Update continuity, go-winio and hcsshim

Update dependencies and remove the local bindfilter files. Those have
been moved to go-winio.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>

vendor/github.com/Microsoft/go-winio/.golangci.yml

@@ -8,12 +8,8 @@ linters:
     - containedctx # struct contains a context
     - dupl # duplicate code
     - errname # erorrs are named correctly
-    - goconst # strings that should be constants
-    - godot # comments end in a period
-    - misspell
     - nolintlint # "//nolint" directives are properly explained
     - revive # golint replacement
-    - stylecheck # golint replacement, less configurable than revive
     - unconvert # unnecessary conversions
     - wastedassign
 
@@ -23,10 +19,7 @@ linters:
     - exhaustive # check exhaustiveness of enum switch statements
     - gofmt # files are gofmt'ed
     - gosec # security
-    - nestif # deeply nested ifs
     - nilerr # returns nil even with non-nil error
-    - prealloc # slices that can be pre-allocated
-    - structcheck # unused struct fields
     - unparam # unused function params
 
 issues:
@@ -56,6 +49,8 @@ issues:
 
 
 linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
   govet:
     enable-all: true
     disable:
@@ -98,6 +93,8 @@ linters-settings:
         disabled: true
       - name: flag-parameter # excessive, and a common idiom we use
         disabled: true
+      - name: unhandled-error # warns over common fmt.Print* and io.Close; rely on errcheck instead
+        disabled: true
       # general config
       - name: line-length-limit
         arguments:
@@ -138,7 +135,3 @@ linters-settings:
             - VPCI
             - WCOW
             - WIM
-  stylecheck:
-    checks:
-      - "all"
-      - "-ST1003" # use revive's var naming

vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go

@@ -0,0 +1,308 @@
+//go:build windows
+// +build windows
+
+package bindfilter
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+//go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go ./bind_filter.go
+//sys bfSetupFilter(jobHandle windows.Handle, flags uint32, virtRootPath string, virtTargetPath string, virtExceptions **uint16, virtExceptionPathCount uint32) (hr error) = bindfltapi.BfSetupFilter?
+//sys bfRemoveMapping(jobHandle windows.Handle, virtRootPath string)  (hr error) = bindfltapi.BfRemoveMapping?
+//sys bfGetMappings(flags uint32, jobHandle windows.Handle, virtRootPath *uint16, sid *windows.SID, bufferSize *uint32, outBuffer *byte)  (hr error) = bindfltapi.BfGetMappings?
+
+// BfSetupFilter flags. See:
+// https://github.com/microsoft/BuildXL/blob/a6dce509f0d4f774255e5fbfb75fa6d5290ed163/Public/Src/Utilities/Native/Processes/Windows/NativeContainerUtilities.cs#L193-L240
+//
+//nolint:revive // var-naming: ALL_CAPS
+const (
+	BINDFLT_FLAG_READ_ONLY_MAPPING uint32 = 0x00000001
+	// Tells bindflt to fail mapping with STATUS_INVALID_PARAMETER if a mapping produces
+	// multiple targets.
+	BINDFLT_FLAG_NO_MULTIPLE_TARGETS uint32 = 0x00000040
+)
+
+//nolint:revive // var-naming: ALL_CAPS
+const (
+	BINDFLT_GET_MAPPINGS_FLAG_VOLUME uint32 = 0x00000001
+	BINDFLT_GET_MAPPINGS_FLAG_SILO   uint32 = 0x00000002
+	BINDFLT_GET_MAPPINGS_FLAG_USER   uint32 = 0x00000004
+)
+
+// ApplyFileBinding creates a global mount of the source in root, with an optional
+// read only flag.
+// The bind filter allows us to create mounts of directories and volumes. By default it allows
+// us to mount multiple sources inside a single root, acting as an overlay. Files from the
+// second source will superscede the first source that was mounted.
+// This function disables this behavior and sets the BINDFLT_FLAG_NO_MULTIPLE_TARGETS flag
+// on the mount.
+func ApplyFileBinding(root, source string, readOnly bool) error {
+	// The parent directory needs to exist for the bind to work. MkdirAll stats and
+	// returns nil if the directory exists internally so we should be fine to mkdirall
+	// every time.
+	if err := os.MkdirAll(filepath.Dir(root), 0); err != nil {
+		return err
+	}
+
+	if strings.Contains(source, "Volume{") && !strings.HasSuffix(source, "\\") {
+		// Add trailing slash to volumes, otherwise we get an error when binding it to
+		// a folder.
+		source = source + "\\"
+	}
+
+	flags := BINDFLT_FLAG_NO_MULTIPLE_TARGETS
+	if readOnly {
+		flags |= BINDFLT_FLAG_READ_ONLY_MAPPING
+	}
+
+	// Set the job handle to 0 to create a global mount.
+	if err := bfSetupFilter(
+		0,
+		flags,
+		root,
+		source,
+		nil,
+		0,
+	); err != nil {
+		return fmt.Errorf("failed to bind target %q to root %q: %w", source, root, err)
+	}
+	return nil
+}
+
+// RemoveFileBinding removes a mount from the root path.
+func RemoveFileBinding(root string) error {
+	if err := bfRemoveMapping(0, root); err != nil {
+		return fmt.Errorf("removing file binding: %w", err)
+	}
+	return nil
+}
+
+// GetBindMappings returns a list of bind mappings that have their root on a
+// particular volume. The volumePath parameter can be any path that exists on
+// a volume. For example, if a number of mappings are created in C:\ProgramData\test,
+// to get a list of those mappings, the volumePath parameter would have to be set to
+// C:\ or the VOLUME_NAME_GUID notation of C:\ (\\?\Volume{GUID}\), or any child
+// path that exists.
+func GetBindMappings(volumePath string) ([]BindMapping, error) {
+	rootPtr, err := windows.UTF16PtrFromString(volumePath)
+	if err != nil {
+		return nil, err
+	}
+
+	flags := BINDFLT_GET_MAPPINGS_FLAG_VOLUME
+	// allocate a large buffer for results
+	var outBuffSize uint32 = 256 * 1024
+	buf := make([]byte, outBuffSize)
+
+	if err := bfGetMappings(flags, 0, rootPtr, nil, &outBuffSize, &buf[0]); err != nil {
+		return nil, err
+	}
+
+	if outBuffSize < 12 {
+		return nil, fmt.Errorf("invalid buffer returned")
+	}
+
+	result := buf[:outBuffSize]
+
+	// The first 12 bytes are the three uint32 fields in getMappingsResponseHeader{}
+	headerBuffer := result[:12]
+	// The alternative to using unsafe and casting it to the above defined structures, is to manually
+	// parse the fields. Not too terrible, but not sure it'd worth the trouble.
+	header := *(*getMappingsResponseHeader)(unsafe.Pointer(&headerBuffer[0]))
+
+	if header.MappingCount == 0 {
+		// no mappings
+		return []BindMapping{}, nil
+	}
+
+	mappingsBuffer := result[12 : int(unsafe.Sizeof(mappingEntry{}))*int(header.MappingCount)]
+	// Get a pointer to the first mapping in the slice
+	mappingsPointer := (*mappingEntry)(unsafe.Pointer(&mappingsBuffer[0]))
+	// Get slice of mappings
+	mappings := unsafe.Slice(mappingsPointer, header.MappingCount)
+
+	mappingEntries := make([]BindMapping, header.MappingCount)
+	for i := 0; i < int(header.MappingCount); i++ {
+		bindMapping, err := getBindMappingFromBuffer(result, mappings[i])
+		if err != nil {
+			return nil, fmt.Errorf("fetching bind mappings: %w", err)
