diff options
author | Sascha Grunert <sgrunert@suse.com> | 2020-08-27 21:14:55 +0200 |
---|---|---|
committer | Sascha Grunert <sgrunert@suse.com> | 2020-08-27 21:14:59 +0200 |
commit | 98ead36531378ea22d1298235a10ce476f20391d (patch) | |
tree | 59c898ae69ab9f5d13e255f2575200f1329e003e /vendor/github.com | |
parent | 72c5b35ea5db44ca1c81a688d90f5c3aa8f8262e (diff) | |
download | podman-98ead36531378ea22d1298235a10ce476f20391d.tar.gz podman-98ead36531378ea22d1298235a10ce476f20391d.tar.bz2 podman-98ead36531378ea22d1298235a10ce476f20391d.zip |
Switch to containers/common for seccomp
The seccomp/containers-golang library is not maintained any more and we
should stick to containers/common.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Diffstat (limited to 'vendor/github.com')
43 files changed, 2586 insertions, 210 deletions
diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go index e0b5c5677..4f11e4ed2 100644 --- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go +++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go @@ -13,6 +13,7 @@ import ( "strings" "text/template" + "github.com/containers/common/pkg/apparmor/internal/supported" "github.com/containers/storage/pkg/unshare" runcaa "github.com/opencontainers/runc/libcontainer/apparmor" "github.com/pkg/errors" @@ -22,12 +23,11 @@ import ( // profileDirectory is the file store for apparmor profiles and macros. var profileDirectory = "/etc/apparmor.d" -// IsEnabled returns true if AppArmor is enabled on the host. +// IsEnabled returns true if AppArmor is enabled on the host. It also checks +// for the existence of the `apparmor_parser` binary, which will be required to +// apply profiles. func IsEnabled() bool { - if unshare.IsRootless() { - return false - } - return runcaa.IsEnabled() + return supported.NewAppArmorVerifier().IsSupported() == nil } // profileData holds information about the given profile for generation. @@ -43,7 +43,7 @@ type profileData struct { } // generateDefault creates an apparmor profile from ProfileData. -func (p *profileData) generateDefault(out io.Writer) error { +func (p *profileData) generateDefault(apparmorParserPath string, out io.Writer) error { compiled, err := template.New("apparmor_profile").Parse(defaultProfileTemplate) if err != nil { return errors.Wrap(err, "create AppArmor profile from template") @@ -59,7 +59,7 @@ func (p *profileData) generateDefault(out io.Writer) error { p.InnerImports = append(p.InnerImports, "#include <abstractions/base>") } - ver, err := getAAParserVersion() + ver, err := getAAParserVersion(apparmorParserPath) if err != nil { return errors.Wrap(err, "get AppArmor version") } @@ -85,18 +85,23 @@ func InstallDefault(name string) error { Name: name, } - cmd := exec.Command("apparmor_parser", "-Kr") + apparmorParserPath, err := supported.NewAppArmorVerifier().FindAppArmorParserBinary() + if err != nil { + return errors.Wrap(err, "find `apparmor_parser` binary") + } + + cmd := exec.Command(apparmorParserPath, "-Kr") pipe, err := cmd.StdinPipe() if err != nil { - return errors.Wrap(err, "execute apparmor_parser") + return errors.Wrapf(err, "execute %s", apparmorParserPath) } if err := cmd.Start(); err != nil { if pipeErr := pipe.Close(); pipeErr != nil { logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr) } - return errors.Wrap(err, "start apparmor_parser command") + return errors.Wrapf(err, "start %s command", apparmorParserPath) } - if err := p.generateDefault(pipe); err != nil { + if err := p.generateDefault(apparmorParserPath, pipe); err != nil { if pipeErr := pipe.Close(); pipeErr != nil { logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr) } @@ -118,11 +123,17 @@ func InstallDefault(name string) error { // generation fails. func DefaultContent(name string) ([]byte, error) { p := profileData{Name: name} - var bytes bytes.Buffer - if err := p.generateDefault(&bytes); err != nil { + buffer := &bytes.Buffer{} + + apparmorParserPath, err := supported.NewAppArmorVerifier().FindAppArmorParserBinary() + if err != nil { + return nil, errors.Wrap(err, "find `apparmor_parser` binary") + } + + if err := p.generateDefault(apparmorParserPath, buffer); err != nil { return nil, errors.Wrap(err, "generate default AppAmor profile") } - return bytes.Bytes(), nil + return buffer.Bytes(), nil } // IsLoaded checks if a profile with the given name has been loaded into the @@ -159,8 +170,8 @@ func IsLoaded(name string) (bool, error) { } // execAAParser runs `apparmor_parser` with the passed arguments. -func execAAParser(dir string, args ...string) (string, error) { - c := exec.Command("apparmor_parser", args...) +func execAAParser(apparmorParserPath, dir string, args ...string) (string, error) { + c := exec.Command(apparmorParserPath, args...) c.Dir = dir output, err := c.Output() @@ -172,8 +183,8 @@ func execAAParser(dir string, args ...string) (string, error) { } // getAAParserVersion returns the major and minor version of apparmor_parser. -func getAAParserVersion() (int, error) { - output, err := execAAParser("", "--version") +func getAAParserVersion(apparmorParserPath string) (int, error) { + output, err := execAAParser(apparmorParserPath, "", "--version") if err != nil { return -1, errors.Wrap(err, "execute apparmor_parser") } diff --git a/vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go b/vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go new file mode 100644 index 000000000..778f4e3a2 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/apparmor/internal/supported/supported.go @@ -0,0 +1,113 @@ +package supported + +import ( + "os" + "os/exec" + "path/filepath" + "sync" + + "github.com/containers/storage/pkg/unshare" + runcaa "github.com/opencontainers/runc/libcontainer/apparmor" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" +) + +//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate + +// ApparmorVerifier is the global struct for verifying if AppAmor is available +// on the system. +type ApparmorVerifier struct { + impl verifierImpl + parserBinaryPath string +} + +var ( + singleton *ApparmorVerifier + once sync.Once +) + +// NewAppArmorVerifier can be used to retrieve a new ApparmorVerifier instance. +func NewAppArmorVerifier() *ApparmorVerifier { + once.Do(func() { + singleton = &ApparmorVerifier{impl: &defaultVerifier{}} + }) + return singleton +} + +// IsSupported returns nil if AppAmor is supported by the host system. +// The method will error if: +// - the process runs in rootless mode +// - AppArmor is disabled by the host system +// - the `apparmor_parser` binary is not discoverable +func (a *ApparmorVerifier) IsSupported() error { + if a.impl.UnshareIsRootless() { + return errors.New("AppAmor is not supported on rootless containers") + } + if !a.impl.RuncIsEnabled() { + return errors.New("AppArmor not supported by the host system") + } + + _, err := a.FindAppArmorParserBinary() + return err +} + +// FindAppArmorParserBinary returns the `apparmor_parser` binary either from +// `/sbin` or from `$PATH`. It returns an error if the binary could not be +// found. +func (a *ApparmorVerifier) FindAppArmorParserBinary() (string, error) { + // Use the memoized path if available + if a.parserBinaryPath != "" { + logrus.Debugf("Using %s binary", a.parserBinaryPath) + return a.parserBinaryPath, nil + } + + const ( + binary = "apparmor_parser" + sbin = "/sbin" + ) + + // `/sbin` is not always in `$PATH`, so we check it explicitly + sbinBinaryPath := filepath.Join(sbin, binary) + if _, err := a.impl.OsStat(sbinBinaryPath); err == nil { + logrus.Debugf("Found %s binary in %s", binary, sbinBinaryPath) + a.parserBinaryPath = sbinBinaryPath + return sbinBinaryPath, nil + } + + // Fallback to checking $PATH + if path, err := a.impl.ExecLookPath(binary); err == nil { + logrus.Debugf("Found %s binary in %s", binary, path) + a.parserBinaryPath = path + return path, nil + } + + return "", errors.Errorf( + "%s binary neither found in %s nor $PATH", binary, sbin, + ) +} + +//counterfeiter:generate . verifierImpl +type verifierImpl interface { + UnshareIsRootless() bool + RuncIsEnabled() bool + OsStat(name string) (os.FileInfo, error) + ExecLookPath(file string) (string, error) +} + +type defaultVerifier struct{} + +func (d *defaultVerifier) UnshareIsRootless() bool { + return unshare.IsRootless() +} + +func (d *defaultVerifier) RuncIsEnabled() bool { + return runcaa.IsEnabled() +} + +func (d *defaultVerifier) OsStat(name string) (os.FileInfo, error) { + return os.Stat(name) +} + +func (d *defaultVerifier) ExecLookPath(file string) (string, error) { + return exec.LookPath(file) +} diff --git a/vendor/github.com/containers/common/pkg/auth/auth.go b/vendor/github.com/containers/common/pkg/auth/auth.go index 91ab45f0d..21b988187 100644 --- a/vendor/github.com/containers/common/pkg/auth/auth.go +++ b/vendor/github.com/containers/common/pkg/auth/auth.go @@ -40,8 +40,8 @@ func CheckAuthFile(authfile string) error { // data with the original parameter. func systemContextWithOptions(sys *types.SystemContext, authFile, certDir string) *types.SystemContext { if sys != nil { - copy := *sys - sys = © + sysCopy := *sys + sys = &sysCopy } else { sys = &types.SystemContext{} } @@ -126,7 +126,7 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO if err = docker.CheckAuth(ctx, systemContext, username, password, server); err == nil { // Write the new credentials to the authfile - if err = config.SetAuthentication(systemContext, server, username, password); err != nil { + if err := config.SetAuthentication(systemContext, server, username, password); err != nil { return err } } @@ -156,8 +156,7 @@ func getRegistryName(server string) string { // getUserAndPass gets the username and password from STDIN if not given // using the -u and -p flags. If the username prompt is left empty, the // displayed userFromAuthFile will be used instead. -func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (string, string, error) { - var err error +func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (user, pass string, err error) { reader := bufio.NewReader(opts.Stdin) username := opts.Username if username == "" { diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index e1bd4fc27..78811b47a 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -612,11 +612,11 @@ func (c *ContainersConfig) Validate() error { } if c.LogSizeMax >= 0 && c.LogSizeMax < OCIBufSize { - return fmt.Errorf("log size max should be negative or >= %d", OCIBufSize) + return errors.Errorf("log size max should be negative or >= %d", OCIBufSize) } if _, err := units.FromHumanSize(c.ShmSize); err != nil { - return fmt.Errorf("invalid --shm-size %s, %q", c.ShmSize, err) + return errors.Errorf("invalid --shm-size %s, %q", c.ShmSize, err) } return nil @@ -759,15 +759,13 @@ func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []s // '/dev/sdc:/dev/xvdc" // '/dev/sdc:/dev/xvdc:rwm" // '/dev/sdc:rm" -func Device(device string) (string, string, string, error) { - src := "" - dst := "" - permissions := "rwm" +func Device(device string) (src, dst, permissions string, err error) { + permissions = "rwm" split := strings.Split(device, ":") switch len(split) { case 3: if !IsValidDeviceMode(split[2]) { - return "", "", "", fmt.Errorf("invalid device mode: %s", split[2]) + return "", "", "", errors.Errorf("invalid device mode: %s", split[2]) } permissions = split[2] fallthrough @@ -775,19 +773,19 @@ func Device(device string) (string, string, string, error) { if IsValidDeviceMode(split[1]) { permissions = split[1] } else { - if len(split[1]) == 0 || split[1][0] != '/' { - return "", "", "", fmt.Errorf("invalid device mode: %s", split[1]) + if split[1] == "" || split[1][0] != '/' { + return "", "", "", errors.Errorf("invalid device mode: %s", split[1]) } dst = split[1] } fallthrough case 1: if !strings.HasPrefix(split[0], "/dev/") { - return "", "", "", fmt.Errorf("invalid device mode: %s", split[0]) + return "", "", "", errors.Errorf("invalid device mode: %s", split[0]) } src = split[0] default: - return "", "", "", fmt.Errorf("invalid device specification: %s", device) + return "", "", "", errors.Errorf("invalid device specification: %s", device) } if dst == "" { @@ -908,21 +906,6 @@ func Path() string { return OverrideContainersConfig } -func customConfigFile() (string, error) { - path := os.Getenv("CONTAINERS_CONF") - if path != "" { - return path, nil - } - if unshare.IsRootless() { - path, err := rootlessConfigPath() - if err != nil { - return "", err - } - return path, nil - } - return OverrideContainersConfig, nil -} - // ReadCustomConfig reads the custom config and only generates a config based on it // If the custom config file does not exists, function will return an empty config func ReadCustomConfig() (*Config, error) { @@ -943,7 +926,7 @@ func ReadCustomConfig() (*Config, error) { newConfig := &Config{} if _, err := os.Stat(path); err == nil { - if err = readConfigFromFile(path, newConfig); err != nil { + if err := readConfigFromFile(path, newConfig); err != nil { return nil, err } } else { @@ -990,13 +973,12 @@ func Reload() (*Config, error) { return defConfig() } -func (c *Config) ActiveDestination() (string, string, error) { +func (c *Config) ActiveDestination() (uri, identity string, err error) { if uri, found := os.LookupEnv("CONTAINER_HOST"); found { - var ident string if v, found := os.LookupEnv("CONTAINER_SSHKEY"); found { - ident = v + identity = v } - return uri, ident, nil + return uri, identity, nil } switch { diff --git a/vendor/github.com/containers/common/pkg/config/config_darwin.go b/vendor/github.com/containers/common/pkg/config/config_darwin.go new file mode 100644 index 000000000..a264b1888 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/config/config_darwin.go @@ -0,0 +1,12 @@ +package config + +import ( + "os" +) + +func customConfigFile() (string, error) { + if path, found := os.LookupEnv("CONTAINERS_CONF"); found { + return path, nil + } + return rootlessConfigPath() +} diff --git a/vendor/github.com/containers/common/pkg/config/config_linux.go b/vendor/github.com/containers/common/pkg/config/config_linux.go index 17b862967..77e06105e 100644 --- a/vendor/github.com/containers/common/pkg/config/config_linux.go +++ b/vendor/github.com/containers/common/pkg/config/config_linux.go @@ -1,7 +1,26 @@ package config -import selinux "github.com/opencontainers/selinux/go-selinux" +import ( + "os" + + "github.com/containers/storage/pkg/unshare" + selinux "github.com/opencontainers/selinux/go-selinux" +) func selinuxEnabled() bool { return selinux.GetEnabled() } + +func customConfigFile() (string, error) { + if path, found := os.LookupEnv("CONTAINERS_CONF"); found { + return path, nil + } + if unshare.IsRootless() { + path, err := rootlessConfigPath() + if err != nil { + return "", err + } + return path, nil + } + return OverrideContainersConfig, nil +} diff --git a/vendor/github.com/containers/common/pkg/config/config_local.go b/vendor/github.com/containers/common/pkg/config/config_local.go index b1d1644dd..8a27c9626 100644 --- a/vendor/github.com/containers/common/pkg/config/config_local.go +++ b/vendor/github.com/containers/common/pkg/config/config_local.go @@ -3,7 +3,6 @@ package config import ( - "fmt" "os" "path/filepath" "regexp" @@ -11,6 +10,7 @@ import ( "syscall" units "github.com/docker/go-units" + "github.com/pkg/errors" ) // isDirectory tests whether the given path exists and is a directory. It @@ -43,13 +43,13 @@ func (c *EngineConfig) validatePaths() error { // shift between runs or even parts of the program. - The OCI runtime // uses a different working directory than we do, for example. if c.StaticDir != "" && !filepath.IsAbs(c.StaticDir) { - return fmt.Errorf("static directory must be an absolute path - instead got %q", c.StaticDir) + return errors.Errorf("static directory must be an absolute path - instead got %q", c.StaticDir) } if c.TmpDir != "" && !filepath.IsAbs(c.TmpDir) { - return fmt.Errorf("temporary directory must be an absolute path - instead got %q", c.TmpDir) + return errors.Errorf("temporary directory must be an absolute path - instead got %q", c.TmpDir) } if c.VolumePath != "" && !filepath.IsAbs(c.VolumePath) { - return fmt.Errorf("volume path must be an absolute path - instead got %q", c.VolumePath) + return errors.Errorf("volume path must be an absolute path - instead got %q", c.VolumePath) } return nil } @@ -68,7 +68,7 @@ func (c *ContainersConfig) validateUlimits() error { for _, u := range c.DefaultUlimits { ul, err := units.ParseUlimit(u) if err != nil { - return fmt.Errorf("unrecognized ulimit %s: %v", u, err) + return errors.Wrapf(err, "unrecognized ulimit %s", u) } _, err = ul.GetRlimit() if err != nil { @@ -96,8 +96,8 @@ func (c *ContainersConfig) validateTZ() error { } } - return fmt.Errorf( - "unable to find timezone %s in paths: %s", + return errors.Errorf( + "find timezone %s in paths: %s", c.TZ, strings.Join(lookupPaths, ", "), ) } @@ -105,7 +105,7 @@ func (c *ContainersConfig) validateTZ() error { func (c *ContainersConfig) validateUmask() error { validUmask := regexp.MustCompile(`^[0-7]{1,4}$`) if !validUmask.MatchString(c.Umask) { - return fmt.Errorf("Not a valid Umask %s", c.Umask) + return errors.Errorf("not a valid umask %s", c.Umask) } return nil } diff --git a/vendor/github.com/containers/common/pkg/config/config_windows.go b/vendor/github.com/containers/common/pkg/config/config_windows.go new file mode 100644 index 000000000..1c9806e6b --- /dev/null +++ b/vendor/github.com/containers/common/pkg/config/config_windows.go @@ -0,0 +1,10 @@ +package config + +import "os" + +func customConfigFile() (string, error) { + if path, found := os.LookupEnv("CONTAINERS_CONF"); found { + return path, nil + } + return os.Getenv("APPDATA") + "\\containers\\containers.conf", nil +} diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index ff4d99bda..5ee72e759 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -92,7 +92,7 @@ # Ulimits has limits for non privileged container engines. # # default_ulimits = [ -# "nofile"="1280:2560", +# "nofile=1280:2560", # ] # List of default DNS options to be added to /etc/resolv.conf inside of the container. diff --git a/vendor/github.com/containers/common/pkg/config/default_linux.go b/vendor/github.com/containers/common/pkg/config/default_linux.go index e49413d7a..f61d9ba54 100644 --- a/vendor/github.com/containers/common/pkg/config/default_linux.go +++ b/vendor/github.com/containers/common/pkg/config/default_linux.go @@ -32,10 +32,8 @@ func getDefaultProcessLimits() []string { defaultLimits := []string{} if err := unix.Setrlimit(unix.RLIMIT_NPROC, &rlim); err == nil { defaultLimits = append(defaultLimits, fmt.Sprintf("nproc=%d:%d", rlim.Cur, rlim.Max)) - } else { - if err := unix.Setrlimit(unix.RLIMIT_NPROC, &oldrlim); err == nil { - defaultLimits = append(defaultLimits, fmt.Sprintf("nproc=%d:%d", oldrlim.Cur, oldrlim.Max)) - } + } else if err := unix.Setrlimit(unix.RLIMIT_NPROC, &oldrlim); err == nil { + defaultLimits = append(defaultLimits, fmt.Sprintf("nproc=%d:%d", oldrlim.Cur, oldrlim.Max)) } return defaultLimits } diff --git a/vendor/github.com/containers/common/pkg/config/libpodConfig.go b/vendor/github.com/containers/common/pkg/config/libpodConfig.go index 9d04da7f5..07dd06240 100644 --- a/vendor/github.com/containers/common/pkg/config/libpodConfig.go +++ b/vendor/github.com/containers/common/pkg/config/libpodConfig.go @@ -3,7 +3,6 @@ package config /* libpodConfig.go contains deprecated functionality and should not be used any longer */ import ( - "fmt" "os" "os/exec" "path/filepath" @@ -168,7 +167,7 @@ type ConfigFromLibpod struct { // EventsLogFilePath is where the events log is stored. EventsLogFilePath string `toml:"events_logfile_path,omitempty"` - //DetachKeys is the sequence of keys used to detach a container. + // DetachKeys is the sequence of keys used to detach a container. DetachKeys string `toml:"detach_keys,omitempty"` // SDNotify tells Libpod to allow containers to notify the host systemd of @@ -247,7 +246,7 @@ func readLibpodConfigFromFile(path string, config *ConfigFromLibpod) (*ConfigFro logrus.Debugf("Reading configuration file %q", path) _, err := toml.DecodeFile(path, config) if err != nil { - return nil, fmt.Errorf("unable to decode configuration %v: %v", path, err) + return nil, errors.Wrapf(err, "decode configuration %s", path) } return config, err diff --git a/vendor/github.com/containers/common/pkg/config/util_supported.go b/vendor/github.com/containers/common/pkg/config/util_supported.go index 2cdf54549..4595716d1 100644 --- a/vendor/github.com/containers/common/pkg/config/util_supported.go +++ b/vendor/github.com/containers/common/pkg/config/util_supported.go @@ -49,7 +49,7 @@ func getRuntimeDir() (string, error) { if runtimeDir == "" { home := os.Getenv("HOME") if home == "" { - rootlessRuntimeDirError = fmt.Errorf("neither XDG_RUNTIME_DIR nor HOME was set non-empty") + rootlessRuntimeDirError = errors.New("neither XDG_RUNTIME_DIR nor HOME was set non-empty") return } resolvedHome, err := filepath.EvalSymlinks(home) diff --git a/vendor/github.com/containers/common/pkg/retry/retry.go b/vendor/github.com/containers/common/pkg/retry/retry.go index c20f900d8..d0ac19fb6 100644 --- a/vendor/github.com/containers/common/pkg/retry/retry.go +++ b/vendor/github.com/containers/common/pkg/retry/retry.go @@ -2,6 +2,7 @@ package retry import ( "context" + "io" "math" "net" "net/url" @@ -17,7 +18,8 @@ import ( // RetryOptions defines the option to retry type RetryOptions struct { - MaxRetry int // The number of times to possibly retry + MaxRetry int // The number of times to possibly retry + Delay time.Duration // The delay to use between retries, if set } // RetryIfNecessary retries the operation in exponential backoff with the retryOptions @@ -25,6 +27,9 @@ func RetryIfNecessary(ctx context.Context, operation func() error, retryOptions err := operation() for attempt := 0; err != nil && isRetryable(err) && attempt < retryOptions.MaxRetry; attempt++ { delay := time.Duration(int(math.Pow(2, float64(attempt)))) * time.Second + if retryOptions.Delay != 0 { + delay = retryOptions.Delay + } logrus.Infof("Warning: failed, retrying in %s ... (%d/%d)", delay, attempt+1, retryOptions.MaxRetry) select { case <-time.After(delay): @@ -58,7 +63,10 @@ func isRetryable(err error) bool { return true case *net.OpError: return isRetryable(e.Err) - case *url.Error: + case *url.Error: // This includes errors returned by the net/http client. + if e.Err == io.EOF { // Happens when a server accepts a HTTP connection and sends EOF + return true + } return isRetryable(e.Err) case syscall.Errno: return e != syscall.ECONNREFUSED diff --git a/vendor/github.com/containers/common/pkg/seccomp/conversion.go b/vendor/github.com/containers/common/pkg/seccomp/conversion.go new file mode 100644 index 000000000..79a893ba3 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/conversion.go @@ -0,0 +1,32 @@ +package seccomp + +import "fmt" + +var goArchToSeccompArchMap = map[string]Arch{ + "386": ArchX86, + "amd64": ArchX86_64, + "amd64p32": ArchX32, + "arm": ArchARM, + "arm64": ArchAARCH64, + "mips": ArchMIPS, + "mips64": ArchMIPS64, + "mips64le": ArchMIPSEL64, + "mips64p32": ArchMIPS64N32, + "mips64p32le": ArchMIPSEL64N32, + "mipsle": ArchMIPSEL, + "ppc": ArchPPC, + "ppc64": ArchPPC64, + "ppc64le": ArchPPC64LE, + "s390": ArchS390, + "s390x": ArchS390X, +} + +// GoArchToSeccompArch converts a runtime.GOARCH to a seccomp `Arch`. The +// function returns an error if the architecture conversion is not supported. +func GoArchToSeccompArch(goArch string) (Arch, error) { + arch, ok := goArchToSeccompArchMap[goArch] + if !ok { + return "", fmt.Errorf("unsupported go arch provided: %s", goArch) + } + return arch, nil +} diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json new file mode 100644 index 000000000..06b39024a --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json @@ -0,0 +1,878 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "names": [ + "_llseek", + "_newselect", + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_gettime", + "clock_nanosleep", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futimesat", + "get_robust_list", + "get_thread_area", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "io_destroy", + "io_getevents", + "io_setup", + "io_submit", + "ioctl", + "ioprio_get", + "ioprio_set", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mount", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedsend", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "name_to_handle_at", + "nanosleep", + "newfstatat", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "reboot", + "recv", + "recvfrom", + "recvmmsg", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_tgsigqueueinfo", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "set_robust_list", + "set_thread_area", + "set_tid_address", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "setsid", + "setsockopt", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigreturn", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "syslog", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_settime", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "umount", + "umount2", + "uname", + "unlink", + "unlinkat", + "unshare", + "utime", + "utimensat", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131072, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131080, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "sync_file_range2" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "ppc64le" + ] + }, + "excludes": {} + }, + { + "names": [ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "arm", + "arm64" + ] + }, + "excludes": {} + }, + { + "names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": {} + }, + { + "names": [ + "modify_ldt" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32", + "x86" + ] + }, + "excludes": {} + }, + { + "names": [ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": {} + }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "excludes": {} + }, + { + "names": [ + "bpf", + "clone", + "fanotify_init", + "lookup_dcookie", + "mount", + "name_to_handle_at", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "umount", + "umount2", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": {} + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "s390 parameter ordering for clone is different", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "reboot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_BOOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "chroot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "delete_module", + "init_module", + "finit_module", + "query_module" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_MODULE" + ] + }, + "excludes": {} + }, + { + "names": [ + "get_mempolicy", + "mbind", + "name_to_handle_at", + "set_mempolicy" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "excludes": {} + }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "excludes": {} + }, + { + "names": [ + "kcmp", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "excludes": {} + }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "excludes": {} + }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "excludes": {} + }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "excludes": {} + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ERRNO", + "args": [ + { + "index": 0, + "value": 16, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + }, + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + }, + "errnoRet": 22 + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 16, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": null, + "comment": "", + "includes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + }, + "excludes": {} + } + ] +}
\ No newline at end of file diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go new file mode 100644 index 000000000..f12cf02c9 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp_default_linux.go @@ -0,0 +1,742 @@ +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + +package seccomp + +import ( + "syscall" + + "golang.org/x/sys/unix" +) + +func arches() []Architecture { + return []Architecture{ + { + Arch: ArchX86_64, + SubArches: []Arch{ArchX86, ArchX32}, + }, + { + Arch: ArchAARCH64, + SubArches: []Arch{ArchARM}, + }, + { + Arch: ArchMIPS64, + SubArches: []Arch{ArchMIPS, ArchMIPS64N32}, + }, + { + Arch: ArchMIPS64N32, + SubArches: []Arch{ArchMIPS, ArchMIPS64}, + }, + { + Arch: ArchMIPSEL64, + SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64N32}, + }, + { + Arch: ArchMIPSEL64N32, + SubArches: []Arch{ArchMIPSEL, ArchMIPSEL64}, + }, + { + Arch: ArchS390X, + SubArches: []Arch{ArchS390}, + }, + } +} + +// DefaultProfile defines the allowlist for the default seccomp profile. +func DefaultProfile() *Seccomp { + einval := uint(syscall.EINVAL) + + syscalls := []*Syscall{ + { + Names: []string{ + "_llseek", + "_newselect", + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_gettime", + "clock_nanosleep", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futimesat", + "get_robust_list", + "get_thread_area", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "io_destroy", + "io_getevents", + "io_setup", + "io_submit", + "ioctl", + "ioprio_get", + "ioprio_set", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mount", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedsend", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "name_to_handle_at", + "nanosleep", + "newfstatat", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "reboot", + "recv", + "recvfrom", + "recvmmsg", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_tgsigqueueinfo", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "set_robust_list", + "set_thread_area", + "set_tid_address", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "setsid", + "setsockopt", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigreturn", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "syslog", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_settime", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "umount", + "umount2", + "uname", + "unlink", + "unlinkat", + "unshare", + "utime", + "utimensat", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev", + }, + Action: ActAllow, + Args: []*Arg{}, + }, + { + Names: []string{"personality"}, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: 0x0, + Op: OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: 0x0008, + Op: OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: 0x20000, + Op: OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: 0x20008, + Op: OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: 0xffffffff, + Op: OpEqualTo, + }, + }, + }, + { + Names: []string{ + "sync_file_range2", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Arches: []string{"ppc64le"}, + }, + }, + { + Names: []string{ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Arches: []string{"arm", "arm64"}, + }, + }, + { + Names: []string{ + "arch_prctl", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Arches: []string{"amd64", "x32"}, + }, + }, + { + Names: []string{ + "modify_ldt", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Arches: []string{"amd64", "x32", "x86"}, + }, + }, + { + Names: []string{ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Arches: []string{"s390", "s390x"}, + }, + }, + { + Names: []string{ + "open_by_handle_at", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_DAC_READ_SEARCH"}, + }, + }, + { + Names: []string{ + "bpf", + "clone", + "fanotify_init", + "lookup_dcookie", + "mount", + "name_to_handle_at", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "umount", + "umount2", + "unshare", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + }, + }, + { + Names: []string{ + "clone", + }, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET, + ValueTwo: 0, + Op: OpMaskedEqual, + }, + }, + Excludes: Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + Arches: []string{"s390", "s390x"}, + }, + }, + { + Names: []string{ + "clone", + }, + Action: ActAllow, + Args: []*Arg{ + { + Index: 1, + Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET, + ValueTwo: 0, + Op: OpMaskedEqual, + }, + }, + Comment: "s390 parameter ordering for clone is different", + Includes: Filter{ + Arches: []string{"s390", "s390x"}, + }, + Excludes: Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + }, + }, + { + Names: []string{ + "reboot", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_BOOT"}, + }, + }, + { + Names: []string{ + "chroot", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_CHROOT"}, + }, + }, + { + Names: []string{ + "delete_module", + "init_module", + "finit_module", + "query_module", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_MODULE"}, + }, + }, + { + Names: []string{ + "get_mempolicy", + "mbind", + "name_to_handle_at", + "set_mempolicy", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_NICE"}, + }, + }, + { + Names: []string{ + "acct", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_PACCT"}, + }, + }, + { + Names: []string{ + "kcmp", + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_PTRACE"}, + }, + }, + { + Names: []string{ + "iopl", + "ioperm", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_RAWIO"}, + }, + }, + { + Names: []string{ + "settimeofday", + "stime", + "clock_settime", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_TIME"}, + }, + }, + { + Names: []string{ + "vhangup", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_TTY_CONFIG"}, + }, + }, + { + Names: []string{ + "socket", + }, + Action: ActErrno, + ErrnoRet: &einval, + Args: []*Arg{ + { + Index: 0, + Value: syscall.AF_NETLINK, + Op: OpEqualTo, + }, + { + Index: 2, + Value: syscall.NETLINK_AUDIT, + Op: OpEqualTo, + }, + }, + Excludes: Filter{ + Caps: []string{"CAP_AUDIT_WRITE"}, + }, + }, + { + Names: []string{ + "socket", + }, + Action: ActAllow, + Args: []*Arg{ + { + Index: 2, + Value: syscall.NETLINK_AUDIT, + Op: OpNotEqual, + }, + }, + Excludes: Filter{ + Caps: []string{"CAP_AUDIT_WRITE"}, + }, + }, + { + Names: []string{ + "socket", + }, + Action: ActAllow, + Args: []*Arg{ + { + Index: 0, + Value: syscall.AF_NETLINK, + Op: OpNotEqual, + }, + }, + Excludes: Filter{ + Caps: []string{"CAP_AUDIT_WRITE"}, + }, + }, + { + Names: []string{ + "socket", + }, + Action: ActAllow, + Args: []*Arg{ + { + Index: 2, + Value: syscall.NETLINK_AUDIT, + Op: OpNotEqual, + }, + }, + Excludes: Filter{ + Caps: []string{"CAP_AUDIT_WRITE"}, + }, + }, + { + Names: []string{ + "socket", + }, + Action: ActAllow, + Includes: Filter{ + Caps: []string{"CAP_AUDIT_WRITE"}, + }, + }, + } + + return &Seccomp{ + DefaultAction: ActErrno, + ArchMap: arches(), + Syscalls: syscalls, + } +} diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go b/vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go new file mode 100644 index 000000000..5655a7572 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp_linux.go @@ -0,0 +1,183 @@ +// +build seccomp + +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + +package seccomp + +import ( + "encoding/json" + "errors" + "fmt" + + "github.com/opencontainers/runtime-spec/specs-go" + libseccomp "github.com/seccomp/libseccomp-golang" +) + +//go:generate go run -tags 'seccomp' generate.go + +// GetDefaultProfile returns the default seccomp profile. +func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) { + return setupSeccomp(DefaultProfile(), rs) +} + +// LoadProfile takes a json string and decodes the seccomp profile. +func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + var config Seccomp + if err := json.Unmarshal([]byte(body), &config); err != nil { + return nil, fmt.Errorf("decoding seccomp profile failed: %v", err) + } + return setupSeccomp(&config, rs) +} + +// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile. +func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + config := &Seccomp{} + if err := json.Unmarshal(body, config); err != nil { + return nil, fmt.Errorf("decoding seccomp profile failed: %v", err) + } + return setupSeccomp(config, rs) +} + +// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp +func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) { + return setupSeccomp(config, specgen) +} + +var nativeToSeccomp = map[string]Arch{ + "amd64": ArchX86_64, + "arm64": ArchAARCH64, + "mips64": ArchMIPS64, + "mips64n32": ArchMIPS64N32, + "mipsel64": ArchMIPSEL64, + "mipsel64n32": ArchMIPSEL64N32, + "s390x": ArchS390X, +} + +// inSlice tests whether a string is contained in a slice of strings or not. +// Comparison is case sensitive +func inSlice(slice []string, s string) bool { + for _, ss := range slice { + if s == ss { + return true + } + } + return false +} + +func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + if config == nil { + return nil, nil + } + + // No default action specified, no syscalls listed, assume seccomp disabled + if config.DefaultAction == "" && len(config.Syscalls) == 0 { + return nil, nil + } + + newConfig := &specs.LinuxSeccomp{} + + var arch string + var native, err = libseccomp.GetNativeArch() + if err == nil { + arch = native.String() + } + + if len(config.Architectures) != 0 && len(config.ArchMap) != 0 { + return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'") + } + + // if config.Architectures == 0 then libseccomp will figure out the architecture to use + if len(config.Architectures) != 0 { + for _, a := range config.Architectures { + newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a)) + } + } + + if len(config.ArchMap) != 0 { + for _, a := range config.ArchMap { + seccompArch, ok := nativeToSeccomp[arch] + if ok { + if a.Arch == seccompArch { + newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch)) + for _, sa := range a.SubArches { + newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa)) + } + break + } + } + } + } + + newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction) + +Loop: + // Loop through all syscall blocks and convert them to libcontainer format after filtering them + for _, call := range config.Syscalls { + if len(call.Excludes.Arches) > 0 { + if inSlice(call.Excludes.Arches, arch) { + continue Loop + } + } + if len(call.Excludes.Caps) > 0 { + for _, c := range call.Excludes.Caps { + if inSlice(rs.Process.Capabilities.Bounding, c) { + continue Loop + } + } + } + if len(call.Includes.Arches) > 0 { + if !inSlice(call.Includes.Arches, arch) { + continue Loop + } + } + if len(call.Includes.Caps) > 0 { + for _, c := range call.Includes.Caps { + if !inSlice(rs.Process.Capabilities.Bounding, c) { + continue Loop + } + } + } + + if call.Name != "" && len(call.Names) != 0 { + return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") + } + + if call.Name != "" { + newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args, call.ErrnoRet)) + } + + if len(call.Names) > 0 { + newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args, call.ErrnoRet)) + } + } + + return newConfig, nil +} + +func createSpecsSyscall(names []string, action Action, args []*Arg, errnoRet *uint) specs.LinuxSyscall { + newCall := specs.LinuxSyscall{ + Names: names, + Action: specs.LinuxSeccompAction(action), + ErrnoRet: errnoRet, + } + + // Loop through all the arguments of the syscall and convert them + for _, arg := range args { + newArg := specs.LinuxSeccompArg{ + Index: arg.Index, + Value: arg.Value, + ValueTwo: arg.ValueTwo, + Op: specs.LinuxSeccompOperator(arg.Op), + } + + newCall.Args = append(newCall.Args, newArg) + } + return newCall +} + +// IsEnabled returns true if seccomp is enabled for the host. +func IsEnabled() bool { + return IsSupported() +} diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go b/vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go new file mode 100644 index 000000000..84a4c6ed5 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go @@ -0,0 +1,40 @@ +// +build !seccomp + +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + +package seccomp + +import ( + "errors" + + "github.com/opencontainers/runtime-spec/specs-go" +) + +var errNotSupported = errors.New("seccomp not enabled in this build") + +// LoadProfile returns an error on unsuppored systems +func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + return nil, errNotSupported +} + +// GetDefaultProfile returns an error on unsuppored systems +func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) { + return nil, errNotSupported +} + +// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile. +func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + return nil, errNotSupported +} + +// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp +func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) { + return nil, errNotSupported +} + +// IsEnabled returns true if seccomp is enabled for the host. +func IsEnabled() bool { + return false +} diff --git a/vendor/github.com/containers/common/pkg/seccomp/supported.go b/vendor/github.com/containers/common/pkg/seccomp/supported.go new file mode 100644 index 000000000..ab2a94a73 --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/supported.go @@ -0,0 +1,72 @@ +package seccomp + +import ( + "bufio" + "errors" + "os" + "strings" + + perrors "github.com/pkg/errors" + "golang.org/x/sys/unix" +) + +const statusFilePath = "/proc/self/status" + +// IsSupported returns true if the system has