aboutsummaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/config.go55
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/version.go2
-rw-r--r--vendor/github.com/seccomp/containers-golang/.gitignore4
-rw-r--r--vendor/github.com/seccomp/containers-golang/LICENSE190
-rw-r--r--vendor/github.com/seccomp/containers-golang/Makefile22
-rw-r--r--vendor/github.com/seccomp/containers-golang/README.md12
-rw-r--r--vendor/github.com/seccomp/containers-golang/go.mod16
-rw-r--r--vendor/github.com/seccomp/containers-golang/go.sum48
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp.json45
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go36
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp_linux.go46
-rw-r--r--vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go19
-rw-r--r--vendor/github.com/seccomp/containers-golang/types.go5
-rw-r--r--vendor/github.com/seccomp/containers-golang/vendor.conf9
-rw-r--r--vendor/modules.txt4
15 files changed, 441 insertions, 72 deletions
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 48e621c99..7b60f8bb3 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -89,6 +89,8 @@ type User struct {
UID uint32 `json:"uid" platform:"linux,solaris"`
// GID is the group id.
GID uint32 `json:"gid" platform:"linux,solaris"`
+ // Umask is the umask for the init process.
+ Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`
// AdditionalGids are additional group ids set for the container's process.
AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
// Username is the user name.
@@ -123,13 +125,26 @@ type Hook struct {
Timeout *int `json:"timeout,omitempty"`
}
+// Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container
// Hooks for container setup and teardown
type Hooks struct {
- // Prestart is a list of hooks to be run before the container process is executed.
+ // Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.
+ // It is called in the Runtime Namespace
Prestart []Hook `json:"prestart,omitempty"`
+ // CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
+ // It is called in the Runtime Namespace
+ CreateRuntime []Hook `json:"createRuntime,omitempty"`
+ // CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
+ // It is called in the Container Namespace
+ CreateContainer []Hook `json:"createContainer,omitempty"`
+ // StartContainer is a list of hooks to be run after the start operation is called but before the container process is started
+ // It is called in the Container Namespace
+ StartContainer []Hook `json:"startContainer,omitempty"`
// Poststart is a list of hooks to be run after the container process is started.
+ // It is called in the Runtime Namespace
Poststart []Hook `json:"poststart,omitempty"`
// Poststop is a list of hooks to be run after the container process exits.
+ // It is called in the Runtime Namespace
Poststop []Hook `json:"poststop,omitempty"`
}
@@ -165,6 +180,8 @@ type Linux struct {
// IntelRdt contains Intel Resource Director Technology (RDT) information for
// handling resource constraints (e.g., L3 cache, memory bandwidth) for the container
IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
+ // Personality contains configuration for the Linux personality syscall
+ Personality *LinuxPersonality `json:"personality,omitempty"`
}
// LinuxNamespace is the configuration for a Linux namespace
@@ -291,6 +308,8 @@ type LinuxMemory struct {
Swappiness *uint64 `json:"swappiness,omitempty"`
// DisableOOMKiller disables the OOM killer for out of memory conditions
DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
+ // Enables hierarchical memory accounting
+ UseHierarchy *bool `json:"useHierarchy,omitempty"`
}
// LinuxCPU for Linux cgroup 'cpu' resource management
@@ -387,6 +406,28 @@ type LinuxDeviceCgroup struct {
Access string `json:"access,omitempty"`
}
+// LinuxPersonalityDomain refers to a personality domain.
+type LinuxPersonalityDomain string
+
+// LinuxPersonalityFlag refers to an additional personality flag. None are currently defined.
+type LinuxPersonalityFlag string
+
+// Define domain and flags for Personality
+const (
+ // PerLinux is the standard Linux personality
+ PerLinux LinuxPersonalityDomain = "LINUX"
+ // PerLinux32 sets personality to 32 bit
+ PerLinux32 LinuxPersonalityDomain = "LINUX32"
+)
+
+// LinuxPersonality represents the Linux personality syscall input
+type LinuxPersonality struct {
+ // Domain for the personality
+ Domain LinuxPersonalityDomain `json:"domain"`
+ // Additional flags
+ Flags []LinuxPersonalityFlag `json:"flags,omitempty"`
+}
+
// Solaris contains platform-specific configuration for Solaris application containers.
type Solaris struct {
// SMF FMRI which should go "online" before we start the container process.
