",
+ "timer_delete",
+ "timer_getoverrun",
+ "timer_gettime",
+ "timer_settime",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
+ "times",
+ "tkill",
+ "truncate",
+ "truncate64",
+ "ugetrlimit",
+ "umask",
+ "umount",
+ "umount2",
+ "uname",
+ "unlink",
+ "unlinkat",
+ "unshare",
+ "utime",
+ "utimensat",
+ "utimes",
+ "vfork",
+ "vmsplice",
+ "wait4",
+ "waitid",
+ "waitpid",
+ "write",
+ "writev",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x0,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x0008,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x20000,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0x20008,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{"personality"},
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: 0xffffffff,
+ Op: OpEqualTo,
+ },
+ },
+ },
+ {
+ Names: []string{
+ "sync_file_range2",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"ppc64le"},
+ },
+ },
+ {
+ Names: []string{
+ "arm_fadvise64_64",
+ "arm_sync_file_range",
+ "sync_file_range2",
+ "breakpoint",
+ "cacheflush",
+ "set_tls",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"arm", "arm64"},
+ },
+ },
+ {
+ Names: []string{
+ "arch_prctl",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"amd64", "x32"},
+ },
+ },
+ {
+ Names: []string{
+ "modify_ldt",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"amd64", "x32", "x86"},
+ },
+ },
+ {
+ Names: []string{
+ "s390_pci_mmio_read",
+ "s390_pci_mmio_write",
+ "s390_runtime_instr",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Arches: []string{"s390", "s390x"},
+ },
+ },
+ {
+ Names: []string{
+ "open_by_handle_at",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_DAC_READ_SEARCH"},
+ },
+ },
+ {
+ Names: []string{
+ "bpf",
+ "clone",
+ "fanotify_init",
+ "lookup_dcookie",
+ "mount",
+ "name_to_handle_at",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns",
+ "umount",
+ "umount2",
+ "unshare",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
+ {
+ Names: []string{
+ "clone",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ ValueTwo: 0,
+ Op: OpMaskedEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ Arches: []string{"s390", "s390x"},
+ },
+ },
+ {
+ Names: []string{
+ "clone",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 1,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ ValueTwo: 0,
+ Op: OpMaskedEqual,
+ },
+ },
+ Comment: "s390 parameter ordering for clone is different",
+ Includes: Filter{
+ Arches: []string{"s390", "s390x"},
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
+ {
+ Names: []string{
+ "reboot",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_BOOT"},
+ },
+ },
+ {
+ Names: []string{
+ "chroot",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_CHROOT"},
+ },
+ },
+ {
+ Names: []string{
+ "delete_module",
+ "init_module",
+ "finit_module",
+ "query_module",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_MODULE"},
+ },
+ },
+ {
+ Names: []string{
+ "get_mempolicy",
+ "mbind",
+ "name_to_handle_at",
+ "set_mempolicy",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_NICE"},
+ },
+ },
+ {
+ Names: []string{
+ "acct",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_PACCT"},
+ },
+ },
+ {
+ Names: []string{
+ "kcmp",
+ "process_vm_readv",
+ "process_vm_writev",
+ "ptrace",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_PTRACE"},
+ },
+ },
+ {
+ Names: []string{
+ "iopl",
+ "ioperm",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_RAWIO"},
+ },
+ },
+ {
+ Names: []string{
+ "settimeofday",
+ "stime",
+ "clock_settime",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_TIME"},
+ },
+ },
+ {
+ Names: []string{
+ "vhangup",
+ },
+ Action: ActAllow,
+ Args: []*Arg{},
+ Includes: Filter{
+ Caps: []string{"CAP_SYS_TTY_CONFIG"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActErrno,
+ ErrnoRet: &einval,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: syscall.AF_NETLINK,
+ Op: OpEqualTo,
+ },
+ {
+ Index: 2,
+ Value: syscall.NETLINK_AUDIT,
+ Op: OpEqualTo,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 2,
+ Value: syscall.NETLINK_AUDIT,
+ Op: OpNotEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 0,
+ Value: syscall.AF_NETLINK,
+ Op: OpNotEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Args: []*Arg{
+ {
+ Index: 2,
+ Value: syscall.NETLINK_AUDIT,
+ Op: OpNotEqual,
+ },
+ },
+ Excludes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ {
+ Names: []string{
+ "socket",
+ },
+ Action: ActAllow,
+ Includes: Filter{
+ Caps: []string{"CAP_AUDIT_WRITE"},
+ },
+ },
+ }
+
+ return &Seccomp{
+ DefaultAction: ActErrno,
+ ArchMap: arches(),
+ Syscalls: syscalls,
+ }
+}
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go b/vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go
new file mode 100644
index 000000000..5655a7572
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go
@@ -0,0 +1,183 @@
+// +build seccomp
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
+package seccomp
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+ libseccomp "github.com/seccomp/libseccomp-golang"
+)
+
+//go:generate go run -tags 'seccomp' generate.go
+
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return setupSeccomp(DefaultProfile(), rs)
+}
+
+// LoadProfile takes a json string and decodes the seccomp profile.
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ var config Seccomp
+ if err := json.Unmarshal([]byte(body), &config); err != nil {
+ return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
+ }
+ return setupSeccomp(&config, rs)
+}
+
+// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
+func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ config := &Seccomp{}
+ if err := json.Unmarshal(body, config); err != nil {
+ return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
+ }
+ return setupSeccomp(config, rs)
+}
+
+// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp
+func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return setupSeccomp(config, specgen)
+}
+
+var nativeToSeccomp = map[string]Arch{
+ "amd64": ArchX86_64,
+ "arm64": ArchAARCH64,
+ "mips64": ArchMIPS64,
+ "mips64n32": ArchMIPS64N32,
+ "mipsel64": ArchMIPSEL64,
+ "mipsel64n32": ArchMIPSEL64N32,
+ "s390x": ArchS390X,
+}
+
+// inSlice tests whether a string is contained in a slice of strings or not.
