From d163c38a26f893b130fc64f66d74d465bf1c5b0b Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Fri, 21 Nov 2025 14:24:29 +0100 Subject: [PATCH] vendor: update common, image, storage to main This also then bumps github.com/opencontainers/runtime-spec to v1.3.0 which contains breaking changes of the pid type as such we had to update all the podman callers. And tags.cncf.io/container-device-interface also used some changed types from it and they have been updated in main so bump to the latest commit there as well in order to get podman to compile properly. Signed-off-by: Paul Holzinger --- go.mod | 16 +- go.sum | 36 ++-- libpod/container_inspect_linux.go | 4 +- libpod/oci_conmon_linux.go | 2 +- pkg/api/handlers/compat/containers.go | 2 +- pkg/specgen/generate/kube/kube.go | 2 +- pkg/specgen/resources_linux.go | 2 +- pkg/specgenutil/specgen.go | 2 +- .../cyphar/filepath-securejoin/CHANGELOG.md | 88 +++++----- .../cyphar/filepath-securejoin/VERSION | 2 +- .../pathrs-lite/internal/fd/openat2_linux.go | 4 +- .../gocompat/gocompat_atomic_go119.go | 19 ++ .../gocompat/gocompat_atomic_unsupported.go | 48 +++++ .../internal/gopathrs/lookup_linux.go | 9 +- .../internal/gopathrs/openat2_linux.go | 1 + .../internal/linux/openat2_linux.go | 16 +- .../runtime-spec/specs-go/config.go | 166 +++++++++++++++++- .../runtime-spec/specs-go/version.go | 4 +- .../runtime-tools/generate/generate.go | 30 ++-- .../generate/seccomp/seccomp_default.go | 3 +- .../generate/seccomp/seccomp_default_linux.go | 1 - .../seccomp/seccomp_default_unsupported.go | 1 - .../v5/signature/internal/sequoia/gosequoia.c | 12 +- .../v5/signature/internal/sequoia/gosequoia.h | 12 +- .../image/v5/signature/policy_eval.go | 25 ++- .../v5/signature/policy_eval_baselayer.go | 4 + .../v5/signature/policy_eval_signedby.go | 4 + .../v5/signature/policy_eval_sigstore.go | 4 + .../image/v5/signature/policy_eval_simple.go | 8 + vendor/modules.txt | 18 +- .../pkg/cdi/cache.go | 2 +- .../pkg/cdi/cache_test_darwin.go | 26 --- .../pkg/cdi/cache_test_unix.go | 26 --- .../pkg/cdi/cache_test_windows.go | 22 --- .../pkg/cdi/container-edits.go | 6 +- .../pkg/cdi/container-edits_unix.go | 1 - .../pkg/cdi/container-edits_windows.go | 1 - .../container-device-interface/pkg/cdi/oci.go | 10 +- .../pkg/cdi/spec.go | 4 +- .../pkg/cdi/spec_linux.go | 4 +- .../pkg/cdi/spec_other.go | 1 - .../specs-go/config.go | 10 +- .../specs-go/version.go | 21 +++ 43 files changed, 454 insertions(+), 225 deletions(-) create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go delete mode 100644 vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go delete mode 100644 vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go delete mode 100644 vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_windows.go diff --git a/go.mod b/go.mod index 7d9f224747..85a5fd9eec 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/containers/winquit v1.1.0 github.com/coreos/go-systemd/v22 v22.6.0 github.com/crc-org/vfkit v0.6.1 - github.com/cyphar/filepath-securejoin v0.6.0 + github.com/cyphar/filepath-securejoin v0.6.1 github.com/digitalocean/go-qemu v0.0.0-20250212194115-ee9b0668d242 github.com/docker/distribution v2.8.3+incompatible github.com/docker/docker v28.5.2+incompatible @@ -52,8 +52,8 @@ require ( github.com/opencontainers/cgroups v0.0.6 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.1 - github.com/opencontainers/runtime-spec v1.2.1 - github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 + github.com/opencontainers/runtime-spec v1.3.0 + github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116 github.com/opencontainers/selinux v1.13.1 github.com/openshift/imagebuilder v1.2.19 github.com/rootless-containers/rootlesskit/v2 v2.3.5 @@ -64,9 +64,9 @@ require ( github.com/stretchr/testify v1.11.1 github.com/vbauerster/mpb/v8 v8.11.2 github.com/vishvananda/netlink v1.3.1 - go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66 - go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66 - go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66 + go.podman.io/common v0.66.1-0.20251120131032-23712697ddda + go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda + go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda golang.org/x/crypto v0.45.0 golang.org/x/net v0.47.0 golang.org/x/sync v0.18.0 @@ -77,7 +77,7 @@ require ( gopkg.in/inf.v0 v0.9.1 gopkg.in/yaml.v3 v3.0.1 sigs.k8s.io/yaml v1.6.0 - tags.cncf.io/container-device-interface