summaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/opencontainers')
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go28
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go36
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go35
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go48
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go26
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go6
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/config.go12
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go9
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/devices/device.go4
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go107
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go5
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go112
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/linux.go49
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go27
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/userns_deprecated.go5
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/MAINTAINERS2
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go41
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go20
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go40
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/user.go48
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/user_fuzzer.go42
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go5
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go15
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go37
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go17
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/config.go13
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/state.go29
27 files changed, 421 insertions, 397 deletions
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
index 73965f12d..5da14fb3b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
@@ -1,27 +1,41 @@
package apparmor
import (
- "bytes"
+ "errors"
"fmt"
"io/ioutil"
"os"
+ "sync"
"github.com/opencontainers/runc/libcontainer/utils"
)
+var (
+ appArmorEnabled bool
+ checkAppArmor sync.Once
+)
+
// IsEnabled returns true if apparmor is enabled for the host.
func IsEnabled() bool {
- if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
- buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
- return err == nil && bytes.HasPrefix(buf, []byte("Y"))
- }
- return false
+ checkAppArmor.Do(func() {
+ if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
+ buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+ appArmorEnabled = err == nil && len(buf) > 1 && buf[0] == 'Y'
+ }
+ })
+ return appArmorEnabled
}
func setProcAttr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
- f, err := os.OpenFile("/proc/self/attr/"+attr, os.O_WRONLY, 0)
+ attrPath := "/proc/self/attr/apparmor/" + attr
+ if _, err := os.Stat(attrPath); errors.Is(err, os.ErrNotExist) {
+ // fall back to the old convention
+ attrPath = "/proc/self/attr/" + attr
+ }
+
+ f, err := os.OpenFile(attrPath, os.O_WRONLY, 0)
if err != nil {
return err
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
index a16a68e97..68a346ca5 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@@ -7,37 +7,44 @@ import (
)
type Manager interface {
- // Applies cgroup configuration to the process with the specified pid
+ // Apply creates a cgroup, if not yet created, and adds a process
+ // with the specified pid into that cgroup. A special value of -1
+ // can be used to merely create a cgroup.
Apply(pid int) error
- // Returns the PIDs inside the cgroup set
+ // GetPids returns the PIDs of all processes inside the cgroup.
GetPids() ([]int, error)
- // Returns the PIDs inside the cgroup set & all sub-cgroups
+ // GetAllPids returns the PIDs of all processes inside the cgroup
+ // any all its sub-cgroups.
GetAllPids() ([]int, error)
- // Returns statistics for the cgroup set
+ // GetStats returns cgroups statistics.
GetStats() (*Stats, error)
- // Toggles the freezer cgroup according with specified state
+ // Freeze sets the freezer cgroup to the specified state.
Freeze(state configs.FreezerState) error
- // Destroys the cgroup set
+ // Destroy removes cgroup.
Destroy() error
// Path returns a cgroup path to the specified controller/subsystem.
// For cgroupv2, the argument is unused and can be empty.
Path(string) string
- // Sets the cgroup as configured.
- Set(container *configs.Config) error
+ // Set sets cgroup resources parameters/limits. If the argument is nil,
+ // the resources specified during Manager creation (or the previous call
+ // to Set) are used.
+ Set(r *configs.Resources) error
- // GetPaths returns cgroup path(s) to save in a state file in order to restore later.
+ // GetPaths returns cgroup path(s) to save in a state file in order to
+ // restore later.
//
- // For cgroup v1, a key is cgroup subsystem name, and the value is the path
- // to the cgroup for this subsystem.
+ // For cgroup v1, a key is cgroup subsystem name, and the value is the
+ // path to the cgroup for this subsystem.
//
- // For cgroup v2 unified hierarchy, a key is "", and the value is the unified path.
+ // For cgroup v2 unified hierarchy, a key is "", and the value is the
+ // unified path.
GetPaths() map[string]string
// GetCgroups returns the cgroup data as configured.
@@ -46,6 +53,9 @@ type Manager interface {
// GetFreezerState retrieves the current FreezerState of the cgroup.
GetFreezerState() (configs.FreezerState, error)
- // Whether the cgroup path exists or not
+ // Exists returns whether the cgroup path exists or not.
Exists() bool
+
+ // OOMKillCount reports OOM kill count for the cgroup.
