-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--pkg/specgen/generate/kube/kube.go6
-rw-r--r--test/e2e/play_kube_test.go62
-rw-r--r--vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go2
-rw-r--r--vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go2
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go19
-rw-r--r--vendor/github.com/containers/common/pkg/config/containers.conf11
-rw-r--r--vendor/github.com/containers/common/pkg/config/default.go6
-rw-r--r--vendor/github.com/containers/common/pkg/config/util_supported.go11
-rw-r--r--vendor/github.com/containers/common/pkg/parse/parse.go7
-rw-r--r--vendor/github.com/containers/common/pkg/report/doc.go12
-rw-r--r--vendor/github.com/containers/common/pkg/report/template.go54
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/default_linux.go79
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp.json85
-rw-r--r--vendor/github.com/containers/common/version/version.go2
-rw-r--r--vendor/modules.txt2
17 files changed, 202 insertions, 162 deletions
diff --git a/go.mod b/go.mod
index 6847a49c7..e3ac45844 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.9.0
github.com/containers/buildah v1.19.3
- github.com/containers/common v0.33.1
+ github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.10.1
github.com/containers/psgo v1.5.2
diff --git a/go.sum b/go.sum
index 9eb760693..93c5cc6fa 100644
--- a/go.sum
+++ b/go.sum
@@ -101,6 +101,8 @@ github.com/containers/buildah v1.19.3 h1:U0E1UKzqW5C11W7giHhLZI06xkZiV40ZKDK/c1j
github.com/containers/buildah v1.19.3/go.mod h1:uZb6GuE36tmRSOcIXGfiYqdpr+GPXWmlUIJSk5sn19w=
github.com/containers/common v0.33.1 h1:XpDiq8Cta8+u1s4kpYSEWdB140ZmqgyIXfWkLqKx3z0=
github.com/containers/common v0.33.1/go.mod h1:mjDo/NKeweL/onaspLhZ38WnHXaYmrELHclIdvSnYpY=
+github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 h1:tUJcLouJ1bC3w9gdqgKqZBsj2uCuM8D8jSR592lxbhE=
+github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577/go.mod h1:mwZ9H8sK4+dtWxsnVLyWcjxK/gEQClrLsXsqLvbEKbI=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q=
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 0d7ee3ad2..98ab82259 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -282,16 +282,16 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
if seopt.User != "" {
- s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.User))
+ s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
}
if seopt.Role != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Role))
}
if seopt.Type != "" {
- s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Type))
+ s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("type:%s", seopt.Type))
}
if seopt.Level != "" {
- s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Level))
+ s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
}
}
if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
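Review bot: The four branches at the top of this hunk differ only in the key prefix, and that is exactly where the copy-paste bug the commit fixes crept in; a small key/value table would keep the mapping in one place so a fifth field cannot be added with the wrong prefix again. The values come straight from the pod YAML, so the only thing this code should guarantee is that each non-empty field lands under its own key, which the loop below expresses directly. Behaviour is unchanged (`"user:" + v` yields the same string as `fmt.Sprintf("user:%s", v)`). setupSecurityContext starts and ends outside this hunk.
```go
if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
	// One entry per SELinux label component; the key must match what the
	// spec generator expects in SelinuxOpts ("user:", "role:", "type:", "level:").
	for _, kv := range []struct{ key, val string }{
		{"user", seopt.User},
		{"role", seopt.Role},
		{"type", seopt.Type},
		{"level", seopt.Level},
	} {
		if kv.val != "" {
			s.SelinuxOpts = append(s.SelinuxOpts, kv.key+":"+kv.val)
		}
	}
}
// … unchanged: capabilities handling …
```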
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 5930462d5..2e5c72b0e 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -13,6 +13,7 @@ import (
. "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ "github.com/opencontainers/selinux/go-selinux"
)
var unknownKindYaml = `
@@ -26,6 +27,49 @@ spec:
hostname: unknown
`
+var selinuxLabelPodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: "2021-02-02T22:18:20Z"
+ labels:
+ app: label-pod
+ name: label-pod
+spec:
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ - name: HOSTNAME
+ value: label-pod
+ image: quay.io/libpod/alpine:latest
+ name: test
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - CAP_MKNOD
+ - CAP_NET_RAW
+ - CAP_AUDIT_WRITE
+ privileged: false
+ readOnlyRootFilesystem: false
+ seLinuxOptions:
+ user: unconfined_u
+ role: system_r
+ type: spc_t
+ level: s0
+ workingDir: /
+status: {}
+`
+
var configMapYamlTemplate = `
apiVersion: v1
kind: ConfigMap
@@ -803,6 +847,24 @@ var _ = Describe("Podman play kube", func() {
})
+ It("podman play kube fail with custom selinux label", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ err := writeYaml(selinuxLabelPodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"})
+ inspect.WaitWithDefaultTimeout()
+ label := inspect.OutputToString()
+
+ Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
+ })
+
It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil())
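Review bot: The test name says "fail with custom selinux label" but the body asserts success (exit code 0 and the expected process label), so the name reads as copied from the authfile test that follows; `It("podman play kube with custom selinux label", func() {` describes what is checked. Because the test is skipped whenever SELinux is not enabled on the host, the user/type/level prefix mapping fixed in pkg/specgen/generate/kube/kube.go is not exercised on non-SELinux CI; a unit test in that package that builds a SpecGenerator from a container with all four seLinuxOptions set and asserts `s.SelinuxOpts` equals `[]string{"user:unconfined_u", "role:system_r", "type:spc_t", "level:s0"}` would catch a regression without needing an SELinux host. The single quotes inside the inspect `--format` argument end up in the output and only pass because of ContainSubstring; `"{{ .ProcessLabel }}"` would make an exact comparison possible. The enclosing Describe block starts and ends outside this hunk.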
diff --git a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go
index b11eafebb..749c89932 100644
--- a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go
+++ b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go
@@ -13,7 +13,7 @@ var (
isCgroupV2Err error
)
-// Enabled returns whether we are running in cgroup 2 cgroup2 mode.
+// Enabled returns whether we are running on cgroup v2
func Enabled() (bool, error) {
isCgroupV2Once.Do(func() {
var st syscall.Statfs_t
diff --git a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go
index cda68b405..61b3653e5 100644
--- a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go
+++ b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go
@@ -2,7 +2,7 @@
package cgroupv2
-// Enabled returns whether we are running in cgroup 2 cgroup2 mode.
+// Enabled returns whether we are running on cgroup v2
func Enabled() (bool, error) {
return false, nil
}
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 3b8baf87a..4a98c7e92 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -187,10 +187,6 @@ type ContainersConfig struct {
// EngineConfig contains configuration options used to set up a engine runtime
type EngineConfig struct {
- // ImageBuildFormat indicates the default image format to building
- // container images. Valid values are "oci" (default) or "docker".
- ImageBuildFormat string `toml:"image_build_format,omitempty"`
-
// CgroupCheck indicates the configuration has been rewritten after an
// upgrade to Fedora 31 to change the default OCI runtime for cgroupv2v2.
CgroupCheck bool `toml:"cgroup_check,omitempty"`
@@ -235,10 +231,25 @@ type EngineConfig struct {
// this slice takes precedence.
HooksDir []string `toml:"hooks_dir,omitempty"`
+ // ImageBuildFormat (DEPRECATED) indicates the default image format to
+ // building container images. Should use ImageDefaultFormat
+ ImageBuildFormat string `toml:"image_build_format,omitempty"`
+
// ImageDefaultTransport is the default transport method used to fetch
// images.
ImageDefaultTransport string `toml:"image_default_transport,omitempty"`
+ // ImageParallelCopies indicates the maximum number of image layers
+ // to be copied simultaneously. If this is zero, container engines
+ // will fall back to containers/image defaults.
+ ImageParallelCopies uint `toml:"image_parallel_copies,omitempty"`
+
+ // ImageDefaultFormat sepecified the manifest Type (oci, v2s2, or v2s1)
+ // to use when pulling, pushing, building container images. By default
+ // image pulled and pushed match the format of the source image.
+ // Building/committing defaults to OCI.
+ ImageDefaultFormat string `toml:"image_default_format,omitempty"`
+
// InfraCommand is the command run to start up a pod infra container.
InfraCommand string `toml:"infra_command,omitempty"`
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index 0587469b2..18243f296 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -246,9 +246,14 @@ default_sysctls = [
# network_config_dir = "/etc/cni/net.d/"
[engine]
-# ImageBuildFormat indicates the default image format to building
-# container images. Valid values are "oci" (default) or "docker".
-# image_build_format = "oci"
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+# image_parallel_copies=0
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/commiting defaults to OCI.
+# image_default_format = ""
# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go
index 2e26fb7b8..918ce93e5 100644
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@@ -518,3 +518,9 @@ func (c *Config) TZ() string {
func (c *Config) Umask() string {
return c.Containers.Umask
}
+
+// LogDriver returns the logging driver to be used
+// currently k8s-file or journald
+func (c *Config) LogDriver() string {
+ return c.Containers.LogDriver
+}
diff --git a/vendor/github.com/containers/common/pkg/config/util_supported.go b/vendor/github.com/containers/common/pkg/config/util_supported.go
index 4595716d1..326e7973a 100644
--- a/vendor/github.com/containers/common/pkg/config/util_supported.go
+++ b/vendor/github.com/containers/common/pkg/config/util_supported.go
@@ -25,6 +25,17 @@ func getRuntimeDir() (string, error) {
rootlessRuntimeDirOnce.Do(func() {
runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+ if runtimeDir != "" {
+ st, err := os.Stat(runtimeDir)
+ if err != nil {
+ rootlessRuntimeDirError = err
+ return
+ }
+ if int(st.Sys().(*syscall.Stat_t).Uid) != os.Geteuid() {
+ rootlessRuntimeDirError = fmt.Errorf("XDG_RUNTIME_DIR directory %q is not owned by the current user", runtimeDir)
+ return
+ }
+ }
uid := fmt.Sprintf("%d", unshare.GetRootlessUID())
if runtimeDir == "" {
tmpDir := filepath.Join("/run", "user", uid)
diff --git a/vendor/github.com/containers/common/pkg/parse/parse.go b/vendor/github.com/containers/common/pkg/parse/parse.go
index 611b2e84b..882953309 100644
--- a/vendor/github.com/containers/common/pkg/parse/parse.go
+++ b/vendor/github.com/containers/common/pkg/parse/parse.go
@@ -13,7 +13,7 @@ import (
// ValidateVolumeOpts validates a volume's options
func ValidateVolumeOpts(options []string) ([]string, error) {
- var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid int
+ var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid, foundChown int
finalOpts := make([]string, 0, len(options))
for _, opt := range options {
switch opt {
@@ -42,6 +42,11 @@ func ValidateVolumeOpts(options []string) ([]string, error) {
if foundLabelChange > 1 {
return nil, errors.Errorf("invalid options %q, can only specify 1 'z', 'Z', or 'O' option", strings.Join(options, ", "))
}
+ case "U":
+ foundChown++
+ if foundChown > 1 {
+ return nil, errors.Errorf("invalid options %q, can only specify 1 'U' option", strings.Join(options, ", "))
+ }
case "private", "rprivate", "shared", "rshared", "slave", "rslave", "unbindable", "runbindable":
foundRootPropagation++
if foundRootPropagation > 1 {
diff --git a/vendor/github.com/containers/common/pkg/report/doc.go b/vendor/github.com/containers/common/pkg/report/doc.go
index 60d954d7e..326b315f2 100644
--- a/vendor/github.com/containers/common/pkg/report/doc.go
+++ b/vendor/github.com/containers/common/pkg/report/doc.go
@@ -38,7 +38,17 @@ Helpers:
... process JSON and output
}
-and
+Template Functions:
+
+The following template functions are added to the template when parsed:
+ - join strings.Join, {{join .Field separator}}
+ - lower strings.ToLower {{ .Field | lower }}
+ - split strings.Split {{ .Field | split }}
+ - title strings.Title {{ .Field | title }}
+ - upper strings.ToUpper {{ .Field | upper }}
+
+report.Funcs() may be used to add additional template functions.
+Adding an existing function will replace that function for the life of that template.
Note: Your code should not ignore errors
diff --git a/vendor/github.com/containers/common/pkg/report/template.go b/vendor/github.com/containers/common/pkg/report/template.go
index 551fbb3cf..559c1625b 100644
--- a/vendor/github.com/containers/common/pkg/report/template.go
+++ b/vendor/github.com/containers/common/pkg/report/template.go
@@ -1,6 +1,8 @@
package report
import (
+ "bytes"
+ "encoding/json"
"reflect"
"strings"
"text/template"
@@ -21,16 +23,32 @@ type FuncMap template.FuncMap
var tableReplacer = strings.NewReplacer(
"table ", "",
`\t`, "\t",
- `\n`, "\n",
" ", "\t",
)
// escapedReplacer will clean up escaped characters from CLI
var escapedReplacer = strings.NewReplacer(
`\t`, "\t",
- `\n`, "\n",
)
+var DefaultFuncs = FuncMap{
+ "join": strings.Join,
+ "json": func(v interface{}) string {
+ buf := &bytes.Buffer{}
+ enc := json.NewEncoder(buf)
+ enc.SetEscapeHTML(false)
+ enc.Encode(v)
+ // Remove the trailing new line added by the encoder
+ return strings.TrimSpace(buf.String())
+ },
+ "lower": strings.ToLower,
+ "pad": padWithSpace,
+ "split": strings.Split,
+ "title": strings.Title,
+ "truncate": truncateWithLength,
+ "upper": strings.ToUpper,
+}
+
// NormalizeFormat reads given go template format provided by CLI and munges it into what we need
func NormalizeFormat(format string) string {
var f string
@@ -47,6 +65,22 @@ func NormalizeFormat(format string) string {
return f
}
+// padWithSpace adds spaces*prefix and spaces*suffix to the input when it is non-empty
+func padWithSpace(source string, prefix, suffix int) string {
+ if source == "" {
+ return source
+ }
+ return strings.Repeat(" ", prefix) + source + strings.Repeat(" ", suffix)
+}
+
+// truncateWithLength truncates the source string up to the length provided by the input
+func truncateWithLength(source string, length int) string {
+ if len(source) < length {
+ return source
+ }
+ return source[:length]
+}
+
// Headers queries the interface for field names.
// Array of map is returned to support range templates
// Note: unexported fields can be supported by adding field to overrides
@@ -88,7 +122,7 @@ func Headers(object interface{}, overrides map[string]string) []map[string]strin
// NewTemplate creates a new template object
func NewTemplate(name string) *Template {
- return &Template{template.New(name), false}
+ return &Template{Template: template.New(name).Funcs(template.FuncMap(DefaultFuncs))}
}
// Parse parses text as a template body for t
@@ -100,13 +134,21 @@ func (t *Template) Parse(text string) (*Template, error) {
text = NormalizeFormat(text)
}
- tt, err := t.Template.Parse(text)
+ tt, err := t.Template.Funcs(template.FuncMap(DefaultFuncs)).Parse(text)
return &Template{tt, t.isTable}, err
}
-// Funcs adds the elements of the argument map to the template's function map
+// Funcs adds the elements of the argument map to the template's function map.
+// A default template function will be replace if there is a key collision.
func (t *Template) Funcs(funcMap FuncMap) *Template {
- return &Template{t.Template.Funcs(template.FuncMap(funcMap)), t.isTable}
+ m := make(FuncMap)
+ for k, v := range DefaultFuncs {
+ m[k] = v
+ }
+ for k, v := range funcMap {
+ m[k] = v
+ }
+ return &Template{Template: t.Template.Funcs(template.FuncMap(m)), isTable: t.isTable}
}
// IsTable returns true if format string defines a "table"
diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
index 5c4427318..24077778e 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
+++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
@@ -5,8 +5,6 @@
package seccomp
import (
- "syscall"
-
"golang.org/x/sys/unix"
)
@@ -45,7 +43,7 @@ func arches() []Architecture {
// DefaultProfile defines the allowlist for the default seccomp profile.
func DefaultProfile() *Seccomp {
- einval := uint(syscall.EINVAL)
+ einval := uint(unix.EINVAL)
syscalls := []*Syscall{
{
@@ -87,6 +85,7 @@ func DefaultProfile() *Seccomp {
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
+ "epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
@@ -115,7 +114,11 @@ func DefaultProfile() *Seccomp {
"flock",
"fork",
"fremovexattr",
+ "fsconfig",
"fsetxattr",
+ "fsmount",
+ "fsopen",
+ "fspick",
"fstat",
"fstat64",
"fstatat64",
@@ -203,6 +206,7 @@ func DefaultProfile() *Seccomp {
"mmap",
"mmap2",
"mount",
+ "move_mount",
"mprotect",
"mq_getsetattr",
"mq_notify",
@@ -225,6 +229,7 @@ func DefaultProfile() *Seccomp {
"open",
"openat",
"openat2",
+ "open_tree",
"pause",
"pidfd_getfd",
"pidfd_open",
@@ -331,7 +336,6 @@ func DefaultProfile() *Seccomp {
"signalfd",
"signalfd4",
"sigreturn",
- "socket",
"socketcall",
"socketpair",
"splice",
@@ -512,19 +516,13 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"bpf",
- "clone",
"fanotify_init",
"lookup_dcookie",
- "mount",
- "name_to_handle_at",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
"setns",
- "umount",
- "umount2",
- "unshare",
},
Action: ActAllow,
Args: []*Arg{},
@@ -534,55 +532,6 @@ func DefaultProfile() *Seccomp {
},
{
Names: []string{
- "clone",
- },
- Action: ActAllow,
- Args: []*Arg{
- {
- Index: 0,
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
- ValueTwo: 0,
- Op: OpMaskedEqual,
- },
- },
- Excludes: Filter{
- Caps: []string{"CAP_SYS_ADMIN"},
- Arches: []string{"s390", "s390x"},
- },
- },
- {
- Names: []string{
- "clone",
- },
- Action: ActAllow,
- Args: []*Arg{
- {
- Index: 1,
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
- ValueTwo: 0,
- Op: OpMaskedEqual,
- },
- },
- Comment: "s390 parameter ordering for clone is different",
- Includes: Filter{
- Arches: []string{"s390", "s390x"},
- },
- Excludes: Filter{
- Caps: []string{"CAP_SYS_ADMIN"},
- },
- },
- {
- Names: []string{
- "reboot",
- },
- Action: ActAllow,
- Args: []*Arg{},
- Includes: Filter{
- Caps: []string{"CAP_SYS_BOOT"},
- },
- },
- {
- Names: []string{
"chroot",
},
Action: ActAllow,
@@ -608,7 +557,6 @@ func DefaultProfile() *Seccomp {
Names: []string{
"get_mempolicy",
"mbind",
- "name_to_handle_at",
"set_mempolicy",
},
Action: ActAllow,
@@ -630,6 +578,7 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"kcmp",
+ "process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace",
@@ -683,12 +632,12 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 0,
- Value: syscall.AF_NETLINK,
+ Value: unix.AF_NETLINK,
Op: OpEqualTo,
},
{
Index: 2,
- Value: syscall.NETLINK_AUDIT,
+ Value: unix.NETLINK_AUDIT,
Op: OpEqualTo,
},
},
@@ -704,7 +653,7 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 2,
- Value: syscall.NETLINK_AUDIT,
+ Value: unix.NETLINK_AUDIT,
Op: OpNotEqual,
},
},
@@ -720,7 +669,7 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 0,
- Value: syscall.AF_NETLINK,
+ Value: unix.AF_NETLINK,
Op: OpNotEqual,
},
},
@@ -736,7 +685,7 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 2,
- Value: syscall.NETLINK_AUDIT,
+ Value: unix.NETLINK_AUDIT,
Op: OpNotEqual,
},
},
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
index d6f3f4938..48420905c 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
@@ -89,6 +89,7 @@
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
+ "epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
@@ -117,7 +118,11 @@
"flock",
"fork",
"fremovexattr",
+ "fsconfig",
"fsetxattr",
+ "fsmount",
+ "fsopen",
+ "fspick",
"fstat",
"fstat64",
"fstatat64",
@@ -177,6 +182,7 @@
"ioprio_get",
"ioprio_set",
"ipc",
+ "keyctl",
"kill",
"lchown",
"lchown32",
@@ -204,6 +210,7 @@
"mmap",
"mmap2",
"mount",
+ "move_mount",
"mprotect",
"mq_getsetattr",
"mq_notify",
@@ -226,6 +233,7 @@
"open",
"openat",
"openat2",
+ "open_tree",
"pause",
"pidfd_getfd",
"pidfd_open",
@@ -574,19 +582,13 @@
{
"names": [
"bpf",
- "clone",
"fanotify_init",
"lookup_dcookie",
- "mount",
- "name_to_handle_at",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
- "setns",
- "umount",
- "umount2",
- "unshare"
+ "setns"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@@ -600,71 +602,6 @@
},
{
"names": [
- "clone"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 2080505856,
- "valueTwo": 0,
- "op": "SCMP_CMP_MASKED_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_ADMIN"
- ],
- "arches": [
- "s390",
- "s390x"
- ]
- }
- },
- {
- "names": [
- "clone"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 1,
- "value": 2080505856,
- "valueTwo": 0,
- "op": "SCMP_CMP_MASKED_EQ"
- }
- ],
- "comment": "s390 parameter ordering for clone is different",
- "includes": {
- "arches": [
- "s390",
- "s390x"
- ]
- },
- "excludes": {
- "caps": [
- "CAP_SYS_ADMIN"
- ]
- }
- },
- {
- "names": [
- "reboot"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_BOOT"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
"chroot"
],
"action": "SCMP_ACT_ALLOW",
@@ -698,7 +635,6 @@
"names": [
"get_mempolicy",
"mbind",
- "name_to_handle_at",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
@@ -728,6 +664,7 @@
{
"names": [
"kcmp",
+ "process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace"
@@ -894,4 +831,4 @@
"excludes": {}
}
]
-}
+} \ No newline at end of file
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 7d7cf59f1..8efc8b8a2 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.33.1"
+const Version = "0.34.3-dev"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ef33a0dcc..e8b5edf8c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -89,7 +89,7 @@ github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/util
-# github.com/containers/common v0.33.1
+# github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577
github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/apparmor/internal/supported
github.com/containers/common/pkg/auth