diff options
Diffstat (limited to 'vendor/github.com')
41 files changed, 605 insertions, 194 deletions
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION index 836ae4eda..0044d6cb9 100644 --- a/vendor/github.com/containers/storage/VERSION +++ b/vendor/github.com/containers/storage/VERSION @@ -1 +1 @@ -1.19.2 +1.20.1 diff --git a/vendor/github.com/containers/storage/drivers/devmapper/deviceset.go b/vendor/github.com/containers/storage/drivers/devmapper/deviceset.go index d0c7fab0a..f1c941f11 100644 --- a/vendor/github.com/containers/storage/drivers/devmapper/deviceset.go +++ b/vendor/github.com/containers/storage/drivers/devmapper/deviceset.go @@ -272,7 +272,7 @@ func (devices *DeviceSet) ensureImage(name string, size int64) (string, error) { if err != nil { return "", err } - if err := idtools.MkdirAllAs(dirname, 0700, uid, gid); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(dirname, 0700, uid, gid); err != nil { return "", err } @@ -1701,10 +1701,10 @@ func (devices *DeviceSet) initDevmapper(doInit bool) (retErr error) { if err != nil { return err } - if err := idtools.MkdirAs(devices.root, 0700, uid, gid); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAs(devices.root, 0700, uid, gid); err != nil { return err } - if err := os.MkdirAll(devices.metadataDir(), 0700); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(devices.metadataDir(), 0700); err != nil { return err } diff --git a/vendor/github.com/containers/storage/drivers/devmapper/driver.go b/vendor/github.com/containers/storage/drivers/devmapper/driver.go index ca50e7f06..0afa6c84d 100644 --- a/vendor/github.com/containers/storage/drivers/devmapper/driver.go +++ b/vendor/github.com/containers/storage/drivers/devmapper/driver.go @@ -183,7 +183,7 @@ func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { } // Create the target directories if they don't exist - if err := idtools.MkdirAllAs(path.Join(d.home, "mnt"), 0755, uid, gid); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(path.Join(d.home, "mnt"), 0755, uid, gid); err != nil { d.ctr.Decrement(mp) return "", err } @@ -198,7 +198,7 @@ func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) { return "", err } - if err := idtools.MkdirAllAs(rootFs, 0755, uid, gid); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(rootFs, 0755, uid, gid); err != nil { d.ctr.Decrement(mp) d.DeviceSet.UnmountDevice(id, mp) return "", err diff --git a/vendor/github.com/containers/storage/drivers/overlay/check.go b/vendor/github.com/containers/storage/drivers/overlay/check.go index a566e4afd..cbfad2cd5 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/check.go +++ b/vendor/github.com/containers/storage/drivers/overlay/check.go @@ -145,7 +145,7 @@ func doesMetacopy(d, mountOpts string) (bool, error) { opts = fmt.Sprintf("%s,%s", opts, data) } if err := unix.Mount("overlay", filepath.Join(td, "merged"), "overlay", uintptr(flags), opts); err != nil { - return false, errors.Wrap(err, "failed to mount overlay for metacopy check") + return false, errors.Wrapf(err, "failed to mount overlay for metacopy check with %q options", mountOpts) } defer func() { if err := unix.Unmount(filepath.Join(td, "merged"), 0); err != nil { diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go index 7e7dba753..2906e3e08 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go +++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go @@ -33,6 +33,7 @@ import ( "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" + "github.com/vbatts/tar-split/tar/storage" "golang.org/x/sys/unix" ) @@ -152,11 +153,11 @@ func Init(home string, options graphdriver.Options) (graphdriver.Driver, error) } // Create the driver home dir - if err := idtools.MkdirAllAs(path.Join(home, linkDir), 0700, rootUID, rootGID); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(path.Join(home, linkDir), 0700, rootUID, rootGID); err != nil { return nil, err } runhome := filepath.Join(options.RunRoot, filepath.Base(home)) - if err := idtools.MkdirAllAs(runhome, 0700, rootUID, rootGID); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(runhome, 0700, rootUID, rootGID); err != nil { return nil, err } @@ -555,7 +556,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr return err } // Make the link directory if it does not exist - if err := idtools.MkdirAllAs(path.Join(d.home, linkDir), 0700, rootUID, rootGID); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(path.Join(d.home, linkDir), 0700, rootUID, rootGID); err != nil { return err } if err := idtools.MkdirAllAs(path.Dir(dir), 0700, rootUID, rootGID); err != nil { @@ -767,7 +768,7 @@ func (d *Driver) recreateSymlinks() error { if err != nil { return err } - if err := idtools.MkdirAllAs(path.Join(d.home, linkDir), 0700, rootUID, rootGID); err != nil && !os.IsExist(err) { + if err := idtools.MkdirAllAs(path.Join(d.home, linkDir), 0700, rootUID, rootGID); err != nil { return err } for _, dir := range dirs { @@ -809,6 +810,13 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO } readWrite := true + for _, o := range options.Options { + if o == "ro" { + readWrite = false + break + } + } + lowers, err := ioutil.ReadFile(path.Join(dir, lowerFile)) if err != nil && !os.IsNotExist(err) { return "", err @@ -886,7 +894,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO // if we are doing a readOnly mount, and there is only one lower // We should just return the lower directory, no reason to mount. - if !readWrite { + if !readWrite && d.options.mountProgram == "" { if len(absLowers) == 0 { return path.Join(dir, "empty"), nil } @@ -904,10 +912,8 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO return "", err } diffDir := path.Join(dir, "diff") - if readWrite { - if err := idtools.MkdirAllAs(diffDir, 0755, rootUID, rootGID); err != nil && !os.IsExist(err) { - return "", err - } + if err := idtools.MkdirAllAs(diffDir, 0755, rootUID, rootGID); err != nil { + return "", err } mergedDir := path.Join(dir, "merged") @@ -932,7 +938,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO if readWrite { opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(absLowers, ":"), diffDir, path.Join(dir, "work")) } else { - opts = fmt.Sprintf("lowerdir=%s", strings.Join(absLowers, ":")) + opts = fmt.Sprintf("lowerdir=%s:%s", diffDir, strings.Join(absLowers, ":")) } if len(options.Options) > 0 { opts = fmt.Sprintf("%s,%s", strings.Join(options.Options, ","), opts) @@ -1018,7 +1024,7 @@ func (d *Driver) Put(id string) error { // If they fail, fallback to unix.Unmount for _, v := range []string{"fusermount3", "fusermount"} { err := exec.Command(v, "-u", mountpoint).Run() - if err != nil && !os.IsNotExist(err) { + if err != nil && errors.Cause(err) != exec.ErrNotFound { logrus.Debugf("Error unmounting %s with %s - %v", mountpoint, v, err) } if err == nil { @@ -1090,6 +1096,21 @@ func (d *Driver) getWhiteoutFormat() archive.WhiteoutFormat { return whiteoutFormat } +type fileGetNilCloser struct { + storage.FileGetter +} + +func (f fileGetNilCloser) Close() error { + return nil +} + +// DiffGetter returns a FileGetCloser that can read files from the directory that +// contains files for the layer differences. Used for direct access for tar-split. +func (d *Driver) DiffGetter(id string) (graphdriver.FileGetCloser, error) { + p := d.getDiffPath(id) + return fileGetNilCloser{storage.NewPathFileGetter(p)}, nil +} + // ApplyDiff applies the new layer into a root func (d *Driver) ApplyDiff(id, parent string, options graphdriver.ApplyDiffOpts) (size int64, err error) { diff --git a/vendor/github.com/containers/storage/drivers/vfs/driver.go b/vendor/github.com/containers/storage/drivers/vfs/driver.go index f2859b427..679d89112 100644 --- a/vendor/github.com/containers/storage/drivers/vfs/driver.go +++ b/vendor/github.com/containers/storage/drivers/vfs/driver.go @@ -15,6 +15,7 @@ import ( "github.com/containers/storage/pkg/system" "github.com/opencontainers/selinux/go-selinux/label" "github.com/sirupsen/logrus" + "github.com/vbatts/tar-split/tar/storage" ) var ( @@ -101,6 +102,21 @@ func (d *Driver) Cleanup() error { return nil } +type fileGetNilCloser struct { + storage.FileGetter +} + +func (f fileGetNilCloser) Close() error { + return nil +} + +// DiffGetter returns a FileGetCloser that can read files from the directory that +// contains files for the layer differences. Used for direct access for tar-split. +func (d *Driver) DiffGetter(id string) (graphdriver.FileGetCloser, error) { + p := d.dir(id) + return fileGetNilCloser{storage.NewPathFileGetter(p)}, nil +} + // CreateFromTemplate creates a layer with the same contents and parent as another layer. func (d *Driver) CreateFromTemplate(id, template string, templateIDMappings *idtools.IDMappings, parent string, parentIDMappings *idtools.IDMappings, opts *graphdriver.CreateOpts, readWrite bool) error { if readWrite { diff --git a/vendor/github.com/containers/storage/go.mod b/vendor/github.com/containers/storage/go.mod index a3ae07c9c..a7d9ade60 100644 --- a/vendor/github.com/containers/storage/go.mod +++ b/vendor/github.com/containers/storage/go.mod @@ -7,10 +7,10 @@ require ( github.com/docker/go-units v0.4.0 github.com/hashicorp/go-multierror v1.0.0 github.com/klauspost/compress v1.10.5 - github.com/klauspost/pgzip v1.2.3 + github.com/klauspost/pgzip v1.2.4 github.com/mattn/go-shellwords v1.0.10 github.com/mistifyio/go-zfs v2.1.1+incompatible - github.com/opencontainers/go-digest v1.0.0-rc1 + github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/runc v1.0.0-rc9 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700 github.com/opencontainers/selinux v1.5.1 diff --git a/vendor/github.com/containers/storage/go.sum b/vendor/github.com/containers/storage/go.sum index c430e925f..eab0fd61e 100644 --- a/vendor/github.com/containers/storage/go.sum +++ b/vendor/github.com/containers/storage/go.sum @@ -44,8 +44,8 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.10.5 h1:7q6vHIqubShURwQz8cQK6yIe/xC3IF0Vm7TGfqjewrc= github.com/klauspost/compress v1.10.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/pgzip v1.2.3 h1:Ce2to9wvs/cuJ2b86/CKQoTYr9VHfpanYosZ0UBJqdw= -github.com/klauspost/pgzip v1.2.3/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= +github.com/klauspost/pgzip v1.2.4 h1:TQ7CNpYKovDOmqzRHKxJh0BeaBI7UdQZYc6p7pMQh1A= +github.com/klauspost/pgzip v1.2.4/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -59,8 +59,8 @@ github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lL github.com/mistifyio/go-zfs v2.1.1+incompatible h1:gAMO1HM9xBRONLHHYnu5iFsOJUiJdNZo6oqSENd4eW8= github.com/mistifyio/go-zfs v2.1.1+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ= -github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc9 h1:/k06BMULKF5hidyoZymkoDCzdJzltZpz/UU4LguQVtc= github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= diff --git a/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go b/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go index a188c510d..90f196371 100644 --- a/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go +++ b/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go @@ -63,8 +63,6 @@ func NewPatternMatcher(patterns []string) (*PatternMatcher, error) { func (pm *PatternMatcher) Matches(file string) (bool, error) { matched := false file = filepath.FromSlash(file) - parentPath := filepath.Dir(file) - parentPathDirs := strings.Split(parentPath, string(os.PathSeparator)) for _, pattern := range pm.patterns { negative := false @@ -78,13 +76,6 @@ func (pm *PatternMatcher) Matches(file string) (bool, error) { return false, err } - if !match && parentPath != "." { - // Check to see if the pattern matches one of our parent dirs. - if len(pattern.dirs) <= len(parentPathDirs) { - match, _ = pattern.match(strings.Join(parentPathDirs[:len(pattern.dirs)], string(os.PathSeparator))) - } - } - if match { matched = !negative } @@ -122,8 +113,6 @@ func (m *MatchResult) Excludes() uint { // an error. This method is not safe to be called concurrently. func (pm *PatternMatcher) MatchesResult(file string) (res *MatchResult, err error) { file = filepath.FromSlash(file) - parentPath := filepath.Dir(file) - parentPathDirs := strings.Split(parentPath, string(os.PathSeparator)) res = &MatchResult{false, 0, 0} for _, pattern := range pm.patterns { @@ -138,16 +127,6 @@ func (pm *PatternMatcher) MatchesResult(file string) (res *MatchResult, err erro return nil, err } - if !match && parentPath != "." { - // Check to see if the pattern matches one of our parent dirs. - if len(pattern.dirs) <= len(parentPathDirs) { - match, _ = pattern.match(strings.Join( - parentPathDirs[:len(pattern.dirs)], - string(os.PathSeparator)), - ) - } - } - if match { res.isMatched = !negative if negative { @@ -265,8 +244,7 @@ func (p *Pattern) compile() error { // in golang's filepath.Match regStr += bs + string(ch) } else if ch == '\\' { - // escape next char. Note that a trailing \ in the pattern - // will be left alone (but need to escape it) + // escape next char. if sl == bs { // On windows map "\" to "\\", meaning an escaped backslash, // and then just continue because filepath.Match on @@ -277,14 +255,14 @@ func (p *Pattern) compile() error { if scan.Peek() != scanner.EOF { regStr += bs + string(scan.Next()) } else { - regStr += bs + return filepath.ErrBadPattern } } else { regStr += string(ch) } } - regStr += "$" + regStr += "(/.