@@ -556,12 +597,16 @@ type VMImage struct {
type LinuxSeccomp struct {
DefaultAction LinuxSeccompAction `json:"defaultAction"`
Architectures []Arch `json:"architectures,omitempty"`
+ Flags []LinuxSeccompFlag `json:"flags,omitempty"`
Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}
// Arch used for additional architectures
type Arch string
+// LinuxSeccompFlag is a flag to pass to seccomp(2).
+type LinuxSeccompFlag string
+
// Additional architectures permitted to be used for system calls
// By default only the native architecture of the kernel is permitted
const (
@@ -595,6 +640,7 @@ const (
ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
+ ActLog LinuxSeccompAction = "SCMP_ACT_LOG"
)
// LinuxSeccompOperator used to match syscall arguments in Seccomp
@@ -621,9 +667,10 @@ type LinuxSeccompArg struct {
// LinuxSyscall is used to match a syscall in Seccomp
type LinuxSyscall struct {
- Names []string `json:"names"`
- Action LinuxSeccompAction `json:"action"`
- Args []LinuxSeccompArg `json:"args,omitempty"`
+ Names []string `json:"names"`
+ Action LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
+ Args []LinuxSeccompArg `json:"args,omitempty"`
}
// LinuxIntelRdt has container runtime resource constraints for Intel RDT
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index b920fc1b3..596af0c2f 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -8,7 +8,7 @@ const (
// VersionMinor is for functionality in a backwards-compatible manner
VersionMinor = 0
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 2
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = "-dev"
diff --git a/vendor/github.com/seccomp/containers-golang/.gitignore b/vendor/github.com/seccomp/containers-golang/.gitignore
index 2cad96a16..e433eef88 100644
--- a/vendor/github.com/seccomp/containers-golang/.gitignore
+++ b/vendor/github.com/seccomp/containers-golang/.gitignore
@@ -1,2 +1,2 @@
-default.json
-fixtures
+*.orig
+generate
diff --git a/vendor/github.com/seccomp/containers-golang/LICENSE b/vendor/github.com/seccomp/containers-golang/LICENSE
new file mode 100644
index 000000000..bd465fcf0
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/LICENSE
@@ -0,0 +1,190 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ Copyright 2018-2019 github.com/seccomp authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/vendor/github.com/seccomp/containers-golang/Makefile b/vendor/github.com/seccomp/containers-golang/Makefile
index 88569e87b..2d91917f9 100644
--- a/vendor/github.com/seccomp/containers-golang/Makefile
+++ b/vendor/github.com/seccomp/containers-golang/Makefile
@@ -1,3 +1,5 @@
+export GO111MODULE=off
+
TAGS ?= seccomp
BUILDFLAGS := -tags "$(AUTOTAGS) $(TAGS)"
GO := go
@@ -5,14 +7,26 @@ PACKAGE := github.com/seccomp/containers-golang
sources := $(wildcard *.go)
-default.json: $(sources)
+.PHONY: seccomp.json
+seccomp.json: $(sources)
$(GO) build -compiler gc $(BUILDFLAGS) ./cmd/generate.go
$(GO) build -compiler gc ./cmd/generate.go
$(GO) run ${BUILDFLAGS} cmd/generate.go
-all: default.json
+all: seccomp.json
.PHONY: test-unit
test-unit:
- $(GO) test $(BUILDFLAGS) $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor)
- $(GO) test $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor)
+ $(GO) test -v $(BUILDFLAGS) $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor)
+ $(GO) test -v $(shell $(GO) list ./... | grep -v ^$(PACKAGE)/vendor)
+
+.PHONY: vendor
+vendor:
+ export GO111MODULE=on \
+ $(GO) mod tidy && \
+ $(GO) mod vendor && \
+ $(GO) mod verify
+
+.PHONY: clean
+clean:
+ rm -f generate
diff --git a/vendor/github.com/seccomp/containers-golang/README.md b/vendor/github.com/seccomp/containers-golang/README.md
index 1012baec3..a44238432 100644
--- a/vendor/github.com/seccomp/containers-golang/README.md
+++ b/vendor/github.com/seccomp/containers-golang/README.md
@@ -1,9 +1,13 @@
+# containers-golang
+
+[![CircleCI](https://circleci.com/gh/seccomp/containers-golang.svg?style=shield)](https://circleci.com/gh/seccomp/containers-golang)
+
`containers-golang` is a set of Go libraries used by container runtimes to generate and load seccomp mappings into the kernel.