v1.0.1 + tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210 ) require ( @@ -193,5 +193,5 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect - tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect + tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 // indirect ) diff --git a/go.sum b/go.sum index 6b7a47c284..d1c9c628f6 100644 --- a/go.sum +++ b/go.sum @@ -94,8 +94,8 @@ github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q= github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is= -github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= +github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE= +github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -108,8 +108,8 @@ github.com/disiqueira/gotree/v3 v3.0.2 h1:ik5iuLQQoufZBNPY518dXhiO5056hyNBIK9lWh github.com/disiqueira/gotree/v3 v3.0.2/go.mod h1:ZuyjE4+mUQZlbpkI24AmruZKhg3VHEgPLDY8Qk+uUu8= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v29.0.0+incompatible h1:KgsN2RUFMNM8wChxryicn4p46BdQWpXOA1XLGBGPGAw= -github.com/docker/cli v29.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v29.0.2+incompatible h1:iLuKy2GWOSLXGp8feLYBJQVDv7m/8xoofz6lPq41x6A= +github.com/docker/cli v29.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= @@ -316,10 +316,10 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opencontainers/runc v1.3.3 h1:qlmBbbhu+yY0QM7jqfuat7M1H3/iXjju3VkP9lkFQr4= github.com/opencontainers/runc v1.3.3/go.mod h1:D7rL72gfWxVs9cJ2/AayxB0Hlvn9g0gaF1R7uunumSI= -github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= -github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 h1:2xZEHOdeQBV6PW8ZtimN863bIOl7OCW/X10K0cnxKeA= -github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2/go.mod h1:MXdPzqAA8pHC58USHqNCSjyLnRQ6D+NjbpP+02Z1U/0= +github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg= +github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116 h1:tAKu3NkKWZYpqBSOJKwTxT1wIGueiF7gcmcNgr5pNTY= +github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116/go.mod h1:DKDEfzxvRkoQ6n9TGhxQgg2IM1lY4aM0eaQP4e3oElw= github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE= github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg= github.com/openshift/imagebuilder v1.2.19 h1:Xqq36KMJgsRU2MPaLRML23Myvk+AaY8pE8VJ6m6Vmy4= @@ -471,12 +471,12 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= -go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66 h1:C0U9hTxFs0cG6dWb1u7/IFwv2O7NEMivyPnqh/k/9Z8= -go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66/go.mod h1:H5zW6J35uvTzKtELI3lf4aj1QLxFY5wry/o78adU7+Q= -go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66 h1:YOTQaRJjUfS+LKrw31G7pF2oY/ReOV6n0fVZez5f0Ic= -go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66/go.mod h1:ycRSRkCZDb+EOojdmG67HARjAojZ/ERUNbFuORg3KZU= -go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66 h1:u9vVRYZwZgPY8a/yxKTI4C3uwZHMa5GjXZEDHIwe9P4= -go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66/go.mod h1:inOm1g24NqCjTY6aPC11MMHtj8Asgi+3aOvKOPldnCI= +go.podman.io/common v0.66.1-0.20251120131032-23712697ddda h1:Ib1vIEYB5eCSz3G09sROyY/j09jztFlWRm4G52vWj3k= +go.podman.io/common v0.66.1-0.20251120131032-23712697ddda/go.mod h1:8qbjUhjwp4i5u1O19vzwYW2qwIuPdFXIuv4nl3Z8px8= +go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda h1:YySc/E4bpD5b5y4kFN/7ZDo5JcXnOpPfwU78kH9D+EU= +go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda/go.mod h1:9DniP9NaGH03kzwNKYEtOXgRJwO+cQHENH+G4sOwLNc= +go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda h1:bC4fEguil4pwVp2U2zKWUC5ouqIwRDdtyJxtX1bPY+0= +go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda/go.mod h1:4p18A5ymiiJTllTu2Eo7CX88SO+V110TMzi31pXsb1s= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= @@ -625,7 +625,7 @@ sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f h1:pjVeIo9Ba6K1Wy+rlwX91zT7A+xGEmxiNRBdN04gDTQ= src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f/go.mod h1:kPbhv5+fBeUh85nET3wWhHGUaUQ64nZMJ8FwA5v5Olg= -tags.cncf.io/container-device-interface v1.0.1 h1:KqQDr4vIlxwfYh0Ed/uJGVgX+CHAkahrgabg6Q8GYxc= -tags.cncf.io/container-device-interface v1.0.1/go.mod h1:JojJIOeW3hNbcnOH2q0NrWNha/JuHoDZcmYxAZwb2i0= -tags.cncf.io/container-device-interface/specs-go v1.0.0 h1:8gLw29hH1ZQP9K1YtAzpvkHCjjyIxHZYzBAvlQ+0vD8= -tags.cncf.io/container-device-interface/specs-go v1.0.0/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ= +tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210 