+ OOMKillCount() (uint64, error)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go
index 0a7e3d952..49af83b3c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/open.go
@@ -5,7 +5,6 @@ import (
"strings"
"sync"
- securejoin "github.com/cyphar/filepath-securejoin"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
@@ -17,7 +16,7 @@ const (
)
var (
- // Set to true by fs unit tests
+ // TestMode is set to true by unit tests that need "fake" cgroupfs.
TestMode bool
cgroupFd int = -1
@@ -71,12 +70,12 @@ func OpenFile(dir, file string, flags int) (*os.File, error) {
flags |= os.O_TRUNC | os.O_CREATE
mode = 0o600
}
+ if prepareOpenat2() != nil {
+ return openFallback(dir, file, flags, mode)
+ }
reldir := strings.TrimPrefix(dir, cgroupfsPrefix)
if len(reldir) == len(dir) { // non-standard path, old system?
- return openWithSecureJoin(dir, file, flags, mode)
- }
- if prepareOpenat2() != nil {
- return openWithSecureJoin(dir, file, flags, mode)
+ return openFallback(dir, file, flags, mode)
}
relname := reldir + "/" + file
@@ -93,11 +92,29 @@ func OpenFile(dir, file string, flags int) (*os.File, error) {
return os.NewFile(uintptr(fd), cgroupfsPrefix+relname), nil
}
-func openWithSecureJoin(dir, file string, flags int, mode os.FileMode) (*os.File, error) {
- path, err := securejoin.SecureJoin(dir, file)
+var errNotCgroupfs = errors.New("not a cgroup file")
+
+// openFallback is used when openat2(2) is not available. It checks the opened
+// file is on cgroupfs, returning an error otherwise.
+func openFallback(dir, file string, flags int, mode os.FileMode) (*os.File, error) {
+ path := dir + "/" + file
+ fd, err := os.OpenFile(path, flags, mode)
if err != nil {
return nil, err
}
+ if TestMode {
+ return fd, nil
+ }
+ // Check this is a cgroupfs file.
+ var st unix.Statfs_t
+ if err := unix.Fstatfs(int(fd.Fd()), &st); err != nil {
+ _ = fd.Close()
+ return nil, &os.PathError{Op: "statfs", Path: path, Err: err}
+ }
+ if st.Type != unix.CGROUP_SUPER_MAGIC && st.Type != unix.CGROUP2_SUPER_MAGIC {
+ _ = fd.Close()
+ return nil, &os.PathError{Op: "open", Path: path, Err: errNotCgroupfs}
+ }
- return os.OpenFile(path, flags, mode)
+ return fd, nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
index 2e4e837f2..db0caded1 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
@@ -35,22 +35,42 @@ func ParseUint(s string, base, bitSize int) (uint64, error) {
return value, nil
}
-// GetCgroupParamKeyValue parses a space-separated "name value" kind of cgroup
-// parameter and returns its components. For example, "io_service_bytes 1234"
-// will return as "io_service_bytes", 1234.
-func GetCgroupParamKeyValue(t string) (string, uint64, error) {
- parts := strings.Fields(t)
- switch len(parts) {
- case 2:
- value, err := ParseUint(parts[1], 10, 64)
- if err != nil {
- return "", 0, fmt.Errorf("unable to convert to uint64: %v", err)
- }
+// ParseKeyValue parses a space-separated "name value" kind of cgroup
+// parameter and returns its key as a string, and its value as uint64
+// (ParseUint is used to convert the value). For example,
+// "io_service_bytes 1234" will be returned as "io_service_bytes", 1234.
+func ParseKeyValue(t string) (string, uint64, error) {
+ parts := strings.SplitN(t, " ", 3)
+ if len(parts) != 2 {
+ return "", 0, fmt.Errorf("line %q is not in key value format", t)
+ }
- return parts[0], value, nil
- default:
- return "", 0, ErrNotValidFormat
+ value, err := ParseUint(parts[1], 10, 64)
+ if err != nil {
+ return "", 0, fmt.Errorf("unable to convert to uint64: %v", err)
}
+
+ return parts[0], value, nil
+}
+
+// GetValueByKey reads a key-value pairs from the specified cgroup file,
+// and returns a value of the specified key. ParseUint is used for value
+// conversion.
+func GetValueByKey(path, file, key string) (uint64, error) {
+ content, err := ReadFile(path, file)
+ if err != nil {
+ return 0, err
+ }
+
+ lines := strings.Split(string(content), "\n")
+ for _, line := range lines {
+ arr := strings.Split(line, " ")
+ if len(arr) == 2 && arr[0] == key {
+ return ParseUint(arr[1], 10, 64)
+ }
+ }
+
+ return 0, nil
}
// GetCgroupParamUint reads a single uint64 value from the specified cgroup file.