been configured to support +// seccomp. +func IsSupported() bool { + // Since Linux 3.8, the Seccomp field of the /proc/[pid]/status file + // provides a method of obtaining the same information, without the risk + // that the process is killed; see proc(5). + status, err := parseStatusFile(statusFilePath) + if err == nil { + _, ok := status["Seccomp"] + return ok + } + + // PR_GET_SECCOMP (since Linux 2.6.23) + // Return (as the function result) the secure computing mode of the calling + // thread. If the caller is not in secure computing mode, this operation + // returns 0; if the caller is in strict secure computing mode, then the + // prctl() call will cause a SIGKILL signal to be sent to the process. If + // the caller is in filter mode, and this system call is allowed by the + // seccomp filters, it returns 2; otherwise, the process is killed with a + // SIGKILL signal. This operation is available only if the kernel is + // configured with CONFIG_SECCOMP enabled. + if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); !errors.Is(err, unix.EINVAL) { + // Make sure the kernel has CONFIG_SECCOMP_FILTER. + if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); !errors.Is(err, unix.EINVAL) { + return true + } + } + + return false +} + +// parseStatusFile reads the provided `file` into a map of strings. +func parseStatusFile(file string) (map[string]string, error) { + f, err := os.Open(file) + if err != nil { + return nil, perrors.Wrapf(err, "open status file %s", file) + } + defer f.Close() + + status := make(map[string]string) + scanner := bufio.NewScanner(f) + for scanner.Scan() { + text := scanner.Text() + parts := strings.SplitN(text, ":", 2) + + if len(parts) <= 1 { + continue + } + + status[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1]) + } + + if err := scanner.Err(); err != nil { + return nil, perrors.Wrapf(err, "scan status file %s", file) + } + + return status, nil +} diff --git a/vendor/github.com/containers/common/pkg/seccomp/types.go b/vendor/github.com/containers/common/pkg/seccomp/types.go new file mode 100644 index 000000000..7b0436dfc --- /dev/null +++ b/vendor/github.com/containers/common/pkg/seccomp/types.go @@ -0,0 +1,110 @@ +package seccomp + +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + +// Seccomp represents the config for a seccomp profile for syscall restriction. +type Seccomp struct { + DefaultAction Action `json:"defaultAction"` + // Architectures is kept to maintain backward compatibility with the old + // seccomp profile. + Architectures []Arch `json:"architectures,omitempty"` + ArchMap []Architecture `json:"archMap,omitempty"` + Syscalls []*Syscall `json:"syscalls"` +} + +// Architecture is used to represent a specific architecture +// and its sub-architectures +type Architecture struct { + Arch Arch `json:"architecture"` + SubArches []Arch `json:"subArchitectures"` +} + +// Arch used for architectures +type Arch string + +// Additional architectures permitted to be used for system calls +// By default only the native architecture of the kernel is permitted +const ( + ArchNative Arch = "SCMP_ARCH_NATIVE" + ArchX86 Arch = "SCMP_ARCH_X86" + ArchX86_64 Arch = "SCMP_ARCH_X86_64" + ArchX32 Arch = "SCMP_ARCH_X32" + ArchARM Arch = "SCMP_ARCH_ARM" + ArchAARCH64 Arch = "SCMP_ARCH_AARCH64" + ArchMIPS Arch = "SCMP_ARCH_MIPS" + ArchMIPS64 Arch = "SCMP_ARCH_MIPS64" + ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32" + ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL" + ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64" + ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32" + ArchPPC Arch = "SCMP_ARCH_PPC" + ArchPPC64 Arch = "SCMP_ARCH_PPC64" + ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE" + ArchS390 Arch = "SCMP_ARCH_S390" + ArchS390X Arch = "SCMP_ARCH_S390X" + ArchPARISC Arch = "SCMP_ARCH_PARISC" + ArchPARISC64 Arch = "SCMP_ARCH_PARISC64" + ArchRISCV64 Arch = "SCMP_ARCH_RISCV64" +) + +// Action taken upon Seccomp rule match +type Action string + +// Define actions for Seccomp rules +const ( + // ActKill results in termination of the thread that made the system call. + ActKill Action = "SCMP_ACT_KILL" + // ActKillProcess results in termination of the entire process. + ActKillProcess Action = "SCMP_ACT_KILL_PROCESS" + // ActKillThread kills the thread that violated the rule. It is the same as + // ActKill. All other threads from the same thread group will continue to + // execute. + ActKillThread Action = "SCMP_ACT_KILL_THREAD" + ActTrap Action = "SCMP_ACT_TRAP" + ActErrno Action = "SCMP_ACT_ERRNO" + ActTrace Action = "SCMP_ACT_TRACE" + ActAllow Action = "SCMP_ACT_ALLOW" + ActLog Action = "SCMP_ACT_LOG" +) + +// Operator used to match syscall arguments in Seccomp +type Operator string + +// Define operators for syscall arguments in Seccomp +const ( + OpNotEqual Operator = "SCMP_CMP_NE" + OpLessThan Operator = "SCMP_CMP_LT" + OpLessEqual Operator = "SCMP_CMP_LE" + OpEqualTo Operator = "SCMP_CMP_EQ" + OpGreaterEqual Operator = "SCMP_CMP_GE" + OpGreaterThan Operator = "SCMP_CMP_GT" + OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ" +) + +// Arg used for matching specific syscall arguments in Seccomp +type Arg struct { + Index uint `json:"index"` + Value uint64 `json:"value"` + ValueTwo uint64 `json:"valueTwo"` + Op Operator `json:"op"` +} + +// Filter is used to conditionally apply Seccomp rules +type Filter struct { + Caps []string `json:"caps,omitempty"` + Arches []string `json:"arches,omitempty"` +} + +// Syscall is used to match a group of syscalls in Seccomp +type Syscall struct { + Name string `json:"name,omitempty"` + Names []string `json:"names,omitempty"` + Action Action `json:"action"` + Args []*Arg `json:"args"` + Comment string `json:"comment"` + Includes Filter `json:"includes"` + Excludes Filter `json:"excludes"` + ErrnoRet *uint `json:"errnoRet,omitempty"` +} diff --git a/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go b/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go index fcb3cab72..1935d71f1 100644 --- a/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go +++ b/vendor/github.com/containers/common/pkg/sysinfo/sysinfo_linux.go @@ -1,7 +1,6 @@ package sysinfo import ( - "fmt" "io/ioutil" "os" "path" @@ -9,6 +8,7 @@ import ( "github.com/containers/common/pkg/cgroupv2" "github.com/opencontainers/runc/libcontainer/cgroups" + "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" ) @@ -16,7 +16,7 @@ import ( func findCgroupMountpoints() (map[string]string, error) { cgMounts, err := cgroups.GetCgroupMounts(false) if err != nil { - return nil, fmt.Errorf("failed to parse cgroup information: %v", err) + return nil, errors.Wrap(err, "parse cgroup information") } mps := make(map[string]string) for _, m := range cgMounts { @@ -253,8 +253,8 @@ func cgroupEnabled(mountPoint, name string) bool { return err == nil } -func readProcBool(path string) bool { - val, err := ioutil.ReadFile(path) +func readProcBool(file string) bool { + val, err := ioutil.ReadFile(file) if err != nil { return false } diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 536e88076..ef9a947f0 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.20.3" +const Version = "0.20.4-dev" diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml index fe611f085..6ba46ebbb 100644 --- a/vendor/github.com/containers/storage/.cirrus.yml +++ b/vendor/github.com/containers/storage/.cirrus.yml @@ -106,7 +106,7 @@ lint_task: env: CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage" container: - image: golang:1.13 + image: golang:1.15 modules_cache: fingerprint_script: cat go.sum folder: $GOPATH/pkg/mod @@ -142,7 +142,7 @@ meta_task: vendor_task: container: - image: golang:1.14 + image: golang:1.15 modules_cache: fingerprint_script: cat go.sum folder: $GOPATH/pkg/mod @@ -157,6 +157,6 @@ success_task: - meta - vendor container: - image: golang:1.14 + image: golang:1.15 clone_script: 'mkdir -p "$CIRRUS_WORKING_DIR"' # Source code not needed script: /bin/true diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION index 4d1e5d262..14bee92c9 100644 --- a/vendor/github.com/containers/storage/VERSION +++ b/vendor/github.com/containers/storage/VERSION @@ -1 +1 @@ -1.23.1-dev +1.23.2 diff --git a/vendor/github.com/containers/storage/drivers/copy/copy_linux.go b/vendor/github.com/containers/storage/drivers/copy/copy_linux.go index c00b9e47d..1e380a5ac 100644 --- a/vendor/github.com/containers/storage/drivers/copy/copy_linux.go +++ b/vendor/github.com/containers/storage/drivers/copy/copy_linux.go @@ -143,10 +143,6 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error { } dstPath := filepath.Join(dstDir, relPath) - if err != nil { - return err - } - stat, ok := f.Sys().(*syscall.Stat_t) if !ok { return fmt.Errorf("Unable to get raw syscall.Stat_t data for %s", srcPath) diff --git a/vendor/github.com/containers/storage/drivers/counter.go b/vendor/github.com/containers/storage/drivers/counter.go index 72551a38d..3fc45495b 100644 --- a/vendor/github.com/containers/storage/drivers/counter.go +++ b/vendor/github.com/containers/storage/drivers/counter.go @@ -51,6 +51,10 @@ func (c *RefCounter) incdec(path string, infoOp func(minfo *minfo)) int { if c.checker.IsMounted(path) { m.count++ } + } else if !c.checker.IsMounted(path) { + // if the unmount was performed outside of this process (e.g. conmon cleanup) + //the ref counter would lose track of it. Check if it is still mounted. + m.count = 0 } infoOp(m) count := m.count diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go index fc7010645..1de771bb0 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go +++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go @@ -274,22 +274,28 @@ func parseOptions(options []string) (*overlayOptions, error) { if err != nil { return nil, err } - key = strings.ToLower(key) - switch key { - case ".override_kernel_check", "overlay.override_kernel_check", "overlay2.override_kernel_check": + trimkey := strings.ToLower(key) + trimkey = strings.TrimPrefix(trimkey, "overlay.") + trimkey = strings.TrimPrefix(trimkey, "overlay2.") + trimkey = strings.TrimPrefix(trimkey, ".") + switch trimkey { + case "override_kernel_check": logrus.Warnf("overlay: override_kernel_check option was specified, but is no longer necessary") - case ".mountopt", "overlay.mountopt", "overlay2.mountopt": + case "mountopt": o.mountOptions = val - case ".size", "overlay.size", "overlay2.size": + case "size": logrus.Debugf("overlay: size=%s", val) size, err := units.RAMInBytes(val) if err != nil { return nil, err } o.quota.Size = uint64(size) - case ".imagestore", "overlay.imagestore", "overlay2.imagestore": + case "imagestore", "additionalimagestore": logrus.Debugf("overlay: imagestore=%s", val) // Additional read only image stores to use for lower paths + if val == "" { + continue + } for _, store := range strings.Split(val, ",") { store = filepath.Clean(store) if !filepath.IsAbs(store) { @@ -304,17 +310,17 @@ func parseOptions(options []string) (*overlayOptions, error) { } o.imageStores = append(o.imageStores, store) } - case ".mount_program", "overlay.mount_program", "overlay2.mount_program": + case "mount_program": logrus.Debugf("overlay: mount_program=%s", val) _, err := os.Stat(val) if err != nil { return nil, fmt.Errorf("overlay: can't stat program %s: %v", val, err) } o.mountProgram = val - case "overlay2.skip_mount_home", "overlay.skip_mount_home", ".skip_mount_home": + case "skip_mount_home": logrus.Debugf("overlay: skip_mount_home=%s", val) o.skipMountHome, err = strconv.ParseBool(val) - case ".ignore_chown_errors", "overlay2.ignore_chown_errors", "overlay.ignore_chown_errors": + case "ignore_chown_errors": logrus.Debugf("overlay: ignore_chown_errors=%s", val) o.ignoreChownErrors, err = strconv.ParseBool(val) if err != nil { diff --git a/vendor/github.com/containers/storage/go.mod b/vendor/github.com/containers/storage/go.mod index 36101194e..77eef7598 100644 --- a/vendor/github.com/containers/storage/go.mod +++ b/vendor/github.com/containers/storage/go.mod @@ -1,3 +1,5 @@ +go 1.15 + module github.com/containers/storage require ( @@ -6,7 +8,7 @@ require ( github.com/Microsoft/hcsshim v0.8.9 github.com/docker/go-units v0.4.0 github.com/hashicorp/go-multierror v1.1.0 - github.com/klauspost/compress v1.10.10 + github.com/klauspost/compress v1.10.11 github.com/klauspost/pgzip v1.2.4 github.com/mattn/go-shellwords v1.0.10 github.com/mistifyio/go-zfs v2.1.1+incompatible @@ -25,5 +27,3 @@ require ( golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775 gotest.tools v2.2.0+incompatible ) - -go 1.13 diff --git a/vendor/github.com/containers/storage/go.sum b/vendor/github.com/containers/storage/go.sum index d9b0d6396..04d48eb4f 100644 --- a/vendor/github.com/containers/storage/go.sum +++ b/vendor/github.com/containers/storage/go.sum @@ -62,8 +62,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I= -github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.10.11 h1:K9z59aO18Aywg2b/WSgBaUX99mHy2BES18Cr5lBKZHk= +github.com/klauspost/compress v1.10.11/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/pgzip v1.2.4 h1:TQ7CNpYKovDOmqzRHKxJh0BeaBI7UdQZYc6p7pMQh1A= github.com/klauspost/pgzip v1.2.4/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go index 937bf8c3a..2a34c84cc 100644 --- a/vendor/github.com/containers/storage/store.go +++ b/vendor/github.com/containers/storage/store.go @@ -2630,6 +2630,9 @@ func (s *store) mount(id string, options drivers.MountOpts) (string, error) { if err != nil { return "", err } + + s.graphLock.Lock() + defer s.graphLock.Unlock() rlstore.Lock() defer rlstore.Unlock() if modified, err := rlstore.Modified(); modified || err != nil { diff --git a/vendor/github.com/klauspost/compress/huff0/bitwriter.go b/vendor/github.com/klauspost/compress/huff0/bitwriter.go index bda4021ef..6bce4e87d 100644 --- a/vendor/github.com/klauspost/compress/huff0/bitwriter.go +++ b/vendor/github.com/klauspost/compress/huff0/bitwriter.go @@ -43,6 +43,11 @@ func (b *bitWriter) addBits16Clean(value uint16, bits uint8) { func (b *bitWriter) encSymbol(ct cTable, symbol byte) { enc := ct[symbol] b.bitContainer |= uint64(enc.val) << (b.nBits & 63) + if false { + if enc.nBits == 0 { + panic("nbits 0") + } + } b.nBits += enc.nBits } @@ -54,6 +59,14 @@ func (b *bitWriter) encTwoSymbols(ct cTable, av, bv byte) { sh := b.nBits & 63 combined := uint64(encA.val) | (uint64(encB.val) << (encA.nBits & 63)) b.bitContainer |= combined << sh + if false { + if encA.nBits == 0 { + panic("nbitsA 0") + } + if encB.nBits == 0 { + panic("nbitsB 0") + } + } b.nBits += encA.nBits + encB.nBits } diff --git a/vendor/github.com/klauspost/compress/huff0/compress.go b/vendor/github.com/klauspost/compress/huff0/compress.go index 0843cb014..f9ed5f830 100644 --- a/vendor/github.com/klauspost/compress/huff0/compress.go +++ b/vendor/github.com/klauspost/compress/huff0/compress.go @@ -77,8 +77,11 @@ func compress(in []byte, s *Scratch, compressor func(src []byte) ([]byte, error) // Each symbol present maximum once or too well distributed. return nil, false, ErrIncompressible } - - if s.Reuse == ReusePolicyPrefer && canReuse { + if s.Reuse == ReusePolicyMust && !canReuse { + // We must reuse, but we can't. + return nil, false, ErrIncompressible + } + if (s.Reuse == ReusePolicyPrefer || s.Reuse == ReusePolicyMust) && canReuse { keepTable := s.cTable keepTL := s.actualTableLog s.cTable = s.prevTable @@ -90,6 +93,9 @@ func compress(in []byte, s *Scratch, compressor func(src []byte) ([]byte, error) s.OutData = s.Out return s.Out, true, nil } + if s.Reuse == ReusePolicyMust { + return nil, false, ErrIncompressible + } // Do not attempt to re-use later. s.prevTable = s.prevTable[:0] } diff --git a/vendor/github.com/klauspost/compress/huff0/decompress.go b/vendor/github.com/klauspost/compress/huff0/decompress.go index a03b2634a..41703bba4 100644 --- a/vendor/github.com/klauspost/compress/huff0/decompress.go +++ b/vendor/github.com/klauspost/compress/huff0/decompress.go @@ -32,7 +32,7 @@ const use8BitTables = true // The size of the input may be larger than the table definition. // Any content remaining after the table definition will be returned. // If no Scratch is provided a new one is allocated. -// The returned Scratch can be used for decoding input using this table. +// The returned Scratch can be used for encoding or decoding input using this table. func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) { s, err = s.prepare(in) if err != nil { @@ -58,8 +58,8 @@ func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) { s.symbolLen = uint16(oSize) in = in[iSize:] } else { - if len(in) <= int(iSize) { - return s, nil, errors.New("input too small for table") + if len(in) < int(iSize) { + return s, nil, fmt.Errorf("input too small for table, want %d bytes, have %d", iSize, len(in)) } // FSE compressed weights s.fse.DecompressLimit = 255 @@ -138,15 +138,33 @@ func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) { if len(s.dt.single) != tSize { s.dt.single = make([]dEntrySingle, tSize) } + cTable := s.prevTable + if cap(cTable) < maxSymbolValue+1 { + cTable = make([]cTableEntry, 0, maxSymbolValue+1) + } + cTable = cTable[:maxSymbolValue+1] + s.prevTable = cTable[:s.symbolLen] + s.prevTableLog = s.actualTableLog + for n, w := range s.huffWeight[:s.symbolLen] { if w == 0 { + cTable[n] = cTableEntry{ + val: 0, + nBits: 0, + } continue } length := (uint32(1) << w) >> 1 d := dEntrySingle{ entry: uint16(s.actualTableLog+1-w) | (uint16(n) << 8), } + rank := &rankStats[w] + cTable[n] = cTableEntry{ + val: uint16(*rank >> (w - 1)), + nBits: uint8(d.entry), + } + single := s.dt.single[*rank : *rank+length] for i := range single { single[i] = d diff --git a/vendor/github.com/klauspost/compress/huff0/huff0.go b/vendor/github.com/klauspost/compress/huff0/huff0.go index 177d6c4ea..5dd66854b 100644 --- a/vendor/github.com/klauspost/compress/huff0/huff0.go +++ b/vendor/github.com/klauspost/compress/huff0/huff0.go @@ -55,6 +55,9 @@ const ( // ReusePolicyNone will disable re-use of tables. // This is slightly faster than ReusePolicyAllow but may produce larger output. ReusePolicyNone + + // ReusePolicyMust must allow reuse and produce smaller output. + ReusePolicyMust ) type Scratch struct { diff --git a/vendor/github.com/klauspost/compress/zstd/blockenc.go b/vendor/github.com/klauspost/compress/zstd/blockenc.go index c584f6aab..be718afd4 100644 --- a/vendor/github.com/klauspost/compress/zstd/blockenc.go +++ b/vendor/github.com/klauspost/compress/zstd/blockenc.go @@ -295,7 +295,7 @@ func (b *blockEnc) encodeRaw(a []byte) { b.output = bh.appendTo(b.output[:0]) b.output = append(b.output, a...) if debug { - println("Adding RAW block, length", len(a)) + println("Adding RAW block, length", len(a), "last:", b.last) } } @@ -308,7 +308,7 @@ func (b *blockEnc) encodeRawTo(dst, src []byte) []byte { dst = bh.appendTo(dst) dst = append(dst, src...) if debug { - println("Adding RAW block, length", len(src)) + println("Adding RAW block, length", len(src), "last:", b.last) } return dst } @@ -322,7 +322,7 @@ func (b *blockEnc) encodeLits(raw bool) error { // Don't compress extremely small blocks if len(b.literals) < 32 || raw { if debug { - println("Adding RAW block, length", len(b.literals)) + println("Adding RAW block, length", len(b.literals), "last:", b.last) } bh.setType(blockTypeRaw) b.output = bh.appendTo(b.output) @@ -349,7 +349,7 @@ func (b *blockEnc) encodeLits(raw bool) error { switch err { case huff0.ErrIncompressible: if debug { - println("Adding RAW block, length", len(b.literals)) + println("Adding RAW block, length", len(b.literals), "last:", b.last) } bh.setType(blockTypeRaw) b.output = bh.appendTo(b.output) diff --git a/vendor/github.com/klauspost/compress/zstd/encoder.go b/vendor/github.com/klauspost/compress/zstd/encoder.go index c56d2241f..95ebc3d84 100644 --- a/vendor/github.com/klauspost/compress/zstd/encoder.go +++ b/vendor/github.com/klauspost/compress/zstd/encoder.go @@ -190,6 +190,7 @@ func (e *Encoder) nextBlock(final bool) error { s.filling = s.filling[:0] s.headerWritten = true s.fullFrameWritten = true + s.eofWritten = true return nil } diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml new file mode 100644 index 000000000..feef144d1 --- /dev/null +++ b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml @@ -0,0 +1,37 @@ +# Travis CI configuration for libseccomp-golang + +# https://docs.travis-ci.com/user/reference/bionic +# https://wiki.ubuntu.com/Releases + +dist: bionic +sudo: false + +notifications: + email: + on_success: always + on_failure: always + +arch: + - amd64 + +os: + - linux + +language: go + +addons: + apt: + packages: + - build-essential + # TODO: use the