go.mod doesn't always do a great job on keeping the dependencies grouped in the
right block; 2b60770c4b added an extra "require"
block, after which things went downward.
This patch is grouping them back in the right block to nudge it in the right
direction.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes https://github.com/containerd/containerd/issues/7695. The default profile allows processes within the container to trace others, but blocks reads/traces. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. seccomp-bpf, yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms to reduce the scopes in which the API can be used. This enables reading from /proc/* files provided the tracer process passes all other checks.
Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com>
Upgrade actions/github-script from v3 to v6 to resolve Node.js 12
and `set-output` command warnings.
Upgrade google-github-actions/upload-cloud-storage from v0.8.0 to
v0.10.4 to resolve `set-output` command warnings.
Upgrade actions/checkout from v2 to v3 to resolve Node.js 12 warnings.
Remove references to `set-output` command from workflow.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
All pause container object references must be removed
from sbserver. This is an implementation detail of
podsandbox package.
Added TODOs for remaining work.
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Fixes an edge case where `WithLabels` would overwrite `WithExpiration`
on a lease when using client options.
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
WithModTimeUpperBound sets the upper bound value of the ModTime property
of the tar entry structs.
WithSourceDateEpoch now implies WithModTimeUpperBound too,
in addition to WithWhiteoutTime.
For moby/buildkit issue 3296
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Follow up to 94faa70df4. The commit referenced allowed `ptrace` calls in the default seccomp profile following the usual tracing security checks in for Kernels newer than 4.8. Kernels prior to this version are susceptible to [CVE-2019-2054](https://github.com/advisories/GHSA-qgfr-27qf-f323). Moby's default had allowed for `ptrace` for kernels newer than 4.8 at the time the commit was created. The current [seccomp default](https://github.com/moby/moby/blob/master/profiles/seccomp/default_linux.go#L405-L417) has been updated to include `process_vm_read` and `process_vm_write`. Mirror that policy to complete the classic ptrace set of APIs.
Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com>
