Diffstat (limited to 'vendor/github.com/opencontainers')
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/config.go35
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/generate.go225
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go7
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label.go8
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go11
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go23
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go11
7 files changed, 306 insertions, 14 deletions
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/config.go b/vendor/github.com/opencontainers/runtime-tools/generate/config.go
index 164fdf141..f68bdde37 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/config.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/config.go
@@ -151,6 +151,13 @@ func (g *Generator) initConfigWindows() {
}
}
+func (g *Generator) initConfigWindowsNetwork() {
+ g.initConfigWindows()
+ if g.Config.Windows.Network == nil {
+ g.Config.Windows.Network = &rspec.WindowsNetwork{}
+ }
+}
+
func (g *Generator) initConfigWindowsHyperV() {
g.initConfigWindows()
if g.Config.Windows.HyperV == nil {
@@ -171,3 +178,31 @@ func (g *Generator) initConfigWindowsResourcesMemory() {
g.Config.Windows.Resources.Memory = &rspec.WindowsMemoryResources{}
}
}
+
+func (g *Generator) initConfigVM() {
+ g.initConfig()
+ if g.Config.VM == nil {
+ g.Config.VM = &rspec.VM{}
+ }
+}
+
+func (g *Generator) initConfigVMHypervisor() {
+ g.initConfigVM()
+ if &g.Config.VM.Hypervisor == nil {
+ g.Config.VM.Hypervisor = rspec.VMHypervisor{}
+ }
+}
+
+func (g *Generator) initConfigVMKernel() {
+ g.initConfigVM()
+ if &g.Config.VM.Kernel == nil {
+ g.Config.VM.Kernel = rspec.VMKernel{}
+ }
+}
+
+func (g *Generator) initConfigVMImage() {
+ g.initConfigVM()
+ if &g.Config.VM.Image == nil {
+ g.Config.VM.Image = rspec.VMImage{}
+ }
+}
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
index 1eb44770f..6d3268902 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
@@ -54,17 +54,8 @@ func New(os string) (generator Generator, err error) {
"cmd",
},
Cwd: `C:\`,
- ConsoleSize: &rspec.Box{
- Width: 80,
- Height: 20,
- },
- }
- config.Windows = &rspec.Windows{
- IgnoreFlushesDuringBoot: true,
- Network: &rspec.WindowsNetwork{
- AllowUnqualifiedDNSQuery: true,
- },
}
+ config.Windows = &rspec.Windows{}
} else {
config.Root = &rspec.Root{
Path: "rootfs",
@@ -368,6 +359,12 @@ func (g *Generator) SetHostname(s string) {
g.Config.Hostname = s
}
+// SetOCIVersion sets g.Config.Version.
+func (g *Generator) SetOCIVersion(s string) {
+ g.initConfig()
+ g.Config.Version = s
+}
+
// ClearAnnotations clears g.Config.Annotations.
func (g *Generator) ClearAnnotations() {
if g.Config == nil {
@@ -1074,6 +1071,69 @@ func (g *Generator) ClearProcessCapabilities() {
g.Config.Process.Capabilities.Ambient = []string{}
}
+// AddProcessCapability adds a process capability into all 5 capability sets.
+func (g *Generator) AddProcessCapability(c string) error {
+ cp := strings.ToUpper(c)
+ if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+ return err
+ }
+
+ g.initConfigProcessCapabilities()
+
+ var foundAmbient, foundBounding, foundEffective, foundInheritable, foundPermitted bool
+ for _, cap := range g.Config.Process.Capabilities.Ambient {
+ if strings.ToUpper(cap) == cp {
+ foundAmbient = true
+ break
+ }
+ }
+ if !foundAmbient {
+ g.Config.Process.Capabilities.Ambient = append(g.Config.Process.Capabilities.Ambient, cp)
+ }
+
+ for _, cap := range g.Config.Process.Capabilities.Bounding {
+ if strings.ToUpper(cap) == cp {
+ foundBounding = true
+ break
+ }
+ }
+ if !foundBounding {
+ g.Config.Process.Capabilities.Bounding = append(g.Config.Process.Capabilities.Bounding, cp)
+ }
+
+ for _, cap := range g.Config.Process.Capabilities.Effective {
+ if strings.ToUpper(cap) == cp {
+ foundEffective = true
+ break
+ }
+ }
+ if !foundEffective {
+ g.Config.Process.Capabilities.Effective = append(g.Config.Process.Capabilities.Effective, cp)
+ }
+
+ for _, cap := range g.Config.Process.Capabilities.Inheritable {
+ if strings.ToUpper(cap) == cp {
+ foundInheritable = true
+ break
+ }
+ }
+ if !foundInheritable {
+ g.Config.Process.Capabilities.Inheritable = append(g.Config.Process.Capabilities.Inheritable, cp)
+ }
+
+ for _, cap := range g.Config.Process.Capabilities.Permitted {
+ if strings.ToUpper(cap) == cp {
+ foundPermitted = true
+ break
+ }
+ }
+ if !foundPermitted {
+ g.Config.Process.Capabilities.Permitted = append(g.Config.Process.Capabilities.Permitted, cp)
+ }
+
+ return nil
+}
+
// AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.
