github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vendor: bump runc to 1.1.3

Browse Source 
Release notes:
 https://github.com/opencontainers/runc/releases/tag/v1.1.3

In particular, this one is important:

 * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now
   works as intended; this fix does not affect runc binary itself but
   is important for libcontainer users such as Kubernetes. (#3476)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin
2022-06-09 16:18:21 -07:00
parent 5f40fb05cb
commit 865c9e8fb9
20 changed files with 408 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files

253
vendor/github.com/seccomp/libseccomp-golang/seccomp.go generated vendored
View File

@@ -1,5 +1,3 @@
// +build linux
// Public API specification for libseccomp Go bindings
// Contains public API for the bindings
@@ -18,48 +16,36 @@ import (
"unsafe"
)
// C wrapping code
// To compile libseccomp-golang against a specific version of libseccomp:
// cd ../libseccomp && mkdir -p prefix
// ./configure --prefix=$PWD/prefix && make && make install
// cd ../libseccomp-golang
// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
// #cgo pkg-config: libseccomp
// #include <stdlib.h>
// #include <seccomp.h>
import "C"
// Exported types
// VersionError denotes that the system libseccomp version is incompatible
// with this package.
// VersionError represents an error when either the system libseccomp version
// or the kernel version is too old to perform the operation requested.
type VersionError struct {
message string
minimum string
op string // operation that failed or would fail
major, minor, micro uint // minimally required libseccomp version
curAPI, minAPI uint // current and minimally required API versions
}
func init() {
// This forces the cgo libseccomp to initialize its internal API support state,
// which is necessary on older versions of libseccomp in order to work
// correctly.
GetAPI()
_, _ = getAPI()
}
func (e VersionError) Error() string {
messageStr := ""
if e.message != "" {
messageStr = e.message + ": "
if e.minAPI != 0 {
return fmt.Sprintf("%s requires libseccomp >= %d.%d.%d and API level >= %d "+
"(current version: %d.%d.%d, API level: %d)",
e.op, e.major, e.minor, e.micro, e.minAPI,
verMajor, verMinor, verMicro, e.curAPI)
}
minimumStr := ""
if e.minimum != "" {
minimumStr = e.minimum
} else {
minimumStr = "2.2.0"
}
return fmt.Sprintf("Libseccomp version too low: %sminimum supported is %s: detected %d.%d.%d", messageStr, minimumStr, verMajor, verMinor, verMicro)
return fmt.Sprintf("%s requires libseccomp >= %d.%d.%d (current version: %d.%d.%d)",
e.op, e.major, e.minor, e.micro, verMajor, verMinor, verMicro)
}
// ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
@@ -148,44 +134,46 @@ const (
// variables are invalid
ArchInvalid ScmpArch = iota
// ArchNative is the native architecture of the kernel
ArchNative ScmpArch = iota
ArchNative
// ArchX86 represents 32-bit x86 syscalls
ArchX86 ScmpArch = iota
ArchX86
// ArchAMD64 represents 64-bit x86-64 syscalls
ArchAMD64 ScmpArch = iota
ArchAMD64
// ArchX32 represents 64-bit x86-64 syscalls (32-bit pointers)
ArchX32 ScmpArch = iota
ArchX32
// ArchARM represents 32-bit ARM syscalls
ArchARM ScmpArch = iota
ArchARM
// ArchARM64 represents 64-bit ARM syscalls
ArchARM64 ScmpArch = iota
ArchARM64
// ArchMIPS represents 32-bit MIPS syscalls
ArchMIPS ScmpArch = iota
ArchMIPS
// ArchMIPS64 represents 64-bit MIPS syscalls
ArchMIPS64 ScmpArch = iota
ArchMIPS64
// ArchMIPS64N32 represents 64-bit MIPS syscalls (32-bit pointers)
ArchMIPS64N32 ScmpArch = iota
ArchMIPS64N32
// ArchMIPSEL represents 32-bit MIPS syscalls (little endian)
ArchMIPSEL ScmpArch = iota
ArchMIPSEL
// ArchMIPSEL64 represents 64-bit MIPS syscalls (little endian)
ArchMIPSEL64 ScmpArch = iota
ArchMIPSEL64
// ArchMIPSEL64N32 represents 64-bit MIPS syscalls (little endian,
// 32-bit pointers)
ArchMIPSEL64N32 ScmpArch = iota
ArchMIPSEL64N32
// ArchPPC represents 32-bit POWERPC syscalls
ArchPPC ScmpArch = iota
ArchPPC
// ArchPPC64 represents 64-bit POWER syscalls (big endian)
ArchPPC64 ScmpArch = iota
ArchPPC64
// ArchPPC64LE represents 64-bit POWER syscalls (little endian)
ArchPPC64LE ScmpArch = iota
ArchPPC64LE
// ArchS390 represents 31-bit System z/390 syscalls
ArchS390 ScmpArch = iota
ArchS390
// ArchS390X represents 64-bit System z/390 syscalls
ArchS390X ScmpArch = iota
ArchS390X
// ArchPARISC represents 32-bit PA-RISC
ArchPARISC ScmpArch = iota
ArchPARISC
// ArchPARISC64 represents 64-bit PA-RISC
ArchPARISC64 ScmpArch = iota
ArchPARISC64
// ArchRISCV64 represents RISCV64
ArchRISCV64
)
const (
@@ -194,34 +182,36 @@ const (
// ActInvalid is a placeholder to ensure uninitialized ScmpAction
// variables are invalid
ActInvalid ScmpAction = iota
// ActKill kills the thread that violated the rule. It is the same as ActKillThread.
// ActKillThread kills the thread that violated the rule.
// All other threads from the same thread group will continue to execute.
ActKill ScmpAction = iota
ActKillThread
// ActTrap throws SIGSYS
ActTrap ScmpAction = iota
ActTrap
// ActNotify triggers a userspace notification. This action is only usable when
// libseccomp API level 6 or higher is supported.
ActNotify ScmpAction = iota
ActNotify
// ActErrno causes the syscall to return a negative error code. This
// code can be set with the SetReturnCode method
ActErrno ScmpAction = iota
ActErrno
// ActTrace causes the syscall to notify tracing processes with the
// given error code. This code can be set with the SetReturnCode method
ActTrace ScmpAction = iota
ActTrace
// ActAllow permits the syscall to continue execution
ActAllow ScmpAction = iota
ActAllow
// ActLog permits the syscall to continue execution after logging it.
// This action is only usable when libseccomp API level 3 or higher is
// supported.
ActLog ScmpAction = iota
// ActKillThread kills the thread that violated the rule. It is the same as ActKill.
// All other threads from the same thread group will continue to execute.
ActKillThread ScmpAction = iota
ActLog
// ActKillProcess kills the process that violated the rule.
// All threads in the thread group are also terminated.
// This action is only usable when libseccomp API level 3 or higher is
// supported.
ActKillProcess ScmpAction = iota
ActKillProcess
// ActKill kills the thread that violated the rule.
// All other threads from the same thread group will continue to execute.
//
// Deprecated: use ActKillThread
ActKill = ActKillThread
)
const (
@@ -234,36 +224,35 @@ const (
CompareInvalid ScmpCompareOp = iota
// CompareNotEqual returns true if the argument is not equal to the
// given value
CompareNotEqual ScmpCompareOp = iota
CompareNotEqual
// CompareLess returns true if the argument is less than the given value
CompareLess ScmpCompareOp = iota
CompareLess
// CompareLessOrEqual returns true if the argument is less than or equal
// to the given value
CompareLessOrEqual ScmpCompareOp = iota
CompareLessOrEqual
// CompareEqual returns true if the argument is equal to the given value
CompareEqual ScmpCompareOp = iota
CompareEqual
// CompareGreaterEqual returns true if the argument is greater than or
// equal to the given value
CompareGreaterEqual ScmpCompareOp = iota
CompareGreaterEqual
// CompareGreater returns true if the argument is greater than the given
// value
CompareGreater ScmpCompareOp = iota
// CompareMaskedEqual returns true if the argument is equal to the given
// value, when masked (bitwise &) against the second given value
CompareMaskedEqual ScmpCompareOp = iota
CompareGreater
// CompareMaskedEqual returns true if the masked argument value is
// equal to the masked datum value. Mask is the first argument, and
// datum is the second one.
CompareMaskedEqual
)
var (
// ErrSyscallDoesNotExist represents an error condition where
// libseccomp is unable to resolve the syscall
ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name")
)
// ErrSyscallDoesNotExist represents an error condition where
// libseccomp is unable to resolve the syscall
var ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name")
const (
// Userspace notification response flags
// NotifRespFlagContinue tells the kernel to continue executing the system
// call that triggered the notification. Must only be used when the notication
// call that triggered the notification. Must only be used when the notification
// response's error is 0.
NotifRespFlagContinue uint32 = 1
)
@@ -314,6 +303,8 @@ func GetArchFromString(arch string) (ScmpArch, error) {
return ArchPARISC, nil
case "parisc64":
return ArchPARISC64, nil
case "riscv64":
return ArchRISCV64, nil
default:
return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
}
@@ -358,6 +349,8 @@ func (a ScmpArch) String() string {
return "parisc"
case ArchPARISC64:
return "parisc64"
case ArchRISCV64:
return "riscv64"
case ArchNative:
return "native"
case ArchInvalid:
@@ -394,7 +387,7 @@ func (a ScmpCompareOp) String() string {
// String returns a string representation of a seccomp match action
func (a ScmpAction) String() string {
switch a & 0xFFFF {
case ActKill, ActKillThread:
case ActKillThread:
return "Action: Kill thread"
case ActKillProcess:
return "Action: Kill process"
@@ -556,8 +549,8 @@ func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCo
return condStruct, err
}
if comparison == CompareInvalid {
return condStruct, fmt.Errorf("invalid comparison operator")
if err := sanitizeCompareOp(comparison); err != nil {
return condStruct, err
} else if arg > 5 {
return condStruct, fmt.Errorf("syscalls only have up to 6 arguments (%d given)", arg)
} else if len(values) > 2 {
@@ -874,10 +867,8 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
func (f *ScmpFilter) GetLogBit() (bool, error) {
log, err := f.getFilterAttr(filterAttrLog)
if err != nil {
// Ignore error, if not supported returns apiLevel == 0
apiLevel, _ := GetAPI()
if apiLevel < 3 {
return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
if e := checkAPI("GetLogBit", 3, 2, 4, 0); e != nil {
err = e
}
return false, err
@@ -899,9 +890,8 @@ func (f *ScmpFilter) GetLogBit() (bool, error) {
func (f *ScmpFilter) GetSSB() (bool, error) {
ssb, err := f.getFilterAttr(filterAttrSSB)
if err != nil {
api, apiErr := getAPI()
if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
return false, fmt.Errorf("getting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
if e := checkAPI("GetSSB", 4, 2, 5, 0); e != nil {
err = e
}
return false, err
@@ -914,6 +904,42 @@ func (f *ScmpFilter) GetSSB() (bool, error) {
return true, nil
}
// GetOptimize returns the current optimization level of the filter,
// or an error if an issue was encountered retrieving the value.
// See SetOptimize for more details.
func (f *ScmpFilter) GetOptimize() (int, error) {
level, err := f.getFilterAttr(filterAttrOptimize)
if err != nil {
if e := checkAPI("GetOptimize", 4, 2, 5, 0); e != nil {
err = e
}
return 0, err
}
return int(level), nil
}
// GetRawRC returns the current state of RawRC flag, or an error
// if an issue was encountered retrieving the value.
// See SetRawRC for more details.
func (f *ScmpFilter) GetRawRC() (bool, error) {
rawrc, err := f.getFilterAttr(filterAttrRawRC)
if err != nil {
if e := checkAPI("GetRawRC", 4, 2, 5, 0); e != nil {
err = e
}
return false, err
}
if rawrc == 0 {
return false, nil
}
return true, nil
}
// SetBadArchAction sets the default action taken on a syscall for an
// architecture not in the filter, or an error if an issue was encountered
// setting the value.
@@ -953,10 +979,8 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
err := f.setFilterAttr(filterAttrLog, toSet)
if err != nil {
// Ignore error, if not supported returns apiLevel == 0
apiLevel, _ := GetAPI()
if apiLevel < 3 {
return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
if e := checkAPI("SetLogBit", 3, 2, 4, 0); e != nil {
err = e
}
}
@@ -976,9 +1000,52 @@ func (f *ScmpFilter) SetSSB(state bool) error {
err := f.setFilterAttr(filterAttrSSB, toSet)
if err != nil {
api, apiErr := getAPI()
if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
return fmt.Errorf("setting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
if e := checkAPI("SetSSB", 4, 2, 5, 0); e != nil {
err = e
}
}
return err
}
// SetOptimize sets optimization level of the seccomp filter. By default
// libseccomp generates a set of sequential "if" statements for each rule in
// the filter. SetSyscallPriority can be used to prioritize the order for the
// default cause. The binary tree optimization sorts by syscall numbers and
// generates consistent O(log n) filter traversal for every rule in the filter.
// The binary tree may be advantageous for large filters. Note that
// SetSyscallPriority is ignored when level == 2.
//
// The different optimization levels are:
// 0: Reserved value, not currently used.
// 1: Rules sorted by priority and complexity (DEFAULT).
// 2: Binary tree sorted by syscall number.
func (f *ScmpFilter) SetOptimize(level int) error {
cLevel := C.uint32_t(level)
err := f.setFilterAttr(filterAttrOptimize, cLevel)
if err != nil {
if e := checkAPI("SetOptimize", 4, 2, 5, 0); e != nil {
err = e
}
}
return err
}
// SetRawRC sets whether libseccomp should pass system error codes back to the
// caller, instead of the default ECANCELED. Defaults to false.
func (f *ScmpFilter) SetRawRC(state bool) error {
var toSet C.uint32_t = 0x0
if state {
toSet = 0x1
}
err := f.setFilterAttr(filterAttrRawRC, toSet)
if err != nil {
if e := checkAPI("SetRawRC", 4, 2, 5, 0); e != nil {
err = e
}
}
@@ -1029,9 +1096,6 @@ func (f *ScmpFilter) AddRuleExact(call ScmpSyscall, action ScmpAction) error {
// AddRuleConditional adds a single rule for a conditional action on a syscall.
// Returns an error if an issue was encountered adding the rule.
// All conditions must match for the rule to match.
// There is a bug in library versions below v2.2.1 which can, in some cases,
// cause conditions to be lost when more than one are used. Consequently,
// AddRuleConditional is disabled on library versions lower than v2.2.1
func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error {
return f.addRuleGeneric(call, action, false, conds)
}
@@ -1043,9 +1107,6 @@ func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, con
// The rule will function exactly as described, but it may not function identically
// (or be able to be applied to) all architectures.
// Returns an error if an issue was encountered adding the rule.
// There is a bug in library versions below v2.2.1 which can, in some cases,
// cause conditions to be lost when more than one are used. Consequently,
// AddRuleConditionalExact is disabled on library versions lower than v2.2.1
func (f *ScmpFilter) AddRuleConditionalExact(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error {
return f.addRuleGeneric(call, action, true, conds)
}