seccomp (short for secure computing mode) is a BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.
## Building
- make - Generates default.json file, which containes the whitelisted syscalls that can be used by container runtime engines like [CRI-O][cri-o], [Buildah][buildah], [Podman][podman] and [Docker][docker], and container runtimes like OCI [Runc][runc] to controll the syscalls available to containers.
+ make - Generates seccomp.json file, which contains the whitelisted syscalls that can be used by container runtime engines like [CRI-O][cri-o], [Buildah][buildah], [Podman][podman] and [Docker][docker], and container runtimes like OCI [Runc][runc] to controll the syscalls available to containers.
### Supported build tags
@@ -13,13 +17,9 @@ seccomp (short for secure computing mode) is a BPF based syscall filter language
When developing this library, please use `make` (or `make … BUILDTAGS=…`) to take advantage of the tests and validation.
-## License
-
-ASL 2.0
-
## Contact
-- IRC: #[CRI-O](irc://irc.freenode.net:6667/#cri-o) on freenode.net
+- IRC: #[containers](irc://irc.freenode.net:6667/#containers) on freenode.net
[cri-o]: https://github.com/kubernetes-incubator/cri-o/pulls
[buildah]: https://github.com/projectatomic/buildah
diff --git a/vendor/github.com/seccomp/containers-golang/go.mod b/vendor/github.com/seccomp/containers-golang/go.mod
new file mode 100644
index 000000000..2b56d46fd
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/go.mod
@@ -0,0 +1,16 @@
+module github.com/seccomp/containers-golang
+
+go 1.13
+
+require (
+ github.com/blang/semver v3.5.1+incompatible // indirect
+ github.com/hashicorp/go-multierror v1.0.0 // indirect
+ github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2
+ github.com/opencontainers/runtime-tools v0.9.0
+ github.com/opencontainers/selinux v1.3.0 // indirect
+ github.com/seccomp/libseccomp-golang v0.9.1
+ github.com/sirupsen/logrus v1.4.2 // indirect
+ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 // indirect
+ github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+ golang.org/x/sys v0.0.0-20190921190940-14da1ac737cc
+)
diff --git a/vendor/github.com/seccomp/containers-golang/go.sum b/vendor/github.com/seccomp/containers-golang/go.sum
new file mode 100644
index 000000000..ba00acd09
--- /dev/null
+++ b/vendor/github.com/seccomp/containers-golang/go.sum
@@ -0,0 +1,48 @@
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7 h1:Dliu5QO+4JYWu/yMshaMU7G3JN2POGpwjJN7gjy10Go=
+github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.1 h1:wY4pOY8fBdSIvs9+IDHC55thBuEulhzfSgKeC1yFvzQ=
+github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.2-0.20191007145322-19e92ca81777 h1:7CkKaORyxoXsM8z56r+M0wf3uCpVGVqx4CWq7oJ/4DY=
+github.com/opencontainers/runtime-spec v1.0.2-0.20191007145322-19e92ca81777/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 h1:9mv9SC7GWmRWE0J/+oD8w3GsN2KYGKtg6uwLN7hfP5E=
+github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU=
+github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
+github.com/opencontainers/selinux v1.2.2 h1:Kx9J6eDG5/24A6DtUquGSpJQ+m2MUTahn4FtGEe8bFg=
+github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/opencontainers/selinux v1.3.0 h1:xsI95WzPZu5exzA6JzkLSfdr/DilzOhCJOqGe5TgR0g=
+github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
+github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
+github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0 h1:HyfiK1WMnHj5FXFXatD+Qs1A/xC2Run6RzeW1SyHxpc=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190921190940-14da1ac737cc h1:EinpED/Eb9JUgDi6pkoFjw+tz69c3lHUZr2+Va84S0w=
+golang.org/x/sys v0.0.0-20190921190940-14da1ac737cc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp.json b/vendor/github.com/seccomp/containers-golang/seccomp.json