h1:ucIvxFr8UEFjsROkGrjxb3BKqZZpfifkRT9nLgeMD9U= +tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210/go.mod h1:kIlIMADdgOVbyLj4ZvEtCvHXqFXqxfbVKKKgBZt8NgQ= +tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 h1:SDIHrIFfJP54QHSdPS0VfwcVYodmkp6y/OPL/ceoejs= +tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ= diff --git a/libpod/container_inspect_linux.go b/libpod/container_inspect_linux.go index 7882ca4669..0a2c37e598 100644 --- a/libpod/container_inspect_linux.go +++ b/libpod/container_inspect_linux.go @@ -70,8 +70,8 @@ func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostC hostConfig.OomKillDisable = *ctrSpec.Linux.Resources.Memory.DisableOOMKiller } } - if ctrSpec.Linux.Resources.Pids != nil { - hostConfig.PidsLimit = ctrSpec.Linux.Resources.Pids.Limit + if ctrSpec.Linux.Resources.Pids != nil && ctrSpec.Linux.Resources.Pids.Limit != nil { + hostConfig.PidsLimit = *ctrSpec.Linux.Resources.Pids.Limit } hostConfig.CgroupConf = ctrSpec.Linux.Resources.Unified if ctrSpec.Linux.Resources.BlockIO != nil { diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 5a6f511f9e..29678b50e4 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -375,7 +375,7 @@ func GetLimits(resource *spec.LinuxResources) (runcconfig.Resources, error) { // Pids if resource.Pids != nil { - final.PidsLimit = &resource.Pids.Limit + final.PidsLimit = resource.Pids.Limit } // Networking diff --git a/pkg/api/handlers/compat/containers.go b/pkg/api/handlers/compat/containers.go index 35216fadd1..ef829c7f9e 100644 --- a/pkg/api/handlers/compat/containers.go +++ b/pkg/api/handlers/compat/containers.go @@ -801,7 +801,7 @@ func UpdateContainer(w http.ResponseWriter, r *http.Request) { if resources.Pids == nil { resources.Pids = new(spec.LinuxPids) } - resources.Pids.Limit = *options.PidsLimit + resources.Pids.Limit = options.PidsLimit } // Blkio Weight diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index d74f4ddd23..4bb16f87c5 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -397,7 +397,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener s.ResourceLimits = &spec.LinuxResources{} } s.ResourceLimits.Pids = &spec.LinuxPids{ - Limit: pidslimitAsInt, + Limit: &pidslimitAsInt, } } diff --git a/pkg/specgen/resources_linux.go b/pkg/specgen/resources_linux.go index 4b329d346a..eae1d0805b 100644 --- a/pkg/specgen/resources_linux.go +++ b/pkg/specgen/resources_linux.go @@ -14,7 +14,7 @@ func (s *SpecGenerator) InitResourceLimits(rtc *config.Config) { s.ResourceLimits = &spec.LinuxResources{} } s.ResourceLimits.Pids = &spec.LinuxPids{ - Limit: limit, + Limit: &limit, } } } diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index 73a2f0dbf9..6ab83ce6d3 100644 --- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -1292,7 +1292,7 @@ func GetResources(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) } if c.PIDsLimit != nil { pids := specs.LinuxPids{ - Limit: *c.PIDsLimit, + Limit: c.PIDsLimit, } s.ResourceLimits.Pids = &pids diff --git a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md index 734cf61e32..6d016d05c0 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md +++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md @@ -6,62 +6,52 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased] ## +## [0.6.1] - 2025-11-19 ## + +> At last up jumped the cunning spider, and fiercely held her fast. + +### Fixed ### +- Our logic for deciding whether to use `openat2(2)` or fallback to an `O_PATH` + resolver would cache the result to avoid doing needless test runs of + `openat2(2)`. However, this causes issues when `pathrs-lite` is being used by + a program that applies new seccomp-bpf filters onto itself -- if the filter + denies `openat2(2)` then we would return that error rather than falling back + to the `O_PATH` resolver. To resolve this issue, we no longer cache the + result if `openat2(2)` was successful, only if there was an error. +- A file descriptor leak in our `openat2` wrapper (when doing the necessary + `dup` for `RESOLVE_IN_ROOT`) has been removed. + +## [0.5.2] - 2025-11-19 ## + +> "Will you walk into my parlour?" said a spider to a fly. + +### Fixed ### +- Our logic for deciding whether to use `openat2(2)` or fallback to an `O_PATH` + resolver would cache the result to avoid doing needless test runs of + `openat2(2)`. However, this causes issues when `pathrs-lite` is being used by + a