*)?$" re, err := regexp.Compile(regStr) if err != nil { diff --git a/vendor/github.com/containers/storage/pkg/idtools/idtools_unix.go b/vendor/github.com/containers/storage/pkg/idtools/idtools_unix.go index 6b0f55030..9776b2a12 100644 --- a/vendor/github.com/containers/storage/pkg/idtools/idtools_unix.go +++ b/vendor/github.com/containers/storage/pkg/idtools/idtools_unix.go @@ -10,6 +10,7 @@ import ( "path/filepath" "strings" "sync" + "syscall" "github.com/containers/storage/pkg/system" "github.com/opencontainers/runc/libcontainer/user" @@ -26,13 +27,18 @@ func mkdirAs(path string, mode os.FileMode, ownerUID, ownerGID int, mkAll, chown // so that we can chown all of them properly at the end. If chownExisting is false, we won't // chown the full directory path if it exists var paths []string - if _, err := os.Stat(path); err != nil && os.IsNotExist(err) { + st, err := os.Stat(path) + if err != nil && os.IsNotExist(err) { paths = []string{path} - } else if err == nil && chownExisting { - // short-circuit--we were called with an existing directory and chown was requested - return SafeChown(path, ownerUID, ownerGID) } else if err == nil { - // nothing to do; directory path fully exists already and chown was NOT requested + if !st.IsDir() { + return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR} + } + if chownExisting { + // short-circuit--we were called with an existing directory and chown was requested + return SafeChown(path, ownerUID, ownerGID) + } + // nothing to do; directory exists and chown was NOT requested return nil } @@ -49,7 +55,7 @@ func mkdirAs(path string, mode os.FileMode, ownerUID, ownerGID int, mkAll, chown paths = append(paths, dirPath) } } - if err := os.MkdirAll(path, mode); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(path, mode); err != nil { return err } } else { diff --git a/vendor/github.com/containers/storage/pkg/idtools/idtools_windows.go b/vendor/github.com/containers/storage/pkg/idtools/idtools_windows.go index 9c8508397..16be94f44 100644 --- a/vendor/github.com/containers/storage/pkg/idtools/idtools_windows.go +++ b/vendor/github.com/containers/storage/pkg/idtools/idtools_windows.go @@ -9,7 +9,7 @@ import ( // Platforms such as Windows do not support the UID/GID concept. So make this // just a wrapper around system.MkdirAll. func mkdirAs(path string, mode os.FileMode, ownerUID, ownerGID int, mkAll, chownExisting bool) error { - if err := os.MkdirAll(path, mode); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(path, mode); err != nil { return err } return nil diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go index 43b84d769..eaf622f43 100644 --- a/vendor/github.com/containers/storage/store.go +++ b/vendor/github.com/containers/storage/store.go @@ -629,14 +629,14 @@ func GetStore(options StoreOptions) (Store, error) { return nil, errors.Wrap(ErrIncompleteOptions, "no storage runroot specified") } - if err := os.MkdirAll(options.RunRoot, 0700); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(options.RunRoot, 0700); err != nil { return nil, err } - if err := os.MkdirAll(options.GraphRoot, 0700); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(options.GraphRoot, 0700); err != nil { return nil, err } for _, subdir := range []string{"mounts", "tmp", options.GraphDriverName} { - if err := os.MkdirAll(filepath.Join(options.GraphRoot, subdir), 0700); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(filepath.Join(options.GraphRoot, subdir), 0700); err != nil { return nil, err } } diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go index 18e72efd1..34ff6a77a 100644 --- a/vendor/github.com/containers/storage/userns.go +++ b/vendor/github.com/containers/storage/userns.go @@ -113,7 +113,7 @@ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 { size = u.Uid } if u.Gid > size { - size = u.Uid + size = u.Gid } } } diff --git a/vendor/github.com/klauspost/pgzip/LICENSE b/vendor/github.com/klauspost/pgzip/LICENSE index 2bdc0d751..3909da410 100644 --- a/vendor/github.com/klauspost/pgzip/LICENSE +++ b/vendor/github.com/klauspost/pgzip/LICENSE @@ -1,4 +1,4 @@ -The MIT License (MIT) +MIT License Copyright (c) 2014 Klaus Post @@ -19,4 +19,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/vendor/github.com/klauspost/pgzip/gzip.go b/vendor/github.com/klauspost/pgzip/gzip.go index cb3dc0896..257c4d299 100644 --- a/vendor/github.com/klauspost/pgzip/gzip.go +++ b/vendor/github.com/klauspost/pgzip/gzip.go @@ -405,7 +405,7 @@ func (z *Writer) Write(p []byte) (int, error) { if len(z.currentBuffer) == z.blockSize { z.compressCurrent(false) if err := z.checkError(); err != nil { - return len(p) - len(q) - length, err + return len(p) - len(q), err } } z.size += length diff --git a/vendor/github.com/opencontainers/go-digest/.mailmap b/vendor/github.com/opencontainers/go-digest/.mailmap index ba611cb21..eaf8b2f9e 100644 --- a/vendor/github.com/opencontainers/go-digest/.mailmap +++ b/vendor/github.com/opencontainers/go-digest/.mailmap @@ -1 +1,4 @@ +Aaron Lehmann <aaronl@vitelus.com> <aaron.lehmann@docker.com> +Derek McGowan <derek@mcg.dev> <derek@mcgstyle.net> Stephen J Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com> +Haibing Zhou <zhouhaibing089@gmail.com> diff --git a/vendor/github.com/opencontainers/go-digest/.pullapprove.yml b/vendor/github.com/opencontainers/go-digest/.pullapprove.yml index 45fa4b9ec..b6165f83c 100644 --- a/vendor/github.com/opencontainers/go-digest/.pullapprove.yml +++ b/vendor/github.com/opencontainers/go-digest/.pullapprove.yml @@ -1,12 +1,28 @@ -approve_by_comment: true -approve_regex: '^(Approved|lgtm|LGTM|:shipit:|:star:|:\+1:|:ship:)' -reject_regex: ^Rejected -reset_on_push: true -author_approval: ignored -signed_off_by: - required: true -reviewers: - teams: - - go-digest-maintainers - name: default +version: 2 + +requirements: + signed_off_by: + required: true + +always_pending: + title_regex: '^WIP' + explanation: 'Work in progress...' + +group_defaults: required: 2 + approve_by_comment: + enabled: true + approve_regex: '^LGTM' + reject_regex: '^Rejected' + reset_on_push: + enabled: true + author_approval: + ignored: true + conditions: + branches: + - master + +groups: + go-digest: + teams: + - go-digest-maintainers diff --git a/vendor/github.com/opencontainers/go-digest/.travis.yml b/vendor/github.com/opencontainers/go-digest/.travis.yml index 7ea4ed1d2..5775f885c 100644 --- a/vendor/github.com/opencontainers/go-digest/.travis.yml +++ b/vendor/github.com/opencontainers/go-digest/.travis.yml @@ -1,4 +1,5 @@ language: go go: - - 1.7 + - 1.12.x + - 1.13.x - master diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE.code b/vendor/github.com/opencontainers/go-digest/LICENSE index 0ea3ff81e..3ac8ab648 100644 --- a/vendor/github.com/opencontainers/go-digest/LICENSE.code +++ b/vendor/github.com/opencontainers/go-digest/LICENSE @@ -176,6 +176,7 @@ END OF TERMS AND CONDITIONS + Copyright 2019, 2020 OCI Contributors Copyright 2016 Docker, Inc. Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/vendor/github.com/opencontainers/go-digest/MAINTAINERS b/vendor/github.com/opencontainers/go-digest/MAINTAINERS index 42a29795d..843b1b206 100644 --- a/vendor/github.com/opencontainers/go-digest/MAINTAINERS +++ b/vendor/github.com/opencontainers/go-digest/MAINTAINERS @@ -1,9 +1,5 @@ -Aaron Lehmann <aaron.lehmann@docker.com> (@aaronlehmann) -Brandon Philips <brandon.philips@coreos.com> (@philips) -Brendan Burns <bburns@microsoft.com> (@brendandburns) Derek McGowan <derek@mcgstyle.net> (@dmcgowan) -Jason Bouzane <jbouzane@google.com> (@jbouzane) -John Starks <jostarks@microsoft.com> (@jstarks) -Jonathan Boulle <jon.boulle@coreos.com> (@jonboulle) -Stephen Day <stephen.day@docker.com> (@stevvooe) -Vincent Batts <vbatts@redhat.com> (@vbatts) +Stephen Day <stevvooe@gmail.com> (@stevvooe) +Vincent Batts <vbatts@hashbangbash.com> (@vbatts) +Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (@AkihiroSuda) +Sebastiaan van Stijn <github@gone.nl> (@thaJeztah) diff --git a/vendor/github.com/opencontainers/go-digest/README.md b/vendor/github.com/opencontainers/go-digest/README.md index 0f5a04092..a11287207 100644 --- a/vendor/github.com/opencontainers/go-digest/README.md +++ b/vendor/github.com/opencontainers/go-digest/README.md @@ -8,20 +8,16 @@ Please see the [godoc](https://godoc.org/github.com/opencontainers/go-digest) fo # What is a digest? -A digest is just a hash. +A digest is just a [hash](https://en.wikipedia.org/wiki/Hash_function). -The most common use case for a digest is to create a content -identifier for use in [Content Addressable Storage](https://en.wikipedia.org/wiki/Content-addressable_storage) -systems: +The most common use case for a digest is to create a content identifier for use in [Content Addressable Storage](https://en.wikipedia.org/wiki/Content-addressable_storage) systems: ```go id := digest.FromBytes([]byte("my content")) ``` -In the example above, the id can be used to uniquely identify -the byte slice "my content". This allows two disparate applications -to agree on a verifiable identifier without having to trust one -another. +In the example above, the id can be used to uniquely identify the byte slice "my content". +This allows two disparate applications to agree on a verifiable identifier without having to trust one another. An identifying digest can be verified, as follows: @@ -31,8 +27,7 @@ if id != digest.FromBytes([]byte("my content")) { } ``` -A `Verifier` type can be used to handle cases where an `io.Reader` -makes more sense: +A `Verifier` type can be used to handle cases where an `io.Reader` makes more sense: ```go rd := getContent() @@ -44,33 +39,28 @@ if !verifier.Verified() { } ``` -Using [Merkle DAGs](https://en.wikipedia.org/wiki/Merkle_tree), this -can power a rich, safe, content distribution system. +Using [Merkle DAGs](https://en.wikipedia.org/wiki/Merkle_tree), this can power a rich, safe, content distribution system. # Usage -While the [godoc](https://godoc.org/github.com/opencontainers/go-digest) is -considered the best resource, a few important items need to be called -out when using this package. +While the [godoc](https://godoc.org/github.com/opencontainers/go-digest) is considered the best resource, a few important items need to be called out when using this package. -1. Make sure to import the hash implementations into your application - or the package will panic. You should have something like the - following in the main (or other entrypoint) of your application: +1. Make sure to import the hash implementations into your application or the package will panic. + You should have something like the following in the main (or other entrypoint) of your application: ```go import ( _ "crypto/sha256" - _ "crypto/sha512" + _ "crypto/sha512" ) ``` This may seem inconvenient but it allows you replace the hash implementations with others, such as https://github.com/stevvooe/resumable. -2. Even though `digest.Digest` may be assemable as a string, _always_ - verify your input with `digest.Parse` or use `Digest.Validate` - when accepting untrusted input. While there are measures to - avoid common problems, this will ensure you have valid digests - in the rest of your application. +2. Even though `digest.Digest` may be assemblable as a string, _always_ verify your input with `digest.Parse` or use `Digest.Validate` when accepting untrusted input. + While there are measures to avoid common problems, this will ensure you have valid digests in the rest of your application. + +3. While alternative encodings of hash values (digests) are possible (for example, base64), this package deals exclusively with hex-encoded digests. # Stability @@ -80,25 +70,27 @@ As always, before using a package export, read the [godoc](https://godoc.org/git # Contributing -This package is considered fairly complete. It has been in production -in thousands (millions?) of deployments and is fairly battle-hardened. -New additions will be met with skepticism. If you think there is a -missing feature, please file a bug clearly describing the problem and -the alternatives you tried before submitting a PR. +This package is considered fairly complete. +It has been in production in thousands (millions?) of deployments and is fairly battle-hardened. +New additions will be met with skepticism. +If you think there is a missing feature, please file a bug clearly describing the problem and the alternatives you tried before submitting a PR. -# Reporting security issues +## Code of Conduct -Please DO NOT file a public issue, instead send your report privately to -security@opencontainers.org. +Participation in the OpenContainers community is governed by [OpenContainer's Code of Conduct][code-of-conduct]. -The maintainers take security seriously. If you discover a security issue, -please bring it to their attention right away! +## Security -If you are reporting a security issue, do not create an issue or file a pull -request on GitHub. Instead, disclose the issue responsibly by sending an email -to security@opencontainers.org (which is inhabited only by the maintainers of -the various OCI projects). +If you find an issue, please follow the [security][security] protocol to report it. # Copyright and license -Copyright © 2016 Docker, Inc. All rights reserved, except as follows. Code is released under the [Apache 