main libseccomp git repo instead of a distro package + - libseccomp2 + - libseccomp-dev + +install: + - go get -u golang.org/x/lint/golint + +# run all of the tests independently, fail if any of the tests error +script: + - make check-syntax + - make lint + - make check diff --git a/vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES b/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md index 744e5cd64..d6862cbd5 100644 --- a/vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES +++ b/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md @@ -8,11 +8,11 @@ to the rules described here, but by following the instructions below you should have a much easier time getting your work merged with the upstream project. -* Test Your Code +## Test Your Code Using Existing Tests -There are two possible tests you can run to verify your code. The first test -is used to check the formatting and coding style of your changes, you can run -the test with the following command: +There are two possible tests you can run to verify your code. The first +test is used to check the formatting and coding style of your changes, you +can run the test with the following command: # make check-syntax @@ -27,30 +27,13 @@ with the following command: ... if there are any faults or errors they will be displayed. -* Generate the Patch(es) +## Add New Tests for New Functionality -Depending on how you decided to work with the libseccomp code base and what -tools you are using there are different ways to generate your patch(es). -However, regardless of what tools you use, you should always generate your -patches using the "unified" diff/patch format and the patches should always -apply to the libseccomp source tree using the following command from the top -directory of the libseccomp sources: +Any submissions which add functionality, or significantly change the existing +code, should include additional tests to verify the proper operation of the +proposed changes. - # patch -p1 < changes.patch - -If you are not using git, stacked git (stgit), or some other tool which can -generate patch files for you automatically, you may find the following command -helpful in generating patches, where "libseccomp.orig/" is the unmodified -source code directory and "libseccomp/" is the source code directory with your -changes: - - # diff -purN libseccomp-golang.orig/ libseccomp-golang/ - -When in doubt please generate your patch and try applying it to an unmodified -copy of the libseccomp sources; if it fails for you, it will fail for the rest -of us. - -* Explain Your Work +## Explain Your Work At the top of every patch you should include a description of the problem you are trying to solve, how you solved it, and why you chose the solution you @@ -59,7 +42,7 @@ if you can describe/include a reproducer for the problem in the description as well as instructions on how to test for the bug and verify that it has been fixed. -* Sign Your Work +## Sign Your Work The sign-off is a simple line at the end of the patch description, which certifies that you wrote it or otherwise have the right to pass it on as an @@ -97,16 +80,49 @@ your real name, saying: Signed-off-by: Random J Developer <random@developer.example.org> -* Email Your Patch(es) +You can add this to your commit description in `git` with `git commit -s` + +## Post Your Patches Upstream + +The libseccomp project accepts both GitHub pull requests and patches sent via +the mailing list. GitHub pull requests are preferred. This sections below +explain how to contribute via either method. Please read each step and perform +all steps that apply to your chosen contribution method. + +### Submitting via Email + +Depending on how you decided to work with the libseccomp code base and what +tools you are using there are different ways to generate your patch(es). +However, regardless of what tools you use, you should always generate your +patches using the "unified" diff/patch format and the patches should always +apply to the libseccomp source tree using the following command from the top +directory of the libseccomp sources: + + # patch -p1 < changes.patch + +If you are not using git, stacked git (stgit), or some other tool which can +generate patch files for you automatically, you may find the following command +helpful in generating patches, where "libseccomp.orig/" is the unmodified +source code directory and "libseccomp/" is the source code directory with your +changes: + + # diff -purN libseccomp.orig/ libseccomp/ + +When in doubt please generate your patch and try applying it to an unmodified +copy of the libseccomp sources; if it fails for you, it will fail for the rest +of us. Finally, you will need to email your patches to the mailing list so they can -be reviewed and potentially merged into the main libseccomp-golang repository. -When sending patches to the mailing list it is important to send your email in -text form, no HTML mail please, and ensure that your email client does not -mangle your patches. It should be possible to save your raw email to disk and -apply it directly to the libseccomp source code; if that fails then you likely -have a problem with your email client. When in doubt try a test first by -sending yourself an email with your patch and attempting to apply the emailed -patch to the libseccomp-golang repository; if it fails for you, it will fail -for the rest of us trying to test your patch and include it in the main -libseccomp-golang repository. +be reviewed and potentially merged into the main libseccomp repository. When +sending patches to the mailing list it is important to send your email in text +form, no HTML mail please, and ensure that your email client does not mangle +your patches. It should be possible to save your raw email to disk and apply +it directly to the libseccomp source code; if that fails then you likely have +a problem with your email client. When in doubt try a test first by sending +yourself an email with your patch and attempting to apply the emailed patch to +the libseccomp repository; if it fails for you, it will fail for the rest of +us trying to test your patch and include it in the main libseccomp repository. + +### Submitting via GitHub + +See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before. diff --git a/vendor/github.com/seccomp/libseccomp-golang/README b/vendor/github.com/seccomp/libseccomp-golang/README.md index 66839a466..27423f2d9 100644 --- a/vendor/github.com/seccomp/libseccomp-golang/README +++ b/vendor/github.com/seccomp/libseccomp-golang/README.md @@ -1,7 +1,8 @@ -libseccomp-golang: Go Language Bindings for the libseccomp Project +![libseccomp Golang Bindings](https://github.com/seccomp/libseccomp-artwork/blob/main/logo/libseccomp-color_text.png) =============================================================================== https://github.com/seccomp/libseccomp-golang -https://github.com/seccomp/libseccomp + +[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/master.svg)](https://travis-ci.org/seccomp/libseccomp-golang) The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is @@ -12,40 +13,39 @@ be familiar to, and easily adopted by, application developers. The libseccomp-golang library provides a Go based interface to the libseccomp library. -* Online Resources +## Online Resources The library source repository currently lives on GitHub at the following URLs: - -> https://github.com/seccomp/libseccomp-golang - -> https://github.com/seccomp/libseccomp +* https://github.com/seccomp/libseccomp-golang +* https://github.com/seccomp/libseccomp The project mailing list is currently hosted on Google Groups at the URL below, please note that a Google account is not required to subscribe to the mailing list. - -> https://groups.google.com/d/forum/libseccomp +* https://groups.google.com/d/forum/libseccomp Documentation is also available at: - -> https://godoc.org/github.com/seccomp/libseccomp-golang +* https://godoc.org/github.com/seccomp/libseccomp-golang -* Installing the package +## Installing the package The libseccomp-golang bindings require at least Go v1.2.1 and GCC v4.8.4; earlier versions may yield unpredictable results. If you meet these requirements you can install this package using the command below: - $ go get github.com/seccomp/libseccomp-golang + # go get github.com/seccomp/libseccomp-golang -* Testing the Library +## Testing the Library A number of tests and lint related recipes are provided in the Makefile, if you want to run the standard regression tests, you can excute the following: - $ make check + # make check In order to execute the 'make lint' recipe the 'golint' tool is needed, it can be found at: - -> https://github.com/golang/lint - +* https://github.com/golang/lint diff --git a/vendor/github.com/seccomp/libseccomp-golang/go.mod b/vendor/github.com/seccomp/libseccomp-golang/go.mod new file mode 100644 index 000000000..6384b3769 --- /dev/null +++ b/vendor/github.com/seccomp/libseccomp-golang/go.mod @@ -0,0 +1,3 @@ +module github.com/seccomp/libseccomp-golang + +go 1.14 diff --git a/vendor/github.com/seccomp/libseccomp-golang/go.sum b/vendor/github.com/seccomp/libseccomp-golang/go.sum new file mode 100644 index 000000000..72ae16111 --- /dev/null +++ b/vendor/github.com/seccomp/libseccomp-golang/go.sum @@ -0,0 +1,23 @@ +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7 h1:EBZoQjiKKPaLbPrbpssUfuHtwM6KV/vb4U85g/cigFY= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200313205530-4303120df7d8 h1:gkI/wGGwpcG5W4hLCzZNGxA4wzWBGGDStRI1MrjDl2Q= +golang.org/x/tools v0.0.0-20200313205530-4303120df7d8/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go index a3cc53822..e489b9ebd 100644 --- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go +++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go @@ -125,7 +125,8 @@ const ( // ActInvalid is a placeholder to ensure uninitialized ScmpAction // variables are invalid ActInvalid ScmpAction = iota - // ActKill kills the process + // ActKill kills the thread that violated the rule. It is the same as ActKillThread. + // All other threads from the same thread group will continue to execute. ActKill ScmpAction = iota // ActTrap throws SIGSYS ActTrap ScmpAction = iota @@ -141,6 +142,14 @@ const ( // This action is only usable when libseccomp API level 3 or higher is // supported. ActLog