program that applies new seccomp-bpf filters onto itself -- if the filter + denies `openat2(2)` then we would return that error rather than falling back + to the `O_PATH` resolver. To resolve this issue, we no longer cache the + result if `openat2(2)` was successful, only if there was an error. +- A file descriptor leak in our `openat2` wrapper (when doing the necessary + `dup` for `RESOLVE_IN_ROOT`) has been removed. + ## [0.6.0] - 2025-11-03 ## > By the Power of Greyskull! -While quite small code-wise, this release marks a very key point in the -development of filepath-securejoin. - -filepath-securejoin was originally intended (back in 2017) to simply be a -single-purpose library that would take some common code used in container -runtimes (specifically, Docker's `FollowSymlinksInScope`) and make it more -general-purpose (with the eventual goals of it ending up in the Go stdlib). - -Of course, I quickly discovered that this problem was actually far more -complicated to solve when dealing with racing attackers, which lead to me -developing `openat2(2)` and [libpathrs][]. I had originally planned for -libpathrs to completely replace filepath-securejoin "once it was ready" but in -the interim we needed to fix several race attacks in runc as part of security -advisories. Obviously we couldn't require the usage of a pre-0.1 Rust library -in runc so it was necessary to port bits of libpathrs into filepath-securejoin. -(Ironically the first prototypes of libpathrs were originally written in Go and -then rewritten to Rust, so the code in filepath-securejoin is actually Go code -that was rewritten to Rust then re-rewritten to Go.) - -It then became clear that pure-Go libraries will likely not be willing to -require CGo for all of their builds, so it was necessary to accept that -filepath-securejoin will need to stay. As such, in v0.5.0 we provided more -pure-Go implementations of features from libpathrs but moved them into -`pathrs-lite` subpackage to clarify what purpose these helpers serve. - -This release finally closes the loop and makes it so that pathrs-lite can -transparently use libpathrs (via a `libpathrs` build-tag). This means that -upstream libraries can use the pure Go version if they prefer, but downstreams -(either downstream library users or even downstream distributions) are able to -migrate to libpathrs for all usages of pathrs-lite in an entire Go binary. - -I should make it clear that I do not plan to port the rest of libpathrs to Go, -as I do not wish to maintain two copies of the same codebase. pathrs-lite -already provides the core essentials necessary to operate on paths safely for -most modern systems. Users who want additional hardening or more ergonomic APIs -are free to use [`cyphar.com/go-pathrs`][go-pathrs] (libpathrs's Go bindings). - -[libpathrs]: https://github.com/cyphar/libpathrs -[go-pathrs]: https://cyphar.com/go-pathrs - ### Breaking ### - The deprecated `MkdirAll`, `MkdirAllHandle`, `OpenInRoot`, `OpenatInRoot` and `Reopen` wrappers have been removed. Please switch to using `pathrs-lite` directly. ### Added ### -- `pathrs-lite` now has support for using [libpathrs][libpathrs] as a backend. - This is opt-in and can be enabled at build time with the `libpathrs` build - tag. The intention is to allow for downstream libraries and other projects to - make use of the pure-Go `github.com/cyphar/filepath-securejoin/pathrs-lite` - package and distributors can then opt-in to using `libpathrs` for the entire - binary if they wish. +- `pathrs-lite` now has support for using libpathrs as a backend. This is + opt-in and can be enabled at build time with the `libpathrs` build tag. The + intention is to allow for downstream libraries and other projects to make use + of the pure-Go `github.com/cyphar/filepath-securejoin/pathrs-lite` package + and distributors can then opt-in to using `libpathrs` for the entire binary + if they wish. ## [0.5.1] - 2025-10-31 ## @@ -440,8 +430,10 @@ This is our first release of `github.com/cyphar/filepath-securejoin`, containing a full implementation with a coverage of 93.5% (the only missing cases are the error cases, which are hard to mocktest at the moment). -[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.0...HEAD -[0.6.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.1...v0.6.0 +[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.1...HEAD +[0.6.