2.0 license](LICENSE.code). This `README.md` file and the [`CONTRIBUTING.md`](CONTRIBUTING.md) file are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file [`LICENSE.docs`](LICENSE.docs). You may obtain a duplicate copy of the same license, titled CC BY-SA 4.0, at http://creativecommons.org/licenses/by-sa/4.0/. +Copyright © 2019, 2020 OCI Contributors +Copyright © 2016 Docker, Inc. +All rights reserved, except as follows. +Code is released under the [Apache 2.0 license](LICENSE). +This `README.md` file and the [`CONTRIBUTING.md`](CONTRIBUTING.md) file are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file [`LICENSE.docs`](LICENSE.docs). +You may obtain a duplicate copy of the same license, titled CC BY-SA 4.0, at http://creativecommons.org/licenses/by-sa/4.0/. + +[security]: https://github.com/opencontainers/org/blob/master/security +[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md diff --git a/vendor/github.com/opencontainers/go-digest/algorithm.go b/vendor/github.com/opencontainers/go-digest/algorithm.go index 8813bd26f..490951dc3 100644 --- a/vendor/github.com/opencontainers/go-digest/algorithm.go +++ b/vendor/github.com/opencontainers/go-digest/algorithm.go @@ -1,3 +1,4 @@ +// Copyright 2019, 2020 OCI Contributors // Copyright 2017 Docker, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/vendor/github.com/opencontainers/go-digest/digest.go b/vendor/github.com/opencontainers/go-digest/digest.go index ad398cba2..518b5e715 100644 --- a/vendor/github.com/opencontainers/go-digest/digest.go +++ b/vendor/github.com/opencontainers/go-digest/digest.go @@ -1,3 +1,4 @@ +// Copyright 2019, 2020 OCI Contributors // Copyright 2017 Docker, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/vendor/github.com/opencontainers/go-digest/digester.go b/vendor/github.com/opencontainers/go-digest/digester.go index 36fa2728e..ede907757 100644 --- a/vendor/github.com/opencontainers/go-digest/digester.go +++ b/vendor/github.com/opencontainers/go-digest/digester.go @@ -1,3 +1,4 @@ +// Copyright 2019, 2020 OCI Contributors // Copyright 2017 Docker, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/vendor/github.com/opencontainers/go-digest/doc.go b/vendor/github.com/opencontainers/go-digest/doc.go index 491ea1ef1..83d3a936c 100644 --- a/vendor/github.com/opencontainers/go-digest/doc.go +++ b/vendor/github.com/opencontainers/go-digest/doc.go @@ -1,3 +1,4 @@ +// Copyright 2019, 2020 OCI Contributors // Copyright 2017 Docker, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); @@ -29,8 +30,13 @@ // // sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc // -// In this case, the string "sha256" is the algorithm and the hex bytes are -// the "digest". +// The "algorithm" portion defines both the hashing algorithm used to calculate +// the digest and the encoding of the resulting digest, which defaults to "hex" +// if not otherwise specified. Currently, all supported algorithms have their +// digests encoded in hex strings. +// +// In the example above, the string "sha256" is the algorithm and the hex bytes +// are the "digest". // // Because the Digest type is simply a string, once a valid Digest is // obtained, comparisons are cheap, quick and simple to express with the diff --git a/vendor/github.com/opencontainers/go-digest/go.mod b/vendor/github.com/opencontainers/go-digest/go.mod new file mode 100644 index 000000000..cf5d7b1d2 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/go.mod @@ -0,0 +1,3 @@ +module github.com/opencontainers/go-digest + +go 1.13 diff --git a/vendor/github.com/opencontainers/go-digest/verifiers.go b/vendor/github.com/opencontainers/go-digest/verifiers.go index 32125e918..afef506f4 100644 --- a/vendor/github.com/opencontainers/go-digest/verifiers.go +++ b/vendor/github.com/opencontainers/go-digest/verifiers.go @@ -1,3 +1,4 @@ +// Copyright 2019, 2020 OCI Contributors // Copyright 2017 Docker, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go index 48e621c99..7b60f8bb3 100644 --- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go @@ -89,6 +89,8 @@ type User struct { UID uint32 `json:"uid" platform:"linux,solaris"` // GID is the group id. GID uint32 `json:"gid" platform:"linux,solaris"` + // Umask is the umask for the init process. + Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"` // AdditionalGids are additional group ids set for the container's process. AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"` // Username is the user name. @@ -123,13 +125,26 @@ type Hook struct { Timeout *int `json:"timeout,omitempty"` } +// Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container // Hooks for container setup and teardown type Hooks struct { - // Prestart is a list of hooks to be run before the container process is executed. + // Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed. + // It is called in the Runtime Namespace Prestart []Hook `json:"prestart,omitempty"` + // CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called + // It is called in the Runtime Namespace + CreateRuntime []Hook `json:"createRuntime,omitempty"` + // CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called + // It is called in the Container Namespace + CreateContainer []Hook `json:"createContainer,omitempty"` + // StartContainer is a list of hooks to be run after the start operation is called but before the container process is started + // It is called in the Container Namespace + StartContainer []Hook `json:"startContainer,omitempty"` // Poststart is a list of hooks to be run after the container process is started. + // It is called in the Runtime Namespace Poststart []Hook `json:"poststart,omitempty"` // Poststop is a list of hooks to be run after the container process exits. + // It is called in the Runtime Namespace Poststop []Hook `json:"poststop,omitempty"` } @@ -165,6 +180,8 @@ type Linux struct { // IntelRdt contains Intel Resource Director Technology (RDT) information for // handling resource constraints (e.g., L3 cache, memory bandwidth) for the container IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"` + // Personality contains configuration for the Linux personality syscall + Personality *LinuxPersonality `json:"personality,omitempty"` } // LinuxNamespace is the configuration for a Linux namespace @@ -291,6 +308,8 @@ type LinuxMemory struct { Swappiness *uint64 `json:"swappiness,omitempty"` // DisableOOMKiller disables the OOM killer for out of memory conditions DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"` + // Enables hierarchical memory accounting + UseHierarchy *bool `json:"useHierarchy,omitempty"` } // LinuxCPU for Linux cgroup 'cpu' resource management @@ -387,6 +406,28 @@ type LinuxDeviceCgroup struct { Access string `json:"access,omitempty"` } +// LinuxPersonalityDomain refers to a personality domain. +type LinuxPersonalityDomain string + +// LinuxPersonalityFlag refers to an additional personality flag. None are currently defined. +type LinuxPersonalityFlag string + +// Define domain and flags for Personality +const ( + // PerLinux is the standard Linux personality + PerLinux LinuxPersonalityDomain = "LINUX" + // PerLinux32 sets personality to 32 bit + PerLinux32 LinuxPersonalityDomain = "LINUX32" +) + +// LinuxPersonality represents the Linux personality syscall input +type LinuxPersonality struct { + // Domain for the personality + Domain LinuxPersonalityDomain `json:"domain"` + // Additional flags + Flags []LinuxPersonalityFlag `json:"flags,omitempty"` +} + // Solaris contains platform-specific configuration for Solaris application containers. type Solaris struct { // SMF FMRI which should go "online" before we start the container process. @@ -556,12 +597,16 @@ type VMImage struct { type LinuxSeccomp struct { DefaultAction LinuxSeccompAction `json:"defaultAction"` Architectures []Arch `json:"architectures,omitempty"` + Flags []LinuxSeccompFlag `json:"flags,omitempty"` Syscalls []LinuxSyscall `json:"syscalls,omitempty"` } // Arch used for additional architectures type Arch string +// LinuxSeccompFlag is a flag to pass to seccomp(2). +type LinuxSeccompFlag string + // Additional architectures permitted to be used for system calls // By default only the native architecture of the kernel is permitted const ( @@ -595,6 +640,7 @@ const ( ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO" ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE" ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW" + ActLog LinuxSeccompAction = "SCMP_ACT_LOG" ) // LinuxSeccompOperator used to match syscall arguments in Seccomp @@ -621,9 +667,10 @@ type LinuxSeccompArg struct { // LinuxSyscall is used to match a syscall in Seccomp type LinuxSyscall struct { - Names []string `json:"names"` - Action LinuxSeccompAction `json:"action"` - Args []LinuxSeccompArg `json:"args,omitempty"` + Names []string `json:"names"` + Action LinuxSeccompAction `json:"action"` + ErrnoRet *uint `json:"errnoRet,omitempty"` + Args []LinuxSeccompArg `json:"args,omitempty"` } // LinuxIntelRdt has container runtime resource constraints for Intel RDT diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go index b920fc1b3..596af0c2f 100644 --- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go +++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go @@ -8,7 +8,7 @@ const ( // VersionMinor is for functionality in a backwards-compatible manner VersionMinor = 0 // VersionPatch is for backwards-compatible bug fixes - VersionPatch = 1 + VersionPatch = 2 // VersionDev indicates development branch. Releases will be empty string. VersionDev = "-dev" diff --git a/vendor/github.com/seccomp/containers-golang/.gitignore b/vendor/github.com/seccomp/containers-golang/.gitignore index 2cad96a16..e433eef88 100644 --- a/vendor/github.com/seccomp/containers-golang/.gitignore +++ b/vendor/github.com/seccomp/containers-golang/.gitignore @@ -1,2 +1,2 @@ -default.json -fixtures +*.orig +generate diff --git a/vendor/github.com/seccomp/containers-golang/LICENSE b/vendor/github.com/seccomp/containers-golang/LICENSE new file mode 100644 index 000000000..bd465fcf0 --- /dev/null +++ b/vendor/github.com/seccomp/containers-golang/LICENSE @@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2018-2019 github.com/seccomp authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/seccomp/containers-golang/Makefile b/vendor/github.com/seccomp/containers-golang/Makefile index 88569e87b..2d91917f9 100644 --- a/vendor/github.com/seccomp/containers-golang/Makefile +++ b/vendor/github.com/seccomp/containers-golang/Makefile @@ -1,3 +1,5 @@ +export GO111MODULE=off + TAGS ?= seccomp BUILDFLAGS := -tags "$(AUTOTAGS) $(TAGS)" GO := go @@ -5,14 +7,26 @@ PACKAGE := github.com/seccomp/containers-golang sources := $(wildcard *.go) -default.json: $(sources) +.PHONY: seccomp.json +seccomp.json: $(sources) $(GO) build -compiler gc $(BUILDFLAGS) ./cmd/generate.go $(GO) build -compiler gc ./cmd/generate.go $(GO) run ${BUILDFLAGS} cmd/generate.go -all: default.json +all: seccomp.json .PHONY: test-unit test-unit: - $(GO) test $(BUILDFLAGS) $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor) - $(GO) test $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor) + $(GO) test -v $(BUILDFLAGS) $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor) + $(GO) test -v $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor) + +.PHONY: vendor +vendor: + export GO111MODULE=on \ + $(GO) mod tidy && \ + $(GO) mod vendor && \ + $(GO) mod verify + +.PHONY: clean +clean: + rm -f generate diff --git a/vendor/github.com/seccomp/containers-golang/README.md b/vendor/github.com/seccomp/containers-golang/README.md index 1012baec3..a44238432 100644 --- a/vendor/github.com/seccomp/containers-golang/README.md +++ b/vendor/github.com/seccomp/containers-golang/README.md @@ -1,9 +1,13 @@ +# containers-golang + +[](https://circleci.com/gh/seccomp/containers-golang) + `containers-golang` is a set of Go libraries used by container runtimes to generate and load seccomp mappings into the kernel. seccomp (short for secure computing mode) is a BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers. ## Building - make - Generates default.json file, which containes the whitelisted syscalls that can be used by container runtime engines like [CRI-O][cri-o], [Buildah][buildah], [Podman][podman] and [Docker][docker], and container runtimes like OCI [Runc][runc] to controll the syscalls available to containers. + make - Generates seccomp.json file, which contains the whitelisted syscalls that can be used by container runtime engines like [CRI-O][cri-o], [Buildah][buildah], [Podman][podman] and [Docker][docker], and container runtimes like OCI [Runc][runc] to controll the syscalls available to containers. ### Supported build tags @@ -13,13 +17,9 @@ seccomp (short for secure computing mode) is a BPF based syscall filter language When developing this library, please use `make` (or `make … BUILDTAGS=…`) to take advantage of the tests and validation. -## License - -ASL 2.0 - ## Contact -- IRC: #[CRI-O](irc://irc.freenode.net:6667/#cri-o) on freenode.net +- IRC: #[containers](irc://irc.freenode.net:6667/#containers) on freenode.net [cri-o]: https://github.com/kubernetes-incubator/cri-o/pulls [buildah]: https://github.com/projectatomic/buildah diff --git a/vendor/github.com/seccomp/containers-golang/go.mod