From c0a2d152d99dd9344f73bd70bb4ac92c11c9e07b Mon Sep 17 00:00:00 2001 From: Mike Brown Date: Wed, 6 Sep 2017 08:09:27 -0500 Subject: [PATCH 1/2] adds seccomp support Signed-off-by: Mike Brown --- pkg/server/container_create.go | 43 +++++++++++++++++++++++++++++++--- pkg/server/sandbox_run.go | 30 ++++++++++++++++++++++-- 2 files changed, 68 insertions(+), 5 deletions(-) diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go index 4cecbf469..4bfa01b86 100644 --- a/pkg/server/container_create.go +++ b/pkg/server/container_create.go @@ -25,6 +25,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/contrib/apparmor" + "github.com/containerd/containerd/contrib/seccomp" "github.com/containerd/containerd/typeurl" "github.com/docker/docker/pkg/mount" "github.com/golang/glog" 
@@ -48,10 +49,20 @@ import ( const ( // profileNamePrefix is the prefix for loading profiles on a localhost. Eg. AppArmor localhost/profileName. profileNamePrefix = "localhost/" // TODO (mikebrow): get localhost/ & runtime/default from CRI kubernetes/kubernetes#51747 - // runtimeDefault indicates that we should use or create a runtime default apparmor profile. + // runtimeDefault indicates that we should use or create a runtime default profile. runtimeDefault = "runtime/default" + // runtimeDefault indicates that we should use or create a docker default profile. + dockerDefault = "docker/default" // appArmorDefaultProfileName is name to use when creating a default apparmor profile. appArmorDefaultProfileName = "cri-containerd.apparmor.d" + // unconfinedProfile is a string indicating one should run a pod/containerd without a security profile + unconfinedProfile = "unconfined" + // seccompDefaultPodProfile is the default seccomp profile for pods. + seccompDefaultSandboxProfile = unconfinedProfile + // seccompDefaultContainerProfile is the default seccomp profile for containers. + seccompDefaultContainerProfile = dockerDefault + // seccompEnabled is a flag for globally enabling/disabling seccomp profiles for containers. + seccompEnabled = true // TODO (mikebrow): make these seccomp defaults configurable ) func init() { 
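Review bot: The comment on `unconfinedProfile` reads `pod/containerd` where `pod/container` is meant, and unlike the other new comment slips in this block it is not corrected by the second patch in the series; I would write `// unconfinedProfile is a string indicating one should run a pod/container without a security profile`. The `seccompDefaultPodProfile` and duplicated `runtimeDefault` comment names are fixed later in this series, so I am not raising them here.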
@@ -211,6 +222,33 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 specOpts = append(specOpts, apparmor.WithProfile(strings.TrimPrefix(appArmorProf, profileNamePrefix)))
 }
 }
+
+ // Set seccomp profile
+ seccompProf := config.GetLinux().GetSecurityContext().GetSeccompProfilePath()
+ if seccompProf == runtimeDefault || seccompProf == dockerDefault {
+ // use correct default profile (Eg. if not configured otherwise, the default is docker/default for containers)
+ seccompProf = seccompDefaultContainerProfile
+ }
+ // Unset the seccomp profile, if seccomp is not enabled, unconfined, unset, or the security context is privileged
+ if !seccompEnabled ||
+ seccompProf == unconfinedProfile ||
+ seccompProf == "" ||
+ config.GetLinux().GetSecurityContext().GetPrivileged() {
+ spec.Linux.Seccomp = nil
+ } else {
+ switch seccompProf {
+ case dockerDefault:
+ // Note: WithDefaultProfile specOpts must be added after capabilities
+ specOpts = append(specOpts, seccomp.WithDefaultProfile())
+ default:
+ // Require and Trim default profile name prefix
+ if !strings.HasPrefix(seccompProf, profileNamePrefix) {
+ return nil, fmt.Errorf("invalid seccomp profile %q", seccompProf)
+ }
+ specOpts = append(specOpts, seccomp.WithProfile(strings.TrimPrefix(seccompProf, profileNamePrefix)))
+ }
+ }
+
 opts = append(opts,
 containerd.WithSpec(spec, specOpts...),
 containerd.WithRuntime(defaultRuntime, nil),
@@ -312,7 +350,7 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 if err := setOCIPrivileged(&g, config); err != nil {
 return nil, err
 }
- } else {
+ } else { // not privileged
 if err := c.addOCIDevices(&g, config.GetDevices()); err != nil {
 return nil, fmt.Errorf("failed to set devices mapping %+v: %v", config.GetDevices(), err)
 }
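Review bot: In the `default:` branch the text after `localhost/` is handed to `seccomp.WithProfile` unchanged, and the vendored helper added later in this series reads that string with `ioutil.ReadFile`, so a relative name resolves against the daemon's working directory and an absolute name or one containing `..` can name any file on the host, which as I understand it is wider than the kubelet's reading of `localhost/<file>` as a file under its seccomp profile directory. I would anchor the trimmed remainder to a configured profile root and refuse a cleaned path that leaves it, roughly `profilePath := filepath.Join(<seccomp-profile-root>, strings.TrimPrefix(seccompProf, profileNamePrefix))` followed by a `strings.HasPrefix(profilePath, <seccomp-profile-root>+string(os.PathSeparator))` check before the `append`; the profile-root value is a placeholder, since no such config field is visible on this page. The identical block appears in the `RunPodSandbox` hunk of `pkg/server/sandbox_run.go`, so the same change applies there. `CreateContainer` starts and ends outside this hunk.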
@@ -321,7 +359,6 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3 return nil, fmt.Errorf("failed to set capabilities %+v: %v", securityContext.GetCapabilities(), err) } - // TODO(random-liu): [P2] Add seccomp not privileged only. } g.SetProcessSelinuxLabel(processLabel) diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go index 7074d995a..575e1dfed 100644 --- a/pkg/server/sandbox_run.go +++ b/pkg/server/sandbox_run.go @@ -22,6 +22,7 @@ import ( "strings" "github.com/containerd/containerd" + "github.com/containerd/containerd/contrib/seccomp" "github.com/containerd/containerd/typeurl" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/golang/glog" 
@@ -127,6 +128,33 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
 specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
 }
+
+ // Set seccomp profile
+ seccompProf := config.GetLinux().GetSecurityContext().GetSeccompProfilePath()
+ if seccompProf == runtimeDefault || seccompProf == dockerDefault {
+ // use correct default profile (Eg. if not configured otherwise, the default is unconfined for pods)
+ seccompProf = seccompDefaultSandboxProfile
+ }
+ // Unset the seccomp profile, if seccomp is not enabled, unconfined, unset, or the security context is privileged
+ if !seccompEnabled ||
+ seccompProf == unconfinedProfile ||
+ seccompProf == "" ||
+ config.GetLinux().GetSecurityContext().GetPrivileged() {
+ spec.Linux.Seccomp = nil
+ } else {
+ switch seccompProf {
+ case dockerDefault:
+ // Note: WithDefaultProfile specOpts must be added after capabilities
+ specOpts = append(specOpts, seccomp.WithDefaultProfile())
+ default:
+ // Require and Trim default profile name prefix
+ if !strings.HasPrefix(seccompProf, profileNamePrefix) {
+ return nil, fmt.Errorf("invalid seccomp profile %q", seccompProf)
+ }
+ specOpts = append(specOpts, seccomp.WithProfile(strings.TrimPrefix(seccompProf, profileNamePrefix)))
+ }
+ }
+
 opts := []containerd.NewContainerOpts{
 containerd.WithSnapshotter(c.config.ContainerdSnapshotter),
 containerd.WithNewSnapshot(id, image.Image),
@@ -288,8 +316,6 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 g.AddLinuxSysctl(key, value)
 }
- // TODO(random-liu): [P2] Set seccomp - // Note: LinuxSandboxSecurityContext does not currently provide an apparmor profile
 g.SetLinuxResourcesCPUShares(uint64(defaultSandboxCPUshares))
From 78a925f57b85787aa191062f4264ea5b935a7b25 Mon Sep 17 00:00:00 2001
From: Mike Brown Date: Thu, 14 Sep 2017 18:14:00 -0500 Subject: [PATCH 2/2] vendor for new seccomp helpers Signed-off-by: Mike Brown --- hack/test-cri.sh | 2 +- hack/versions | 4 +- pkg/server/container_create.go | 8 +- pkg/server/events.go | 2 +- pkg/server/restart.go | 2 +- pkg/server/sandbox_run.go | 6 +- pkg/server/sandbox_run_test.go | 2 +- vendor.conf | 3 +- .../api/services/events/v1/container.pb.go | 4 +- .../api/services/events/v1/events.pb.go | 4 +- .../containerd/containerd/client.go | 11 +- .../containerd/containerd/container.go | 2 +- .../containerd/containerd/container_opts.go | 6 +- .../containerd/container_opts_unix.go | 2 +- .../containerd/contrib/seccomp/seccomp.go | 40 ++ .../contrib/seccomp/seccomp_default.go | 581 ++++++++++++++++++ .../containerd/containerd/events/exchange.go | 2 +- .../github.com/containerd/containerd/image.go | 6 +- .../containerd/platforms/defaults.go | 9 +- .../containerd/containerd/process.go | 2 +- .../containerd/containerd/runtime/typeurl.go | 11 +- .../containerd/containerd/spec_opts.go | 2 +- .../containerd/containerd/spec_opts_unix.go | 4 +- .../containerd/spec_opts_windows.go | 2 +- .../github.com/containerd/containerd/task.go | 2 +- .../containerd/containerd/vendor.conf | 3 +- vendor/github.com/containerd/typeurl/LICENSE | 201 ++++++ .../github.com/containerd/typeurl/README.md | 9 + .../{containerd => }/typeurl/types.go | 16 +- 29 files changed, 894 insertions(+), 54 deletions(-) create mode 100644 vendor/github.com/containerd/containerd/contrib/seccomp/seccomp.go create mode 100644 vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go create mode 100644 vendor/github.com/containerd/typeurl/LICENSE create mode 100644 vendor/github.com/containerd/typeurl/README.md rename vendor/github.com/containerd/{containerd => }/typeurl/types.go (86%) diff --git a/hack/test-cri.sh b/hack/test-cri.sh index 88ed27a74..a1083a55d 100755 --- a/hack/test-cri.sh +++ b/hack/test-cri.sh 
@@ -21,7 +21,7 @@ source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh # FOCUS focuses the test to run. FOCUS=${FOCUS:-} # SKIP skips the test to skip. -SKIP=${SKIP:-"SeccompProfilePath"} +SKIP=${SKIP:-""} REPORT_DIR=${REPORT_DIR:-"/tmp/test-cri"} # Check GOPATH diff --git a/hack/versions b/hack/versions index 110c9cd06..a2a4c7efb 100644 --- a/hack/versions +++ b/hack/versions @@ -1,5 +1,5 @@ RUNC_VERSION=593914b8bd5448a93f7c3e4902a03408b6d5c0ce CNI_VERSION=v0.6.0 -CONTAINERD_VERSION=0cb2c961b2d41e46fbb94bfa165db6d6731b73d2 -CRITOOL_VERSION=046c028a5551b4c5d2a2e503eabeb238ccafe307 +CONTAINERD_VERSION=9934acb27147f6b25707ba486e30c4dc040ba040 +CRITOOL_VERSION=48f8614feab2e345647aa8c923c55b98bd1e842c KUBERNETES_VERSION=11a836078d0c78a4253a77a3ff6f4a555c4121f9 diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go index 4bfa01b86..e25e7052c 100644 --- a/pkg/server/container_create.go +++ b/pkg/server/container_create.go @@ -26,7 +26,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/contrib/apparmor" "github.com/containerd/containerd/contrib/seccomp" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" "github.com/docker/docker/pkg/mount" "github.com/golang/glog" imagespec "github.com/opencontainers/image-spec/specs-go/v1" 
@@ -51,14 +51,14 @@ const ( profileNamePrefix = "localhost/" // TODO (mikebrow): get localhost/ & runtime/default from CRI kubernetes/kubernetes#51747 // runtimeDefault indicates that we should use or create a runtime default profile. runtimeDefault = "runtime/default" - // runtimeDefault indicates that we should use or create a docker default profile. + // dockerDefault indicates that we should use or create a docker default profile. dockerDefault = "docker/default" // appArmorDefaultProfileName is name to use when creating a default apparmor profile. appArmorDefaultProfileName = "cri-containerd.apparmor.d" // unconfinedProfile is a string indicating one should run a pod/containerd without a security profile unconfinedProfile = "unconfined" - // seccompDefaultPodProfile is the default seccomp profile for pods. - seccompDefaultSandboxProfile = unconfinedProfile + // seccompDefaultSandboxProfile is the default seccomp profile for pods. + seccompDefaultSandboxProfile = dockerDefault // seccompDefaultContainerProfile is the default seccomp profile for containers. seccompDefaultContainerProfile = dockerDefault // seccompEnabled is a flag for globally enabling/disabling seccomp profiles for containers. diff --git a/pkg/server/events.go b/pkg/server/events.go index 0ea7b5abe..f38c0e2f9 100644 --- a/pkg/server/events.go +++ b/pkg/server/events.go @@ -20,7 +20,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/api/services/events/v1" "github.com/containerd/containerd/errdefs" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" "github.com/golang/glog" "golang.org/x/net/context" diff --git a/pkg/server/restart.go b/pkg/server/restart.go index 7df4f1706..92c8c04a1 100644 --- a/pkg/server/restart.go +++ b/pkg/server/restart.go 
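Review bot: With `seccompDefaultSandboxProfile` now set to `dockerDefault`, the comment on `seccompEnabled` at the end of this hunk still describes the flag as being "for containers" although it gates the sandbox path in `RunPodSandbox` as well; I would write `// seccompEnabled is a flag for globally enabling/disabling seccomp profiles for pods and containers.`. Because `runtime/default` on a pod now reaches `seccomp.WithDefaultProfile()`, and the vendored `DefaultProfile` in this series ranges over `sp.Process.Capabilities.Bounding` and its siblings without a nil check, it is worth confirming that `generateSandboxContainerSpec` always populates `Process.Capabilities`; that function is not visible here.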
@@ -26,7 +26,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/content" "github.com/containerd/containerd/errdefs" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" "github.com/docker/distribution/reference" "github.com/docker/docker/pkg/system" "github.com/golang/glog" diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go index 575e1dfed..a2267127a 100644 --- a/pkg/server/sandbox_run.go +++ b/pkg/server/sandbox_run.go @@ -23,7 +23,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/contrib/seccomp" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/golang/glog" imagespec "github.com/opencontainers/image-spec/specs-go/v1" @@ -132,9 +132,11 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run // Set seccomp profile seccompProf := config.GetLinux().GetSecurityContext().GetSeccompProfilePath() if seccompProf == runtimeDefault || seccompProf == dockerDefault { - // use correct default profile (Eg. if not configured otherwise, the default is unconfined for pods) + // use correct default profile (Eg. if not configured otherwise, the default is docker/default for pods) seccompProf = seccompDefaultSandboxProfile } + + // TODO (mikebrow): consider a fuction for the logic used in sandbox and container for secccomp // Unset the seccomp profile, if seccomp is not enabled, unconfined, unset, or the security context is privileged if !seccompEnabled || seccompProf == unconfinedProfile || diff --git a/pkg/server/sandbox_run_test.go b/pkg/server/sandbox_run_test.go index 47572006e..2d53d1772 100644 --- a/pkg/server/sandbox_run_test.go +++ b/pkg/server/sandbox_run_test.go 
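Review bot: The TODO comment added in the `RunPodSandbox` hunk of `pkg/server/sandbox_run.go` has two typos, `fuction` and `secccomp`; I would write `// TODO (mikebrow): consider a function for the logic used in sandbox and container for seccomp`. The seccomp block it introduces continues past the end of the hunk.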
@@ -20,7 +20,7 @@ import ( "os" "testing" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" "github.com/cri-o/ocicni/pkg/ocicni" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" diff --git a/vendor.conf b/vendor.conf index 404ab7a8b..5185b8618 100644 --- a/vendor.conf +++ b/vendor.conf @@ -2,9 +2,10 @@ github.com/blang/semver v3.1.0 github.com/boltdb/bolt e9cf4fae01b5a8ff89d0ec6b32f0d9c9f79aefdd github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895 github.com/containerd/cgroups 5933ab4dc4f7caa3a73a1dc141bd11f42b5c9163 -github.com/containerd/containerd 0cb2c961b2d41e46fbb94bfa165db6d6731b73d2 +github.com/containerd/containerd 9934acb27147f6b25707ba486e30c4dc040ba040 github.com/containerd/continuity cf279e6ac893682272b4479d4c67fd3abf878b4e github.com/containerd/fifo fbfb6a11ec671efbe94ad1c12c2e98773f19e1e6 +github.com/containerd/typeurl f6943554a7e7e88b3c14aad190bf05932da84788 github.com/containernetworking/cni v0.6.0 github.com/containernetworking/plugins v0.6.0 github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6 diff --git a/vendor/github.com/containerd/containerd/api/services/events/v1/container.pb.go b/vendor/github.com/containerd/containerd/api/services/events/v1/container.pb.go index 2533b1d43..420aba036 100644 --- a/vendor/github.com/containerd/containerd/api/services/events/v1/container.pb.go +++ b/vendor/github.com/containerd/containerd/api/services/events/v1/container.pb.go @@ -53,7 +53,7 @@ import _ "github.com/gogo/protobuf/gogoproto" import google_protobuf1 "github.com/gogo/protobuf/types" import _ "github.com/containerd/containerd/protobuf/plugin" -import github_com_containerd_containerd_typeurl "github.com/containerd/containerd/typeurl" +import github_com_containerd_typeurl "github.com/containerd/typeurl" import strings "strings" import reflect "reflect" 
@@ -158,7 +158,7 @@ func (m *ContainerCreate_Runtime) Field(fieldpath []string) (string, bool) { case "name": return string(m.Name), len(m.Name) > 0 case "options": - decoded, err := github_com_containerd_containerd_typeurl.UnmarshalAny(m.Options) + decoded, err := github_com_containerd_typeurl.UnmarshalAny(m.Options) if err != nil { return "", false } diff --git a/vendor/github.com/containerd/containerd/api/services/events/v1/events.pb.go b/vendor/github.com/containerd/containerd/api/services/events/v1/events.pb.go index 1d068d07b..e89406440 100644 --- a/vendor/github.com/containerd/containerd/api/services/events/v1/events.pb.go +++ b/vendor/github.com/containerd/containerd/api/services/events/v1/events.pb.go @@ -15,7 +15,7 @@ import _ "github.com/gogo/protobuf/types" import time "time" -import github_com_containerd_containerd_typeurl "github.com/containerd/containerd/typeurl" +import github_com_containerd_typeurl "github.com/containerd/typeurl" import ( context "golang.org/x/net/context" @@ -92,7 +92,7 @@ func (m *Envelope) Field(fieldpath []string) (string, bool) { case "topic": return string(m.Topic), len(m.Topic) > 0 case "event": - decoded, err := github_com_containerd_containerd_typeurl.UnmarshalAny(m.Event) + decoded, err := github_com_containerd_typeurl.UnmarshalAny(m.Event) if err != nil { return "", false } diff --git a/vendor/github.com/containerd/containerd/client.go b/vendor/github.com/containerd/containerd/client.go index ddf66bc8f..2c7227241 100644 --- a/vendor/github.com/containerd/containerd/client.go +++ b/vendor/github.com/containerd/containerd/client.go 
@@ -34,7 +34,7 @@ import ( imagesservice "github.com/containerd/containerd/services/images" snapshotservice "github.com/containerd/containerd/services/snapshot" "github.com/containerd/containerd/snapshot" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" pempty "github.com/golang/protobuf/ptypes/empty" ocispec "github.com/opencontainers/image-spec/specs-go/v1" specs "github.com/opencontainers/runtime-spec/specs-go" @@ -44,12 +44,13 @@ import ( ) func init() { + const prefix = "types.containerd.io" // register TypeUrls for commonly marshaled external types major := strconv.Itoa(specs.VersionMajor) - typeurl.Register(&specs.Spec{}, "opencontainers/runtime-spec", major, "Spec") - typeurl.Register(&specs.Process{}, "opencontainers/runtime-spec", major, "Process") - typeurl.Register(&specs.LinuxResources{}, "opencontainers/runtime-spec", major, "LinuxResources") - typeurl.Register(&specs.WindowsResources{}, "opencontainers/runtime-spec", major, "WindowsResources") + typeurl.Register(&specs.Spec{}, prefix, "opencontainers/runtime-spec", major, "Spec") + typeurl.Register(&specs.Process{}, prefix, "opencontainers/runtime-spec", major, "Process") + typeurl.Register(&specs.LinuxResources{}, prefix, "opencontainers/runtime-spec", major, "LinuxResources") + typeurl.Register(&specs.WindowsResources{}, prefix, "opencontainers/runtime-spec", major, "WindowsResources") } // New returns a new containerd client that is connected to the containerd diff --git a/vendor/github.com/containerd/containerd/container.go b/vendor/github.com/containerd/containerd/container.go index af42cd44c..eec8863a6 100644 --- a/vendor/github.com/containerd/containerd/container.go +++ b/vendor/github.com/containerd/containerd/container.go 
@@ -11,7 +11,7 @@ import ( "github.com/containerd/containerd/api/types" "github.com/containerd/containerd/containers" "github.com/containerd/containerd/errdefs" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" prototypes "github.com/gogo/protobuf/types" specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" diff --git a/vendor/github.com/containerd/containerd/container_opts.go b/vendor/github.com/containerd/containerd/container_opts.go index 756de7ad3..5ad0a9739 100644 --- a/vendor/github.com/containerd/containerd/container_opts.go +++ b/vendor/github.com/containerd/containerd/container_opts.go @@ -6,7 +6,7 @@ import ( "github.com/containerd/containerd/containers" "github.com/containerd/containerd/errdefs" "github.com/containerd/containerd/platforms" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" "github.com/gogo/protobuf/types" "github.com/opencontainers/image-spec/identity" "github.com/pkg/errors" @@ -80,7 +80,7 @@ func WithSnapshot(id string) NewContainerOpts { // root filesystem in read-write mode func WithNewSnapshot(id string, i Image) NewContainerOpts { return func(ctx context.Context, client *Client, c *containers.Container) error { - diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), platforms.Format(platforms.Default())) + diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), platforms.Default()) if err != nil { return err } @@ -109,7 +109,7 @@ func WithSnapshotCleanup(ctx context.Context, client *Client, c containers.Conta // root filesystem in read-only mode func WithNewSnapshotView(id string, i Image) NewContainerOpts { return func(ctx context.Context, client *Client, c *containers.Container) error { - diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), platforms.Format(platforms.Default())) + diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), platforms.Default()) if err != nil { return err } 
diff --git a/vendor/github.com/containerd/containerd/container_opts_unix.go b/vendor/github.com/containerd/containerd/container_opts_unix.go index 8108f4b83..961ce720d 100644 --- a/vendor/github.com/containerd/containerd/container_opts_unix.go +++ b/vendor/github.com/containerd/containerd/container_opts_unix.go @@ -39,7 +39,7 @@ func WithCheckpoint(desc v1.Descriptor, snapshotKey string) NewContainerOpts { fk := m rw = &fk case images.MediaTypeDockerSchema2Manifest: - config, err := images.Config(ctx, store, m, platforms.Format(platforms.Default())) + config, err := images.Config(ctx, store, m, platforms.Default()) if err != nil { return err } diff --git a/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp.go b/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp.go new file mode 100644 index 000000000..6d4e99e49 --- /dev/null +++ b/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp.go 
@@ -0,0 +1,40 @@
+// +build linux
+
+package seccomp
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+
+ "github.com/containerd/containerd"
+ "github.com/containerd/containerd/containers"
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// WithProfile receives the name of a file stored on disk comprising a json
+// formated seccomp profile, as specified by the opencontainers/runtime-spec.
+// The profile is read from the file, unmarshaled, and set to the spec.
+func WithProfile(profile string) containerd.SpecOpts {
+ return func(_ context.Context, _ *containerd.Client, _ *containers.Container, s *specs.Spec) error {
+ s.Linux.Seccomp = &specs.LinuxSeccomp{}
+ f, err := ioutil.ReadFile(profile)
+ if err != nil {
+ return fmt.Errorf("Cannot load seccomp profile %q: %v", profile, err)
+ }
+ if err := json.Unmarshal(f, s.Linux.Seccomp); err != nil {
+ return fmt.Errorf("Decoding seccomp profile failed %q: %v", profile, err)
+ }
+ return nil
+ }
+}
+
+// WithDefaultProfile sets the default seccomp profile to the spec.
+// Note: must follow the setting of process capabilities
+func WithDefaultProfile() containerd.SpecOpts {
+ return func(_ context.Context, _ *containerd.Client, _ *containers.Container, s *specs.Spec) error {
+ s.Linux.Seccomp = DefaultProfile(s)
+ return nil
+ }
+}
diff --git a/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go b/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go
new file mode 100644
index 000000000..7e2e3e628
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go
@@ -0,0 +1,581 @@ +// +build linux + +package seccomp + +import ( + "runtime" + "syscall" + + "github.com/opencontainers/runtime-spec/specs-go" +) + +func arches() []specs.Arch { + switch runtime.GOARCH { + case "amd64": + return []specs.Arch{specs.ArchX86_64, specs.ArchX86, specs.ArchX32} + case "arm64": + return []specs.Arch{specs.ArchARM, specs.ArchAARCH64} + case "mips64": + return []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64, specs.ArchMIPS64N32} + case "mips64n32": + return []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64, specs.ArchMIPS64N32} + case "mipsel64": + return []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64, specs.ArchMIPSEL64N32} + case "mipsel64n32": + return []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64, specs.ArchMIPSEL64N32} + case "s390x": + return []specs.Arch{specs.ArchS390, specs.ArchS390X} + default: + return []specs.Arch{} + } +} + +// DefaultProfile defines the whitelist for the default seccomp profile. +func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { + syscalls := []specs.LinuxSyscall{ + { + Names: []string{ + "accept", + "accept4", + "access", + "alarm", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_gettime", + "clock_nanosleep", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futimesat", + "getcpu", + 
"getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedsend", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "prctl", + "pread64", + "preadv", + "prlimit64", + "pselect6", + "pwrite64", + "pwritev", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + 
"sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "syslog", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", + "timer_getoverrun", + "timer_gettime", + "timer_settime", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }, + { + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x0, + Op: specs.OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x0008, + Op: specs.OpEqualTo, + }, + }, + }, + { + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: 
[]specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0xffffffff, + Op: specs.OpEqualTo, + }, + }, + }, + } + + s := &specs.LinuxSeccomp{ + DefaultAction: specs.ActErrno, + Architectures: arches(), + Syscalls: syscalls, + } + + // include by arch + switch runtime.GOARCH { + case "arm", "arm64": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "arm_fadvise64_64", + "arm_sync_file_range", + "breakpoint", + "cacheflush", + "set_tls", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "amd64": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "arch_prctl", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + fallthrough + case "386": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "modify_ldt", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "s390", "s390x": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + } + + // make a map of enabled capabilities + caps := make(map[string]bool) + for _, c := range sp.Process.Capabilities.Bounding { + caps[c] = true + } + for _, c := range sp.Process.Capabilities.Effective { + caps[c] = true + } + for _, c := range sp.Process.Capabilities.Inheritable { + caps[c] = true + } + for _, c := range sp.Process.Capabilities.Permitted { + caps[c] = true + } + for _, c := range sp.Process.Capabilities.Ambient { + caps[c] = true + } + + for c := range caps { + switch c { + case "CAP_DAC_READ_SEARCH": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{"open_by_handle_at"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_ADMIN": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "bpf", + "clone", + "fanotify_init", + "lookup_dcookie", + "mount", + 
"name_to_handle_at", + "perf_event_open", + "setdomainname", + "sethostname", + "setns", + "umount", + "umount2", + "unshare", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_BOOT": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{"reboot"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_CHROOT": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{"chroot"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_MODULE": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "delete_module", + "init_module", + "finit_module", + "query_module", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_PACCT": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{"acct"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_PTRACE": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "kcmp", + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_RAWIO": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "iopl", + "ioperm", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_TIME": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "settimeofday", + "stime", + "adjtimex", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + case "CAP_SYS_TTY_CONFIG": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{"vhangup"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{}, + }) + } + } + + if !caps["CAP_SYS_ADMIN"] { + switch runtime.GOARCH { + case "s390", "s390x": + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "clone", + }, + Action: specs.ActAllow, + Args: 
[]specs.LinuxSeccompArg{ + { + Index: 1, + Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, + }, + }) + default: + s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ + Names: []string{ + "clone", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, + }, + }) + } + } + + return s +} diff --git a/vendor/github.com/containerd/containerd/events/exchange.go b/vendor/github.com/containerd/containerd/events/exchange.go index 93f6dfa91..0c8e60f0e 100644 --- a/vendor/github.com/containerd/containerd/events/exchange.go +++ b/vendor/github.com/containerd/containerd/events/exchange.go @@ -11,7 +11,7 @@ import ( "github.com/containerd/containerd/identifiers" "github.com/containerd/containerd/log" "github.com/containerd/containerd/namespaces" - "github.com/containerd/containerd/typeurl" + "github.com/containerd/typeurl" goevents "github.com/docker/go-events" "github.com/gogo/protobuf/types" "github.com/pkg/errors" diff --git a/vendor/github.com/containerd/containerd/image.go b/vendor/github.com/containerd/containerd/image.go index 88f9b2e0f..5390a6d6c 100644 --- a/vendor/github.com/containerd/containerd/image.go +++ b/vendor/github.com/containerd/containerd/image.go @@ -45,7 +45,7 @@ func (i *image) Target() ocispec.Descriptor { func (i *image) RootFS(ctx context.Context) ([]digest.Digest, error) { provider := i.client.ContentStore() - return i.i.RootFS(ctx, provider, platforms.Format(platforms.Default())) + return i.i.RootFS(ctx, provider, platforms.Default()) } func (i *image) Size(ctx context.Context) (int64, error) { 
@@ -55,11 +55,11 @@ func (i *image) Size(ctx context.Context) (int64, error) {
 
 func (i *image) Config(ctx context.Context) (ocispec.Descriptor, error) {
 provider := i.client.ContentStore()
- return i.i.Config(ctx, provider, platforms.Format(platforms.Default()))
+ return i.i.Config(ctx, provider, platforms.Default())
 }
 
 func (i *image) Unpack(ctx context.Context, snapshotterName string) error {
- layers, err := i.getLayers(ctx, platforms.Format(platforms.Default()))
+ layers, err := i.getLayers(ctx, platforms.Default())
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/containerd/containerd/platforms/defaults.go b/vendor/github.com/containerd/containerd/platforms/defaults.go
index d49912052..2b57b4979 100644
--- a/vendor/github.com/containerd/containerd/platforms/defaults.go
+++ b/vendor/github.com/containerd/containerd/platforms/defaults.go
@@ -6,8 +6,13 @@ import (
 specs "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
-// Default returns the current platform's default platform specification.
-func Default() specs.Platform {
+// Default returns the default specifier for the platform.
+func Default() string {
+ return Format(DefaultSpec())
+}
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
 return specs.Platform{
 OS: runtime.GOOS,
 Architecture: runtime.GOARCH,
diff --git a/vendor/github.com/containerd/containerd/process.go b/vendor/github.com/containerd/containerd/process.go
index 536d8a85e..b3e03c279 100644
--- a/vendor/github.com/containerd/containerd/process.go
+++ b/vendor/github.com/containerd/containerd/process.go
@@ -10,7 +10,7 @@ import (
 "github.com/containerd/containerd/api/services/tasks/v1"
 "github.com/containerd/containerd/errdefs"
 "github.com/containerd/containerd/runtime"
- "github.com/containerd/containerd/typeurl"
+ "github.com/containerd/typeurl"
 "github.com/pkg/errors"
 )
 
diff --git a/vendor/github.com/containerd/containerd/runtime/typeurl.go b/vendor/github.com/containerd/containerd/runtime/typeurl.go
index 46b186d28..8ba2b43a6 100644
--- a/vendor/github.com/containerd/containerd/runtime/typeurl.go
+++ b/vendor/github.com/containerd/containerd/runtime/typeurl.go
@@ -3,15 +3,16 @@ package runtime
 import (
 "strconv"
 
- "github.com/containerd/containerd/typeurl"
+ "github.com/containerd/typeurl"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
 func init() {
+ const prefix = "types.containerd.io"
 // register TypeUrls for commonly marshaled external types
 major := strconv.Itoa(specs.VersionMajor)
- typeurl.Register(&specs.Spec{}, "opencontainers/runtime-spec", major, "Spec")
- typeurl.Register(&specs.Process{}, "opencontainers/runtime-spec", major, "Process")
- typeurl.Register(&specs.LinuxResources{}, "opencontainers/runtime-spec", major, "LinuxResources")
- typeurl.Register(&specs.WindowsResources{}, "opencontainers/runtime-spec", major, "WindowsResources")
+ typeurl.Register(&specs.Spec{}, prefix, "opencontainers/runtime-spec", major, "Spec")
+ typeurl.Register(&specs.Process{}, prefix, "opencontainers/runtime-spec", major, "Process")
+ typeurl.Register(&specs.LinuxResources{}, prefix, "opencontainers/runtime-spec", major, "LinuxResources")
+ typeurl.Register(&specs.WindowsResources{}, prefix, "opencontainers/runtime-spec", major, "WindowsResources")
 }
diff --git a/vendor/github.com/containerd/containerd/spec_opts.go b/vendor/github.com/containerd/containerd/spec_opts.go
index 811e1eeba..40cd2fa3f 100644
--- a/vendor/github.com/containerd/containerd/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/spec_opts.go
@@ -4,7 +4,7 @@ import (
 "context"
 
 "github.com/containerd/containerd/containers"
- "github.com/containerd/containerd/typeurl"
+ "github.com/containerd/typeurl"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
diff --git a/vendor/github.com/containerd/containerd/spec_opts_unix.go b/vendor/github.com/containerd/containerd/spec_opts_unix.go
index b529cfb87..dfe875d17 100644
--- a/vendor/github.com/containerd/containerd/spec_opts_unix.go
+++ b/vendor/github.com/containerd/containerd/spec_opts_unix.go
@@ -73,7 +73,7 @@ func WithImageConfig(i Image) SpecOpts {
 image = i.(*image)
 store = client.ContentStore()
 )
- ic, err := image.i.Config(ctx, store, platforms.Format(platforms.Default()))
+ ic, err := image.i.Config(ctx, store, platforms.Default())
 if err != nil {
 return err
 }
@@ -236,7 +236,7 @@ func WithRemappedSnapshotView(id string, i Image, uid, gid uint32) NewContainerO
 
 func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool) NewContainerOpts {
 return func(ctx context.Context, client *Client, c *containers.Container) error {
- diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), platforms.Format(platforms.Default()))
+ diffIDs, err := i.(*image).i.RootFS(ctx, client.ContentStore(), platforms.Default())
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/containerd/containerd/spec_opts_windows.go b/vendor/github.com/containerd/containerd/spec_opts_windows.go
index 33aba1a9c..5aa5c3029 100644
--- a/vendor/github.com/containerd/containerd/spec_opts_windows.go
+++ b/vendor/github.com/containerd/containerd/spec_opts_windows.go
@@ -21,7 +21,7 @@ func WithImageConfig(i Image) SpecOpts {
 image = i.(*image)
 store = client.ContentStore()
 )
- ic, err := image.i.Config(ctx, store, platforms.Format(platforms.Default()))
+ ic, err := image.i.Config(ctx, store, platforms.Default())
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/containerd/containerd/task.go b/vendor/github.com/containerd/containerd/task.go
index 6da88d374..90ccbd14a 100644
--- a/vendor/github.com/containerd/containerd/task.go
+++ b/vendor/github.com/containerd/containerd/task.go
@@ -21,7 +21,7 @@ import (
 "github.com/containerd/containerd/plugin"
 "github.com/containerd/containerd/rootfs"
 "github.com/containerd/containerd/runtime"
- "github.com/containerd/containerd/typeurl"
+ "github.com/containerd/typeurl"
 digest "github.com/opencontainers/go-digest"
 "github.com/opencontainers/image-spec/specs-go/v1"
 specs "github.com/opencontainers/runtime-spec/specs-go"
diff --git a/vendor/github.com/containerd/containerd/vendor.conf b/vendor/github.com/containerd/containerd/vendor.conf
index 1698fbe70..abb7383d5 100644
--- a/vendor/github.com/containerd/containerd/vendor.conf
+++ b/vendor/github.com/containerd/containerd/vendor.conf
@@ -1,7 +1,8 @@
 github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6
 github.com/containerd/go-runc b3c048c028ddd789c6f9510c597f8b9c62f25359
-github.com/containerd/console 76d18fd1d66972718ab2284449591db0b3cdb4de
+github.com/containerd/console b28c739c79ce69d017e3691ad3664568d68e95c6
 github.com/containerd/cgroups 5933ab4dc4f7caa3a73a1dc141bd11f42b5c9163
+github.com/containerd/typeurl f6943554a7e7e88b3c14aad190bf05932da84788
 github.com/docker/go-metrics 8fd5772bf1584597834c6f7961a530f06cbfbb87
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f
diff --git a/vendor/github.com/containerd/typeurl/LICENSE b/vendor/github.com/containerd/typeurl/LICENSE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/vendor/github.com/containerd/typeurl/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship.
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty.
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/vendor/github.com/containerd/typeurl/README.md b/vendor/github.com/containerd/typeurl/README.md
new file mode 100644
index 000000000..e0787743c
--- /dev/null
+++ b/vendor/github.com/containerd/typeurl/README.md
@@ -0,0 +1,9 @@
+# typeurl
+
+[![Build Status](https://travis-ci.org/containerd/typeurl.svg?branch=master)](https://travis-ci.org/containerd/typeurl)
+
+[![codecov](https://codecov.io/gh/containerd/typeurl/branch/master/graph/badge.svg)](https://codecov.io/gh/containerd/typeurl)
+
+A Go package for managing the registration, marshaling, and unmarshaling of encoded types.
+
+This package helps when types are sent over a GRPC API and marshaled as a [protobuf.Any]().
diff --git a/vendor/github.com/containerd/containerd/typeurl/types.go b/vendor/github.com/containerd/typeurl/types.go
similarity index 86%
rename from vendor/github.com/containerd/containerd/typeurl/types.go
rename to vendor/github.com/containerd/typeurl/types.go
index 63b214b5e..10a78228b 100644
--- a/vendor/github.com/containerd/containerd/typeurl/types.go
+++ b/vendor/github.com/containerd/typeurl/types.go
@@ -4,27 +4,25 @@ import (
 "encoding/json"
 "path"
 "reflect"
- "strings"
 "sync"
 
- "github.com/containerd/containerd/errdefs"
 "github.com/gogo/protobuf/proto"
 "github.com/gogo/protobuf/types"
 "github.com/pkg/errors"
 )
 
-const Prefix = "types.containerd.io"
-
 var (
 mu sync.Mutex
 registry = make(map[reflect.Type]string)
 )
 
+var ErrNotFound = errors.New("not found")
+
 // Register a type with the base url of the type
 func Register(v interface{}, args ...string) {
 var (
 t = tryDereference(v)
- p = path.Join(append([]string{Prefix}, args...)...)
+ p = path.Join(args...)
 )
 mu.Lock()
 defer mu.Unlock()
@@ -46,9 +44,9 @@ func TypeURL(v interface{}) (string, error) {
 // fallback to the proto registry if it is a proto message
 pb, ok := v.(proto.Message)
 if !ok {
- return "", errors.Wrapf(errdefs.ErrNotFound, "type %s", reflect.TypeOf(v))
+ return "", errors.Wrapf(ErrNotFound, "type %s", reflect.TypeOf(v))
 }
- return path.Join(Prefix, proto.MessageName(pb)), nil
+ return proto.MessageName(pb), nil
 }
 return u, nil
 }
@@ -123,7 +121,7 @@ func getTypeByUrl(url string) (urlType, error) {
 }
 }
 // fallback to proto registry
- t := proto.MessageType(strings.TrimPrefix(url, Prefix+"/"))
+ t := proto.MessageType(url)
 if t != nil {
 return urlType{
 // get the underlying Elem because proto returns a pointer to the type
@@ -131,7 +129,7 @@ func getTypeByUrl(url string) (urlType, error) {
 isProto: true,
 }, nil
 }
- return urlType{}, errors.Wrapf(errdefs.ErrNotFound, "type with url %s", url)
+ return urlType{}, errors.Wrapf(ErrNotFound, "type with url %s", url)
 }
 
 func tryDereference(v interface{}) reflect.Type {