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 840817e39..35ce2c1c2 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -16,7 +16,7 @@ import (
"time"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
- "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/opencontainers/runc/libcontainer/userns"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -37,7 +37,7 @@ func IsCgroup2UnifiedMode() bool {
var st unix.Statfs_t
err := unix.Statfs(unifiedMountpoint, &st)
if err != nil {
- if os.IsNotExist(err) && system.RunningInUserNS() {
+ if os.IsNotExist(err) && userns.RunningInUserNS() {
// ignore the "not found" error if running in userns
logrus.WithError(err).Debugf("%s missing, assuming cgroup v1", unifiedMountpoint)
isUnified = false
@@ -402,17 +402,6 @@ func WriteCgroupProc(dir string, pid int) error {
// Since the OCI spec is designed for cgroup v1, in some cases
// there is need to convert from the cgroup v1 configuration to cgroup v2
-// the formula for BlkIOWeight is y = (1 + (x - 10) * 9999 / 990)
-// convert linearly from [10-1000] to [1-10000]
-func ConvertBlkIOToCgroupV2Value(blkIoWeight uint16) uint64 {
- if blkIoWeight == 0 {
- return 0
- }
- return uint64(1 + (uint64(blkIoWeight)-10)*9999/990)
-}
-
-// Since the OCI spec is designed for cgroup v1, in some cases
-// there is need to convert from the cgroup v1 configuration to cgroup v2
// the formula for cpuShares is y = (1 + ((x - 2) * 9999) / 262142)
// convert from [2-262144] to [1-10000]
// 262144 comes from Linux kernel definition "#define MAX_SHARES (1UL << 18)"
@@ -450,3 +439,14 @@ func ConvertMemorySwapToCgroupV2Value(memorySwap, memory int64) (int64, error) {
return memorySwap - memory, nil
}
+
+// Since the OCI spec is designed for cgroup v1, in some cases
+// there is need to convert from the cgroup v1 configuration to cgroup v2
+// the formula for BlkIOWeight to IOWeight is y = (1 + (x - 10) * 9999 / 990)
+// convert linearly from [10-1000] to [1-10000]
+func ConvertBlkIOToIOWeightValue(blkIoWeight uint16) uint64 {
+ if blkIoWeight == 0 {
+ return 0
+ }
+ return uint64(1 + (uint64(blkIoWeight)-10)*9999/990)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
index aada5d62f..87d0da842 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@@ -54,12 +54,6 @@ type Resources struct {
// Total memory usage (memory + swap); set `-1` to enable unlimited swap
MemorySwap int64 `json:"memory_swap"`
- // Kernel memory limit (in bytes)
- KernelMemory int64 `json:"kernel_memory"`
-
- // Kernel memory limit for TCP use (in bytes)
- KernelMemoryTCP int64 `json:"kernel_memory_tcp"`
-
// CPU shares (relative weight vs. other containers)
CpuShares uint64 `json:"cpu_shares"`
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
index e1cd16265..042ba1a2e 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -222,25 +222,25 @@ const (
// the runtime environment has been created but before the pivot_root has been executed.
// CreateRuntime is called immediately after the deprecated Prestart hook.
// CreateRuntime commands are called in the Runtime Namespace.
- CreateRuntime = "createRuntime"
+ CreateRuntime HookName = "createRuntime"
// CreateContainer commands MUST be called as part of the create operation after
// the runtime environment has been created but before the pivot_root has been executed.
// CreateContainer commands are called in the Container namespace.
- CreateContainer = "createContainer"
+ CreateContainer HookName = "createContainer"
// StartContainer commands MUST be called as part of the start operation and before
// the container process is started.
// StartContainer commands are called in the Container namespace.
- StartContainer = "startContainer"
+ StartContainer HookName = "startContainer"
// Poststart commands are executed after the container init process starts.
// Poststart commands are called in the Runtime Namespace.
- Poststart = "poststart"
+ Poststart HookName = "poststart"
// Poststop commands are executed after the container init process exits.
// Poststop commands are called in the Runtime Namespace.