+// Comparison is case sensitive
+func inSlice(slice []string, s string) bool {
+ for _, ss := range slice {
+ if s == ss {
+ return true
+ }
+ }
+ return false
+}
+
+func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ if config == nil {
+ return nil, nil
+ }
+
+ // No default action specified, no syscalls listed, assume seccomp disabled
+ if config.DefaultAction == "" && len(config.Syscalls) == 0 {
+ return nil, nil
+ }
+
+ newConfig := &specs.LinuxSeccomp{}
+
+ var arch string
+ var native, err = libseccomp.GetNativeArch()
+ if err == nil {
+ arch = native.String()
+ }
+
+ if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
+ return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
+ }
+
+ // if config.Architectures == 0 then libseccomp will figure out the architecture to use
+ if len(config.Architectures) != 0 {
+ for _, a := range config.Architectures {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
+ }
+ }
+
+ if len(config.ArchMap) != 0 {
+ for _, a := range config.ArchMap {
+ seccompArch, ok := nativeToSeccomp[arch]
+ if ok {
+ if a.Arch == seccompArch {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
+ for _, sa := range a.SubArches {
+ newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
+ }
+ break
+ }
+ }
+ }
+ }
+
+ newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+
+Loop:
+ // Loop through all syscall blocks and convert them to libcontainer format after filtering them
+ for _, call := range config.Syscalls {
+ if len(call.Excludes.Arches) > 0 {
+ if inSlice(call.Excludes.Arches, arch) {
+ continue Loop
+ }
+ }
+ if len(call.Excludes.Caps) > 0 {
+ for _, c := range call.Excludes.Caps {
+ if inSlice(rs.Process.Capabilities.Bounding, c) {
+ continue Loop
+ }
+ }
+ }
+ if len(call.Includes.Arches) > 0 {
+ if !inSlice(call.Includes.Arches, arch) {
+ continue Loop
+ }
+ }
+ if len(call.Includes.Caps) > 0 {
+ for _, c := range call.Includes.Caps {
+ if !inSlice(rs.Process.Capabilities.Bounding, c) {
+ continue Loop
+ }
+ }
+ }
+
+ if call.Name != "" && len(call.Names) != 0 {
+ return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
+ }
+
+ if call.Name != "" {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args, call.ErrnoRet))
+ }
+
+ if len(call.Names) > 0 {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args, call.ErrnoRet))
+ }
+ }
+
+ return newConfig, nil
+}
+
+func createSpecsSyscall(names []string, action Action, args []*Arg, errnoRet *uint) specs.LinuxSyscall {
+ newCall := specs.LinuxSyscall{
+ Names: names,
+ Action: specs.LinuxSeccompAction(action),
+ ErrnoRet: errnoRet,
+ }
+
+ // Loop through all the arguments of the syscall and convert them
+ for _, arg := range args {
+ newArg := specs.LinuxSeccompArg{
+ Index: arg.Index,
+ Value: arg.Value,
+ ValueTwo: arg.ValueTwo,
+ Op: specs.LinuxSeccompOperator(arg.Op),
+ }
+
+ newCall.Args = append(newCall.Args, newArg)
+ }
+ return newCall
+}
+
+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+ return IsSupported()
+}
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go b/vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go
new file mode 100644
index 000000000..84a4c6ed5
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go
@@ -0,0 +1,40 @@
+// +build !seccomp
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
+package seccomp
+
+import (
+ "errors"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+var errNotSupported = errors.New("seccomp not enabled in this build")
+
+// LoadProfile returns an error on unsuppored systems
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, errNotSupported
+}
+
+// GetDefaultProfile returns an error on unsuppored systems
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, errNotSupported
+}
+
+// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
+func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, errNotSupported
+}
+
+// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp
+func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, errNotSupported
+}
+
+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+ return false
+}
diff --git a/vendor/github.com/containers/common/pkg/seccomp/supported.go b/vendor/github.com/containers/common/pkg/seccomp/supported.go
new file mode 100644
index 000000000..ab2a94a73
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/supported.go
@@ -0,0 +1,72 @@
+package seccomp
+
+import (
+ "bufio"
+ "errors"
+ "os"
+ "strings"
+
+ perrors "github.com/pkg/errors"
+ "golang.org/x/sys/unix"
+)
+
+const statusFilePath = "/proc/self/status"
+
+// IsSupported returns true if the system has been configured to support
+// seccomp.
+func IsSupported() bool {
+ // Since Linux 3.8, the Seccomp field of the /proc/[pid]/status file
+ // provides a method of obtaining the same information, without the risk
+ // that the process is killed; see proc(5).
+ status, err := parseStatusFile(statusFilePath)
+ if err == nil {
+ _, ok := status["Seccomp"]
+ return ok
+ }
+
+ // PR_GET_SECCOMP (since Linux 2.6.23)
+ // Return (as the function result) the secure computing mode of the calling
+ // thread. If the caller is not in secure computing mode, this operation
+ // returns 0; if the caller is in strict secure computing mode, then the
+ // prctl() call will cause a SIGKILL signal to be sent to the process. If
+ // the caller is in filter mode, and this system call is allowed by the
+ // seccomp filters, it returns 2; otherwise, the process is killed with a
+ // SIGKILL signal. This operation is available only if the kernel is
+ // configured with CONFIG_SECCOMP enabled.
+ if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); !errors.Is(err, unix.EINVAL) {
+ // Make sure the kernel has CONFIG_SECCOMP_FILTER.
+ if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); !errors.Is(err, unix.EINVAL) {
+ return true
+ }
+ }
+
+ return false
+}
+
+// parseStatusFile reads the provided `file` into a map of strings.
+func parseStatusFile(file string) (map[string]string, error) {
+ f, err := os.Open(file)
+ if err != nil {
+ return nil, perrors.Wrapf(err, "open status file %s", file)
+ }
+ defer f.Close()
+
+ status := make(map[string]string)
+ scanner := bufio.NewScanner(f)
+ for scanner.Scan() {
+ text := scanner.Text()
+ parts := strings.SplitN(text, ":", 2)
+
+ if len(parts) <= 1 {
+ continue
+ }
+
+ status[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
+ }
+
+ if err := scanner.Err(); err != nil {
+ return nil, perrors.Wrapf(err, "scan status file %s", file)
+ }
+
+ return status, nil
+}
diff --git a/vendor/github.com/containers/common/pkg/seccomp/types.go b/vendor/github.com/containers/common/pkg/seccomp/types.go
new file mode 100644
index 000000000..7b0436dfc
--- /dev/null
+++ b/vendor/github.com/containers/common/pkg/seccomp/types.go
@@ -0,0 +1,110 @@
+package seccomp
+
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+type Seccomp struct {
+ DefaultAction Action `json:"defaultAction"`
+ // Architectures is kept to maintain backward compatibility with the old
+ // seccomp profile.