index fe9eda56a..4c84d981f 100644
--- a/vendor/github.com/seccomp/containers-golang/seccomp.json
+++ b/vendor/github.com/seccomp/containers-golang/seccomp.json
@@ -52,6 +52,8 @@
"syscalls": [
{
"names": [
+ "_llseek",
+ "_newselect",
"accept",
"accept4",
"access",
@@ -118,6 +120,8 @@
"ftruncate64",
"futex",
"futimesat",
+ "get_robust_list",
+ "get_thread_area",
"getcpu",
"getcwd",
"getdents",
@@ -143,12 +147,10 @@
"getresuid",
"getresuid32",
"getrlimit",
- "get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
- "get_thread_area",
"gettid",
"gettimeofday",
"getuid",
@@ -159,13 +161,13 @@
"inotify_init1",
"inotify_rm_watch",
"io_cancel",
- "ioctl",
"io_destroy",
"io_getevents",
- "ioprio_get",
- "ioprio_set",
"io_setup",
"io_submit",
+ "ioctl",
+ "ioprio_get",
+ "ioprio_set",
"ipc",
"kill",
"lchown",
@@ -176,7 +178,6 @@
"listen",
"listxattr",
"llistxattr",
- "_llseek",
"lremovexattr",
"lseek",
"lsetxattr",
@@ -194,6 +195,7 @@
"mlockall",
"mmap",
"mmap2",
+ "mount",
"mprotect",
"mq_getsetattr",
"mq_notify",
@@ -210,9 +212,9 @@
"munlock",
"munlockall",
"munmap",
+ "name_to_handle_at",
"nanosleep",
"newfstatat",
- "_newselect",
"open",
"openat",
"pause",
@@ -234,6 +236,7 @@
"readlink",
"readlinkat",
"readv",
+ "reboot",
"recv",
"recvfrom",
"recvmmsg",
@@ -253,11 +256,11 @@
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
- "sched_get_priority_max",
- "sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_setaffinity",
@@ -277,6 +280,9 @@
"sendmmsg",
"sendmsg",
"sendto",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
"setfsgid",
"setfsgid32",
"setfsuid",
@@ -297,11 +303,8 @@
"setreuid",
"setreuid32",
"setrlimit",
- "set_robust_list",
"setsid",
"setsockopt",
- "set_thread_area",
- "set_tid_address",
"setuid",
"setuid32",
"setxattr",
@@ -335,21 +338,24 @@
"time",
"timer_create",
"timer_delete",
- "timerfd_create",
- "timerfd_gettime",
- "timerfd_settime",
"timer_getoverrun",
"timer_gettime",
"timer_settime",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
"times",
"tkill",
"truncate",
"truncate64",
"ugetrlimit",
"umask",
+ "umount",
+ "umount2",
"uname",
"unlink",
"unlinkat",
+ "unshare",
"utime",
"utimensat",
"utimes",
@@ -359,12 +365,7 @@
"waitid",
"waitpid",
"write",
- "writev",
- "mount",
- "umount2",
- "reboot",
- "name_to_handle_at",
- "unshare"
+ "writev"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@@ -770,4 +771,4 @@
"excludes": {}
}
]
-}
+} \ No newline at end of file
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
index fde3cff75..e137a5887 100644
--- a/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_default_linux.go
@@ -1,5 +1,9 @@
// +build seccomp
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
package seccomp // import "github.com/seccomp/containers-golang"
import (
@@ -44,6 +48,8 @@ func DefaultProfile() *Seccomp {
syscalls := []*Syscall{
{
Names: []string{
+ "_llseek",
+ "_newselect",
"accept",
"accept4",
"access",
@@ -110,6 +116,8 @@ func DefaultProfile() *Seccomp {
"ftruncate64",
"futex",
"futimesat",
+ "get_robust_list",
+ "get_thread_area",
"getcpu",
"getcwd",
"getdents",
@@ -135,12 +143,10 @@ func DefaultProfile() *Seccomp {
"getresuid",
"getresuid32",
"getrlimit",
- "get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
- "get_thread_area",
"gettid",
"gettimeofday",
"getuid",
@@ -151,13 +157,13 @@ func DefaultProfile() *Seccomp {
"inotify_init1",
"inotify_rm_watch",
"io_cancel",
- "ioctl",
"io_destroy",
"io_getevents",
- "ioprio_get",
- "ioprio_set",
"io_setup",
"io_submit",
+ "ioctl",
+ "ioprio_get",
+ "ioprio_set",
"ipc",
"kill",
"lchown",
@@ -168,7 +174,6 @@ func DefaultProfile() *Seccomp {
"listen",
"listxattr",
"llistxattr",
- "_llseek",
"lremovexattr",
"lseek",