b/vendor/github.com/seccomp/containers-golang/go.mod new file mode 100644 index 000000000..2b56d46fd --- /dev/null +++ b/vendor/github.com/seccomp/containers-golang/go.mod @@ -0,0 +1,16 @@ +module github.com/seccomp/containers-golang + +go 1.13 + +require ( + github.com/blang/semver v3.5.1+incompatible // indirect + github.com/hashicorp/go-multierror v1.0.0 // indirect + github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 + github.com/opencontainers/runtime-tools v0.9.0 + github.com/opencontainers/selinux v1.3.0 // indirect + github.com/seccomp/libseccomp-golang v0.9.1 + github.com/sirupsen/logrus v1.4.2 // indirect + github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 // indirect + github.com/xeipuuv/gojsonschema v1.2.0 // indirect + golang.org/x/sys v0.0.0-20190921190940-14da1ac737cc +) diff --git a/vendor/github.com/seccomp/containers-golang/go.sum b/vendor/github.com/seccomp/containers-golang/go.sum new file mode 100644 index 000000000..ba00acd09 --- /dev/null +++ b/vendor/github.com/seccomp/containers-golang/go.sum @@ -0,0 +1,48 @@ +github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= +github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7 h1:Dliu5QO+4JYWu/yMshaMU7G3JN2POGpwjJN7gjy10Go= +github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.1 h1:wY4pOY8fBdSIvs9+IDHC55thBuEulhzfSgKeC1yFvzQ= +github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.2-0.20191007145322-19e92ca81777 h1:7CkKaORyxoXsM8z56r+M0wf3uCpVGVqx4CWq7oJ/4DY= +github.com/opencontainers/runtime-spec v1.0.2-0.20191007145322-19e92ca81777/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 h1:9mv9SC7GWmRWE0J/+oD8w3GsN2KYGKtg6uwLN7hfP5E= +github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU= +github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/opencontainers/selinux v1.2.2 h1:Kx9J6eDG5/24A6DtUquGSpJQ+m2MUTahn4FtGEe8bFg= +github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs= +github.com/opencontainers/selinux v1.3.0 h1:xsI95WzPZu5exzA6JzkLSfdr/DilzOhCJOqGe5TgR0g= +github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo= +github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= +github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8= +github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg= +github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0 h1:HyfiK1WMnHj5FXFXatD+Qs1A/xC2Run6RzeW1SyHxpc= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190921190940-14da1ac737cc h1:EinpED/Eb9JUgDi6pkoFjw+tz69c3lHUZr2+Va84S0w= +golang.org/x/sys v0.0.0-20190921190940-14da1ac737cc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/vendor/github.com/seccomp/containers-golang/seccomp.json b/vendor/github.com/seccomp/containers-golang/seccomp.json index fe9eda56a..4c84d981f 100644 --- a/vendor/github.com/seccomp/containers-golang/seccomp.json +++ b/vendor/github.com/seccomp/containers-golang/seccomp.json @@ -52,6 +52,8 @@ "syscalls": [ { "names": [ + "_llseek", + "_newselect", "accept", "accept4", "access", @@ -118,6 +120,8 @@ "ftruncate64", "futex", "futimesat", + "get_robust_list", + "get_thread_area", "getcpu", "getcwd", "getdents", @@ -143,12 +147,10 @@ "getresuid", "getresuid32", "getrlimit", - "get_robust_list", "getrusage", "getsid", "getsockname", "getsockopt", - "get_thread_area", "gettid", "gettimeofday", "getuid", @@ -159,13 +161,13 @@ "inotify_init1", "inotify_rm_watch", "io_cancel", - "ioctl", "io_destroy", "io_getevents", - "ioprio_get", - "ioprio_set", "io_setup", "io_submit", + "ioctl", + "ioprio_get", + "ioprio_set", "ipc", "kill", "lchown", @@ -176,7 +178,6 @@ "listen", "listxattr", "llistxattr", - "_llseek", "lremovexattr", "lseek", "lsetxattr", @@ -194,6 +195,7 @@ "mlockall", "mmap", "mmap2", + "mount", "mprotect", "mq_getsetattr", "mq_notify", @@ -210,9 +212,9 @@ "munlock", "munlockall", "munmap", + "name_to_handle_at", "nanosleep", "newfstatat", - "_newselect", "open", "openat", "pause", @@ -234,6 +236,7 @@ "readlink", "readlinkat", "readv", + "reboot", "recv", "recvfrom", "recvmmsg", @@ -253,11 +256,11 @@ "rt_sigsuspend", "rt_sigtimedwait", "rt_tgsigqueueinfo", + "sched_get_priority_max", + "sched_get_priority_min", "sched_getaffinity", "sched_getattr", "sched_getparam", - "sched_get_priority_max", - "sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval", "sched_setaffinity", @@ -277,6 +280,9 @@ "sendmmsg", "sendmsg", "sendto", + "set_robust_list", + "set_thread_area", + "set_tid_address", "setfsgid", "setfsgid32", "setfsuid", @@ -297,11 +303,8 @@ "setreuid", "setreuid32", "setrlimit", - "set_robust_list", "setsid", "setsockopt", - "set_thread_area", - "set_tid_address", "setuid", "setuid32", "setxattr", @@ -335,21 +338,24 @@ "time", "timer_create", "timer_delete", - "timerfd_create", - "timerfd_gettime", - "timerfd_settime", "timer_getoverrun", "timer_gettime", "timer_settime", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", "times", "tkill", "truncate", "truncate64", "ugetrlimit", "umask", + "umount", + "umount2", "uname", "unlink", "unlinkat", + "unshare", "utime", "utimensat", "utimes", @@ -359,12 +365,7 @@ "waitid", "waitpid", "write", - "writev", - "mount", - "umount2", - "reboot", - "name_to_handle_at", - "unshare" + "writev" ], "action": "SCMP_ACT_ALLOW", "args": [], @@ -770,4 +771,4 @@ "excludes": {} } ] -} +}
\ No newline at end of file diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go index fde3cff75..e137a5887 100644 --- a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go +++ b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go @@ -1,5 +1,9 @@ // +build seccomp +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + package seccomp // import "github.com/seccomp/containers-golang" import ( @@ -44,6 +48,8 @@ func DefaultProfile() *Seccomp { syscalls := []*Syscall{ { Names: []string{ + "_llseek", + "_newselect", "accept", "accept4", "access", @@ -110,6 +116,8 @@ func DefaultProfile() *Seccomp { "ftruncate64", "futex", "futimesat", + "get_robust_list", + "get_thread_area", "getcpu", "getcwd", "getdents", @@ -135,12 +143,10 @@ func DefaultProfile() *Seccomp { "getresuid", "getresuid32", "getrlimit", - "get_robust_list", "getrusage", "getsid", "getsockname", "getsockopt", - "get_thread_area", "gettid", "gettimeofday", "getuid", @@ -151,13 +157,13 @@ func DefaultProfile() *Seccomp { "inotify_init1", "inotify_rm_watch", "io_cancel", - "ioctl", "io_destroy", "io_getevents", - "ioprio_get", - "ioprio_set", "io_setup", "io_submit", + "ioctl", + "ioprio_get", + "ioprio_set", "ipc", "kill", "lchown", @@ -168,7 +174,6 @@ func DefaultProfile() *Seccomp { "listen", "listxattr", "llistxattr", - "_llseek", "lremovexattr", "lseek", "lsetxattr", @@ -206,7 +211,6 @@ func