+ Architectures []Arch `json:"architectures,omitempty"`
+ ArchMap []Architecture `json:"archMap,omitempty"`
+ Syscalls []*Syscall `json:"syscalls"`
+}
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+type Architecture struct {
+ Arch Arch `json:"architecture"`
+ SubArches []Arch `json:"subArchitectures"`
+}
+
+// Arch used for architectures
+type Arch string
+
+// Additional architectures permitted to be used for system calls
+// By default only the native architecture of the kernel is permitted
+const (
+ ArchNative Arch = "SCMP_ARCH_NATIVE"
+ ArchX86 Arch = "SCMP_ARCH_X86"
+ ArchX86_64 Arch = "SCMP_ARCH_X86_64"
+ ArchX32 Arch = "SCMP_ARCH_X32"
+ ArchARM Arch = "SCMP_ARCH_ARM"
+ ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
+ ArchMIPS Arch = "SCMP_ARCH_MIPS"
+ ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
+ ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
+ ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
+ ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
+ ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
+ ArchPPC Arch = "SCMP_ARCH_PPC"
+ ArchPPC64 Arch = "SCMP_ARCH_PPC64"
+ ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE"
+ ArchS390 Arch = "SCMP_ARCH_S390"
+ ArchS390X Arch = "SCMP_ARCH_S390X"
+ ArchPARISC Arch = "SCMP_ARCH_PARISC"
+ ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
+ ArchRISCV64 Arch = "SCMP_ARCH_RISCV64"
+)
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Define actions for Seccomp rules
+const (
+ // ActKill results in termination of the thread that made the system call.
+ ActKill Action = "SCMP_ACT_KILL"
+ // ActKillProcess results in termination of the entire process.
+ ActKillProcess Action = "SCMP_ACT_KILL_PROCESS"
+ // ActKillThread kills the thread that violated the rule. It is the same as
+ // ActKill. All other threads from the same thread group will continue to
+ // execute.
+ ActKillThread Action = "SCMP_ACT_KILL_THREAD"
+ ActTrap Action = "SCMP_ACT_TRAP"
+ ActErrno Action = "SCMP_ACT_ERRNO"
+ ActTrace Action = "SCMP_ACT_TRACE"
+ ActAllow Action = "SCMP_ACT_ALLOW"
+ ActLog Action = "SCMP_ACT_LOG"
+)
+
+// Operator used to match syscall arguments in Seccomp
+type Operator string
+
+// Define operators for syscall arguments in Seccomp
+const (
+ OpNotEqual Operator = "SCMP_CMP_NE"
+ OpLessThan Operator = "SCMP_CMP_LT"
+ OpLessEqual Operator = "SCMP_CMP_LE"
+ OpEqualTo Operator = "SCMP_CMP_EQ"
+ OpGreaterEqual Operator = "SCMP_CMP_GE"
+ OpGreaterThan Operator = "SCMP_CMP_GT"
+ OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
+)
+
+// Arg used for matching specific syscall arguments in Seccomp
+type Arg struct {
+ Index uint `json:"index"`
+ Value uint64 `json:"value"`
+ ValueTwo uint64 `json:"valueTwo"`
+ Op Operator `json:"op"`
+}
+
+// Filter is used to conditionally apply Seccomp rules
+type Filter struct {
+ Caps []string `json:"caps,omitempty"`
+ Arches []string `json:"arches,omitempty"`
+}
+
+// Syscall is used to match a group of syscalls in Seccomp
+type Syscall struct {
+ Name string `json:"name,omitempty"`
+ Names []string `json:"names,omitempty"`
+ Action Action `json:"action"`
+ Args []*Arg `json:"args"`
+ Comment string `json:"comment"`
+ Includes Filter `json:"includes"`
+ Excludes Filter `json:"excludes"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
+}
diff --git a/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go b/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go
index fcb3cab72..1935d71f1 100644
--- a/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go
+++ b/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go
@@ -1,7 +1,6 @@
package sysinfo
import (
- "fmt"
"io/ioutil"
"os"
"path"
@@ -9,6 +8,7 @@ import (
"github.com/containers/common/pkg/cgroupv2"
"github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -16,7 +16,7 @@ import (
func findCgroupMountpoints() (map[string]string, error) {
cgMounts, err := cgroups.GetCgroupMounts(false)
if err != nil {
- return nil, fmt.Errorf("failed to parse cgroup information: %v", err)
+ return nil, errors.Wrap(err, "parse cgroup information")
}
mps := make(map[string]string)
for _, m := range cgMounts {
@@ -253,8 +253,8 @@ func cgroupEnabled(mountPoint, name string) bool {
return err == nil
}
-func readProcBool(path string) bool {
- val, err := ioutil.ReadFile(path)
+func readProcBool(file string) bool {
+ val, err := ioutil.ReadFile(file)
if err != nil {
return false
}
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 536e88076..ef9a947f0 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.20.3"
+const Version = "0.20.4-dev"
diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
index fe611f085..6ba46ebbb 100644
--- a/vendor/github.com/containers/storage/.cirrus.yml
+++ b/vendor/github.com/containers/storage/.cirrus.yml
@@ -106,7 +106,7 @@ lint_task:
env:
CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
container:
- image: golang:1.13
+ image: golang:1.15
modules_cache:
fingerprint_script: cat go.sum
folder: $GOPATH/pkg/mod
@@ -142,7 +142,7 @@ meta_task:
vendor_task:
container:
- image: golang:1.14
+ image: golang:1.15
modules_cache:
fingerprint_script: cat go.sum
folder: $GOPATH/pkg/mod
@@ -157,6 +157,6 @@ success_task:
- meta
- vendor
container:
- image: golang:1.14
+ image: golang:1.15
clone_script: 'mkdir -p "$CIRRUS_WORKING_DIR"' # Source code not needed
script: /bin/true
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
index 4d1e5d262..14bee92c9 100644
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@@ -1 +1 @@
-1.23.1-dev
+1.23.2
diff --git a/vendor/github.com/containers/storage/drivers/copy/copy_linux.go b/vendor/github.com/containers/storage/drivers/copy/copy_linux.go
index c00b9e47d..1e380a5ac 100644
--- a/vendor/github.com/containers/storage/drivers/copy/copy_linux.go
+++ b/vendor/github.com/containers/storage/drivers/copy/copy_linux.go
@@ -143,10 +143,6 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
}
dstPath := filepath.Join(dstDir, relPath)
- if err != nil {
- return err
- }
-
stat, ok := f.Sys().(*syscall.Stat_t)
if !ok {
return fmt.Errorf("Unable to get raw syscall.Stat_t data for %s", srcPath)
diff --git a/vendor/github.com/containers/storage/drivers/counter.go b/vendor/github.com/containers/storage/drivers/counter.go
index 72551a38d..3fc45495b 100644
--- a/vendor/github.com/containers/storage/drivers/counter.go
+++ b/vendor/github.com/containers/storage/drivers/counter.go
@@ -51,6 +51,10 @@ func (c *RefCounter) incdec(path string, infoOp func(minfo *minfo)) int {
if c.checker.IsMounted(path) {
m.count++
}
+ } else if !c.checker.IsMounted(path) {
+ // if the unmount was performed outside of this process (e.g. conmon cleanup)
+ //the ref counter would lose track of it. Check if it is still mounted.
