diff --git a/go.mod b/go.mod index 1f94095a25..11e5a35315 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/buildah v1.19.8 - github.com/containers/common v0.35.3 + github.com/containers/common v0.35.4 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.10.5 github.com/containers/ocicrypt v1.1.0 diff --git a/go.sum b/go.sum index 385047cc90..e1da71042f 100644 --- a/go.sum +++ b/go.sum @@ -179,8 +179,8 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD github.com/containers/buildah v1.19.8 h1:4TzmetfKPQF5hh6GgMwbAfrD50j+PAcsRiWDnx+gCI8= github.com/containers/buildah v1.19.8/go.mod h1:VnyHWgNmfR1d89/zJ/F4cbwOzaQS+6sBky46W7dCo3E= github.com/containers/common v0.33.4/go.mod h1:PhgL71XuC4jJ/1BIqeP7doke3aMFkCP90YBXwDeUr9g= -github.com/containers/common v0.35.3 h1:6tEBSIHlJzpmt35zA1ZcjBqbtUilAHDWaa7buPvaqWY= -github.com/containers/common v0.35.3/go.mod h1:rMzxgD7nMGw++cEbsp+NZv0UJO4rgXbm7F7IbJPTwIE= +github.com/containers/common v0.35.4 h1:szyWRncsHkBwCVpu1dkEOXUjkwCetlfcLmKJTwo1Sp8= +github.com/containers/common v0.35.4/go.mod h1:rMzxgD7nMGw++cEbsp+NZv0UJO4rgXbm7F7IbJPTwIE= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.10.1/go.mod h1:JlRLJZv7elVbtHaaaR6Kz8i6G3k2ttj4t7fubwxD9Hs= diff --git a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go index 78be4d1583..ccdcde8778 100644 --- a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go +++ b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go @@ -7,6 +7,7 @@ package capabilities import ( "strings" + "sync" "github.com/pkg/errors" "github.com/syndtr/gocapability/capability" @@ -27,7 +28,7 @@ var ( ContainerImageLabels = []string{"io.containers.capabilities"} ) -// All is a special value used to add/drop all known capababilities. +// All is a special value used to add/drop all known capabilities. // Useful on the CLI for `--cap-add=all` etc. const All = "ALL" @@ -60,24 +61,36 @@ func stringInSlice(s string, sl []string) bool { return false } +var ( + boundingSetOnce sync.Once + boundingSetRet []string + boundingSetErr error +) + // BoundingSet returns the capabilities in the current bounding set func BoundingSet() ([]string, error) { - currentCaps, err := capability.NewPid2(0) - if err != nil { - return nil, err - } - err = currentCaps.Load() - if err != nil { - return nil, err - } - var r []string - for _, c := range capsList { - if !currentCaps.Get(capability.BOUNDING, c) { - continue + boundingSetOnce.Do(func() { + currentCaps, err := capability.NewPid2(0) + if err != nil { + boundingSetErr = err + return } - r = append(r, getCapName(c)) - } - return r, nil + err = currentCaps.Load() + if err != nil { + boundingSetErr = err + return + } + var r []string + for _, c := range capsList { + if !currentCaps.Get(capability.BOUNDING, c) { + continue + } + r = append(r, getCapName(c)) + } + boundingSetRet = r + boundingSetErr = err + }) + return boundingSetRet, boundingSetErr } // AllCapabilities returns all known capabilities. @@ -116,7 +129,7 @@ func ValidateCapabilities(caps []string) error { return nil } -// MergeCapabilities computes a set of capabilities by adding capapbitilities +// MergeCapabilities computes a set of capabilities by adding capabilities // to or dropping them from base. // // Note that: @@ -150,7 +163,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) { if stringInSlice(All, capAdd) { // "Add" all capabilities; - return capabilityList, nil + return BoundingSet() } for _, add := range capAdd { diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index 9199a62864..4c55af5c18 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -45,7 +45,7 @@ var ( // DefaultInitPath is the default path to the container-init binary DefaultInitPath = "/usr/libexec/podman/catatonit" // DefaultInfraImage to use for infra container - DefaultInfraImage = "k8s.gcr.io/pause:3.4.1" + DefaultInfraImage = "k8s.gcr.io/pause:3.5" // DefaultRootlessSHMLockPath is the default path for rootless SHM locks DefaultRootlessSHMLockPath = "/libpod_rootless_lock" // DefaultDetachKeys is the default keys sequence for detaching a diff --git a/vendor/github.com/containers/common/pkg/seccomp/supported.go