DefaultProfile() *Seccomp { "name_to_handle_at", "nanosleep", "newfstatat", - "_newselect", "open", "openat", "pause", @@ -248,11 +252,11 @@ func DefaultProfile() *Seccomp { "rt_sigsuspend", "rt_sigtimedwait", "rt_tgsigqueueinfo", + "sched_get_priority_max", + "sched_get_priority_min", "sched_getaffinity", "sched_getattr", "sched_getparam", - "sched_get_priority_max", - "sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval", "sched_setaffinity", @@ -272,6 +276,9 @@ func DefaultProfile() *Seccomp { "sendmmsg", "sendmsg", "sendto", + "set_robust_list", + "set_thread_area", + "set_tid_address", "setfsgid", "setfsgid32", "setfsuid", @@ -292,11 +299,8 @@ func DefaultProfile() *Seccomp { "setreuid", "setreuid32", "setrlimit", - "set_robust_list", "setsid", "setsockopt", - "set_thread_area", - "set_tid_address", "setuid", "setuid32", "setxattr", @@ -330,12 +334,12 @@ func DefaultProfile() *Seccomp { "time", "timer_create", "timer_delete", - "timerfd_create", - "timerfd_gettime", - "timerfd_settime", "timer_getoverrun", "timer_gettime", "timer_settime", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", "times", "tkill", "truncate", @@ -343,9 +347,11 @@ func DefaultProfile() *Seccomp { "ugetrlimit", "umask", "umount", + "umount2", "uname", "unlink", "unlinkat", + "unshare", "utime", "utimensat", "utimes", diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_linux.go index 9a495e3e2..44dcd90b8 100644 --- a/vendor/github.com/seccomp/containers-golang/seccomp_linux.go +++ b/vendor/github.com/seccomp/containers-golang/seccomp_linux.go @@ -1,5 +1,9 @@ // +build seccomp +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + package seccomp // import "github.com/seccomp/containers-golang" import ( @@ -9,6 +13,7 @@ import ( "github.com/opencontainers/runtime-spec/specs-go" libseccomp "github.com/seccomp/libseccomp-golang" + "golang.org/x/sys/unix" ) //go:generate go run -tags 'seccomp' generate.go @@ -22,11 +27,25 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) { func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { var config Seccomp if err := json.Unmarshal([]byte(body), &config); err != nil { - return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err) + return nil, fmt.Errorf("decoding seccomp profile failed: %v", err) } return setupSeccomp(&config, rs) } +// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile. +func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + config := &Seccomp{} + if err := json.Unmarshal(body, config); err != nil { + return nil, fmt.Errorf("decoding seccomp profile failed: %v", err) + } + return setupSeccomp(config, rs) +} + +// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp +func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) { + return setupSeccomp(config, specgen) +} + var nativeToSeccomp = map[string]Arch{ "amd64": ArchX86_64, "arm64": ArchAARCH64, @@ -127,21 +146,22 @@ Loop: } if call.Name != "" { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args)) + newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args, call.ErrnoRet)) } - for _, n := range call.Names { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args)) + if len(call.Names) > 0 { + newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args, call.ErrnoRet)) } } return newConfig, nil } -func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSyscall { +func createSpecsSyscall(names []string, action Action, args []*Arg, errnoRet *uint) specs.LinuxSyscall { newCall := specs.LinuxSyscall{ - Names: []string{name}, - Action: specs.LinuxSeccompAction(action), + Names: names, + Action: specs.LinuxSeccompAction(action), + ErrnoRet: errnoRet, } // Loop through all the arguments of the syscall and convert them @@ -157,3 +177,15 @@ func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSysc } return newCall } + +// IsEnabled returns true if seccomp is enabled for the host. +func IsEnabled() bool { + // Check if Seccomp is supported, via CONFIG_SECCOMP. + if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL { + // Make sure the kernel has CONFIG_SECCOMP_FILTER. + if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL { + return true + } + } + return false +} diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go b/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go index 279340426..936a9a641 100644 --- a/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go +++ b/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go @@ -1,5 +1,9 @@ // +build !seccomp +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + package seccomp // import "github.com/seccomp/containers-golang" import ( @@ -22,3 +26,18 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) { func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) { return nil, fmt.Errorf("Seccomp not supported on this platform") } + +// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile. +func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) { + return nil, fmt.Errorf("Seccomp not supported on this platform") +} + +// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp +func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) { + return nil, fmt.Errorf("Seccomp not supported on this platform") +} + +// IsEnabled returns true if seccomp is enabled for the host. +func IsEnabled() bool { + return false +} diff --git a/vendor/github.com/seccomp/containers-golang/types.go b/vendor/github.com/seccomp/containers-golang/types.go index b549a55fe..6651c423f 100644 --- a/vendor/github.com/seccomp/containers-golang/types.go +++ b/vendor/github.com/seccomp/containers-golang/types.go @@ -1,5 +1,9 @@ package seccomp // import "github.com/seccomp/containers-golang" +// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2013-2018 Docker, Inc. + // Seccomp represents the config for a seccomp profile for syscall restriction. type Seccomp struct { DefaultAction Action `json:"defaultAction"` @@ -90,4 +94,5 @@ type Syscall struct { Comment string `json:"comment"` Includes Filter `json:"includes"` Excludes Filter `json:"excludes"` + ErrnoRet *uint `json:"errnoRet,omitempty"` } diff --git a/vendor/github.com/seccomp/containers-golang/vendor.conf b/vendor/github.com/seccomp/containers-golang/vendor.conf deleted file mode 100644 index 6111c475b..000000000 --- a/vendor/github.com/seccomp/containers-golang/vendor.conf +++ /dev/null @@ -1,9 +0,0 @@ -github.com/opencontainers/runtime-tools master -github.com/blang/semver master -github.com/hashicorp/go-multierror master -github.com/hashicorp/errwrap master -github.com/syndtr/gocapability master -github.com/xeipuuv/gojsonschema master -github.com/xeipuuv/gojsonreference master -github.com/xeipuuv/gojsonpointer master - |