+ m.count = 0
}
infoOp(m)
count := m.count
diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
index fc7010645..1de771bb0 100644
--- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
@@ -274,22 +274,28 @@ func parseOptions(options []string) (*overlayOptions, error) {
if err != nil {
return nil, err
}
- key = strings.ToLower(key)
- switch key {
- case ".override_kernel_check", "overlay.override_kernel_check", "overlay2.override_kernel_check":
+ trimkey := strings.ToLower(key)
+ trimkey = strings.TrimPrefix(trimkey, "overlay.")
+ trimkey = strings.TrimPrefix(trimkey, "overlay2.")
+ trimkey = strings.TrimPrefix(trimkey, ".")
+ switch trimkey {
+ case "override_kernel_check":
logrus.Warnf("overlay: override_kernel_check option was specified, but is no longer necessary")
- case ".mountopt", "overlay.mountopt", "overlay2.mountopt":
+ case "mountopt":
o.mountOptions = val
- case ".size", "overlay.size", "overlay2.size":
+ case "size":
logrus.Debugf("overlay: size=%s", val)
size, err := units.RAMInBytes(val)
if err != nil {
return nil, err
}
o.quota.Size = uint64(size)
- case ".imagestore", "overlay.imagestore", "overlay2.imagestore":
+ case "imagestore", "additionalimagestore":
logrus.Debugf("overlay: imagestore=%s", val)
// Additional read only image stores to use for lower paths
+ if val == "" {
+ continue
+ }
for _, store := range strings.Split(val, ",") {
store = filepath.Clean(store)
if !filepath.IsAbs(store) {
@@ -304,17 +310,17 @@ func parseOptions(options []string) (*overlayOptions, error) {
}
o.imageStores = append(o.imageStores, store)
}
- case ".mount_program", "overlay.mount_program", "overlay2.mount_program":
+ case "mount_program":
logrus.Debugf("overlay: mount_program=%s", val)
_, err := os.Stat(val)
if err != nil {
return nil, fmt.Errorf("overlay: can't stat program %s: %v", val, err)
}
o.mountProgram = val
- case "overlay2.skip_mount_home", "overlay.skip_mount_home", ".skip_mount_home":
+ case "skip_mount_home":
logrus.Debugf("overlay: skip_mount_home=%s", val)
o.skipMountHome, err = strconv.ParseBool(val)
- case ".ignore_chown_errors", "overlay2.ignore_chown_errors", "overlay.ignore_chown_errors":
+ case "ignore_chown_errors":
logrus.Debugf("overlay: ignore_chown_errors=%s", val)
o.ignoreChownErrors, err = strconv.ParseBool(val)
if err != nil {
diff --git a/vendor/github.com/containers/storage/go.mod b/vendor/github.com/containers/storage/go.mod
index 36101194e..77eef7598 100644
--- a/vendor/github.com/containers/storage/go.mod
+++ b/vendor/github.com/containers/storage/go.mod
@@ -1,3 +1,5 @@
+go 1.15
+
module github.com/containers/storage
require (
@@ -6,7 +8,7 @@ require (
github.com/Microsoft/hcsshim v0.8.9
github.com/docker/go-units v0.4.0
github.com/hashicorp/go-multierror v1.1.0
- github.com/klauspost/compress v1.10.10
+ github.com/klauspost/compress v1.10.11
github.com/klauspost/pgzip v1.2.4
github.com/mattn/go-shellwords v1.0.10
github.com/mistifyio/go-zfs v2.1.1+incompatible
@@ -25,5 +27,3 @@ require (
golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775
gotest.tools v2.2.0+incompatible
)
-
-go 1.13
diff --git a/vendor/github.com/containers/storage/go.sum b/vendor/github.com/containers/storage/go.sum
index d9b0d6396..04d48eb4f 100644
--- a/vendor/github.com/containers/storage/go.sum
+++ b/vendor/github.com/containers/storage/go.sum
@@ -62,8 +62,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
-github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/klauspost/compress v1.10.11 h1:K9z59aO18Aywg2b/WSgBaUX99mHy2BES18Cr5lBKZHk=
+github.com/klauspost/compress v1.10.11/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/pgzip v1.2.4 h1:TQ7CNpYKovDOmqzRHKxJh0BeaBI7UdQZYc6p7pMQh1A=
github.com/klauspost/pgzip v1.2.4/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go
index 937bf8c3a..2a34c84cc 100644
--- a/vendor/github.com/containers/storage/store.go
+++ b/vendor/github.com/containers/storage/store.go
@@ -2630,6 +2630,9 @@ func (s *store) mount(id string, options drivers.MountOpts) (string, error) {
if err != nil {
return "", err
}
+
+ s.graphLock.Lock()
+ defer s.graphLock.Unlock()
rlstore.Lock()
defer rlstore.Unlock()
if modified, err := rlstore.Modified(); modified || err != nil {
diff --git a/vendor/github.com/klauspost/compress/huff0/bitwriter.go b/vendor/github.com/klauspost/compress/huff0/bitwriter.go
index bda4021ef..6bce4e87d 100644
--- a/vendor/github.com/klauspost/compress/huff0/bitwriter.go
+++ b/vendor/github.com/klauspost/compress/huff0/bitwriter.go
@@ -43,6 +43,11 @@ func (b *bitWriter) addBits16Clean(value uint16, bits uint8) {
func (b *bitWriter) encSymbol(ct cTable, symbol byte) {
enc := ct[symbol]
b.bitContainer |= uint64(enc.val) << (b.nBits & 63)
+ if false {
+ if enc.nBits == 0 {
+ panic("nbits 0")
+ }
+ }
b.nBits += enc.nBits
}
@@ -54,6 +59,14 @@ func (b *bitWriter) encTwoSymbols(ct cTable, av, bv byte) {
sh := b.nBits & 63
combined := uint64(encA.val) | (uint64(encB.val) << (encA.nBits & 63))
b.bitContainer |= combined << sh
+ if false {
+ if encA.nBits == 0 {
+ panic("nbitsA 0")
+ }
+ if encB.nBits == 0 {
+ panic("nbitsB 0")
+ }
+ }
b.nBits += encA.nBits + encB.nBits
}
diff --git a/vendor/github.com/klauspost/compress/huff0/compress.go b/vendor/github.com/klauspost/compress/huff0/compress.go
index 0843cb014..f9ed5f830 100644
--- a/vendor/github.com/klauspost/compress/huff0/compress.go
+++ b/vendor/github.com/klauspost/compress/huff0/compress.go
@@ -77,8 +77,11 @@ func compress(in []byte, s *Scratch, compressor func(src []byte) ([]byte, error)
// Each symbol present maximum once or too well distributed.
