diff options
17 files changed, 202 insertions, 162 deletions
@@ -11,7 +11,7 @@ require ( github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.0 github.com/containers/buildah v1.19.3 - github.com/containers/common v0.33.1 + github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.10.1 github.com/containers/psgo v1.5.2 @@ -101,6 +101,8 @@ github.com/containers/buildah v1.19.3 h1:U0E1UKzqW5C11W7giHhLZI06xkZiV40ZKDK/c1j github.com/containers/buildah v1.19.3/go.mod h1:uZb6GuE36tmRSOcIXGfiYqdpr+GPXWmlUIJSk5sn19w= github.com/containers/common v0.33.1 h1:XpDiq8Cta8+u1s4kpYSEWdB140ZmqgyIXfWkLqKx3z0= github.com/containers/common v0.33.1/go.mod h1:mjDo/NKeweL/onaspLhZ38WnHXaYmrELHclIdvSnYpY= +github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 h1:tUJcLouJ1bC3w9gdqgKqZBsj2uCuM8D8jSR592lxbhE= +github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577/go.mod h1:mwZ9H8sK4+dtWxsnVLyWcjxK/gEQClrLsXsqLvbEKbI= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q= diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index 0d7ee3ad2..98ab82259 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -282,16 +282,16 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil { if seopt.User != "" { - s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.User)) + s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User)) } if seopt.Role != "" { s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Role)) } if seopt.Type != "" { - s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Type)) + s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("type:%s", seopt.Type)) } if seopt.Level != "" { - s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Level)) + s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level)) } } if caps := containerYAML.SecurityContext.Capabilities; caps != nil { diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 5930462d5..2e5c72b0e 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -13,6 +13,7 @@ import ( . "github.com/containers/podman/v2/test/utils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" + "github.com/opencontainers/selinux/go-selinux" ) var unknownKindYaml = ` @@ -26,6 +27,49 @@ spec: hostname: unknown ` +var selinuxLabelPodYaml = ` +apiVersion: v1 +kind: Pod +metadata: + creationTimestamp: "2021-02-02T22:18:20Z" + labels: + app: label-pod + name: label-pod +spec: + containers: + - command: + - top + - -d + - "1.5" + env: + - name: PATH + value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + - name: TERM + value: xterm + - name: container + value: podman + - name: HOSTNAME + value: label-pod + image: quay.io/libpod/alpine:latest + name: test + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - CAP_MKNOD + - CAP_NET_RAW + - CAP_AUDIT_WRITE + privileged: false + readOnlyRootFilesystem: false + seLinuxOptions: + user: unconfined_u + role: system_r + type: spc_t + level: s0 + workingDir: / +status: {} +` + var configMapYamlTemplate = ` apiVersion: v1 kind: ConfigMap @@ -803,6 +847,24 @@ var _ = Describe("Podman play kube", func() { }) + It("podman play kube fail with custom selinux label", func() { + if !selinux.GetEnabled() { + Skip("SELinux not enabled") + } + err := writeYaml(selinuxLabelPodYaml, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"}) + inspect.WaitWithDefaultTimeout() + label := inspect.OutputToString() + + Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0")) + }) + It("podman play kube fail with nonexistent authfile", func() { err := generateKubeYaml("pod", getPod(), kubeYaml) Expect(err).To(BeNil()) diff --git a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go index b11eafebb..749c89932 100644 --- a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go +++ b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go @@ -13,7 +13,7 @@ var ( isCgroupV2Err error ) -// Enabled returns whether we are running in cgroup 2 cgroup2 mode. +// Enabled returns whether we are running on cgroup v2 func