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.0...v0.6.1 +[0.6.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.6.0 +[0.5.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.1...v0.5.2 [0.5.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.5.1 [0.5.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...v0.5.0 [0.4.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.0...v0.4.1 diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION index a918a2aa18..ee6cdce3c2 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/VERSION +++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION @@ -1 +1 @@ -0.6.0 +0.6.1 diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go index 3e937fe3c1..63863647d5 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go @@ -39,7 +39,9 @@ const scopedLookupMaxRetries = 128 // Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry // logic in case of EAGAIN errors. -func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) { +// +// NOTE: This is a variable so that the lookup tests can force openat2 to fail. +var Openat2 = func(dir Fd, path string, how *unix.OpenHow) (*os.File, error) { dirFd, fullPath := prepareAt(dir, path) // Make sure we always set O_CLOEXEC. how.Flags |= unix.O_CLOEXEC diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go new file mode 100644 index 0000000000..ac93cb045e --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: BSD-3-Clause + +//go:build linux && go1.19 + +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gocompat + +import ( + "sync/atomic" +) + +// A Bool is an atomic boolean value. +// The zero value is false. +// +// Bool must not be copied after first use. +type Bool = atomic.Bool diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go new file mode 100644 index 0000000000..21b5b29ada --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: BSD-3-Clause + +//go:build linux && !go1.19 + +// Copyright (C) 2024-2025 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gocompat + +import ( + "sync/atomic" +) + +// noCopy may be added to structs which must not be copied +// after the first use. +// +// See https://golang.org/issues/8005#issuecomment-190753527 +// for details. +// +// Note that it must not be embedded, due to the Lock and Unlock methods. +type noCopy struct{} + +// Lock is a no-op used by -copylocks checker from `go vet`. +func (*noCopy) Lock() {} + +// b32 returns a uint32 0 or 1 representing b. +func b32(b bool) uint32 { + if b { + return 1 + } + return 0 +} + +// A Bool is an atomic boolean value. +// The zero value is false. +// +// Bool must not be copied after first use. +type Bool struct { + _ noCopy + v uint32 +} + +// Load atomically loads and returns the value stored in x. +func (x *Bool) Load() bool { return atomic.LoadUint32(&x.v) != 0 } + +// Store atomically stores val into x. +func (x *Bool) Store(val bool) { atomic.StoreUint32(&x.v, b32(val)) } diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go index 56480f0cee..ad233f1405 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go @@ -193,8 +193,13 @@ func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File, // managed open, along with the remaining path components not opened. // Try to use openat2 if possible. - if linux.HasOpenat2() { - return lookupOpenat2(root, unsafePath, partial) + // + // NOTE: If openat2(2) works normally but fails for this lookup, it is + // probably not a good idea to fall-back to the O_PATH resolver. An + // attacker could find a bug in the O_PATH resolver and uncontionally + // falling back to the O_PATH resolver would form a downgrade attack. + if handle, remainingPath, err := lookupOpenat2(root, unsafePath, partial); err == nil || linux.HasOpenat2() { + return handle, remainingPath, err } // Get the "actual" root path from /proc/self/fd. This is necessary if the diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go index b80ecd0895..9c5c268f66 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go @@ -41,6 +41,7 @@ func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) { if err != nil { return nil, err } + _ = file.Close() file = newFile } } diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go index 399609dc36..dc5f65cef7 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go @@ -17,15 +17,27 @@ import ( "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat" ) +// sawOpenat2Error stores whether we have seen an error from HasOpenat2. This +// is