- Poststop = "poststop"
+ Poststop HookName = "poststop"
)
type Capabilities struct {
@@ -387,7 +387,7 @@ func (c Command) Run(s *specs.State) error {
return err
case <-timerCh:
cmd.Process.Kill()
- cmd.Wait()
+ <-errC
return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go
new file mode 100644
index 000000000..93bf41c8d
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go
@@ -0,0 +1,9 @@
+// +build gofuzz
+
+package configs
+
+func FuzzUnmarshalJSON(data []byte) int {
+ hooks := Hooks{}
+ _ = hooks.UnmarshalJSON(data)
+ return 1
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
index 3eb73cc7c..c2c2b3bb7 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
@@ -168,3 +168,7 @@ func (d *Rule) CgroupString() string {
}
return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
}
+
+func (d *Rule) Mkdev() (uint64, error) {
+ return mkDev(d)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
index a400341e4..acb816998 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
@@ -4,13 +4,118 @@ package devices
import (
"errors"
+ "io/ioutil"
+ "os"
+ "path/filepath"
"golang.org/x/sys/unix"
)
-func (d *Rule) Mkdev() (uint64, error) {
+var (
+ // ErrNotADevice denotes that a file is not a valid linux device.
+ ErrNotADevice = errors.New("not a device node")
+)
+
+// Testing dependencies
+var (
+ unixLstat = unix.Lstat
+ ioutilReadDir = ioutil.ReadDir
+)
+
+func mkDev(d *Rule) (uint64, error) {
if d.Major == Wildcard || d.Minor == Wildcard {
return 0, errors.New("cannot mkdev() device with wildcards")
}
return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
}
+
+// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the
+// information about a linux device and return that information as a Device struct.
+func DeviceFromPath(path, permissions string) (*Device, error) {
+ var stat unix.Stat_t
+ err := unixLstat(path, &stat)
+ if err != nil {
+ return nil, err
+ }
+
+ var (
+ devType Type
+ mode = stat.Mode
+ devNumber = uint64(stat.Rdev)
+ major = unix.Major(devNumber)
+ minor = unix.Minor(devNumber)
+ )
+ switch mode & unix.S_IFMT {
+ case unix.S_IFBLK:
+ devType = BlockDevice
+ case unix.S_IFCHR:
+ devType = CharDevice
+ case unix.S_IFIFO:
+ devType = FifoDevice
+ default:
+ return nil, ErrNotADevice
+ }
+ return &Device{
+ Rule: Rule{
+ Type: devType,
+ Major: int64(major),
+ Minor: int64(minor),
+ Permissions: Permissions(permissions),
+ },
+ Path: path,
+ FileMode: os.FileMode(mode &^ unix.S_IFMT),
+ Uid: stat.Uid,
+ Gid: stat.Gid,
+ }, nil
+}
+
+// HostDevices returns all devices that can be found under /dev directory.
+func HostDevices() ([]*Device, error) {
+ return GetDevices("/dev")
+}
+
+// GetDevices recursively traverses a directory specified by path
+// and returns all devices found there.
+func GetDevices(path string) ([]*Device, error) {
+ files, err := ioutilReadDir(path)
+ if err != nil {
+ return nil, err
+ }
+ var out []*Device
+ for _, f := range files {
+ switch {
+ case f.IsDir():
+ switch f.Name() {
+ // ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
+ // ".udev" added to address https://github.com/opencontainers/runc/issues/2093
+ case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
+ continue
+ default:
+ sub, err := GetDevices(filepath.Join(path, f.Name()))
+ if err != nil {
+ return nil, err
+ }
+
+ out = append(out, sub...)
+ continue
+ }
+ case f.Name() == "console":
+ continue
+ }
+ device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
+ if err != nil {
+ if err == ErrNotADevice {
+ continue
+ }
+ if os.IsNotExist(err) {
+ continue
+ }
+ return nil, err
+ }
+ if device.Type == FifoDevice {
+ continue
+ }
+ out = append(out, device)
+ }
+ return out, nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go
deleted file mode 100644
index 8511bf00e..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_windows.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package devices
-
-func (d *Rule) Mkdev() (uint64, error) {
- return 0, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
deleted file mode 100644
index 5011f373d..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
+++ /dev/null
@@ -1,112 +0,0 @@
-package devices
-
-import (
- "errors"
- "io/ioutil"
- "os"
- "path/filepath"
-
- "golang.org/x/sys/unix"
-)
-
-var (
- // ErrNotADevice denotes that a file is not a valid linux device.
