github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

seccomp, apparmor: add go:noinline

Browse Source 
Tests in pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
since Go 1.21.

e.g.,
> ```
> === FAIL: pkg/cri/sbserver TestGenerateSeccompSecurityProfileSpecOpts/should_set_default_seccomp_when_seccomp_is_runtime/default (0.00s)
>     container_create_linux_test.go:1013:
>         	Error Trace:	/home/runner/work/containerd/containerd/pkg/cri/sbserver/container_create_linux_test.go:1013
>         	Error:      	Not equal:
>         	            	expected: 0x263d880
>         	            	actual  : 0x263cbc0
>         	Test:       	TestGenerateSeccompSecurityProfileSpecOpts/should_set_default_seccomp_when_seccomp_is_runtime/default
> ```

See comments in PR 8957.

Thanks to Wei Fu for analyzing this.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2023-08-15 04:31:45 +09:00
parent 5d9bf7d139
commit 0f043ae434
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
contrib/apparmor/apparmor.go
View File

@ -39,6 +39,11 @@ func WithProfile(profile string) oci.SpecOpts {
// WithDefaultProfile will generate a default apparmor profile under the provided name // WithDefaultProfile will generate a default apparmor profile under the provided name
// for the container. It is only generated if a profile under that name does not exist. // for the container. It is only generated if a profile under that name does not exist.
//
// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
// since Go 1.21.
//
//go:noinline
func WithDefaultProfile(name string) oci.SpecOpts { func WithDefaultProfile(name string) oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
if err := LoadDefaultProfile(name); err != nil { if err := LoadDefaultProfile(name); err != nil {

10
contrib/seccomp/seccomp.go
View File

@ -30,6 +30,11 @@ import (
// WithProfile receives the name of a file stored on disk comprising a json // WithProfile receives the name of a file stored on disk comprising a json
// formatted seccomp profile, as specified by the opencontainers/runtime-spec. // formatted seccomp profile, as specified by the opencontainers/runtime-spec.
// The profile is read from the file, unmarshaled, and set to the spec. // The profile is read from the file, unmarshaled, and set to the spec.
//
// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
// since Go 1.21.
//
//go:noinline
func WithProfile(profile string) oci.SpecOpts { func WithProfile(profile string) oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
s.Linux.Seccomp = &specs.LinuxSeccomp{} s.Linux.Seccomp = &specs.LinuxSeccomp{}
@ -46,6 +51,11 @@ func WithProfile(profile string) oci.SpecOpts {
// WithDefaultProfile sets the default seccomp profile to the spec. // WithDefaultProfile sets the default seccomp profile to the spec.
// Note: must follow the setting of process capabilities // Note: must follow the setting of process capabilities
//
// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
// since Go 1.21.
//
//go:noinline
func WithDefaultProfile() oci.SpecOpts { func WithDefaultProfile() oci.SpecOpts {
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
s.Linux.Seccomp = DefaultProfile(s) s.Linux.Seccomp = DefaultProfile(s)