return nil, false, ErrIncompressible
}
-
- if s.Reuse == ReusePolicyPrefer && canReuse {
+ if s.Reuse == ReusePolicyMust && !canReuse {
+ // We must reuse, but we can't.
+ return nil, false, ErrIncompressible
+ }
+ if (s.Reuse == ReusePolicyPrefer || s.Reuse == ReusePolicyMust) && canReuse {
keepTable := s.cTable
keepTL := s.actualTableLog
s.cTable = s.prevTable
@@ -90,6 +93,9 @@ func compress(in []byte, s *Scratch, compressor func(src []byte) ([]byte, error)
s.OutData = s.Out
return s.Out, true, nil
}
+ if s.Reuse == ReusePolicyMust {
+ return nil, false, ErrIncompressible
+ }
// Do not attempt to re-use later.
s.prevTable = s.prevTable[:0]
}
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress.go b/vendor/github.com/klauspost/compress/huff0/decompress.go
index a03b2634a..41703bba4 100644
--- a/vendor/github.com/klauspost/compress/huff0/decompress.go
+++ b/vendor/github.com/klauspost/compress/huff0/decompress.go
@@ -32,7 +32,7 @@ const use8BitTables = true
// The size of the input may be larger than the table definition.
// Any content remaining after the table definition will be returned.
// If no Scratch is provided a new one is allocated.
-// The returned Scratch can be used for decoding input using this table.
+// The returned Scratch can be used for encoding or decoding input using this table.
func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) {
s, err = s.prepare(in)
if err != nil {
@@ -58,8 +58,8 @@ func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) {
s.symbolLen = uint16(oSize)
in = in[iSize:]
} else {
- if len(in) <= int(iSize) {
- return s, nil, errors.New("input too small for table")
+ if len(in) < int(iSize) {
+ return s, nil, fmt.Errorf("input too small for table, want %d bytes, have %d", iSize, len(in))
}
// FSE compressed weights
s.fse.DecompressLimit = 255
@@ -138,15 +138,33 @@ func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) {
if len(s.dt.single) != tSize {
s.dt.single = make([]dEntrySingle, tSize)
}
+ cTable := s.prevTable
+ if cap(cTable) < maxSymbolValue+1 {
+ cTable = make([]cTableEntry, 0, maxSymbolValue+1)
+ }
+ cTable = cTable[:maxSymbolValue+1]
+ s.prevTable = cTable[:s.symbolLen]
+ s.prevTableLog = s.actualTableLog
+
for n, w := range s.huffWeight[:s.symbolLen] {
if w == 0 {
+ cTable[n] = cTableEntry{
+ val: 0,
+ nBits: 0,
+ }
continue
}
length := (uint32(1) << w) >> 1
d := dEntrySingle{
entry: uint16(s.actualTableLog+1-w) | (uint16(n) << 8),
}
+
rank := &rankStats[w]
+ cTable[n] = cTableEntry{
+ val: uint16(*rank >> (w - 1)),
+ nBits: uint8(d.entry),
+ }
+
single := s.dt.single[*rank : *rank+length]
for i := range single {
single[i] = d
diff --git a/vendor/github.com/klauspost/compress/huff0/huff0.go b/vendor/github.com/klauspost/compress/huff0/huff0.go
index 177d6c4ea..5dd66854b 100644
--- a/vendor/github.com/klauspost/compress/huff0/huff0.go
+++ b/vendor/github.com/klauspost/compress/huff0/huff0.go
@@ -55,6 +55,9 @@ const (
// ReusePolicyNone will disable re-use of tables.
// This is slightly faster than ReusePolicyAllow but may produce larger output.
ReusePolicyNone
+
+ // ReusePolicyMust must allow reuse and produce smaller output.
+ ReusePolicyMust
)
type Scratch struct {
diff --git a/vendor/github.com/klauspost/compress/zstd/blockenc.go b/vendor/github.com/klauspost/compress/zstd/blockenc.go
index c584f6aab..be718afd4 100644
--- a/vendor/github.com/klauspost/compress/zstd/blockenc.go
+++ b/vendor/github.com/klauspost/compress/zstd/blockenc.go
@@ -295,7 +295,7 @@ func (b *blockEnc) encodeRaw(a []byte) {
b.output = bh.appendTo(b.output[:0])
b.output = append(b.output, a...)
if debug {
- println("Adding RAW block, length", len(a))
+ println("Adding RAW block, length", len(a), "last:", b.last)
}
}
@@ -308,7 +308,7 @@ func (b *blockEnc) encodeRawTo(dst, src []byte) []byte {
dst = bh.appendTo(dst)
dst = append(dst, src...)
