summaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/containers/common/pkg/capabilities/capabilities.go49
-rw-r--r--vendor/github.com/containers/common/pkg/config/default.go2
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/supported.go97
-rw-r--r--vendor/github.com/containers/common/version/version.go2
-rw-r--r--vendor/modules.txt2
5 files changed, 70 insertions, 82 deletions
diff --git a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go
index 78be4d158..ccdcde877 100644
--- a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go
+++ b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go
@@ -7,6 +7,7 @@ package capabilities
import (
"strings"
+ "sync"
"github.com/pkg/errors"
"github.com/syndtr/gocapability/capability"
@@ -27,7 +28,7 @@ var (
ContainerImageLabels = []string{"io.containers.capabilities"}
)
-// All is a special value used to add/drop all known capababilities.
+// All is a special value used to add/drop all known capabilities.
// Useful on the CLI for `--cap-add=all` etc.
const All = "ALL"
@@ -60,24 +61,36 @@ func stringInSlice(s string, sl []string) bool {
return false
}
+var (
+ boundingSetOnce sync.Once
+ boundingSetRet []string
+ boundingSetErr error
+)
+
// BoundingSet returns the capabilities in the current bounding set
func BoundingSet() ([]string, error) {
- currentCaps, err := capability.NewPid2(0)
- if err != nil {
- return nil, err
- }
- err = currentCaps.Load()
- if err != nil {
- return nil, err
- }
- var r []string
- for _, c := range capsList {
- if !currentCaps.Get(capability.BOUNDING, c) {
- continue
+ boundingSetOnce.Do(func() {
+ currentCaps, err := capability.NewPid2(0)
+ if err != nil {
+ boundingSetErr = err
+ return
}
- r = append(r, getCapName(c))
- }
- return r, nil
+ err = currentCaps.Load()
+ if err != nil {
+ boundingSetErr = err
+ return
+ }
+ var r []string
+ for _, c := range capsList {
+ if !currentCaps.Get(capability.BOUNDING, c) {
+ continue
+ }
+ r = append(r, getCapName(c))
+ }
+ boundingSetRet = r
+ boundingSetErr = err
+ })
+ return boundingSetRet, boundingSetErr
}
// AllCapabilities returns all known capabilities.
@@ -116,7 +129,7 @@ func ValidateCapabilities(caps []string) error {
return nil
}
-// MergeCapabilities computes a set of capabilities by adding capapbitilities
+// MergeCapabilities computes a set of capabilities by adding capabilities
// to or dropping them from base.
//
// Note that:
@@ -150,7 +163,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
if stringInSlice(All, capAdd) {
// "Add" all capabilities;
- return capabilityList, nil
+ return BoundingSet()
}
for _, add := range capAdd {
diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go
index 9199a6286..4c55af5c1 100644
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@@ -45,7 +45,7 @@ var (
// DefaultInitPath is the default path to the container-init binary
DefaultInitPath = "/usr/libexec/podman/catatonit"
// DefaultInfraImage to use for infra container
- DefaultInfraImage = "k8s.gcr.io/pause:3.4.1"
+ DefaultInfraImage = "k8s.gcr.io/pause:3.5"
// DefaultRootlessSHMLockPath is the default path for rootless SHM locks
DefaultRootlessSHMLockPath = "/libpod_rootless_lock"
// DefaultDetachKeys is the default keys sequence for detaching a
diff --git a/vendor/github.com/containers/common/pkg/seccomp/supported.go b/vendor/github.com/containers/common/pkg/seccomp/supported.go
index e04324c8a..86e1b66bb 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/supported.go
+++ b/vendor/github.com/containers/common/pkg/seccomp/supported.go
@@ -3,72 +3,47 @@
package seccomp
import (
- "bufio"
- "errors"
- "os"
- "strings"
+ "sync"
- perrors "github.com/pkg/errors"
"golang.org/x/sys/unix"
)
-const statusFilePath = "/proc/self/status"
+var (
+ supported bool
+ supOnce sync.Once
+)
// IsSupported returns true if the system has been configured to support
-// seccomp.
+// seccomp (including the check for CONFIG_SECCOMP_FILTER kernel option).
func IsSupported() bool {
- // Since Linux 3.8, the Seccomp field of the /proc/[pid]/status file
- // provides a method of obtaining the same information, without the risk
- // that the process is killed; see proc(5).
- status, err := parseStatusFile(statusFilePath)
- if err == nil {
- _, ok := status["Seccomp"]
- return ok
- }
-
- // PR_GET_SECCOMP (since Linux 2.6.23)
- // Return (as the function result) the secure computing mode of the calling
- // thread. If the caller is not in secure computing mode, this operation
- // returns 0; if the caller is in strict secure computing mode, then the
- // prctl() call will cause a SIGKILL signal to be sent to the process. If
- // the caller is in filter mode, and this system call is allowed by the
- // seccomp filters, it returns 2; otherwise, the process is killed with a
- // SIGKILL signal. This operation is available only if the kernel is
- // configured with CONFIG_SECCOMP enabled.
- if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); !errors.Is(err, unix.EINVAL) {
- // Make sure the kernel has CONFIG_SECCOMP_FILTER.
- if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); !errors.Is(err, unix.EINVAL) {
- return true
- }
- }
-
- return false
-}
-
-// parseStatusFile reads the provided `file` into a map of strings.
-func parseStatusFile(file string) (map[string]string, error) {
- f, err := os.Open(file)
- if err != nil {
- return nil, perrors.Wrapf(err, "open status file %s", file)
- }
- defer f.Close()
-
- status := make(map[string]string)
- scanner := bufio.NewScanner(f)
- for scanner.Scan() {
- text := scanner.Text()
- parts := strings.SplitN(text, ":", 2)
-
- if len(parts) <= 1 {
- continue
- }
-
- status[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
- }
-
- if err := scanner.Err(); err != nil {
- return nil, perrors.Wrapf(err, "scan status file %s", file)
- }
-
- return status, nil
+ // Excerpts from prctl(2), section ERRORS:
+ //
+ // EACCES
+ // option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but
+ // the process does not have the CAP_SYS_ADMIN capability or has
+ // not set the no_new_privs attribute <...>.
+ // <...>
+ // EFAULT
+ // option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the
+ // system was built with CONFIG_SECCOMP_FILTER, and arg3 is an
+ // invalid address.
+ // <...>
+ // EINVAL
+ // option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel
+ // was not configured with CONFIG_SECCOMP.
+ //
+ // EINVAL
+ // option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER,
+ // and the kernel was not configured with CONFIG_SECCOMP_FILTER.
+ // <end of quote>
+ //
+ // Meaning, in case these kernel options are set (this is what we check
+ // for here), we will get some other error (most probably EACCES or
+ // EFAULT). IOW, EINVAL means "seccomp not supported", any other error
+ // means it is supported.
+
+ supOnce.Do(func() {
+ supported = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
+ })
+ return supported
}
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index afe620231..94f2048f3 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.35.3"
+const Version = "0.35.4"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 23197a878..32fb1b54a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/util
-# github.com/containers/common v0.35.3
+# github.com/containers/common v0.35.4
github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/apparmor/internal/supported
github.com/containers/common/pkg/auth