+		}
+		mappingEntries[i] = bindMapping
+	}
+
+	return mappingEntries, nil
+}
+
+// mappingEntry holds information about where in the response buffer we can
+// find information about the virtual root (the mount point) and the targets (sources)
+// that get mounted, as well as the flags used to bind the targets to the virtual root.
+type mappingEntry struct {
+	VirtRootLength      uint32
+	VirtRootOffset      uint32
+	Flags               uint32
+	NumberOfTargets     uint32
+	TargetEntriesOffset uint32
+}
+
+type mappingTargetEntry struct {
+	TargetRootLength uint32
+	TargetRootOffset uint32
+}
+
+// getMappingsResponseHeader represents the first 12 bytes of the BfGetMappings() response.
+// It gives us the size of the buffer, the status of the call and the number of mappings.
+// A response
+type getMappingsResponseHeader struct {
+	Size         uint32
+	Status       uint32
+	MappingCount uint32
+}
+
+type BindMapping struct {
+	MountPoint string
+	Flags      uint32
+	Targets    []string
+}
+
+func decodeEntry(buffer []byte) (string, error) {
+	name := make([]uint16, len(buffer)/2)
+	err := binary.Read(bytes.NewReader(buffer), binary.LittleEndian, &name)
+	if err != nil {
+		return "", fmt.Errorf("decoding name: %w", err)
+	}
+	return windows.UTF16ToString(name), nil
+}
+
+func getTargetsFromBuffer(buffer []byte, offset, count int) ([]string, error) {
+	if len(buffer) < offset+count*6 {
+		return nil, fmt.Errorf("invalid buffer")
+	}
+
+	targets := make([]string, count)
+	for i := 0; i < count; i++ {
+		entryBuf := buffer[offset+i*8 : offset+i*8+8]
+		tgt := *(*mappingTargetEntry)(unsafe.Pointer(&entryBuf[0]))
+		if len(buffer) < int(tgt.TargetRootOffset)+int(tgt.TargetRootLength) {
+			return nil, fmt.Errorf("invalid buffer")
+		}
+		decoded, err := decodeEntry(buffer[tgt.TargetRootOffset : tgt.TargetRootOffset+tgt.TargetRootLength])
+		if err != nil {
+			return nil, fmt.Errorf("decoding name: %w", err)
+		}
+		decoded, err = getFinalPath(decoded)
+		if err != nil {
+			return nil, fmt.Errorf("fetching final path: %w", err)
+		}
+
+		targets[i] = decoded
+	}
+	return targets, nil
+}
+
+func getFinalPath(pth string) (string, error) {
+	// BfGetMappings returns VOLUME_NAME_NT paths like \Device\HarddiskVolume2\ProgramData.
+	// These can be accessed by prepending \\.\GLOBALROOT to the path. We use this to get the
+	// DOS paths for these files.
+	if strings.HasPrefix(pth, `\Device`) {
+		pth = `\\.\GLOBALROOT` + pth
+	}
+
+	han, err := openPath(pth)
+	if err != nil {
+		return "", fmt.Errorf("fetching file handle: %w", err)
+	}
+	defer func() {
+		_ = windows.CloseHandle(han)
+	}()
+
+	buf := make([]uint16, 100)
+	var flags uint32 = 0x0
+	for {
+		n, err := windows.GetFinalPathNameByHandle(han, &buf[0], uint32(len(buf)), flags)
+		if err != nil {
+			// if we mounted a volume that does not also have a drive letter assigned, attempting to
+			// fetch the VOLUME_NAME_DOS will fail with os.ErrNotExist. Attempt to get the VOLUME_NAME_GUID.
+			if errors.Is(err, os.ErrNotExist) && flags != 0x1 {
+				flags = 0x1
+				continue
+			}
+			return "", fmt.Errorf("getting final path name: %w", err)
+		}
+		if n < uint32(len(buf)) {
+			break
+		}
+		buf = make([]uint16, n)
+	}
+	finalPath := syscall.UTF16ToString(buf)
+	// We got VOLUME_NAME_DOS, we need to strip away some leading slashes.
+	// Leave unchanged if we ended up requesting VOLUME_NAME_GUID
+	if len(finalPath) > 4 && finalPath[:4] == `\\?\` && flags == 0x0 {
+		finalPath = finalPath[4:]
+		if len(finalPath) > 3 && finalPath[:3] == `UNC` {
+			// return path like \\server\share\...
+			finalPath = `\` + finalPath[3:]
+		}
+	}
+
+	return finalPath, nil
+}
+
+func getBindMappingFromBuffer(buffer []byte, entry mappingEntry) (BindMapping, error) {
+	if len(buffer) < int(entry.VirtRootOffset)+int(entry.VirtRootLength) {
+		return BindMapping{}, fmt.Errorf("invalid buffer")
+	}
+
+	src, err := decodeEntry(buffer[entry.VirtRootOffset : entry.VirtRootOffset+entry.VirtRootLength])
+	if err != nil {
+		return BindMapping{}, fmt.Errorf("decoding entry: %w", err)
+	}
+	targets, err := getTargetsFromBuffer(buffer, int(entry.TargetEntriesOffset), int(entry.NumberOfTargets))
+	if err != nil {
+		return BindMapping{}, fmt.Errorf("fetching targets: %w", err)
+	}
+
+	src, err = getFinalPath(src)
+	if err != nil {
+		return BindMapping{}, fmt.Errorf("fetching final path: %w", err)
+	}
+
+	return BindMapping{
+		Flags:      entry.Flags,
+		Targets:    targets,
+		MountPoint: src,
+	}, nil
+}
+
+func openPath(path string) (windows.Handle, error) {
+	u16, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return 0, err
+	}
+	h, err := windows.CreateFile(
+		u16,
+		0,
+		windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE|windows.FILE_SHARE_DELETE,
+		nil,
+		windows.OPEN_EXISTING,
+		windows.FILE_FLAG_BACKUP_SEMANTICS, // Needed to open a directory handle.
+		0)
+	if err != nil {
+		return 0, &os.PathError{
+			Op:   "CreateFile",
+			Path: path,
+			Err:  err,
+		}
+	}
+	return h, nil
+}

vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go

@@ -0,0 +1,116 @@
+//go:build windows
+
+// Code generated by 'go generate' using "github.com/Microsoft/go-winio/tools/mkwinsyscall"; DO NOT EDIT.
+
+package bindfilter
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modbindfltapi = windows.NewLazySystemDLL("bindfltapi.dll")
+
+	procBfGetMappings   = modbindfltapi.NewProc("BfGetMappings")
+	procBfRemoveMapping = modbindfltapi.NewProc("BfRemoveMapping")
+	procBfSetupFilter   = modbindfltapi.NewProc("BfSetupFilter")
+)
+
+func bfGetMappings(flags uint32, jobHandle windows.Handle, virtRootPath *uint16, sid *windows.SID, bufferSize *uint32, outBuffer *byte) (hr error) {
+	hr = procBfGetMappings.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procBfGetMappings.Addr(), 6, uintptr(flags), uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(bufferSize)), uintptr(unsafe.Pointer(outBuffer)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func bfRemoveMapping(jobHandle windows.Handle, virtRootPath string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(virtRootPath)
+	if hr != nil {
+		return
+	}
+	return _bfRemoveMapping(jobHandle, _p0)
+}
+
+func _bfRemoveMapping(jobHandle windows.Handle, virtRootPath *uint16) (hr error) {
+	hr = procBfRemoveMapping.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procBfRemoveMapping.Addr(), 2, uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func bfSetupFilter(jobHandle windows.Handle, flags uint32, virtRootPath string, virtTargetPath string, virtExceptions **uint16, virtExceptionPathCount uint32) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(virtRootPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(virtTargetPath)
+	if hr != nil {
+		return
+	}
+	return _bfSetupFilter(jobHandle, flags, _p0, _p1, virtExceptions, virtExceptionPathCount)
+}
+
+func _bfSetupFilter(jobHandle windows.Handle, flags uint32, virtRootPath *uint16, virtTargetPath *uint16, virtExceptions **uint16, virtExceptionPathCount uint32) (hr error) {
+	hr = procBfSetupFilter.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procBfSetupFilter.Addr(), 6, uintptr(jobHandle), uintptr(flags), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(virtTargetPath)), uintptr(unsafe.Pointer(virtExceptions)), uintptr(virtExceptionPathCount))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}

vendor/github.com/containerd/continuity/.golangci.yml

@@ -1,7 +1,5 @@
 linters:
   enable:
-    - structcheck
-    - varcheck
     - staticcheck
     - unconvert
     - gofmt

vendor/github.com/containerd/continuity/context.go

@@ -18,6 +18,7 @@ package continuity
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -151,7 +152,7 @@ func (c *context) Resource(p string, fi os.FileInfo) (Resource, error) {
 	}
 
 	base.xattrs, err = c.resolveXAttrs(fp, fi, base)
-	if err != nil && err != ErrNotSupported {
+	if err != nil && !errors.Is(err, ErrNotSupported) {
 		return nil, err
 	}
 
@@ -410,7 +411,7 @@ func (c *context) Apply(resource Resource) error {
 		return fmt.Errorf("resource %v escapes root", resource)
 	}
 
-	var chmod = true
+	chmod := true
 	fi, err := c.driver.Lstat(fp)
 	if err != nil {
 		if !os.IsNotExist(err) {

vendor/github.com/containerd/continuity/driver/utils.go

@@ -56,7 +56,7 @@ func WriteFile(r Driver, filename string, data []byte, perm os.FileMode) error {
 	return nil
 }
 
-// ReadDir works the same as ioutil.ReadDir with the Driver abstraction
+// ReadDir works the same as os.ReadDir with the Driver abstraction
 func ReadDir(r Driver, dirname string) ([]os.FileInfo, error) {
 	f, err := r.Open(dirname)
 	if err != nil {

vendor/github.com/containerd/continuity/fs/copy.go

@@ -18,7 +18,6 @@ package fs
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sync"
@@ -111,7 +110,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 		}
 	}
 
-	fis, err := ioutil.ReadDir(src)
+	entries, err := os.ReadDir(src)
 	if err != nil {
 		return fmt.Errorf("failed to read %s: %w", src, err)
 	}
@@ -124,18 +123,23 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 		return fmt.Errorf("failed to copy xattrs: %w", err)
 	}
 