if debug {
- println("Adding RAW block, length", len(src))
+ println("Adding RAW block, length", len(src), "last:", b.last)
}
return dst
}
@@ -322,7 +322,7 @@ func (b *blockEnc) encodeLits(raw bool) error {
// Don't compress extremely small blocks
if len(b.literals) < 32 || raw {
if debug {
- println("Adding RAW block, length", len(b.literals))
+ println("Adding RAW block, length", len(b.literals), "last:", b.last)
}
bh.setType(blockTypeRaw)
b.output = bh.appendTo(b.output)
@@ -349,7 +349,7 @@ func (b *blockEnc) encodeLits(raw bool) error {
switch err {
case huff0.ErrIncompressible:
if debug {
- println("Adding RAW block, length", len(b.literals))
+ println("Adding RAW block, length", len(b.literals), "last:", b.last)
}
bh.setType(blockTypeRaw)
b.output = bh.appendTo(b.output)
diff --git a/vendor/github.com/klauspost/compress/zstd/encoder.go b/vendor/github.com/klauspost/compress/zstd/encoder.go
index c56d2241f..95ebc3d84 100644
--- a/vendor/github.com/klauspost/compress/zstd/encoder.go
+++ b/vendor/github.com/klauspost/compress/zstd/encoder.go
@@ -190,6 +190,7 @@ func (e *Encoder) nextBlock(final bool) error {
s.filling = s.filling[:0]
s.headerWritten = true
s.fullFrameWritten = true
+ s.eofWritten = true
return nil
}
diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
new file mode 100644
index 000000000..feef144d1
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
@@ -0,0 +1,37 @@
+# Travis CI configuration for libseccomp-golang
+
+# https://docs.travis-ci.com/user/reference/bionic
+# https://wiki.ubuntu.com/Releases
+
+dist: bionic
+sudo: false
+
+notifications:
+ email:
+ on_success: always
+ on_failure: always
+
+arch:
+ - amd64
+
+os:
+ - linux
+
+language: go
+
+addons:
+ apt:
+ packages:
+ - build-essential
+ # TODO: use the main libseccomp git repo instead of a distro package
+ - libseccomp2
+ - libseccomp-dev
+
+install:
+ - go get -u golang.org/x/lint/golint
+
+# run all of the tests independently, fail if any of the tests error
+script:
+ - make check-syntax
+ - make lint
+ - make check
diff --git a/vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES b/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md
index 744e5cd64..d6862cbd5 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES
+++ b/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md
@@ -8,11 +8,11 @@ to the rules described here, but by following the instructions below you
should have a much easier time getting your work merged with the upstream
project.
-* Test Your Code
+## Test Your Code Using Existing Tests
-There are two possible tests you can run to verify your code. The first test
-is used to check the formatting and coding style of your changes, you can run
-the test with the following command:
+There are two possible tests you can run to verify your code. The first
+test is used to check the formatting and coding style of your changes, you
+can run the test with the following command:
# make check-syntax
@@ -27,30 +27,13 @@ with the following command:
... if there are any faults or errors they will be displayed.
-* Generate the Patch(es)
+## Add New Tests for New Functionality
-Depending on how you decided to work with the libseccomp code base and what
-tools you are using there are different ways to generate your patch(es).
-However, regardless of what tools you use, you should always generate your
-patches using the "unified" diff/patch format and the patches should always
-apply to the libseccomp source tree using the following command from the top
-directory of the libseccomp sources:
+Any submissions which add functionality, or significantly change the existing
+code, should include additional tests to verify the proper operation of the
+proposed changes.
- # patch -p1 < changes.patch
-
-If you are not using git, stacked git (stgit), or some other tool which can
-generate patch files for you automatically, you may find the following command
-helpful in generating patches, where "libseccomp.orig/" is the unmodified
-source code directory and "libseccomp/" is the source code directory with your
-changes:
-
- # diff -purN libseccomp-golang.orig/ libseccomp-golang/
-
-When in doubt please generate your patch and try applying it to an unmodified
-copy of the libseccomp sources; if it fails for you, it will fail for the rest
-of us.
-
-* Explain Your Work
+## Explain Your Work
At the top of every patch you should include a description of the problem you
are trying to solve, how you solved it, and why you chose the solution you
@@ -59,7 +42,7 @@ if you can describe/include a reproducer for the problem in the description as
well as instructions on how to test for the bug and verify that it has been
fixed.
-* Sign Your Work
+## Sign Your Work
The sign-off is a simple line at the end of the patch description, which
certifies that you wrote it or otherwise have the right to pass it on as an
@@ -97,16 +80,49 @@ your real name, saying:
Signed-off-by: Random J Developer <random@developer.example.org>
-* Email Your Patch(es)
+You can add this to your commit description in `git` with `git commit -s`
+
+## Post Your Patches Upstream
+
+The libseccomp project accepts both GitHub pull requests and patches sent via
+the mailing list. GitHub pull requests are preferred. This sections below
+explain how to contribute via either method. Please read each step and perform
+all steps that apply to your chosen contribution method.
+
+### Submitting via Email
+
+Depending on how you decided to work with the libseccomp code base and what
+tools you are using there are different ways to generate your patch(es).
+However, regardless of what tools you use, you should always generate your
+patches using the "unified" diff/patch format and the patches should always
+apply to the libseccomp source tree using the following command from the top
+directory of the libseccomp sources:
+
+ # patch -p1 < changes.patch
+
+If you are not using git, stacked git (stgit), or some other tool which can
+generate patch files for you automatically, you may find the following command
+helpful in generating patches, where "libseccomp.orig/" is the unmodified
+source code directory and "libseccomp/" is the source code directory with your
+changes:
+
+ # diff -purN libseccomp.orig/ libseccomp/
+
+When in doubt please generate your patch and try applying it to an unmodified
+copy of the libseccomp sources; if it fails for you, it will fail for the rest
+of us.
Finally, you will need to email your patches to the mailing list so they can
-be reviewed and potentially merged into the main libseccomp-golang repository.
-When sending patches to the mailing list it is important to send your email in
-text form, no HTML mail please, and ensure that your email client does not
-mangle your patches. It should be possible to save your raw email to disk and
-apply it directly to the libseccomp source code; if that fails then you likely
-have a problem with your email client. When in doubt try a test first by
-sending yourself an email with your patch and attempting to apply the emailed
-patch to the libseccomp-golang repository; if it fails for you, it will fail
-for the rest of us trying to test your patch and include it in the main
-libseccomp-golang repository.
+be reviewed and potentially merged into the main libseccomp repository. When
+sending patches to the mailing list it is important to send your email in text
+form, no HTML mail please, and ensure that your email client does not mangle
+your patches. It should be possible to save your raw email to disk and apply
+it directly to the libseccomp source code; if that fails then you likely have
+a problem with your email client. When in doubt try a test first by sending
+yourself an email with your patch and attempting to apply the emailed patch to
+the libseccomp repository; if it fails for you, it will fail for the rest of
+us trying to test your patch and include it in the main libseccomp repository.
+
+### Submitting via GitHub
+
+See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before.
diff --git a/vendor/github.com/seccomp/libseccomp-golang/README b/vendor/github.com/seccomp/libseccomp-golang/README.md
index 66839a466..27423f2d9 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/README
+++ b/vendor/github.com/seccomp/libseccomp-golang/README.md
@@ -1,7 +1,8 @@
-libseccomp-golang: Go Language Bindings for the libseccomp Project
+![libseccomp Golang Bindings](https://github.com/seccomp/libseccomp-artwork/blob/main/logo/libseccomp-color_text.png)
===============================================================================
https://github.com/seccomp/libseccomp-golang
-https://github.com/seccomp/libseccomp
+
+[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/master.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
The libseccomp library provides an easy to use, platform independent, interface
to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
@@ -12,40 +13,39 @@ be familiar to, and easily adopted by, application developers.