- ErrNotADevice = errors.New("not a device node")
-)
-
-// Testing dependencies
-var (
- unixLstat = unix.Lstat
- ioutilReadDir = ioutil.ReadDir
-)
-
-// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the
-// information about a linux device and return that information as a Device struct.
-func DeviceFromPath(path, permissions string) (*Device, error) {
- var stat unix.Stat_t
- err := unixLstat(path, &stat)
- if err != nil {
- return nil, err
- }
-
- var (
- devType Type
- mode = stat.Mode
- devNumber = uint64(stat.Rdev)
- major = unix.Major(devNumber)
- minor = unix.Minor(devNumber)
- )
- switch mode & unix.S_IFMT {
- case unix.S_IFBLK:
- devType = BlockDevice
- case unix.S_IFCHR:
- devType = CharDevice
- case unix.S_IFIFO:
- devType = FifoDevice
- default:
- return nil, ErrNotADevice
- }
- return &Device{
- Rule: Rule{
- Type: devType,
- Major: int64(major),
- Minor: int64(minor),
- Permissions: Permissions(permissions),
- },
- Path: path,
- FileMode: os.FileMode(mode),
- Uid: stat.Uid,
- Gid: stat.Gid,
- }, nil
-}
-
-// HostDevices returns all devices that can be found under /dev directory.
-func HostDevices() ([]*Device, error) {
- return GetDevices("/dev")
-}
-
-// GetDevices recursively traverses a directory specified by path
-// and returns all devices found there.
-func GetDevices(path string) ([]*Device, error) {
- files, err := ioutilReadDir(path)
- if err != nil {
- return nil, err
- }
- var out []*Device
- for _, f := range files {
- switch {
- case f.IsDir():
- switch f.Name() {
- // ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
- // ".udev" added to address https://github.com/opencontainers/runc/issues/2093
- case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
- continue
- default:
- sub, err := GetDevices(filepath.Join(path, f.Name()))
- if err != nil {
- return nil, err
- }
-
- out = append(out, sub...)
- continue
- }
- case f.Name() == "console":
- continue
- }
- device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
- if err != nil {
- if err == ErrNotADevice {
- continue
- }
- if os.IsNotExist(err) {
- continue
- }
- return nil, err
- }
- if device.Type == FifoDevice {
- continue
- }
- out = append(out, device)
- }
- return out, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
index 49471960b..4379a2070 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
@@ -3,12 +3,9 @@
package system
import (
- "os"
"os/exec"
- "sync"
"unsafe"
- "github.com/opencontainers/runc/libcontainer/user"
"golang.org/x/sys/unix"
)
@@ -87,52 +84,6 @@ func Setctty() error {
return nil
}
-var (
- inUserNS bool
- nsOnce sync.Once
-)
-
-// RunningInUserNS detects whether we are currently running in a user namespace.
-// Originally copied from github.com/lxc/lxd/shared/util.go
-func RunningInUserNS() bool {
- nsOnce.Do(func() {
- uidmap, err := user.CurrentProcessUIDMap()
- if err != nil {
- // This kernel-provided file only exists if user namespaces are supported
- return
- }
- inUserNS = UIDMapInUserNS(uidmap)
- })
- return inUserNS
-}
-
-func UIDMapInUserNS(uidmap []user.IDMap) bool {
- /*
- * We assume we are in the initial user namespace if we have a full
- * range - 4294967295 uids starting at uid 0.