-	for _, fi := range fis {
-		source := filepath.Join(src, fi.Name())
-		target := filepath.Join(dst, fi.Name())
+	for _, entry := range entries {
+		source := filepath.Join(src, entry.Name())
+		target := filepath.Join(dst, entry.Name())
+
+		fileInfo, err := entry.Info()
+		if err != nil {
+			return fmt.Errorf("failed to get file info for %s: %w", entry.Name(), err)
+		}
 
 		switch {
-		case fi.IsDir():
+		case entry.IsDir():
 			if err := copyDirectory(target, source, inodes, o); err != nil {
 				return err
 			}
 			continue
-		case (fi.Mode() & os.ModeType) == 0:
-			link, err := getLinkSource(target, fi, inodes)
+		case (fileInfo.Mode() & os.ModeType) == 0:
+			link, err := getLinkSource(target, fileInfo, inodes)
 			if err != nil {
 				return fmt.Errorf("failed to get hardlink: %w", err)
 			}
@@ -146,7 +150,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 			} else if err := CopyFile(target, source); err != nil {
 				return fmt.Errorf("failed to copy files: %w", err)
 			}
-		case (fi.Mode() & os.ModeSymlink) == os.ModeSymlink:
+		case (fileInfo.Mode() & os.ModeSymlink) == os.ModeSymlink:
 			link, err := os.Readlink(source)
 			if err != nil {
 				return fmt.Errorf("failed to read link: %s: %w", source, err)
@@ -154,18 +158,18 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 			if err := os.Symlink(link, target); err != nil {
 				return fmt.Errorf("failed to create symlink: %s: %w", target, err)
 			}
-		case (fi.Mode() & os.ModeDevice) == os.ModeDevice,
-			(fi.Mode() & os.ModeNamedPipe) == os.ModeNamedPipe,
-			(fi.Mode() & os.ModeSocket) == os.ModeSocket:
-			if err := copyIrregular(target, fi); err != nil {
+		case (fileInfo.Mode() & os.ModeDevice) == os.ModeDevice,
+			(fileInfo.Mode() & os.ModeNamedPipe) == os.ModeNamedPipe,
+			(fileInfo.Mode() & os.ModeSocket) == os.ModeSocket:
+			if err := copyIrregular(target, fileInfo); err != nil {
 				return fmt.Errorf("failed to create irregular file: %w", err)
 			}
 		default:
-			logrus.Warnf("unsupported mode: %s: %s", source, fi.Mode())
+			logrus.Warnf("unsupported mode: %s: %s", source, fileInfo.Mode())
 			continue
 		}
 
-		if err := copyFileInfo(fi, source, target); err != nil {
+		if err := copyFileInfo(fileInfo, source, target); err != nil {
 			return fmt.Errorf("failed to copy file info: %w", err)
 		}
 

vendor/github.com/containerd/continuity/fs/copy_windows.go

@@ -49,7 +49,6 @@ func copyFileInfo(fi os.FileInfo, src, name string) error {
 	secInfo, err := windows.GetNamedSecurityInfo(
 		src, windows.SE_FILE_OBJECT,
 		windows.OWNER_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION)
-
 	if err != nil {
 		return err
 	}
@@ -68,7 +67,6 @@ func copyFileInfo(fi os.FileInfo, src, name string) error {
 		name, windows.SE_FILE_OBJECT,
 		windows.OWNER_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION,
 		sid, nil, dacl, nil); err != nil {
-
 		return err
 	}
 	return nil

vendor/github.com/containerd/continuity/fs/diff.go

@@ -80,12 +80,13 @@ type ChangeFunc func(ChangeKind, string, os.FileInfo, error) error
 //
 // The change callback is called by the order of path names and
 // should be appliable in that order.
-//  Due to this apply ordering, the following is true
-//  - Removed directory trees only create a single change for the root
-//    directory removed. Remaining changes are implied.
-//  - A directory which is modified to become a file will not have
-//    delete entries for sub-path items, their removal is implied
-//    by the removal of the parent directory.
+//
+//	Due to this apply ordering, the following is true
+//	- Removed directory trees only create a single change for the root
+//	  directory removed. Remaining changes are implied.
+//	- A directory which is modified to become a file will not have
+//	  delete entries for sub-path items, their removal is implied
+//	  by the removal of the parent directory.
 //
 // Opaque directories will not be treated specially and each file
 // removed from the base directory will show up as a removal.