func (g *Generator) AddProcessCapabilityAmbient(c string) error {
cp := strings.ToUpper(c)
@@ -1190,6 +1250,42 @@ func (g *Generator) AddProcessCapabilityPermitted(c string) error {
return nil
}
+// DropProcessCapability drops a process capability from all 5 capability sets.
+func (g *Generator) DropProcessCapability(c string) error {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
+ return nil
+ }
+
+ cp := strings.ToUpper(c)
+ for i, cap := range g.Config.Process.Capabilities.Ambient {
+ if strings.ToUpper(cap) == cp {
+ g.Config.Process.Capabilities.Ambient = removeFunc(g.Config.Process.Capabilities.Ambient, i)
+ }
+ }
+ for i, cap := range g.Config.Process.Capabilities.Bounding {
+ if strings.ToUpper(cap) == cp {
+ g.Config.Process.Capabilities.Bounding = removeFunc(g.Config.Process.Capabilities.Bounding, i)
+ }
+ }
+ for i, cap := range g.Config.Process.Capabilities.Effective {
+ if strings.ToUpper(cap) == cp {
+ g.Config.Process.Capabilities.Effective = removeFunc(g.Config.Process.Capabilities.Effective, i)
+ }
+ }
+ for i, cap := range g.Config.Process.Capabilities.Inheritable {
+ if strings.ToUpper(cap) == cp {
+ g.Config.Process.Capabilities.Inheritable = removeFunc(g.Config.Process.Capabilities.Inheritable, i)
+ }
+ }
+ for i, cap := range g.Config.Process.Capabilities.Permitted {
+ if strings.ToUpper(cap) == cp {
+ g.Config.Process.Capabilities.Permitted = removeFunc(g.Config.Process.Capabilities.Permitted, i)
+ }
+ }
+
+ return validate.CapValid(cp, false)
+}
+
// DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.
func (g *Generator) DropProcessCapabilityAmbient(c string) error {
if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
@@ -1533,14 +1629,82 @@ func (g *Generator) SetSolarisMilestone(milestone string) {
g.Config.Solaris.Milestone = milestone
}
+// SetVMHypervisorPath sets g.Config.VM.Hypervisor.Path
+func (g *Generator) SetVMHypervisorPath(path string) error {
+ if !strings.HasPrefix(path, "/") {
+ return fmt.Errorf("hypervisorPath %v is not an absolute path", path)
+ }
+ g.initConfigVMHypervisor()
+ g.Config.VM.Hypervisor.Path = path
+ return nil
+}
+
+// SetVMHypervisorParameters sets g.Config.VM.Hypervisor.Parameters
+func (g *Generator) SetVMHypervisorParameters(parameters []string) {
+ g.initConfigVMHypervisor()
+ g.Config.VM.Hypervisor.Parameters = parameters
+}
+
+// SetVMKernelPath sets g.Config.VM.Kernel.Path
+func (g *Generator) SetVMKernelPath(path string) error {
+ if !strings.HasPrefix(path, "/") {
+ return fmt.Errorf("kernelPath %v is not an absolute path", path)
+ }
+ g.initConfigVMKernel()
+ g.Config.VM.Kernel.Path = path
+ return nil
+}
+
+// SetVMKernelParameters sets g.Config.VM.Kernel.Parameters
+func (g *Generator) SetVMKernelParameters(parameters []string) {
+ g.initConfigVMKernel()
+ g.Config.VM.Kernel.Parameters = parameters
+}
+
+// SetVMKernelInitRD sets g.Config.VM.Kernel.InitRD
+func (g *Generator) SetVMKernelInitRD(initrd string) error {
+ if !strings.HasPrefix(initrd, "/") {
+ return fmt.Errorf("kernelInitrd %v is not an absolute path", initrd)
+ }
+ g.initConfigVMKernel()