- */
- if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
- return false
- }
- return true
-}
-
-// GetParentNSeuid returns the euid within the parent user namespace
-func GetParentNSeuid() int64 {
- euid := int64(os.Geteuid())
- uidmap, err := user.CurrentProcessUIDMap()
- if err != nil {
- // This kernel-provided file only exists if user namespaces are supported
- return euid
- }
- for _, um := range uidmap {
- if um.ID <= euid && euid <= um.ID+um.Count-1 {
- return um.ParentID + euid - um.ID
- }
- }
- return euid
-}
-
// SetSubreaper sets the value i as the subreaper setting for the calling process
func SetSubreaper(i int) error {
return unix.Prctl(unix.PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
deleted file mode 100644
index b94be74a6..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// +build !linux
-
-package system
-
-import (
- "os"
-
- "github.com/opencontainers/runc/libcontainer/user"
-)
-
-// RunningInUserNS is a stub for non-Linux systems
-// Always returns false
-func RunningInUserNS() bool {
- return false
-}
-
-// UIDMapInUserNS is a stub for non-Linux systems
-// Always returns false
-func UIDMapInUserNS(uidmap []user.IDMap) bool {
- return false
-}
-
-// GetParentNSeuid returns the euid within the parent user namespace
-// Always returns os.Geteuid on non-linux
-func GetParentNSeuid() int {
- return os.Geteuid()
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/userns_deprecated.go b/vendor/github.com/opencontainers/runc/libcontainer/system/userns_deprecated.go
new file mode 100644
index 000000000..2de3462a5
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/userns_deprecated.go
@@ -0,0 +1,5 @@
+package system
+
+import "github.com/opencontainers/runc/libcontainer/userns"
+
+var RunningInUserNS = userns.RunningInUserNS
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/MAINTAINERS b/vendor/github.com/opencontainers/runc/libcontainer/user/MAINTAINERS
deleted file mode 100644
index edbe20066..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/MAINTAINERS
+++ /dev/null
@@ -1,2 +0,0 @@
-Tianon Gravi <admwiggin@gmail.com> (@tianon)
-Aleksa Sarai <cyphar@cyphar.com> (@cyphar)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
deleted file mode 100644
index 6fd8dd0d4..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package user
-
-import (
- "errors"
-)
-
-var (
- // The current operating system does not provide the required data for user lookups.
- ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
- // No matching entries found in file.
- ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
- ErrNoGroupEntries = errors.New("no matching entries in group file")
-)
-
-// LookupUser looks up a user by their username in /etc/passwd. If the user
-// cannot be found (or there is no /etc/passwd file on the filesystem), then
-// LookupUser returns an error.
-func LookupUser(username string) (User, error) {
- return lookupUser(username)
-}
-
-// LookupUid looks up a user by their user id in /etc/passwd. If the user cannot
-// be found (or there is no /etc/passwd file on the filesystem), then LookupId
-// returns an error.
-func LookupUid(uid int) (User, error) {
- return lookupUid(uid)
-}
-
-// LookupGroup looks up a group by its name in /etc/group. If the group cannot
-// be found (or there is no /etc/group file on the filesystem), then LookupGroup
-// returns an error.
-func LookupGroup(groupname string) (Group, error) {
- return lookupGroup(groupname)
-}
-
-// LookupGid looks up a group by its group id in /etc/group. If the group cannot
-// be found (or there is no /etc/group file on the filesystem), then LookupGid
-// returns an error.
-func LookupGid(gid int) (Group, error) {
- return lookupGid(gid)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
index 92b5ae8de..967717a1b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
@@ -16,13 +16,19 @@ const (
unixGroupPath = "/etc/group"
)
-func lookupUser(username string) (User, error) {
+// LookupUser looks up a user by their username in /etc/passwd. If the user
+// cannot be found (or there is no /etc/passwd file on the filesystem), then
+// LookupUser returns an error.
+func LookupUser(username string) (User, error) {
return lookupUserFunc(func(u User) bool {
return u.Name == username
})
}
-func lookupUid(uid int) (User, error) {
+// LookupUid looks up a user by their user id in /etc/passwd. If the user cannot
+// be found (or there is no /etc/passwd file on the filesystem), then LookupId
+// returns an error.
+func LookupUid(uid int) (User, error) {
return lookupUserFunc(func(u User) bool {
return u.Uid == uid
})
@@ -51,13 +57,19 @@ func lookupUserFunc(filter func(u User) bool) (User, error) {
return users[0], nil
}
-func lookupGroup(groupname string) (Group, error) {
+// LookupGroup looks up a group by its name in /etc/group. If the group cannot
+// be found (or there is no /etc/group file on the filesystem), then LookupGroup
+// returns an error.
+func LookupGroup(groupname string) (Group, error) {
return lookupGroupFunc(func(g Group) bool {
return g.Name == groupname
})
}
-func lookupGid(gid int) (Group, error) {
+// LookupGid looks up a group by its group id in /etc/group. If the group cannot
+// be found (or there is no /etc/group file on the filesystem), then LookupGid
+// returns an error.