vendor/github.com/containerd/continuity/fs/dtype_linux.go

@@ -21,14 +21,13 @@ package fs
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"syscall"
 	"unsafe"
 )
 
 func locateDummyIfEmpty(path string) (string, error) {
-	children, err := ioutil.ReadDir(path)
+	children, err := os.ReadDir(path)
 	if err != nil {
 		return "", err
 	}

vendor/github.com/containerd/continuity/fs/du_unix.go

@@ -28,10 +28,11 @@ import (
 
 // blocksUnitSize is the unit used by `st_blocks` in `stat` in bytes.
 // See https://man7.org/linux/man-pages/man2/stat.2.html
-//   st_blocks
-//     This field indicates the number of blocks allocated to the
-//     file, in 512-byte units.  (This may be smaller than
-//     st_size/512 when the file has holes.)
+//
+//	st_blocks
+//	  This field indicates the number of blocks allocated to the
+//	  file, in 512-byte units.  (This may be smaller than
+//	  st_size/512 when the file has holes.)
 const blocksUnitSize = 512
 
 type inode struct {
@@ -48,7 +49,6 @@ func newInode(stat *syscall.Stat_t) inode {
 }
 
 func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
-
 	var (
 		size   int64
 		inodes = map[inode]struct{}{} // expensive!

vendor/github.com/containerd/continuity/fs/du_windows.go

@@ -26,9 +26,7 @@ import (
 )
 
 func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
-	var (
-		size int64
-	)
+	var size int64
 
 	// TODO(stevvooe): Support inodes (or equivalent) for windows.
 
@@ -57,9 +55,7 @@ func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
 }
 
 func diffUsage(ctx context.Context, a, b string) (Usage, error) {
-	var (
-		size int64
-	)
+	var size int64
 
 	if err := Changes(ctx, a, b, func(kind ChangeKind, _ string, fi os.FileInfo, err error) error {
 		if err != nil {

vendor/github.com/containerd/continuity/fs/fstest/compare_windows.go

@@ -16,9 +16,15 @@
 
 package fstest
 
-// TODO: Any more metadata files generated by Windows layers?
-// TODO: Also skip Recycle Bin contents in Windows layers which is used to store deleted files in some cases
 var metadataFiles = map[string]bool{
-	"\\System Volume Information": true,
-	"\\WcSandboxState":            true,
+	"\\System Volume Information":           true,
+	"\\WcSandboxState":                      true,
+	"\\Windows":                             true,
+	"\\Windows\\System32":                   true,
+	"\\Windows\\System32\\config":           true,
+	"\\Windows\\System32\\config\\DEFAULT":  true,
+	"\\Windows\\System32\\config\\SAM":      true,
+	"\\Windows\\System32\\config\\SECURITY": true,
+	"\\Windows\\System32\\config\\SOFTWARE": true,
+	"\\Windows\\System32\\config\\SYSTEM":   true,
 }

vendor/github.com/containerd/continuity/fs/fstest/continuity_util.go

@@ -129,7 +129,6 @@ func compareResource(r1, r2 continuity.Resource) bool {
 	// TODO(dmcgowan): Check if is XAttrer
 
 	return compareResourceTypes(r1, r2)
-
 }
 
 func compareResourceTypes(r1, r2 continuity.Resource) bool {

vendor/github.com/containerd/continuity/fs/fstest/file_windows.go

@@ -32,13 +32,13 @@ func Lchtimes(name string, atime, mtime time.Time) Applier {
 // that the filter will mount. It is used for testing the snapshotter
 func Base() Applier {
 	return Apply(
-		CreateDir("Windows", 0755),
-		CreateDir("Windows/System32", 0755),
-		CreateDir("Windows/System32/Config", 0755),
-		CreateFile("Windows/System32/Config/SYSTEM", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/SOFTWARE", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/SAM", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/SECURITY", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/DEFAULT", []byte("foo\n"), 0777),
+		CreateDir("Windows", 0o755),
+		CreateDir("Windows/System32", 0o755),
+		CreateDir("Windows/System32/Config", 0o755),
+		CreateFile("Windows/System32/Config/SYSTEM", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/SOFTWARE", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/SAM", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/SECURITY", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/DEFAULT", []byte("foo\n"), 0o777),
 	)
 }