ScmpAction = iota + // ActKillThread kills the thread that violated the rule. It is the same as ActKill. + // All other threads from the same thread group will continue to execute. + ActKillThread ScmpAction = iota + // ActKillProcess kills the process that violated the rule. + // All threads in the thread group are also terminated. + // This action is only usable when libseccomp API level 3 or higher is + // supported. + ActKillProcess ScmpAction = iota ) const ( @@ -290,8 +299,10 @@ func (a ScmpCompareOp) String() string { // String returns a string representation of a seccomp match action func (a ScmpAction) String() string { switch a & 0xFFFF { - case ActKill: - return "Action: Kill Process" + case ActKill, ActKillThread: + return "Action: Kill thread" + case ActKillProcess: + return "Action: Kill process" case ActTrap: return "Action: Send SIGSYS" case ActErrno: @@ -334,23 +345,23 @@ func GetLibraryVersion() (major, minor, micro uint) { return verMajor, verMinor, verMicro } -// GetApi returns the API level supported by the system. +// GetAPI returns the API level supported by the system. // Returns a positive int containing the API level, or 0 with an error if the // API level could not be detected due to the library being older than v2.4.0. // See the seccomp_api_get(3) man page for details on available API levels: // https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3 -func GetApi() (uint, error) { - return getApi() +func GetAPI() (uint, error) { + return getAPI() } -// SetApi forcibly sets the API level. General use of this function is strongly +// SetAPI forcibly sets the API level. General use of this function is strongly // discouraged. // Returns an error if the API level could not be set. An error is always // returned if the library is older than v2.4.0 // See the seccomp_api_get(3) man page for details on available API levels: // https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3 -func SetApi(api uint) error { - return setApi(api) +func SetAPI(api uint) error { + return setAPI(api) } // Syscall functions @@ -552,9 +563,8 @@ func (f *ScmpFilter) Reset(defaultAction ScmpAction) error { return errBadFilter } - retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative()) - if retCode != 0 { - return syscall.Errno(-1 * retCode) + if retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative()); retCode != 0 { + return errRc(retCode) } return nil @@ -600,11 +610,12 @@ func (f *ScmpFilter) Merge(src *ScmpFilter) error { } // Merge the filters - retCode := C.seccomp_merge(f.filterCtx, src.filterCtx) - if syscall.Errno(-1*retCode) == syscall.EINVAL { - return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter") - } else if retCode != 0 { - return syscall.Errno(-1 * retCode) + if retCode := C.seccomp_merge(f.filterCtx, src.filterCtx); retCode != 0 { + e := errRc(retCode) + if e == syscall.EINVAL { + return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter") + } + return e } src.valid = false @@ -633,12 +644,13 @@ func (f *ScmpFilter) IsArchPresent(arch ScmpArch) (bool, error) { return false, errBadFilter } - retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative()) - if syscall.Errno(-1*retCode) == syscall.EEXIST { - // -EEXIST is "arch not present" - return false, nil - } else if retCode != 0 { - return false, syscall.Errno(-1 * retCode) + if retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative()); retCode != 0 { + e := errRc(retCode) + if e == syscall.EEXIST { + // -EEXIST is "arch not present" + return false, nil + } + return false, e } return true, nil @@ -661,9 +673,10 @@ func (f *ScmpFilter) AddArch(arch ScmpArch) error { // Libseccomp returns -EEXIST if the specified architecture is already // present. Succeed silently in this case, as it's not fatal, and the // architecture is present already. - retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative()) - if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST { - return syscall.Errno(-1 * retCode) + if retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative()); retCode != 0 { + if e := errRc(retCode); e != syscall.EEXIST { + return e + } } return nil @@ -686,9 +699,10 @@ func (f *ScmpFilter) RemoveArch(arch ScmpArch) error { // Similar to AddArch, -EEXIST is returned if the arch is not present // Succeed silently in that case, this is not fatal and the architecture // is not present in the filter after RemoveArch - retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative()) - if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST { - return syscall.Errno(-1 * retCode) + if retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative()); retCode != 0 { + if e := errRc(retCode); e != syscall.EEXIST { + return e + } } return nil @@ -705,7 +719,7 @@ func (f *ScmpFilter) Load() error { } if retCode := C.seccomp_load(f.filterCtx); retCode != 0 { - return syscall.Errno(-1 * retCode) + return errRc(retCode) } return nil @@ -764,7 +778,7 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) { func (f *ScmpFilter) GetLogBit() (bool, error) { log, err := f.getFilterAttr(filterAttrLog) if err != nil { - api, apiErr := getApi() + api, apiErr := getAPI() if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) { return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher") } @@ -818,7 +832,7 @@ func (f *ScmpFilter) SetLogBit(state bool) error { err := f.setFilterAttr(filterAttrLog, toSet) if err != nil { - api, apiErr := getApi() + api, apiErr := getAPI() if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) { return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher") } @@ -842,7 +856,7 @@ func (f *ScmpFilter) SetSyscallPriority(call ScmpSyscall, priority uint8) error if retCode := C.seccomp_syscall_priority(f.filterCtx, C.int(call), C.uint8_t(priority)); retCode != 0 { - return syscall.Errno(-1 * retCode) + return errRc(retCode) } return nil @@ -907,7 +921,7 @@ func (f *ScmpFilter) ExportPFC(file *os.File) error { } if retCode := C.seccomp_export_pfc(f.filterCtx, C.int(fd)); retCode != 0 { - return syscall.Errno(-1 * retCode) + return errRc(retCode) } return nil @@ -928,7 +942,7 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error { } if retCode := C.seccomp_export_bpf(f.filterCtx, C.int(fd)); retCode != 0 { - return syscall.Errno(-1 * retCode) + return errRc(retCode) } return nil diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go index 4e36b27ae..0982e930f 100644 --- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go +++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go @@ -72,7 +72,17 @@ const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X; #define SCMP_ACT_LOG 0x7ffc0000U #endif +#ifndef SCMP_ACT_KILL_PROCESS +#define SCMP_ACT_KILL_PROCESS 0x80000000U +#endif + +#ifndef SCMP_ACT_KILL_THREAD +#define SCMP_ACT_KILL_THREAD 0x00000000U +#endif + const uint32_t C_ACT_KILL = SCMP_ACT_KILL; +const uint32_t C_ACT_KILL_PROCESS = SCMP_ACT_KILL_PROCESS; +const uint32_t C_ACT_KILL_THREAD = SCMP_ACT_KILL_THREAD; const uint32_t C_ACT_TRAP = SCMP_ACT_TRAP; const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0); const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0); @@ -203,7 +213,7 @@ const ( archEnd ScmpArch = ArchS390X // Comparison boundaries to check for action validity actionStart ScmpAction = ActKill - actionEnd ScmpAction = ActLog + actionEnd ScmpAction = ActKillProcess // Comparison boundaries to check for comparison operator validity compareOpStart ScmpCompareOp = CompareNotEqual compareOpEnd ScmpCompareOp = CompareMaskedEqual @@ -236,7 +246,7 @@ func ensureSupportedVersion() error { } // Get the API level -func getApi() (uint, error) { +func getAPI() (uint, error) { api := C.seccomp_api_get() if api == 0 { return 0, fmt.Errorf("API level operations are not supported") @@ -246,9 +256,9 @@ func getApi() (uint, error) { } // Set the API level -func setApi(api uint) error { +func setAPI(api uint) error { if retCode := C.seccomp_api_set(C.uint(api)); retCode != 0 { - if syscall.Errno(-1*retCode) == syscall.EOPNOTSUPP { + if errRc(retCode) == syscall.EOPNOTSUPP { return fmt.Errorf("API level operations are not supported") } @@ -265,6 +275,10 @@ func filterFinalizer(f *ScmpFilter) { f.Release() } +func errRc(rc C.int) error { + return syscall.Errno(-1 * rc) +} + // Get a raw filter attribute func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) { f.lock.Lock() @@ -278,7 +292,7 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) { retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute) if retCode != 0 { - return 0x0, syscall.Errno(-1 * retCode) + return 0x0, errRc(retCode) } return attribute, nil @@ -295,7 +309,7 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value) if retCode != 0 { - return syscall.Errno(-1 * retCode) + return errRc(retCode) } return nil @@ -316,14 +330,17 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b retCode = C.seccomp_rule_add_array(f.filterCtx, action.toNative(), C.int(call), length, cond) } - if syscall.Errno(-1*retCode) == syscall.EFAULT { - return fmt.Errorf("unrecognized syscall %#x", int32(call)) - } else if syscall.Errno(-1*retCode) == syscall.EPERM { - return fmt.Errorf("requested action matches default action of filter") - } else if syscall.Errno(-1*retCode) == syscall.EINVAL { - return fmt.Errorf("two checks on same syscall argument") - } else if retCode != 0 { - return syscall.Errno(-1 * retCode) + if retCode != 0 { + switch e := errRc(retCode); e { + case syscall.EFAULT: + return fmt.Errorf("unrecognized syscall %#x", int32(call)) + case syscall.EPERM: + return fmt.Errorf("requested action matches default action of filter") + case syscall.EINVAL: + return fmt.Errorf("two checks on same syscall argument") + default: + return e + } } return nil @@ -517,6 +534,10 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) { switch a & 0xFFFF0000 { case C.C_ACT_KILL: return ActKill, nil + case C.C_ACT_KILL_PROCESS: + return ActKillProcess, nil + case C.C_ACT_KILL_THREAD: + return ActKillThread, nil case C.C_ACT_TRAP: return ActTrap, nil case C.C_ACT_ERRNO: @@ -537,6 +558,10 @@ func (a ScmpAction) toNative() C.uint32_t { switch a & 0xFFFF { case ActKill: return C.C_ACT_KILL + case ActKillProcess: + return C.C_ACT_KILL_PROCESS + case ActKillThread: + return C.C_ACT_KILL_THREAD case ActTrap: return C.C_ACT_TRAP case ActErrno: |