+ g.Config.VM.Kernel.InitRD = initrd
+ return nil
+}
+
+// SetVMImagePath sets g.Config.VM.Image.Path
+func (g *Generator) SetVMImagePath(path string) error {
+ if !strings.HasPrefix(path, "/") {
+ return fmt.Errorf("imagePath %v is not an absolute path", path)
+ }
+ g.initConfigVMImage()
+ g.Config.VM.Image.Path = path
+ return nil
+}
+
+// SetVMImageFormat sets g.Config.VM.Image.Format
+func (g *Generator) SetVMImageFormat(format string) error {
+ switch format {
+ case "raw":
+ case "qcow2":
+ case "vdi":
+ case "vmdk":
+ case "vhd":
+ default:
+ return fmt.Errorf("Commonly supported formats are: raw, qcow2, vdi, vmdk, vhd")
+ }
+ g.initConfigVMImage()
+ g.Config.VM.Image.Format = format
+ return nil
+}
+
// SetWindowsHypervUntilityVMPath sets g.Config.Windows.HyperV.UtilityVMPath.
func (g *Generator) SetWindowsHypervUntilityVMPath(path string) {
g.initConfigWindowsHyperV()
g.Config.Windows.HyperV.UtilityVMPath = path
}
-// SetWinodwsIgnoreFlushesDuringBoot sets g.Config.Winodws.IgnoreFlushesDuringBoot.
-func (g *Generator) SetWinodwsIgnoreFlushesDuringBoot(ignore bool) {
+// SetWindowsIgnoreFlushesDuringBoot sets g.Config.Windows.IgnoreFlushesDuringBoot.
+func (g *Generator) SetWindowsIgnoreFlushesDuringBoot(ignore bool) {
g.initConfigWindows()
g.Config.Windows.IgnoreFlushesDuringBoot = ignore
}
@@ -1551,12 +1715,45 @@ func (g *Generator) AddWindowsLayerFolders(folder string) {
g.Config.Windows.LayerFolders = append(g.Config.Windows.LayerFolders, folder)
}
+// AddWindowsDevices adds or sets g.Config.Windwos.Devices
+func (g *Generator) AddWindowsDevices(id, idType string) error {
+ if idType != "class" {
+ return fmt.Errorf("Invalid idType value: %s. Windows only supports a value of class", idType)
+ }
+ device := rspec.WindowsDevice{
+ ID: id,
+ IDType: idType,
+ }
+
+ g.initConfigWindows()
+ for i, device := range g.Config.Windows.Devices {
+ if device.ID == id {
+ g.Config.Windows.Devices[i].IDType = idType
+ return nil
+ }
+ }
+ g.Config.Windows.Devices = append(g.Config.Windows.Devices, device)
+ return nil
+}
+
// SetWindowsNetwork sets g.Config.Windows.Network.
func (g *Generator) SetWindowsNetwork(network rspec.WindowsNetwork) {
g.initConfigWindows()
g.Config.Windows.Network = &network
}
+// SetWindowsNetworkAllowUnqualifiedDNSQuery sets g.Config.Windows.Network.AllowUnqualifiedDNSQuery
+func (g *Generator) SetWindowsNetworkAllowUnqualifiedDNSQuery(setting bool) {
+ g.initConfigWindowsNetwork()
+ g.Config.Windows.Network.AllowUnqualifiedDNSQuery = setting
+}
+
+// SetWindowsNetworkNamespace sets g.Config.Windows.Network.NetworkNamespace
+func (g *Generator) SetWindowsNetworkNamespace(path string) {
+ g.initConfigWindowsNetwork()
+ g.Config.Windows.Network.NetworkNamespace = path
+}
+
// SetWindowsResourcesCPU sets g.Config.Windows.Resources.CPU.
func (g *Generator) SetWindowsResourcesCPU(cpu rspec.WindowsCPUResources) {
g.initConfigWindowsResources()
@@ -1575,8 +1772,8 @@ func (g *Generator) SetWindowsResourcesStorage(storage rspec.WindowsStorageResou
g.Config.Windows.Resources.Storage = &storage
}
-// SetWinodwsServicing sets g.Config.Winodws.Servicing.