a one-way toggle, so as soon as we see an error we "lock" into that mode. +// We cannot use sync.OnceValue to store the success/fail state once because it +// is possible for the program we are running in to apply a seccomp-bpf filter +// and thus disable openat2 during execution. +var sawOpenat2Error gocompat.Bool + // HasOpenat2 returns whether openat2(2) is supported on the running kernel. -var HasOpenat2 = gocompat.SyncOnceValue(func() bool { +var HasOpenat2 = func() bool { + if sawOpenat2Error.Load() { + return false + } + fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{ Flags: unix.O_PATH | unix.O_CLOEXEC, Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT, }) if err != nil { + sawOpenat2Error.Store(true) // doesn't matter if we race here return false } _ = unix.Close(fd) return true -}) +} diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go index 1aa0693b57..3ef333387b 100644 --- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go @@ -31,6 +31,8 @@ type Spec struct { VM *VM `json:"vm,omitempty" platform:"vm"` // ZOS is platform-specific configuration for z/OS based containers. ZOS *ZOS `json:"zos,omitempty" platform:"zos"` + // FreeBSD is platform-specific configuration for FreeBSD based containers. + FreeBSD *FreeBSD `json:"freebsd,omitempty" platform:"freebsd"` } // Scheduler represents the scheduling attributes for a process. It is based on @@ -170,7 +172,7 @@ type Mount struct { // Destination is the absolute path where the mount will be placed in the container. Destination string `json:"destination"` // Type specifies the mount kind. - Type string `json:"type,omitempty" platform:"linux,solaris,zos"` + Type string `json:"type,omitempty" platform:"linux,solaris,zos,freebsd"` // Source specifies the source path of the mount. Source string `json:"source,omitempty"` // Options are fstab style mount options. @@ -236,6 +238,8 @@ type Linux struct { Namespaces []LinuxNamespace `json:"namespaces,omitempty"` // Devices are a list of device nodes that are created for the container Devices []LinuxDevice `json:"devices,omitempty"` + // NetDevices are key-value pairs, keyed by network device name on the host, moved to the container's network namespace. + NetDevices map[string]LinuxNetDevice `json:"netDevices,omitempty"` // Seccomp specifies the seccomp security settings for the container. Seccomp *LinuxSeccomp `json:"seccomp,omitempty"` // RootfsPropagation is the rootfs mount propagation mode for the container. @@ -249,6 +253,8 @@ type Linux struct { // IntelRdt contains Intel Resource Director Technology (RDT) information for // handling resource constraints and monitoring metrics (e.g., L3 cache, memory bandwidth) for the container IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"` + // MemoryPolicy contains NUMA memory policy for the container. + MemoryPolicy *LinuxMemoryPolicy `json:"memoryPolicy,omitempty"` // Personality contains configuration for the Linux personality syscall Personality *LinuxPersonality `json:"personality,omitempty"` // TimeOffsets specifies the offset for supporting time namespaces. @@ -430,7 +436,7 @@ type LinuxCPU struct { // LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3) type LinuxPids struct { // Maximum number of PIDs. Default is "no limit". - Limit int64 `json:"limit"` + Limit *int64 `json:"limit,omitempty"` } // LinuxNetwork identification and priority configuration @@ -491,6 +497,12 @@ type LinuxDevice struct { GID *uint32 `json:"gid,omitempty"` } +// LinuxNetDevice represents a single network device to be added to the container's network namespace +type LinuxNetDevice struct { + // Name of the device in the container namespace + Name string `json:"name,omitempty"` +} + // LinuxDeviceCgroup represents a device rule for the devices specified to // the device controller type LinuxDeviceCgroup struct { @@ -678,6 +690,32 @@ type WindowsHyperV struct { UtilityVMPath string `json:"utilityVMPath,omitempty"` } +// IOMems contains information about iomem addresses that should be passed to the VM. +type IOMems struct { + // Guest Frame Number to map the iomem range. If GFN is not specified, the mapping will be done to the same Frame Number as was provided in FirstMFN. + FirstGFN *uint64 `json:"firstGFN,omitempty"` + // Physical page number of iomem regions. + FirstMFN *uint64 `json:"firstMFN"` + // Number of pages to be mapped. + NrMFNs *uint64 `json:"nrMFNs"` +} + +// Hardware configuration for the VM image +type HWConfig struct { + // Path to the container device-tree file that should be passed to the VM configuration. + DeviceTree string `json:"deviceTree,omitempty"` + // Number of virtual cpus for the VM. + VCPUs *uint32 `json:"vcpus,omitempty"` + // Maximum memory in bytes allocated to the VM. + Memory *uint64 `json:"memory,omitempty"` + // Host device tree nodes to passthrough to the VM. + DtDevs []string `json:"dtdevs,omitempty"` + // Allow auto-translated domains to access specific hardware I/O memory pages. + IOMems []IOMems `json:"iomems,omitempty"` + // Allows VM to access specific physical IRQs. + Irqs []uint32 `json:"irqs,omitempty"` +} + // VM contains information for virtual-machine-based containers. type VM struct { // Hypervisor specifies hypervisor-related configuration for virtual-machine-based containers. @@ -686,6 +724,8 @@ type VM struct { Kernel VMKernel `json:"kernel"` // Image specifies guest image related configuration for virtual-machine-based containers. Image VMImage `json:"image,omitempty"` + // Hardware configuration that should be passed to the VM. + HwConfig *HWConfig `json:"hwconfig,omitempty"` } // VMHypervisor contains information about the hypervisor to use for a virtual machine. @@ -828,23 +868,41 @@ type LinuxSyscall struct { type LinuxIntelRdt struct { // The identity for RDT Class of Service ClosID string `json:"closID,omitempty"` + + // Schemata specifies the complete schemata to be written as is to the + // schemata file in resctrl fs. Each element represents a single line in the schemata file. + // NOTE: This will overwrite schemas specified in the L3CacheSchema and/or + // MemBwSchema fields. + Schemata []string `json:"schemata,omitempty"` + // The schema for L3 cache id and capacity bitmask (CBM) // Format: "L3:=;=;..." + // NOTE: Should not be specified if Schemata is non-empty. L3CacheSchema string `json:"l3CacheSchema,omitempty"` // The schema of memory bandwidth per L3 cache id // Format: "MB:=bandwidth0;=bandwidth1;..." // The unit of memory bandwidth is specified in "percentages" by // default, and in "MBps" if MBA Software Controller is enabled. + // NOTE: Should not be specified if Schemata is non-empty. MemBwSchema string `json:"memBwSchema,omitempty"` - // EnableCMT is the flag to indicate if the Intel RDT CMT is enabled. CMT (Cache Monitoring Technology) supports monitoring of - // the last-level cache (LLC) occupancy for the container. - EnableCMT bool `json:"enableCMT,omitempty"` + // EnableMonitoring enables resctrl monitoring for the container. This will + // create a dedicated resctrl monitoring group for the container. + EnableMonitoring bool `json:"enableMonitoring,omitempty"` +} - // EnableMBM is the flag to indicate if the Intel RDT MBM is enabled. MBM (Memory Bandwidth Monitoring) supports monitoring of - // total and local memory bandwidth for the container. - EnableMBM bool `json:"enableMBM,omitempty"` +// LinuxMemoryPolicy represents input for the set_mempolicy syscall. +type LinuxMemoryPolicy struct { + // Mode for the set_mempolicy syscall. + Mode MemoryPolicyModeType `json:"mode"` + + // Nodes representing the nodemask for the set_mempolicy syscall in comma separated ranges format. + // Format: "-,,-,..." + Nodes string `json:"nodes"` + + // Flags for the set_mempolicy syscall. + Flags []MemoryPolicyFlagType `json:"flags,omitempty"` } // ZOS contains platform-specific configuration for z/OS based containers. @@ -876,6 +934,26 @@ const ( ZOSUTSNamespace ZOSNamespaceType = "uts" ) +type MemoryPolicyModeType string + +const ( + MpolDefault MemoryPolicyModeType = "MPOL_DEFAULT" + MpolBind MemoryPolicyModeType = "MPOL_BIND" + MpolInterleave MemoryPolicyModeType = "MPOL_INTERLEAVE" + MpolWeightedInterleave MemoryPolicyModeType = "MPOL_WEIGHTED_INTERLEAVE" + MpolPreferred MemoryPolicyModeType = "MPOL_PREFERRED" + MpolPreferredMany MemoryPolicyModeType = "MPOL_PREFERRED_MANY" + MpolLocal MemoryPolicyModeType = "MPOL_LOCAL" +) + +type MemoryPolicyFlagType string + +const ( + MpolFNumaBalancing MemoryPolicyFlagType = "MPOL_F_NUMA_BALANCING" + MpolFRelativeNodes MemoryPolicyFlagType = "MPOL_F_RELATIVE_NODES" + MpolFStaticNodes MemoryPolicyFlagType = "MPOL_F_STATIC_NODES" +) + // LinuxSchedulerPolicy represents different scheduling policies used with the Linux Scheduler type LinuxSchedulerPolicy string @@ -915,3 +993,75 @@ const ( // SchedFlagUtilClampMin represents