Enabled() (bool, error) { isCgroupV2Once.Do(func() { var st syscall.Statfs_t diff --git a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go index cda68b405..61b3653e5 100644 --- a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go +++ b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go @@ -2,7 +2,7 @@ package cgroupv2 -// Enabled returns whether we are running in cgroup 2 cgroup2 mode. +// Enabled returns whether we are running on cgroup v2 func Enabled() (bool, error) { return false, nil } diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index 3b8baf87a..4a98c7e92 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -187,10 +187,6 @@ type ContainersConfig struct { // EngineConfig contains configuration options used to set up a engine runtime type EngineConfig struct { - // ImageBuildFormat indicates the default image format to building - // container images. Valid values are "oci" (default) or "docker". - ImageBuildFormat string `toml:"image_build_format,omitempty"` - // CgroupCheck indicates the configuration has been rewritten after an // upgrade to Fedora 31 to change the default OCI runtime for cgroupv2v2. CgroupCheck bool `toml:"cgroup_check,omitempty"` @@ -235,10 +231,25 @@ type EngineConfig struct { // this slice takes precedence. HooksDir []string `toml:"hooks_dir,omitempty"` + // ImageBuildFormat (DEPRECATED) indicates the default image format to + // building container images. Should use ImageDefaultFormat + ImageBuildFormat string `toml:"image_build_format,omitempty"` + // ImageDefaultTransport is the default transport method used to fetch // images. ImageDefaultTransport string `toml:"image_default_transport,omitempty"` + // ImageParallelCopies indicates the maximum number of image layers + // to be copied simultaneously. If this is zero, container engines + // will fall back to containers/image defaults. + ImageParallelCopies uint `toml:"image_parallel_copies,omitempty"` + + // ImageDefaultFormat sepecified the manifest Type (oci, v2s2, or v2s1) + // to use when pulling, pushing, building container images. By default + // image pulled and pushed match the format of the source image. + // Building/committing defaults to OCI. + ImageDefaultFormat string `toml:"image_default_format,omitempty"` + // InfraCommand is the command run to start up a pod infra container. InfraCommand string `toml:"infra_command,omitempty"` diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index 0587469b2..18243f296 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -246,9 +246,14 @@ default_sysctls = [ # network_config_dir = "/etc/cni/net.d/" [engine] -# ImageBuildFormat indicates the default image format to building -# container images. Valid values are "oci" (default) or "docker". -# image_build_format = "oci" +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# image_parallel_copies=0 + +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/commiting defaults to OCI. +# image_default_format = "" # Cgroup management implementation used for the runtime. # Valid options "systemd" or "cgroupfs" diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index 2e26fb7b8..918ce93e5 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -518,3 +518,9 @@ func (c *Config) TZ() string { func (c *Config) Umask() string { return c.Containers.Umask } + +// LogDriver returns the logging driver to be used +// currently k8s-file or journald +func (c *Config) LogDriver() string { + return c.Containers.LogDriver +} diff --git a/vendor/github.com/containers/common/pkg/config/util_supported.go b/vendor/github.com/containers/common/pkg/config/util_supported.go index 4595716d1..326e7973a 100644 --- a/vendor/github.com/containers/common/pkg/config/util_supported.go +++ b/vendor/github.com/containers/common/pkg/config/util_supported.go @@ -25,6 +25,17 @@ func getRuntimeDir() (string, error) { rootlessRuntimeDirOnce.Do(func() { runtimeDir := os.Getenv("XDG_RUNTIME_DIR") + if runtimeDir != "" { + st, err := os.Stat(runtimeDir) + if err != nil { + rootlessRuntimeDirError = err + return + } + if int(st.Sys().