The libseccomp-golang library provides a Go based interface to the libseccomp
library.
-* Online Resources
+## Online Resources
The library source repository currently lives on GitHub at the following URLs:
- -> https://github.com/seccomp/libseccomp-golang
- -> https://github.com/seccomp/libseccomp
+* https://github.com/seccomp/libseccomp-golang
+* https://github.com/seccomp/libseccomp
The project mailing list is currently hosted on Google Groups at the URL below,
please note that a Google account is not required to subscribe to the mailing
list.
- -> https://groups.google.com/d/forum/libseccomp
+* https://groups.google.com/d/forum/libseccomp
Documentation is also available at:
- -> https://godoc.org/github.com/seccomp/libseccomp-golang
+* https://godoc.org/github.com/seccomp/libseccomp-golang
-* Installing the package
+## Installing the package
The libseccomp-golang bindings require at least Go v1.2.1 and GCC v4.8.4;
earlier versions may yield unpredictable results. If you meet these
requirements you can install this package using the command below:
- $ go get github.com/seccomp/libseccomp-golang
+ # go get github.com/seccomp/libseccomp-golang
-* Testing the Library
+## Testing the Library
A number of tests and lint related recipes are provided in the Makefile, if
you want to run the standard regression tests, you can excute the following:
- $ make check
+ # make check
In order to execute the 'make lint' recipe the 'golint' tool is needed, it
can be found at:
- -> https://github.com/golang/lint
-
+* https://github.com/golang/lint
diff --git a/vendor/github.com/seccomp/libseccomp-golang/go.mod b/vendor/github.com/seccomp/libseccomp-golang/go.mod
new file mode 100644
index 000000000..6384b3769
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/go.mod
@@ -0,0 +1,3 @@
+module github.com/seccomp/libseccomp-golang
+
+go 1.14
diff --git a/vendor/github.com/seccomp/libseccomp-golang/go.sum b/vendor/github.com/seccomp/libseccomp-golang/go.sum
new file mode 100644
index 000000000..72ae16111
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/go.sum
@@ -0,0 +1,23 @@
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7 h1:EBZoQjiKKPaLbPrbpssUfuHtwM6KV/vb4U85g/cigFY=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200313205530-4303120df7d8 h1:gkI/wGGwpcG5W4hLCzZNGxA4wzWBGGDStRI1MrjDl2Q=
+golang.org/x/tools v0.0.0-20200313205530-4303120df7d8/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
index a3cc53822..e489b9ebd 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
@@ -125,7 +125,8 @@ const (
// ActInvalid is a placeholder to ensure uninitialized ScmpAction
// variables are invalid
ActInvalid ScmpAction = iota
- // ActKill kills the process
+ // ActKill kills the thread that violated the rule. It is the same as ActKillThread.
+ // All other threads from the same thread group will continue to execute.
ActKill ScmpAction = iota
// ActTrap throws SIGSYS
ActTrap ScmpAction = iota
@@ -141,6 +142,14 @@ const (
// This action is only usable when libseccomp API level 3 or higher is
// supported.
ActLog ScmpAction = iota
+ // ActKillThread kills the thread that violated the rule. It is the same as ActKill.
+ // All other threads from the same thread group will continue to execute.
+ ActKillThread ScmpAction = iota
+ // ActKillProcess kills the process that violated the rule.
+ // All threads in the thread group are also terminated.
+ // This action is only usable when libseccomp API level 3 or higher is
+ // supported.
+ ActKillProcess ScmpAction = iota
)
const (
@@ -290,8 +299,10 @@ func (a ScmpCompareOp) String() string {
// String returns a string representation of a seccomp match action
func (a ScmpAction) String() string {
switch a & 0xFFFF {
- case ActKill:
- return "Action: Kill Process"
+ case ActKill, ActKillThread:
+ return "Action: Kill thread"
+ case ActKillProcess:
+ return "Action: Kill process"
case ActTrap:
return "Action: Send SIGSYS"
case ActErrno:
@@ -334,23 +345,23 @@ func GetLibraryVersion() (major, minor, micro uint) {
return verMajor, verMinor, verMicro
}
-// GetApi returns the API level supported by the system.
+// GetAPI returns the API level supported by the system.
// Returns a positive int containing the API level, or 0 with an error if the
// API level could not be detected due to the library being older than v2.4.0.
// See the seccomp_api_get(3) man page for details on available API levels:
// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
-func GetApi() (uint, error) {
- return getApi()
+func GetAPI() (uint, error) {
+ return getAPI()
}
-// SetApi forcibly sets the API level. General use of this function is strongly
+// SetAPI forcibly sets the API level. General use of this function is strongly
// discouraged.
// Returns an error if the API level could not be set. An error is always
// returned if the library is older than v2.4.0
// See the seccomp_api_get(3) man page for details on available API levels:
// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
-func SetApi(api uint) error {
- return setApi(api)
+func SetAPI(api uint) error {
+ return setAPI(api)
}
// Syscall functions
@@ -552,9 +563,8 @@ func (f *ScmpFilter) Reset(defaultAction ScmpAction) error {
return errBadFilter
}
- retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative())
- if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative()); retCode != 0 {
+ return errRc(retCode)
}
return nil
@@ -600,11 +610,12 @@ func (f *ScmpFilter) Merge(src *ScmpFilter) error {
}
// Merge the filters
- retCode := C.seccomp_merge(f.filterCtx, src.filterCtx)
- if syscall.Errno(-1*retCode) == syscall.EINVAL {
- return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter")
- } else if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_merge(f.filterCtx, src.filterCtx); retCode != 0 {
+ e := errRc(retCode)
+ if e == syscall.EINVAL {
+ return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter")
+ }
+ return e
}
src.valid = false
@@ -633,12 +644,13 @@ func (f *ScmpFilter) IsArchPresent(arch ScmpArch) (bool, error) {
return false, errBadFilter
}
- retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative())
- if syscall.Errno(-1*retCode) == syscall.EEXIST {
- // -EEXIST is "arch not present"
- return false, nil
- } else if retCode != 0 {
- return false, syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative()); retCode != 0 {
+ e := errRc(retCode)
+ if e == syscall.EEXIST {
+ // -EEXIST is "arch not present"
+ return false, nil
+ }
+ return false, e
}
return true, nil
@@ -661,9 +673,10 @@ func (f *ScmpFilter) AddArch(arch ScmpArch) error {
// Libseccomp returns -EEXIST if the specified architecture is already
// present. Succeed silently in this case, as it's not fatal, and the
// architecture is present already.
- retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative())
- if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative()); retCode != 0 {
+ if e := errRc(retCode); e != syscall.EEXIST {
+ return e
+ }
}
return nil
@@ -686,9 +699,10 @@ func (f *ScmpFilter) RemoveArch(arch ScmpArch) error {
// Similar to AddArch, -EEXIST is returned if the arch is not present
// Succeed silently in that case, this is not fatal and the architecture
// is not present in the filter after RemoveArch
- retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative())
- if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative()); retCode != 0 {
+ if e := errRc(retCode); e != syscall.EEXIST {
+ return e
+ }
}
return nil
@@ -705,7 +719,7 @@ func (f *ScmpFilter) Load() error {
}
if retCode := C.seccomp_load(f.filterCtx); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -764,7 +778,7 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
func (f *ScmpFilter) GetLogBit() (bool, error) {
log, err := f.getFilterAttr(filterAttrLog)
if err != nil {
- api, apiErr := getApi()
+ api, apiErr := getAPI()
if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
}
@@ -818,7 +832,7 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
err := f.setFilterAttr(filterAttrLog, toSet)
if err != nil {
- api, apiErr := getApi()
+ api, apiErr := getAPI()
if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
}
@@ -842,7 +856,7 @@ func (f *ScmpFilter) SetSyscallPriority(call ScmpSyscall, priority uint8) error
if retCode := C.seccomp_syscall_priority(f.filterCtx, C.int(call),
C.uint8_t(priority)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -907,7 +921,7 @@ func (f *ScmpFilter) ExportPFC(file *os.File) error {
}
if retCode := C.seccomp_export_pfc(f.filterCtx, C.int(fd)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -928,7 +942,7 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error {
}
if retCode := C.seccomp_export_bpf(f.filterCtx, C.int(fd)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
index 4e36b27ae..0982e930f 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
@@ -72,7 +72,17 @@ const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
#define SCMP_ACT_LOG 0x7ffc0000U
#endif
+#ifndef SCMP_ACT_KILL_PROCESS
+#define SCMP_ACT_KILL_PROCESS 0x80000000U
+#endif
+
+#ifndef SCMP_ACT_KILL_THREAD
+#define SCMP_ACT_KILL_THREAD 0x00000000U
+#endif
+
const uint32_t C_ACT_KILL = SCMP_ACT_KILL;
+const uint32_t C_ACT_KILL_PROCESS = SCMP_ACT_KILL_PROCESS;
+const uint32_t C_ACT_KILL_THREAD = SCMP_ACT_KILL_THREAD;
const uint32_t C_ACT_TRAP = SCMP_ACT_TRAP;
const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
@@ -203,7 +213,7 @@ const (
archEnd ScmpArch = ArchS390X
// Comparison boundaries to check for action validity
actionStart ScmpAction = ActKill
- actionEnd ScmpAction = ActLog
+ actionEnd ScmpAction = ActKillProcess
// Comparison boundaries to check for comparison operator validity
compareOpStart ScmpCompareOp = CompareNotEqual
compareOpEnd ScmpCompareOp = CompareMaskedEqual
@@ -236,7 +246,7 @@ func ensureSupportedVersion() error {
}
// Get the API level
-func getApi() (uint, error) {
+func getAPI() (uint, error) {
api := C.seccomp_api_get()
if api == 0 {
return 0, fmt.Errorf("API level operations are not supported")
@@ -246,9 +256,9 @@ func getApi() (uint, error) {
}
// Set the API level
-func setApi(api uint) error {
+func setAPI(api uint) error {
if retCode := C.seccomp_api_set(C.uint(api)); retCode != 0 {
- if syscall.Errno(-1*retCode) == syscall.EOPNOTSUPP {
+ if errRc(retCode) == syscall.EOPNOTSUPP {
return fmt.Errorf("API level operations are not supported")
}
@@ -265,6 +275,10 @@ func filterFinalizer(f *ScmpFilter) {
f.Release()
}
+func errRc(rc C.int) error {
+ return syscall.Errno(-1 * rc)
+}
+
// Get a raw filter attribute
func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
f.lock.Lock()
@@ -278,7 +292,7 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute)
if retCode != 0 {
- return 0x0, syscall.Errno(-1 * retCode)
+ return 0x0, errRc(retCode)
}
return attribute, nil
@@ -295,7 +309,7 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -316,14 +330,17 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b
retCode = C.seccomp_rule_add_array(f.filterCtx, action.toNative(), C.int(call), length, cond)
}
- if syscall.Errno(-1*retCode) == syscall.EFAULT {
- return fmt.Errorf("unrecognized syscall %#x", int32(call))
- } else if syscall.Errno(-1*retCode) == syscall.EPERM {
- return fmt.Errorf("requested action matches default action of filter")
- } else if syscall.Errno(-1*retCode) == syscall.EINVAL {
- return fmt.Errorf("two checks on same syscall argument")
- } else if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ if retCode != 0 {
+ switch e := errRc(retCode); e {
+ case syscall.EFAULT:
+ return fmt.Errorf("unrecognized syscall %#x", int32(call))
+ case syscall.EPERM:
+ return fmt.Errorf("requested action matches default action of filter")
+ case syscall.EINVAL:
+ return fmt.Errorf("two checks on same syscall argument")
+ default:
+ return e
+ }
}
return nil
@@ -517,6 +534,10 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
switch a & 0xFFFF0000 {
case C.C_ACT_KILL:
return ActKill, nil
+ case C.C_ACT_KILL_PROCESS:
+ return ActKillProcess, nil
+ case C.C_ACT_KILL_THREAD:
+ return ActKillThread, nil
case C.C_ACT_TRAP:
return ActTrap, nil
case C.C_ACT_ERRNO:
@@ -537,6 +558,10 @@ func (a ScmpAction) toNative() C.uint32_t {
switch a & 0xFFFF {
case ActKill:
return C.C_ACT_KILL
+ case ActKillProcess:
+ return C.C_ACT_KILL_PROCESS
+ case ActKillThread:
+ return C.C_ACT_KILL_THREAD
case ActTrap:
return C.C_ACT_TRAP
case ActErrno: