matching the version that's used by containerd 1.0.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
... | ... |
@@ -3,7 +3,7 @@ |
3 | 3 |
TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a |
4 | 4 |
|
5 | 5 |
# When updating RUNC_COMMIT, also update runc in vendor.conf accordingly |
6 |
-RUNC_COMMIT=b2567b37d7b75eb4cf325b77297b140ea686ce8f |
|
6 |
+RUNC_COMMIT=7f24b40cc5423969b4554ef04ba0b00e2b4ba010 |
|
7 | 7 |
|
8 | 8 |
# containerd is also pinned in vendor.conf. When updating the binary |
9 | 9 |
# version you may also need to update the vendor version to pick up bug |
... | ... |
@@ -66,7 +66,7 @@ github.com/pborman/uuid v1.0 |
66 | 66 |
google.golang.org/grpc v1.3.0 |
67 | 67 |
|
68 | 68 |
# When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly |
69 |
-github.com/opencontainers/runc b2567b37d7b75eb4cf325b77297b140ea686ce8f |
|
69 |
+github.com/opencontainers/runc 7f24b40cc5423969b4554ef04ba0b00e2b4ba010 |
|
70 | 70 |
github.com/opencontainers/runtime-spec v1.0.1 |
71 | 71 |
github.com/opencontainers/image-spec v1.0.1 |
72 | 72 |
github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 |
... | ... |
@@ -56,7 +56,7 @@ make BUILDTAGS='seccomp apparmor' |
56 | 56 |
|-----------|------------------------------------|-------------| |
57 | 57 |
| seccomp | Syscall filtering | libseccomp | |
58 | 58 |
| selinux | selinux process and mount labeling | <none> | |
59 |
-| apparmor | apparmor profile support | libapparmor | |
|
59 |
+| apparmor | apparmor profile support | <none> | |
|
60 | 60 |
| ambient | ambient capability support | kernel 4.3 | |
61 | 61 |
|
62 | 62 |
|
... | ... |
@@ -2,15 +2,10 @@ |
2 | 2 |
|
3 | 3 |
package apparmor |
4 | 4 |
|
5 |
-// #cgo LDFLAGS: -lapparmor |
|
6 |
-// #include <sys/apparmor.h> |
|
7 |
-// #include <stdlib.h> |
|
8 |
-import "C" |
|
9 | 5 |
import ( |
10 | 6 |
"fmt" |
11 | 7 |
"io/ioutil" |
12 | 8 |
"os" |
13 |
- "unsafe" |
|
14 | 9 |
) |
15 | 10 |
|
16 | 11 |
// IsEnabled returns true if apparmor is enabled for the host. |
... | ... |
@@ -24,16 +19,36 @@ func IsEnabled() bool { |
24 | 24 |
return false |
25 | 25 |
} |
26 | 26 |
|
27 |
+func setprocattr(attr, value string) error { |
|
28 |
+ // Under AppArmor you can only change your own attr, so use /proc/self/ |
|
29 |
+ // instead of /proc/<tid>/ like libapparmor does |
|
30 |
+ path := fmt.Sprintf("/proc/self/attr/%s", attr) |
|
31 |
+ |
|
32 |
+ f, err := os.OpenFile(path, os.O_WRONLY, 0) |
|
33 |
+ if err != nil { |
|
34 |
+ return err |
|
35 |
+ } |
|
36 |
+ defer f.Close() |
|
37 |
+ |
|
38 |
+ _, err = fmt.Fprintf(f, "%s", value) |
|
39 |
+ return err |
|
40 |
+} |
|
41 |
+ |
|
42 |
+// changeOnExec reimplements aa_change_onexec from libapparmor in Go |
|
43 |
+func changeOnExec(name string) error { |
|
44 |
+ value := "exec " + name |
|
45 |
+ if err := setprocattr("exec", value); err != nil { |
|
46 |
+ return fmt.Errorf("apparmor failed to apply profile: %s", err) |
|
47 |
+ } |
|
48 |
+ return nil |
|
49 |
+} |
|
50 |
+ |
|
27 | 51 |
// ApplyProfile will apply the profile with the specified name to the process after |
28 | 52 |
// the next exec. |
29 | 53 |
func ApplyProfile(name string) error { |
30 | 54 |
if name == "" { |
31 | 55 |
return nil |
32 | 56 |
} |
33 |
- cName := C.CString(name) |
|
34 |
- defer C.free(unsafe.Pointer(cName)) |
|
35 |
- if _, err := C.aa_change_onexec(cName); err != nil { |
|
36 |
- return fmt.Errorf("apparmor failed to apply profile: %s", err) |
|
37 |
- } |
|
38 |
- return nil |
|
57 |
+ |
|
58 |
+ return changeOnExec(name) |
|
39 | 59 |
} |
5 | 5 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,104 @@ |
0 |
+package devices |
|
1 |
+ |
|
2 |
+import ( |
|
3 |
+ "errors" |
|
4 |
+ "io/ioutil" |
|
5 |
+ "os" |
|
6 |
+ "path/filepath" |
|
7 |
+ |
|
8 |
+ "github.com/opencontainers/runc/libcontainer/configs" |
|
9 |
+ |
|
10 |
+ "golang.org/x/sys/unix" |
|
11 |
+) |
|
12 |
+ |
|
13 |
+var ( |
|
14 |
+ ErrNotADevice = errors.New("not a device node") |
|
15 |
+) |
|
16 |
+ |
|
17 |
+// Testing dependencies |
|
18 |
+var ( |
|
19 |
+ unixLstat = unix.Lstat |
|
20 |
+ ioutilReadDir = ioutil.ReadDir |
|
21 |
+) |
|
22 |
+ |
|
23 |
+// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct. |
|
24 |
+func DeviceFromPath(path, permissions string) (*configs.Device, error) { |
|
25 |
+ var stat unix.Stat_t |
|
26 |
+ err := unixLstat(path, &stat) |
|
27 |
+ if err != nil { |
|
28 |
+ return nil, err |
|
29 |
+ } |
|
30 |
+ |
|
31 |
+ var ( |
|
32 |
+ devNumber = stat.Rdev |
|
33 |
+ major = unix.Major(devNumber) |
|
34 |
+ ) |
|
35 |
+ if major == 0 { |
|
36 |
+ return nil, ErrNotADevice |
|
37 |
+ } |
|
38 |
+ |
|
39 |
+ var ( |
|
40 |
+ devType rune |
|
41 |
+ mode = stat.Mode |
|
42 |
+ ) |
|
43 |
+ switch { |
|
44 |
+ case mode&unix.S_IFBLK == unix.S_IFBLK: |
|
45 |
+ devType = 'b' |
|
46 |
+ case mode&unix.S_IFCHR == unix.S_IFCHR: |
|
47 |
+ devType = 'c' |
|
48 |
+ } |
|
49 |
+ return &configs.Device{ |
|
50 |
+ Type: devType, |
|
51 |
+ Path: path, |
|
52 |
+ Major: int64(major), |
|
53 |
+ Minor: int64(unix.Minor(devNumber)), |
|
54 |
+ Permissions: permissions, |
|
55 |
+ FileMode: os.FileMode(mode), |
|
56 |
+ Uid: stat.Uid, |
|
57 |
+ Gid: stat.Gid, |
|
58 |
+ }, nil |
|
59 |
+} |
|
60 |
+ |
|
61 |
+func HostDevices() ([]*configs.Device, error) { |
|
62 |
+ return getDevices("/dev") |
|
63 |
+} |
|
64 |
+ |
|
65 |
+func getDevices(path string) ([]*configs.Device, error) { |
|
66 |
+ files, err := ioutilReadDir(path) |
|
67 |
+ if err != nil { |
|
68 |
+ return nil, err |
|
69 |
+ } |
|
70 |
+ out := []*configs.Device{} |
|
71 |
+ for _, f := range files { |
|
72 |
+ switch { |
|
73 |
+ case f.IsDir(): |
|
74 |
+ switch f.Name() { |
|
75 |
+ // ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825 |
|
76 |
+ case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts": |
|
77 |
+ continue |
|
78 |
+ default: |
|
79 |
+ sub, err := getDevices(filepath.Join(path, f.Name())) |
|
80 |
+ if err != nil { |
|
81 |
+ return nil, err |
|
82 |
+ } |
|
83 |
+ |
|
84 |
+ out = append(out, sub...) |
|
85 |
+ continue |
|
86 |
+ } |
|
87 |
+ case f.Name() == "console": |
|
88 |
+ continue |
|
89 |
+ } |
|
90 |
+ device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm") |
|
91 |
+ if err != nil { |
|
92 |
+ if err == ErrNotADevice { |
|
93 |
+ continue |
|
94 |
+ } |
|
95 |
+ if os.IsNotExist(err) { |
|
96 |
+ continue |
|
97 |
+ } |
|
98 |
+ return nil, err |
|
99 |
+ } |
|
100 |
+ out = append(out, device) |
|
101 |
+ } |
|
102 |
+ return out, nil |
|
103 |
+} |
0 | 104 |
deleted file mode 100644 |
... | ... |
@@ -1,104 +0,0 @@ |
1 |
-package devices |
|
2 |
- |
|
3 |
-import ( |
|
4 |
- "errors" |
|
5 |
- "io/ioutil" |
|
6 |
- "os" |
|
7 |
- "path/filepath" |
|
8 |
- |
|
9 |
- "github.com/opencontainers/runc/libcontainer/configs" |
|
10 |
- |
|
11 |
- "golang.org/x/sys/unix" |
|
12 |
-) |
|
13 |
- |
|
14 |
-var ( |
|
15 |
- ErrNotADevice = errors.New("not a device node") |
|
16 |
-) |
|
17 |
- |
|
18 |
-// Testing dependencies |
|
19 |
-var ( |
|
20 |
- unixLstat = unix.Lstat |
|
21 |
- ioutilReadDir = ioutil.ReadDir |
|
22 |
-) |
|
23 |
- |
|
24 |
-// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct. |
|
25 |
-func DeviceFromPath(path, permissions string) (*configs.Device, error) { |
|
26 |
- var stat unix.Stat_t |
|
27 |
- err := unixLstat(path, &stat) |
|
28 |
- if err != nil { |
|
29 |
- return nil, err |
|
30 |
- } |
|
31 |
- |
|
32 |
- var ( |
|
33 |
- devNumber = stat.Rdev |
|
34 |
- major = unix.Major(devNumber) |
|
35 |
- ) |
|
36 |
- if major == 0 { |
|
37 |
- return nil, ErrNotADevice |
|
38 |
- } |
|
39 |
- |
|
40 |
- var ( |
|
41 |
- devType rune |
|
42 |
- mode = stat.Mode |
|
43 |
- ) |
|
44 |
- switch { |
|
45 |
- case mode&unix.S_IFBLK == unix.S_IFBLK: |
|
46 |
- devType = 'b' |
|
47 |
- case mode&unix.S_IFCHR == unix.S_IFCHR: |
|
48 |
- devType = 'c' |
|
49 |
- } |
|
50 |
- return &configs.Device{ |
|
51 |
- Type: devType, |
|
52 |
- Path: path, |
|
53 |
- Major: int64(major), |
|
54 |
- Minor: int64(unix.Minor(devNumber)), |
|
55 |
- Permissions: permissions, |
|
56 |
- FileMode: os.FileMode(mode), |
|
57 |
- Uid: stat.Uid, |
|
58 |
- Gid: stat.Gid, |
|
59 |
- }, nil |
|
60 |
-} |
|
61 |
- |
|
62 |
-func HostDevices() ([]*configs.Device, error) { |
|
63 |
- return getDevices("/dev") |
|
64 |
-} |
|
65 |
- |
|
66 |
-func getDevices(path string) ([]*configs.Device, error) { |
|
67 |
- files, err := ioutilReadDir(path) |
|
68 |
- if err != nil { |
|
69 |
- return nil, err |
|
70 |
- } |
|
71 |
- out := []*configs.Device{} |
|
72 |
- for _, f := range files { |
|
73 |
- switch { |
|
74 |
- case f.IsDir(): |
|
75 |
- switch f.Name() { |
|
76 |
- // ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825 |
|
77 |
- case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts": |
|
78 |
- continue |
|
79 |
- default: |
|
80 |
- sub, err := getDevices(filepath.Join(path, f.Name())) |
|
81 |
- if err != nil { |
|
82 |
- return nil, err |
|
83 |
- } |
|
84 |
- |
|
85 |
- out = append(out, sub...) |
|
86 |
- continue |
|
87 |
- } |
|
88 |
- case f.Name() == "console": |
|
89 |
- continue |
|
90 |
- } |
|
91 |
- device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm") |
|
92 |
- if err != nil { |
|
93 |
- if err == ErrNotADevice { |
|
94 |
- continue |
|
95 |
- } |
|
96 |
- if os.IsNotExist(err) { |
|
97 |
- continue |
|
98 |
- } |
|
99 |
- return nil, err |
|
100 |
- } |
|
101 |
- out = append(out, device) |
|
102 |
- } |
|
103 |
- return out, nil |
|
104 |
-} |
5 | 5 |
deleted file mode 100644 |
... | ... |
@@ -1,38 +0,0 @@ |
1 |
-// +build !darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd,!solaris |
|
2 |
- |
|
3 |
-package user |
|
4 |
- |
|
5 |
-import ( |
|
6 |
- "io" |
|
7 |
- "syscall" |
|
8 |
-) |
|
9 |
- |
|
10 |
-func GetPasswdPath() (string, error) { |
|
11 |
- return "", ErrUnsupported |
|
12 |
-} |
|
13 |
- |
|
14 |
-func GetPasswd() (io.ReadCloser, error) { |
|
15 |
- return nil, ErrUnsupported |
|
16 |
-} |
|
17 |
- |
|
18 |
-func GetGroupPath() (string, error) { |
|
19 |
- return "", ErrUnsupported |
|
20 |
-} |
|
21 |
- |
|
22 |
-func GetGroup() (io.ReadCloser, error) { |
|
23 |
- return nil, ErrUnsupported |
|
24 |
-} |
|
25 |
- |
|
26 |
-// CurrentUser looks up the current user by their user id in /etc/passwd. If the |
|
27 |
-// user cannot be found (or there is no /etc/passwd file on the filesystem), |
|
28 |
-// then CurrentUser returns an error. |
|
29 |
-func CurrentUser() (User, error) { |
|
30 |
- return LookupUid(syscall.Getuid()) |
|
31 |
-} |
|
32 |
- |
|
33 |
-// CurrentGroup looks up the current user's group by their primary group id's |
|
34 |
-// entry in /etc/passwd. If the group cannot be found (or there is no |
|
35 |
-// /etc/group file on the filesystem), then CurrentGroup returns an error. |
|
36 |
-func CurrentGroup() (Group, error) { |
|
37 |
- return LookupGid(syscall.Getgid()) |
|
38 |
-} |