summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate/config_linux.go
Commit message (Collapse)AuthorAge
* Add filepath glob support to --security-opt unmaskDaniel J Walsh2021-05-04
| | | | | | | | Want to allow users to specify --security-opt unmask=/proc/*. This allows us to run podman within podman more securely, then specifing umask=all, also gives the user more flexibilty. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* replace local mount consts with libpod/defineJakub Guzik2021-03-07
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Enable more golangci-lint lintersPaul Holzinger2021-02-12
| | | | | | | | | | | | | | | | | Cleanup the golangci.yml file and enable more linters. `pkg/spec` and `iopodman.io` is history. The vendor directory is excluded by default. The dependencies dir was listed twice. Fix the reported problems in `pkg/specgen` because that was also excluded by `pkg/spec`. Enable the structcheck, typecheck, varcheck, deadcode and depguard linters. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* security: honor systempaths=unconfined for ro pathsGiuseppe Scrivano2020-12-09
| | | | | | | | | we must honor systempaths=unconfined also for read-only paths, as Docker does: proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add mask and unmask option to --security-optUrvashi Mohnani2020-12-02
| | | | | | | | | Add the mask and unmask option to the --security-opt flag to allow users to specify paths to mask and unmask in the container. If unmask=ALL, this will unmask all the paths we mask by default. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* specgen: add support for ambient capabilitiesGiuseppe Scrivano2020-11-02
| | | | | | | | | | if the kernel supports ambient capabilities (Linux 4.3+), also set them when running with euid != 0. This is different that what Moby does, as ambient capabilities are never set. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Stop excessive wrapping of errorsDaniel J Walsh2020-10-30
| | | | | | | | | | | | Most of the builtin golang functions like os.Stat and os.Open report errors including the file system object path. We should not wrap these errors and put the file path in a second time, causing stuttering of errors when they get presented to the user. This patch tries to cleanup a bunch of these errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* spec: open fuse with --device .*/fuseGiuseppe Scrivano2020-10-02
| | | | | | | | | If the container uses the /dev/fuse device, attempt to load the fuse kernel module first so that nested containers can use it. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1872240 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix up some error messagesMatthew Heon2020-08-27
| | | | | | | | | We have a lot of 'cannot stat %s' errors in our codebase. These are terrible and confusing and utterly useless without context. Add some context to a few of them so we actually know what part of the code is failing. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Mask out /sys/dev to prevent information leak from the hostDaniel J Walsh2020-07-14
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove dependency on github.com/opencontainers/libpod/configsDaniel J Walsh2020-07-09
| | | | | | | | | We are using these dependencies just to get the device from path. These dependencies no longer build on Windows, so simply cloning the deviceFromPath function, we can eliminate the need for this vendoring. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* specgen: fix segfaultPeter Hunt2020-05-27
| | | | | | we should not access the devices without checking if the resources are there Signed-off-by: Peter Hunt <pehunt@redhat.com>
* podman v2 remove bloat v2Brent Baude2020-04-16
rid ourseleves of libpod references in v2 client Signed-off-by: Brent Baude <bbaude@redhat.com>