(*syscall.Stat_t).Uid) != os.Geteuid() { + rootlessRuntimeDirError = fmt.Errorf("XDG_RUNTIME_DIR directory %q is not owned by the current user", runtimeDir) + return + } + } uid := fmt.Sprintf("%d", unshare.GetRootlessUID()) if runtimeDir == "" { tmpDir := filepath.Join("/run", "user", uid) diff --git a/vendor/github.com/containers/common/pkg/parse/parse.go b/vendor/github.com/containers/common/pkg/parse/parse.go index 611b2e84b..882953309 100644 --- a/vendor/github.com/containers/common/pkg/parse/parse.go +++ b/vendor/github.com/containers/common/pkg/parse/parse.go @@ -13,7 +13,7 @@ import ( // ValidateVolumeOpts validates a volume's options func ValidateVolumeOpts(options []string) ([]string, error) { - var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid int + var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid, foundChown int finalOpts := make([]string, 0, len(options)) for _, opt := range options { switch opt { @@ -42,6 +42,11 @@ func ValidateVolumeOpts(options []string) ([]string, error) { if foundLabelChange > 1 { return nil, errors.Errorf("invalid options %q, can only specify 1 'z', 'Z', or 'O' option", strings.Join(options, ", ")) } + case "U": + foundChown++ + if foundChown > 1 { + return nil, errors.Errorf("invalid options %q, can only specify 1 'U' option", strings.Join(options, ", ")) + } case "private", "rprivate", "shared", "rshared", "slave", "rslave", "unbindable", "runbindable": foundRootPropagation++ if foundRootPropagation > 1 { diff --git a/vendor/github.com/containers/common/pkg/report/doc.go b/vendor/github.com/containers/common/pkg/report/doc.go index 60d954d7e..326b315f2 100644 --- a/vendor/github.com/containers/common/pkg/report/doc.go +++ b/vendor/github.com/containers/common/pkg/report/doc.go @@ -38,7 +38,17 @@ Helpers: ... process JSON and output } -and +Template Functions: + +The following template functions are added to the template when parsed: + - join strings.Join, {{join .Field separator}} + - lower strings.ToLower {{ .Field | lower }} + - split strings.Split {{ .Field | split }} + - title strings.Title {{ .Field | title }} + - upper strings.ToUpper {{ .Field | upper }} + +report.Funcs() may be used to add additional template functions. +Adding an existing function will replace that function for the life of that template. Note: Your code should not ignore errors diff --git a/vendor/github.com/containers/common/pkg/report/template.go b/vendor/github.com/containers/common/pkg/report/template.go index 551fbb3cf..559c1625b 100644 --- a/vendor/github.com/containers/common/pkg/report/template.go +++ b/vendor/github.com/containers/common/pkg/report/template.go @@ -1,6 +1,8 @@ package report import ( + "bytes" + "encoding/json" "reflect" "strings" "text/template" @@ -21,16 +23,32 @@ type FuncMap template.FuncMap var tableReplacer = strings.NewReplacer( "table ", "", `\t`, "\t", - `\n`, "\n", " ", "\t", ) // escapedReplacer will clean up escaped characters from CLI var escapedReplacer = strings.NewReplacer( `\t`, "\t", - `\n`, "\n", ) +var DefaultFuncs = FuncMap{ + "join": strings.Join, + "json": func(v interface{}) string { + buf := &bytes.Buffer{} + enc := json.NewEncoder(buf) + enc.SetEscapeHTML(false) + enc.Encode(v) + // Remove the trailing new line added by the encoder + return strings.TrimSpace(buf.String()) + }, + "lower": strings.ToLower, + "pad": padWithSpace, + "split": strings.Split, + "title": strings.Title, + "truncate": truncateWithLength, + "upper": strings.ToUpper, +} + // NormalizeFormat reads given go template format provided by CLI and munges it into what we need func NormalizeFormat(format string) string { var f string @@ -47,6 +65,22 @@ func NormalizeFormat(format string) string { return f } +// padWithSpace adds spaces*prefix and spaces*suffix to the input when it is non-empty +func padWithSpace(source string, prefix, suffix int) string { + if source == "" { + return