b/vendor/github.com/containers/common/pkg/seccomp/supported.go index e04324c8af..86e1b66bbe 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/supported.go +++ b/vendor/github.com/containers/common/pkg/seccomp/supported.go @@ -3,72 +3,47 @@ package seccomp import ( - "bufio" - "errors" - "os" - "strings" + "sync" - perrors "github.com/pkg/errors" "golang.org/x/sys/unix" ) -const statusFilePath = "/proc/self/status" +var ( + supported bool + supOnce sync.Once +) // IsSupported returns true if the system has been configured to support -// seccomp. +// seccomp (including the check for CONFIG_SECCOMP_FILTER kernel option). func IsSupported() bool { - // Since Linux 3.8, the Seccomp field of the /proc/[pid]/status file - // provides a method of obtaining the same information, without the risk - // that the process is killed; see proc(5). - status, err := parseStatusFile(statusFilePath) - if err == nil { - _, ok := status["Seccomp"] - return ok - } - - // PR_GET_SECCOMP (since Linux 2.6.23) - // Return (as the function result) the secure computing mode of the calling - // thread. If the caller is not in secure computing mode, this operation - // returns 0; if the caller is in strict secure computing mode, then the - // prctl() call will cause a SIGKILL signal to be sent to the process. If - // the caller is in filter mode, and this system call is allowed by the - // seccomp filters, it returns 2; otherwise, the process is killed with a - // SIGKILL signal. This operation is available only if the kernel is - // configured with CONFIG_SECCOMP enabled. - if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); !errors.Is(err, unix.EINVAL) { - // Make sure the kernel has CONFIG_SECCOMP_FILTER. - if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); !errors.Is(err, unix.EINVAL) { - return true - } - } - - return false -} - -// parseStatusFile reads the provided `file` into a map of strings. -func parseStatusFile(file string) (map[string]string, error) { - f, err := os.Open(file) - if err != nil { - return nil, perrors.Wrapf(err, "open status file %s", file) - } - defer f.Close() - - status := make(map[string]string) - scanner := bufio.NewScanner(f) - for scanner.Scan() { - text := scanner.Text() - parts := strings.SplitN(text, ":", 2) - - if len(parts) <= 1 { - continue - } - - status[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1]) - } - - if err := scanner.Err(); err != nil { - return nil, perrors.Wrapf(err, "scan status file %s", file) - } - - return status, nil + // Excerpts from prctl(2), section ERRORS: + // + // EACCES + // option is PR_SET_SECCOMP and arg2 is SECCOMP_MODE_FILTER, but + // the process does not have the CAP_SYS_ADMIN capability or has + // not set the no_new_privs attribute <...>. + // <...> + // EFAULT + // option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, the + // system was built with CONFIG_SECCOMP_FILTER, and arg3 is an + // invalid address. + // <...> + // EINVAL + // option is PR_SET_SECCOMP or PR_GET_SECCOMP, and the kernel + // was not configured with CONFIG_SECCOMP. + // + // EINVAL + // option is PR_SET_SECCOMP, arg2 is SECCOMP_MODE_FILTER, + // and the kernel was not configured with CONFIG_SECCOMP_FILTER. + // + // + // Meaning, in case these kernel options are set (this is what we check + // for here), we will get some other error (most probably EACCES or + // EFAULT). IOW, EINVAL means "seccomp not supported", any other error + // means it is supported. + + supOnce.Do(func() { + supported = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL + }) + return supported } diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index afe6202318..94f2048f3a 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.35.3" +const Version = "0.35.4" diff --git a/vendor/modules.txt b/vendor/modules.txt index 22a2ece0a3..60d311d096 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/parse github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/util -# github.com/containers/common v0.35.3 +# github.com/containers/common v0.35.4 github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/auth