+func LookupGid(gid int) (Group, error) {
return lookupGroupFunc(func(g Group) bool {
return g.Gid == gid
})
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
deleted file mode 100644
index f19333e61..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// +build windows
-
-package user
-
-import (
- "os/user"
- "strconv"
-)
-
-func lookupUser(username string) (User, error) {
- u, err := user.Lookup(username)
- if err != nil {
- return User{}, err
- }
- return userFromOS(u)
-}
-
-func lookupUid(uid int) (User, error) {
- u, err := user.LookupId(strconv.Itoa(uid))
- if err != nil {
- return User{}, err
- }
- return userFromOS(u)
-}
-
-func lookupGroup(groupname string) (Group, error) {
- g, err := user.LookupGroup(groupname)
- if err != nil {
- return Group{}, err
- }
- return groupFromOS(g)
-}
-
-func lookupGid(gid int) (Group, error) {
- g, err := user.LookupGroupId(strconv.Itoa(gid))
- if err != nil {
- return Group{}, err
- }
- return groupFromOS(g)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
index a533bf5e6..68da4400d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -2,10 +2,10 @@ package user
import (
"bufio"
+ "errors"
"fmt"
"io"
"os"
- "os/user"
"strconv"
"strings"
)
@@ -16,6 +16,13 @@ const (
)
var (
+ // The current operating system does not provide the required data for user lookups.
+ ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
+
+ // No matching entries found in file.
+ ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
+ ErrNoGroupEntries = errors.New("no matching entries in group file")
+
ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
)
@@ -29,28 +36,6 @@ type User struct {
Shell string
}
-// userFromOS converts an os/user.(*User) to local User
-//
-// (This does not include Pass, Shell or Gecos)
-func userFromOS(u *user.User) (User, error) {
- newUser := User{
- Name: u.Username,
- Home: u.HomeDir,
- }
- id, err := strconv.Atoi(u.Uid)
- if err != nil {
- return newUser, err
- }
- newUser.Uid = id
-
- id, err = strconv.Atoi(u.Gid)
- if err != nil {
- return newUser, err
- }
- newUser.Gid = id
- return newUser, nil
-}
-
type Group struct {
Name string
Pass string
@@ -58,23 +43,6 @@ type Group struct {
List []string
}
-// groupFromOS converts an os/user.(*Group) to local Group
-//
-// (This does not include Pass or List)
-func groupFromOS(g *user.Group) (Group, error) {
- newGroup := Group{
- Name: g.Name,
- }
-
- id, err := strconv.Atoi(g.Gid)
- if err != nil {
- return newGroup, err
- }
- newGroup.Gid = id
-
- return newGroup, nil
-}
-
// SubID represents an entry in /etc/sub{u,g}id
type SubID struct {
Name string
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user_fuzzer.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user_fuzzer.go
new file mode 100644
index 000000000..8c9bb5df3
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user_fuzzer.go
@@ -0,0 +1,42 @@
+// +build gofuzz
+
+package user
+
+import (
+ "io"
+ "strings"
+)
+
+func IsDivisbleBy(n int, divisibleby int) bool {
+ return (n % divisibleby) == 0
+}
+
+func FuzzUser(data []byte) int {
+ if len(data) == 0 {
+ return -1
+ }
+ if !IsDivisbleBy(len(data), 5) {
+ return -1
+ }
+
+ var divided [][]byte
+
+ chunkSize := len(data) / 5
+
+ for i := 0; i < len(data); i += chunkSize {
+ end := i + chunkSize
+
+ divided = append(divided, data[i:end])
+ }
+
+ _, _ = ParsePasswdFilter(strings.NewReader(string(divided[0])), nil)
+
+ var passwd, group io.Reader
+
+ group = strings.NewReader(string(divided[1]))
+ _, _ = GetAdditionalGroups([]string{string(divided[2])}, group)
+
+ passwd = strings.NewReader(string(divided[3]))
+ _, _ = GetExecUser(string(divided[4]), nil, passwd, group)
+ return 1
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go
new file mode 100644
index 000000000..f6cb98e5e
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns.go
@@ -0,0 +1,5 @@
+package userns
+
+// RunningInUserNS detects whether we are currently running in a user namespace.
+// Originally copied from github.com/lxc/lxd/shared/util.go
+var RunningInUserNS = runningInUserNS
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go
new file mode 100644
index 000000000..529f8eaea
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_fuzzer.go
@@ -0,0 +1,15 @@
+// +build gofuzz
+
+package userns
+
+import (
+ "strings"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+)
+
+func FuzzUIDMap(data []byte) int {
+ uidmap, _ := user.ParseIDMap(strings.NewReader(string(data)))
+ _ = uidMapInUserNS(uidmap)
+ return 1
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go
new file mode 100644
index 000000000..724e6df01
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_linux.go
@@ -0,0 +1,37 @@
+package userns
+
+import (
+ "sync"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+)
+
+var (
+ inUserNS bool
+ nsOnce sync.Once
+)
+
+// runningInUserNS detects whether we are currently running in a user namespace.