"lsetxattr",
@@ -206,7 +211,6 @@ func DefaultProfile() *Seccomp {
"name_to_handle_at",
"nanosleep",
"newfstatat",
- "_newselect",
"open",
"openat",
"pause",
@@ -248,11 +252,11 @@ func DefaultProfile() *Seccomp {
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
- "sched_get_priority_max",
- "sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_setaffinity",
@@ -272,6 +276,9 @@ func DefaultProfile() *Seccomp {
"sendmmsg",
"sendmsg",
"sendto",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
"setfsgid",
"setfsgid32",
"setfsuid",
@@ -292,11 +299,8 @@ func DefaultProfile() *Seccomp {
"setreuid",
"setreuid32",
"setrlimit",
- "set_robust_list",
"setsid",
"setsockopt",
- "set_thread_area",
- "set_tid_address",
"setuid",
"setuid32",
"setxattr",
@@ -330,12 +334,12 @@ func DefaultProfile() *Seccomp {
"time",
"timer_create",
"timer_delete",
- "timerfd_create",
- "timerfd_gettime",
- "timerfd_settime",
"timer_getoverrun",
"timer_gettime",
"timer_settime",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
"times",
"tkill",
"truncate",
@@ -343,9 +347,11 @@ func DefaultProfile() *Seccomp {
"ugetrlimit",
"umask",
"umount",
+ "umount2",
"uname",
"unlink",
"unlinkat",
+ "unshare",
"utime",
"utimensat",
"utimes",
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_linux.go b/vendor/github.com/seccomp/containers-golang/seccomp_linux.go
index 9a495e3e2..44dcd90b8 100644
--- a/vendor/github.com/seccomp/containers-golang/seccomp_linux.go
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_linux.go
@@ -1,5 +1,9 @@
// +build seccomp
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
package seccomp // import "github.com/seccomp/containers-golang"
import (
@@ -9,6 +13,7 @@ import (
"github.com/opencontainers/runtime-spec/specs-go"
libseccomp "github.com/seccomp/libseccomp-golang"
+ "golang.org/x/sys/unix"
)
//go:generate go run -tags 'seccomp' generate.go
@@ -22,11 +27,25 @@ func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
var config Seccomp
if err := json.Unmarshal([]byte(body), &config); err != nil {
- return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
+ return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
}
return setupSeccomp(&config, rs)
}
+// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
+func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ config := &Seccomp{}
+ if err := json.Unmarshal(body, config); err != nil {
+ return nil, fmt.Errorf("decoding seccomp profile failed: %v", err)
+ }
+ return setupSeccomp(config, rs)
+}
+
+// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp
+func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return setupSeccomp(config, specgen)
+}
+
var nativeToSeccomp = map[string]Arch{
"amd64": ArchX86_64,
"arm64": ArchAARCH64,
@@ -127,21 +146,22 @@ Loop:
}
if call.Name != "" {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args, call.ErrnoRet))
}
- for _, n := range call.Names {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+ if len(call.Names) > 0 {
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args, call.ErrnoRet))
}
}
return newConfig, nil
}
-func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSyscall {
+func createSpecsSyscall(names []string, action Action, args []*Arg, errnoRet *uint) specs.LinuxSyscall {
newCall := specs.LinuxSyscall{
- Names: []string{name},
- Action: specs.LinuxSeccompAction(action),
+ Names: names,
+ Action: specs.LinuxSeccompAction(action),
+ ErrnoRet: errnoRet,
}
// Loop through all the arguments of the syscall and convert them
@@ -157,3 +177,15 @@ func createSpecsSyscall(name string, action Action, args []*Arg) specs.LinuxSysc
}
return newCall
}
+
+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+ // Check if Seccomp is supported, via CONFIG_SECCOMP.