-func (g *Generator) SetWinodwsServicing(servicing bool) {
+// SetWindowsServicing sets g.Config.Windows.Servicing.
+func (g *Generator) SetWindowsServicing(servicing bool) {
g.initConfigWindows()
g.Config.Windows.Servicing = servicing
}
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go
index 8d452c209..dcefafae7 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go
@@ -16,6 +16,7 @@ import (
rspec "github.com/opencontainers/runtime-spec/specs-go"
osFilepath "github.com/opencontainers/runtime-tools/filepath"
"github.com/opencontainers/runtime-tools/specerror"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus"
)
@@ -226,5 +227,11 @@ func (v *Validator) CheckLinux() (errs error) {
}
}
+ if v.spec.Linux.MountLabel != "" {
+ if err := label.Validate(v.spec.Linux.MountLabel); err != nil {
+ errs = multierror.Append(errs, fmt.Errorf("mountLabel %v is invalid", v.spec.Linux.MountLabel))
+ }
+ }
+
return
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 4e9a8c54f..e178568fd 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -37,6 +37,14 @@ func SocketLabel() (string, error) {
return "", nil
}
+func SetKeyLabel(processLabel string) error {
+ return nil
+}
+
+func KeyLabel() (string, error) {
+ return "", nil
+}
+
func FileLabel(path string) (string, error) {
return "", nil
}
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index d4e26909d..1eb9a6bf2 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -115,6 +115,17 @@ func SocketLabel() (string, error) {
return selinux.SocketLabel()
}
+// SetKeyLabel takes a process label and tells the kernel to assign the
+// label to the next kernel keyring that gets created
+func SetKeyLabel(processLabel string) error {
+ return selinux.SetKeyLabel(processLabel)
+}
+
+// KeyLabel retrieves the current default kernel keyring label setting
+func KeyLabel() (string, error) {
+ return selinux.KeyLabel()
+}
+
// ProcessLabel returns the process label that the kernel will assign
// to the next program executed by the current process. If "" is returned
// this indicates that the default labeling will happen for the process.
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 5adafd317..d7786c33c 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -333,6 +333,11 @@ func writeCon(fpath string, val string) error {
if fpath == "" {
return ErrEmptyPath
}
+ if val == "" {
+ if !GetEnabled() {
+ return nil
+ }
+ }
out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
if err != nil {
@@ -398,6 +403,24 @@ func SocketLabel() (string, error) {
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
}
+// SetKeyLabel takes a process label and tells the kernel to assign the
+// label to the next kernel keyring that gets created
+func SetKeyLabel(label string) error {
+ err := writeCon("/proc/self/attr/keycreate", label)
+ if os.IsNotExist(err) {
+ return nil
+ }
+ if label == "" && os.IsPermission(err) && !GetEnabled() {
+ return nil
+ }
+ return err
+}
+
+// KeyLabel retrieves the current kernel keyring label setting
+func KeyLabel() (string, error) {
+ return readCon("/proc/self/attr/keycreate")
+}
+
// Get returns the Context as a string
func (c Context) Get() string {
if c["level"] != "" {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 9497acbd0..79b005d19 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -109,6 +109,17 @@ func SocketLabel() (string, error) {
return "", nil
}
+// SetKeyLabel takes a process label and tells the kernel to assign the
+// label to the next kernel keyring that gets created
+func SetKeyLabel(label string) error {
+ return nil
+}
+
+// KeyLabel retrieves the current kernel keyring label setting
+func KeyLabel() (string, error) {
+ return "", nil
+}
+
// Get returns the Context as a string
func (c Context) Get() string {
return ""