vendor/github.com/containerd/continuity/fs/fstest/testsuite.go

@@ -81,14 +81,14 @@ var (
 	// baseApplier creates a basic filesystem layout
 	// with multiple types of files for basic tests.
 	baseApplier = Apply(
-		CreateDir("/etc/", 0755),
-		CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0644),
+		CreateDir("/etc/", 0o755),
+		CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0o644),
 		Link("/etc/hosts", "/etc/hosts.allow"),
-		CreateDir("/usr/local/lib", 0755),
-		CreateFile("/usr/local/lib/libnothing.so", []byte{0x00, 0x00}, 0755),
+		CreateDir("/usr/local/lib", 0o755),
+		CreateFile("/usr/local/lib/libnothing.so", []byte{0x00, 0x00}, 0o755),
 		Symlink("libnothing.so", "/usr/local/lib/libnothing.so.2"),
-		CreateDir("/home", 0755),
-		CreateDir("/home/derek", 0700),
+		CreateDir("/home", 0o755),
+		CreateDir("/home/derek", 0o700),
 		// TODO: CreateSocket: how should Sockets be handled in continuity?
 	)
 
@@ -96,10 +96,10 @@ var (
 	basicTest = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
-			CreateFile("/etc/fstab", []byte("/dev/sda1\t/\text4\tdefaults 1 1\n"), 0600),
-			CreateFile("/etc/badfile", []byte(""), 0666),
-			CreateFile("/home/derek/.zshrc", []byte("#ZSH is just better\n"), 0640),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
+			CreateFile("/etc/fstab", []byte("/dev/sda1\t/\text4\tdefaults 1 1\n"), 0o600),
+			CreateFile("/etc/badfile", []byte(""), 0o666),
+			CreateFile("/home/derek/.zshrc", []byte("#ZSH is just better\n"), 0o640),
 		),
 		Apply(
 			Remove("/etc/badfile"),
@@ -111,8 +111,8 @@ var (
 		),
 		Apply(
 			RemoveAll("/home"),
-			CreateDir("/home/derek", 0700),
-			CreateFile("/home/derek/.bashrc", []byte("#not going away\n"), 0640),
+			CreateDir("/home/derek", 0o700),
+			CreateFile("/home/derek/.bashrc", []byte("#not going away\n"), 0o640),
 			Link("/etc/hosts", "/etc/hosts.allow"),
 		),
 	}
@@ -121,58 +121,58 @@ var (
 	// deletions are properly picked up and applied
 	deletionTest = []Applier{
 		Apply(
-			CreateDir("/test/somedir", 0755),
-			CreateDir("/lib", 0700),
-			CreateFile("/lib/hidden", []byte{}, 0644),
+			CreateDir("/test/somedir", 0o755),
+			CreateDir("/lib", 0o700),
+			CreateFile("/lib/hidden", []byte{}, 0o644),
 		),
 		Apply(
-			CreateFile("/test/a", []byte{}, 0644),
-			CreateFile("/test/b", []byte{}, 0644),
-			CreateDir("/test/otherdir", 0755),
-			CreateFile("/test/otherdir/.empty", []byte{}, 0644),
+			CreateFile("/test/a", []byte{}, 0o644),
+			CreateFile("/test/b", []byte{}, 0o644),
+			CreateDir("/test/otherdir", 0o755),
+			CreateFile("/test/otherdir/.empty", []byte{}, 0o644),
 			RemoveAll("/lib"),
-			CreateDir("/lib", 0700),
-			CreateFile("/lib/not-hidden", []byte{}, 0644),
+			CreateDir("/lib", 0o700),
+			CreateFile("/lib/not-hidden", []byte{}, 0o644),
 		),
 		Apply(
 			Remove("/test/a"),
 			Remove("/test/b"),
 			RemoveAll("/test/otherdir"),
-			CreateFile("/lib/newfile", []byte{}, 0644),
+			CreateFile("/lib/newfile", []byte{}, 0o644),
 		),
 	}
 
 	// updateTest covers file updates for content and permission
 	updateTest = []Applier{
 		Apply(
-			CreateDir("/d1", 0755),
-			CreateDir("/d2", 0700),
-			CreateFile("/d1/f1", []byte("something..."), 0644),
-			CreateFile("/d1/f2", []byte("else..."), 0644),
-			CreateFile("/d1/f3", []byte("entirely..."), 0644),
+			CreateDir("/d1", 0o755),
+			CreateDir("/d2", 0o700),
+			CreateFile("/d1/f1", []byte("something..."), 0o644),
+			CreateFile("/d1/f2", []byte("else..."), 0o644),
+			CreateFile("/d1/f3", []byte("entirely..."), 0o644),
 		),
 		Apply(
-			CreateFile("/d1/f1", []byte("file content of a different length"), 0664),
+			CreateFile("/d1/f1", []byte("file content of a different length"), 0o664),
 			Remove("/d1/f3"),
-			CreateFile("/d1/f3", []byte("updated content"), 0664),
-			Chmod("/d1/f2", 0766),
-			Chmod("/d2", 0777),
+			CreateFile("/d1/f3", []byte("updated content"), 0o664),
+			Chmod("/d1/f2", 0o766),
+			Chmod("/d2", 0o777),
 		),
 	}
 