+ if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+ // Make sure the kernel has CONFIG_SECCOMP_FILTER.
+ if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+ return true
+ }
+ }
+ return false
+}
diff --git a/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go b/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go
index 279340426..936a9a641 100644
--- a/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go
+++ b/vendor/github.com/seccomp/containers-golang/seccomp_unsupported.go
@@ -1,5 +1,9 @@
// +build !seccomp
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
package seccomp // import "github.com/seccomp/containers-golang"
import (
@@ -22,3 +26,18 @@ func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
return nil, fmt.Errorf("Seccomp not supported on this platform")
}
+
+// LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
+func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, fmt.Errorf("Seccomp not supported on this platform")
+}
+
+// LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp
+func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error) {
+ return nil, fmt.Errorf("Seccomp not supported on this platform")
+}
+
+// IsEnabled returns true if seccomp is enabled for the host.
+func IsEnabled() bool {
+ return false
+}
diff --git a/vendor/github.com/seccomp/containers-golang/types.go b/vendor/github.com/seccomp/containers-golang/types.go
index b549a55fe..6651c423f 100644
--- a/vendor/github.com/seccomp/containers-golang/types.go
+++ b/vendor/github.com/seccomp/containers-golang/types.go
@@ -1,5 +1,9 @@
package seccomp // import "github.com/seccomp/containers-golang"
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2013-2018 Docker, Inc.
+
// Seccomp represents the config for a seccomp profile for syscall restriction.
type Seccomp struct {
DefaultAction Action `json:"defaultAction"`
@@ -90,4 +94,5 @@ type Syscall struct {
Comment string `json:"comment"`
Includes Filter `json:"includes"`
Excludes Filter `json:"excludes"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
}
diff --git a/vendor/github.com/seccomp/containers-golang/vendor.conf b/vendor/github.com/seccomp/containers-golang/vendor.conf
deleted file mode 100644
index 6111c475b..000000000
--- a/vendor/github.com/seccomp/containers-golang/vendor.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-github.com/opencontainers/runtime-tools master
-github.com/blang/semver master
-github.com/hashicorp/go-multierror master
-github.com/hashicorp/errwrap master
-github.com/syndtr/gocapability master
-github.com/xeipuuv/gojsonschema master
-github.com/xeipuuv/gojsonreference master
-github.com/xeipuuv/gojsonpointer master
-
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ed3c9df85..d396297c9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -412,7 +412,7 @@ github.com/opencontainers/runc/libcontainer/devices
github.com/opencontainers/runc/libcontainer/system
github.com/opencontainers/runc/libcontainer/user
github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7
+# github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2
github.com/opencontainers/runtime-spec/specs-go
# github.com/opencontainers/runtime-tools v0.9.0
github.com/opencontainers/runtime-tools/error
@@ -477,7 +477,7 @@ github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udpproxy
github.com/rootless-containers/rootlesskit/pkg/port/portutil
# github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8
github.com/safchain/ethtool
-# github.com/seccomp/containers-golang v0.0.0-20190312124753-8ca8945ccf5f
+# github.com/seccomp/containers-golang v0.4.1
github.com/seccomp/containers-golang
# github.com/seccomp/libseccomp-golang v0.9.1
github.com/seccomp/libseccomp-golang