source + } + return strings.Repeat(" ", prefix) + source + strings.Repeat(" ", suffix) +} + +// truncateWithLength truncates the source string up to the length provided by the input +func truncateWithLength(source string, length int) string { + if len(source) < length { + return source + } + return source[:length] +} + // Headers queries the interface for field names. // Array of map is returned to support range templates // Note: unexported fields can be supported by adding field to overrides @@ -88,7 +122,7 @@ func Headers(object interface{}, overrides map[string]string) []map[string]strin // NewTemplate creates a new template object func NewTemplate(name string) *Template { - return &Template{template.New(name), false} + return &Template{Template: template.New(name).Funcs(template.FuncMap(DefaultFuncs))} } // Parse parses text as a template body for t @@ -100,13 +134,21 @@ func (t *Template) Parse(text string) (*Template, error) { text = NormalizeFormat(text) } - tt, err := t.Template.Parse(text) + tt, err := t.Template.Funcs(template.FuncMap(DefaultFuncs)).Parse(text) return &Template{tt, t.isTable}, err } -// Funcs adds the elements of the argument map to the template's function map +// Funcs adds the elements of the argument map to the template's function map. +// A default template function will be replace if there is a key collision. func (t *Template) Funcs(funcMap FuncMap) *Template { - return &Template{t.Template.Funcs(template.FuncMap(funcMap)), t.isTable} + m := make(FuncMap) + for k, v := range DefaultFuncs { + m[k] = v + } + for k, v := range funcMap { + m[k] = v + } + return &Template{Template: t.Template.Funcs(template.FuncMap(m)), isTable: t.isTable} } // IsTable returns true if format string defines a "table" diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go index 5c4427318..24077778e 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go +++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go @@ -5,8 +5,6 @@ package seccomp import ( - "syscall" - "golang.org/x/sys/unix" ) @@ -45,7 +43,7 @@ func arches() []Architecture { // DefaultProfile defines the allowlist for the default seccomp profile. func DefaultProfile() *Seccomp { - einval := uint(syscall.EINVAL) + einval := uint(unix.EINVAL) syscalls := []*Syscall{ { @@ -87,6 +85,7 @@ func DefaultProfile() *Seccomp { "epoll_ctl", "epoll_ctl_old", "epoll_pwait", + "epoll_pwait2", "epoll_wait", "epoll_wait_old", "eventfd", @@ -115,7 +114,11 @@ func DefaultProfile() *Seccomp { "flock", "fork", "fremovexattr", + "fsconfig", "fsetxattr", + "fsmount", + "fsopen", + "fspick", "fstat", "fstat64", "fstatat64", @@ -203,6 +206,7 @@ func DefaultProfile() *Seccomp { "mmap", "mmap2", "mount", + "move_mount", "mprotect", "mq_getsetattr", "mq_notify", @@ -225,6 +229,7 @@ func DefaultProfile() *Seccomp { "open", "openat", "openat2", + "open_tree", "pause", "pidfd_getfd", "pidfd_open", @@ -331,7 +336,6 @@ func DefaultProfile() *Seccomp { "signalfd", "signalfd4", "sigreturn", - "socket", "socketcall", "socketpair", "splice", @@ -512,19 +516,13 @@ func DefaultProfile() *Seccomp { { Names: []string{ "bpf", - "clone", "fanotify_init", "lookup_dcookie", - "mount", - "name_to_handle_at", "perf_event_open", "quotactl", "setdomainname", "sethostname", "setns", - "umount", - "umount2", - "unshare", }, Action: ActAllow, Args: []*Arg{}, @@ -534,55 +532,6 @@ func DefaultProfile() *Seccomp { }, { Names: []string{ - "clone", - }, - Action: ActAllow, - Args: []*Arg{ - { - Index: 0, - Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET, - ValueTwo: 0, - Op: OpMaskedEqual, - }, - }, - Excludes: Filter{ - Caps: []string{"CAP_SYS_ADMIN"}, - Arches: []string{"s390", "s390x"}, - }, - }, - { - Names: []string{ - "clone", - }, - Action: ActAllow, - Args: []*Arg{ - { - Index: 1, - Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET, - ValueTwo: 0, - Op: OpMaskedEqual, - }, - }, - Comment: "s390 parameter ordering for clone is different", - Includes: Filter{ - Arches: []string{"s390", "s390x"}, - }, - Excludes: Filter{ - Caps: []string{"CAP_SYS_ADMIN"}, - }, - }, - { - Names: []string{ - "reboot", - }, - Action: ActAllow, - Args: []*Arg{}, - Includes: Filter{ - Caps: []string{"CAP_SYS_BOOT"}, - }, - }, - { - Names: []string{ "chroot", }, Action: ActAllow, @@ -608,7 +557,6 @@ func DefaultProfile() *Seccomp { Names: []string{ "get_mempolicy", "mbind", - "name_to_handle_at", "set_mempolicy", }, Action: ActAllow, @@ -630,6 +578,7 @@ func DefaultProfile() *Seccomp { { Names: []string{ "kcmp", + "process_madvise", "process_vm_readv", "process_vm_writev", "ptrace", @@ -683,12 +632,12 @@ func DefaultProfile() *Seccomp { Args: []*Arg{ { Index: 0, - Value: syscall.AF_NETLINK, + Value: unix.AF_NETLINK, Op: OpEqualTo, }, { Index: 2, - Value: syscall.NETLINK_AUDIT, + Value: unix.NETLINK_AUDIT, Op: OpEqualTo, }, }, @@ -704,7 +653,7 @@ func DefaultProfile() *Seccomp { Args: []*Arg{ { Index: 2, - Value: syscall.NETLINK_AUDIT, + Value: unix.NETLINK_AUDIT, Op: OpNotEqual, }, }, @@ -720,7 +669,7 @@ func DefaultProfile() *Seccomp { Args: []*Arg{ { Index: 0, - Value: syscall.AF_NETLINK, + Value: unix.AF_NETLINK, Op: OpNotEqual, }, }, @@ -736,7 +685,7 @@ func DefaultProfile() *Seccomp { Args: []*Arg{ { Index: 2, - Value: syscall.NETLINK_AUDIT, + Value: unix.NETLINK_AUDIT, Op: OpNotEqual, }, }, diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json index d6f3f4938..48420905c 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json @@ -89,6 +89,7 @@ "epoll_ctl", "epoll_ctl_old", "epoll_pwait", + "epoll_pwait2", "epoll_wait", "epoll_wait_old", "eventfd", @@ -117,7 +118,11 @@ "flock", "fork", "fremovexattr", + "fsconfig", "fsetxattr", + "fsmount", + "fsopen", + "fspick", "fstat", "fstat64", "fstatat64", @@ -177,6 +182,7 @@ "ioprio_get", "ioprio_set", "ipc", + "keyctl", "kill", "lchown", "lchown32", @@ -204,6 +210,7 @@ "mmap", "mmap2", "mount", + "move_mount", "mprotect", "mq_getsetattr", "mq_notify", @@ -226,6 +233,7 @@ "open", "openat", "openat2", + "open_tree", "pause", "pidfd_getfd", "pidfd_open", @@ -574,19 +582,13 @@ { "names": [ "bpf", - "clone", "fanotify_init", "lookup_dcookie", - "mount", - "name_to_handle_at", "perf_event_open", "quotactl", "setdomainname", "sethostname", - "setns", - "umount", - "umount2", - "unshare" + "setns" ], "action": "SCMP_ACT_ALLOW", "args": [], @@ -600,71 +602,6 @@ }, { "names": [ - "clone" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 2080505856, - "valueTwo": 0, - "op": "SCMP_CMP_MASKED_EQ" - } - ], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ], - "arches": [ - "s390", - "s390x" - ] - } - }, - { - "names": [ - "clone" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 1, - "value": 2080505856, - "valueTwo": 0, - "op": "SCMP_CMP_MASKED_EQ" - } - ], - "comment": "s390 parameter ordering for clone is different", - "includes": { - "arches": [ - "s390", - "s390x" - ] - }, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - } - }, - { - "names": [ - "reboot" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_BOOT" - ] - }, - "excludes": {} - }, - { - "names": [ "chroot" ], "action": "SCMP_ACT_ALLOW", @@ -698,7 +635,6 @@ "names": [ "get_mempolicy", "mbind", - "name_to_handle_at", "set_mempolicy" ], "action": "SCMP_ACT_ALLOW", @@ -728,6 +664,7 @@ { "names": [ "kcmp", + "process_madvise", "process_vm_readv", "process_vm_writev", "ptrace" @@ -894,4 +831,4 @@ "excludes": {} } ] -} +}
\ No newline at end of file diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 7d7cf59f1..8efc8b8a2 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.33.1" +const Version = "0.34.3-dev" diff --git a/vendor/modules.txt b/vendor/modules.txt index ef33a0dcc..e8b5edf8c 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -89,7 +89,7 @@ github.com/containers/buildah/pkg/parse github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/util -# github.com/containers/common v0.33.1 +# github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/auth |