 	// directoryPermissionsTest covers directory permissions on update
 	directoryPermissionsTest = []Applier{
 		Apply(
-			CreateDir("/d1", 0700),
-			CreateDir("/d2", 0751),
-			CreateDir("/d3", 0777),
+			CreateDir("/d1", 0o700),
+			CreateDir("/d2", 0o751),
+			CreateDir("/d3", 0o777),
 		),
 		Apply(
-			CreateFile("/d1/f", []byte("irrelevant"), 0644),
-			CreateDir("/d1/d", 0700),
-			CreateFile("/d1/d/f", []byte("irrelevant"), 0644),
-			CreateFile("/d2/f", []byte("irrelevant"), 0644),
-			CreateFile("/d3/f", []byte("irrelevant"), 0644),
+			CreateFile("/d1/f", []byte("irrelevant"), 0o644),
+			CreateDir("/d1/d", 0o700),
+			CreateFile("/d1/d/f", []byte("irrelevant"), 0o644),
+			CreateFile("/d2/f", []byte("irrelevant"), 0o644),
+			CreateFile("/d3/f", []byte("irrelevant"), 0o644),
 		),
 	}
 
@@ -180,28 +180,28 @@ var (
 	// files
 	parentDirectoryPermissionsTest = []Applier{
 		Apply(
-			CreateDir("/d1", 0700),
-			CreateDir("/d1/a", 0700),
-			CreateDir("/d1/a/b", 0700),
-			CreateDir("/d1/a/b/c", 0700),
-			CreateFile("/d1/a/b/f", []byte("content1"), 0644),
-			CreateDir("/d2", 0751),
-			CreateDir("/d2/a/b", 0751),
-			CreateDir("/d2/a/b/c", 0751),
-			CreateFile("/d2/a/b/f", []byte("content1"), 0644),
+			CreateDir("/d1", 0o700),
+			CreateDir("/d1/a", 0o700),
+			CreateDir("/d1/a/b", 0o700),
+			CreateDir("/d1/a/b/c", 0o700),
+			CreateFile("/d1/a/b/f", []byte("content1"), 0o644),
+			CreateDir("/d2", 0o751),
+			CreateDir("/d2/a/b", 0o751),
+			CreateDir("/d2/a/b/c", 0o751),
+			CreateFile("/d2/a/b/f", []byte("content1"), 0o644),
 		),
 		Apply(
-			CreateFile("/d1/a/b/f", []byte("content1"), 0644),
-			Chmod("/d1/a/b/c", 0700),
-			CreateFile("/d2/a/b/f", []byte("content2"), 0644),
-			Chmod("/d2/a/b/c", 0751),
+			CreateFile("/d1/a/b/f", []byte("content1"), 0o644),
+			Chmod("/d1/a/b/c", 0o700),
+			CreateFile("/d2/a/b/f", []byte("content2"), 0o644),
+			Chmod("/d2/a/b/c", 0o751),
 		),
 	}
 
 	hardlinkUnmodified = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
 		),
 		Apply(
 			Link("/etc/hosts", "/etc/hosts.deny"),
@@ -213,7 +213,7 @@ var (
 	hardlinkBeforeUnmodified = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
 		),
 		Apply(
 			Link("/etc/hosts", "/etc/before-hosts"),
@@ -225,11 +225,11 @@ var (
 	hardlinkBeforeModified = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
 		),
 		Apply(
 			Remove("/etc/hosts"),
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0o644),
 			Link("/etc/hosts", "/etc/before-hosts"),
 		),
 	}

vendor/github.com/containerd/continuity/fs/path.go

@@ -25,9 +25,7 @@ import (
 	"path/filepath"
 )
 
-var (
-	errTooManyLinks = errors.New("too many links")
-)
+var errTooManyLinks = errors.New("too many links")
 
 type currentPath struct {
 	path     string

vendor/github.com/containerd/continuity/hardlinks.go

@@ -21,9 +21,7 @@ import (
 	"os"
 )
 
-var (
-	errNotAHardLink = fmt.Errorf("invalid hardlink")
-)
+var errNotAHardLink = fmt.Errorf("invalid hardlink")
 
 type hardlinkManager struct {
 	hardlinks map[hardlinkKey][]Resource