+// Originally copied from github.com/lxc/lxd/shared/util.go
+func runningInUserNS() bool {
+ nsOnce.Do(func() {
+ uidmap, err := user.CurrentProcessUIDMap()
+ if err != nil {
+ // This kernel-provided file only exists if user namespaces are supported
+ return
+ }
+ inUserNS = uidMapInUserNS(uidmap)
+ })
+ return inUserNS
+}
+
+func uidMapInUserNS(uidmap []user.IDMap) bool {
+ /*
+ * We assume we are in the initial user namespace if we have a full
+ * range - 4294967295 uids starting at uid 0.
+ */
+ if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
+ return false
+ }
+ return true
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go
new file mode 100644
index 000000000..f45bb0c31
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/userns/userns_unsupported.go
@@ -0,0 +1,17 @@
+// +build !linux
+
+package userns
+
+import "github.com/opencontainers/runc/libcontainer/user"
+
+// runningInUserNS is a stub for non-Linux systems
+// Always returns false
+func runningInUserNS() bool {
+ return false
+}
+
+// uidMapInUserNS is a stub for non-Linux systems
+// Always returns false
+func uidMapInUserNS(uidmap []user.IDMap) bool {
+ return false
+}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 5fceeb635..6a7a91e55 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -598,10 +598,13 @@ type VMImage struct {
// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
- DefaultAction LinuxSeccompAction `json:"defaultAction"`
- Architectures []Arch `json:"architectures,omitempty"`
- Flags []LinuxSeccompFlag `json:"flags,omitempty"`
- Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
+ DefaultAction LinuxSeccompAction `json:"defaultAction"`
+ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
+ Architectures []Arch `json:"architectures,omitempty"`
+ Flags []LinuxSeccompFlag `json:"flags,omitempty"`
+ ListenerPath string `json:"listenerPath,omitempty"`
+ ListenerMetadata string `json:"listenerMetadata,omitempty"`
+ Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}
// Arch used for additional architectures
@@ -641,11 +644,13 @@ type LinuxSeccompAction string
const (
ActKill LinuxSeccompAction = "SCMP_ACT_KILL"
ActKillProcess LinuxSeccompAction = "SCMP_ACT_KILL_PROCESS"
+ ActKillThread LinuxSeccompAction = "SCMP_ACT_KILL_THREAD"
ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP"
ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
ActLog LinuxSeccompAction = "SCMP_ACT_LOG"
+ ActNotify LinuxSeccompAction = "SCMP_ACT_NOTIFY"
)
// LinuxSeccompOperator used to match syscall arguments in Seccomp
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
index e2e64c663..7c010d4fe 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
@@ -5,17 +5,17 @@ type ContainerState string
const (
// StateCreating indicates that the container is being created
- StateCreating ContainerState = "creating"
+ StateCreating ContainerState = "creating"
// StateCreated indicates that the runtime has finished the create operation
- StateCreated ContainerState = "created"
+ StateCreated ContainerState = "created"
// StateRunning indicates that the container process has executed the
// user-specified program but has not exited
- StateRunning ContainerState = "running"
+ StateRunning ContainerState = "running"
// StateStopped indicates that the container process has exited
- StateStopped ContainerState = "stopped"
+ StateStopped ContainerState = "stopped"
)
// State holds information about the runtime state of the container.
@@ -33,3 +33,24 @@ type State struct {
// Annotations are key values associated with the container.
Annotations map[string]string `json:"annotations,omitempty"`
}
+
+const (
+ // SeccompFdName is the name of the seccomp notify file descriptor.
+ SeccompFdName string = "seccompFd"
+)
+
+// ContainerProcessState holds information about the state of a container process.
+type ContainerProcessState struct {
+ // Version is the version of the specification that is supported.
+ Version string `json:"ociVersion"`
+ // Fds is a string array containing the names of the file descriptors passed.
+ // The index of the name in this array corresponds to index of the file
+ // descriptor in the `SCM_RIGHTS` array.
+ Fds []string `json:"fds"`
+ // Pid is the process ID as seen by the runtime.
+ Pid int `json:"pid"`
+ // Opaque metadata.
+ Metadata string `json:"metadata,omitempty"`
+ // State of the container.
+ State State `json:"state"`
+}