the utilization clamp maximum scheduling flag SchedFlagUtilClampMax LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MAX" ) + +// FreeBSD contains platform-specific configuration for FreeBSD based containers. +type FreeBSD struct { + // Devices which are accessible in the container + Devices []FreeBSDDevice `json:"devices,omitempty"` + // Jail definition for this container + Jail *FreeBSDJail `json:"jail,omitempty"` +} + +type FreeBSDDevice struct { + // Path to the device, relative to /dev. + Path string `json:"path"` + // FileMode permission bits for the device. + Mode *os.FileMode `json:"mode,omitempty"` +} + +// FreeBSDJail describes how to configure the container's jail +type FreeBSDJail struct { + // Parent jail name - this can be used to share a single vnet + // across several containers + Parent string `json:"parent,omitempty"` + // Whether to use parent UTS names or override in the container + Host FreeBSDSharing `json:"host,omitempty"` + // IPv4 address sharing for the container + Ip4 FreeBSDSharing `json:"ip4,omitempty"` + // IPv4 addresses for the container + Ip4Addr []string `json:"ip4Addr,omitempty"` + // IPv6 address sharing for the container + Ip6 FreeBSDSharing `json:"ip6,omitempty"` + // IPv6 addresses for the container + Ip6Addr []string `json:"ip6Addr,omitempty"` + // Which network stack to use for the container + Vnet FreeBSDSharing `json:"vnet,omitempty"` + // If set, Ip4Addr and Ip6Addr addresses will be added to this interface + Interface string `json:"interface,omitempty"` + // List interfaces to be moved to the container's vnet + VnetInterfaces []string `json:"vnetInterfaces,omitempty"` + // SystemV IPC message sharing for the container + SysVMsg FreeBSDSharing `json:"sysvmsg,omitempty"` + // SystemV semaphore message sharing for the container + SysVSem FreeBSDSharing `json:"sysvsem,omitempty"` + // SystemV memory sharing for the container + SysVShm FreeBSDSharing `json:"sysvshm,omitempty"` + // Mount visibility (see jail(8) for details) + EnforceStatfs *int `json:"enforceStatfs,omitempty"` + // Jail capabilities + Allow *FreeBSDJailAllow `json:"allow,omitempty"` +} + +// These values are used to control access to features in the container, either +// disabling the feature, sharing state with the parent or creating new private +// state in the container. +type FreeBSDSharing string + +const ( + FreeBSDShareDisable FreeBSDSharing = "disable" + FreeBSDShareNew FreeBSDSharing = "new" + FreeBSDShareInherit FreeBSDSharing = "inherit" +) + +// FreeBSDJailAllow describes jail capabilities +type FreeBSDJailAllow struct { + SetHostname bool `json:"setHostname,omitempty"` + RawSockets bool `json:"rawSockets,omitempty"` + Chflags bool `json:"chflags,omitempty"` + Mount []string `json:"mount,omitempty"` + Quotas bool `json:"quotas,omitempty"` + SocketAf bool `json:"socketAf,omitempty"` + Mlock bool `json:"mlock,omitempty"` + ReservedPorts bool `json:"reservedPorts,omitempty"` + Suser bool `json:"suser,omitempty"` +} diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go index 23234a9c58..0257dba3e7 100644 --- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go +++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go @@ -6,9 +6,9 @@ const ( // VersionMajor is for an API incompatible changes VersionMajor = 1 // VersionMinor is for functionality in a backwards-compatible manner - VersionMinor = 2 + VersionMinor = 3 // VersionPatch is for backwards-compatible bug fixes - VersionPatch = 1 + VersionPatch = 0 // VersionDev indicates development branch. Releases will be empty string. VersionDev = "" diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go index ae5a9984bc..44c199e147 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go @@ -6,6 +6,7 @@ import ( "fmt" "io" "os" + "slices" "strings" "github.com/moby/sys/capability" @@ -25,6 +26,12 @@ var ( } ) +const ( + // UnlimitedPidsLimit can be passed to SetLinuxResourcesPidsLimit to + // request unlimited PIDs. + UnlimitedPidsLimit int64 = -1 +) + // Generator represents a generator for a container config. type Generator struct { Config *rspec.Spec @@ -88,7 +95,8 @@ func New(os string) (generator Generator, err error) { } } - if os == "linux" { + switch os { + case "linux": config.Process.Capabilities = &rspec.LinuxCapabilities{ Bounding: []string{ "CAP_CHOWN", @@ -237,7 +245,7 @@ func New(os string) (generator Generator, err error) { }, Seccomp: seccomp.DefaultProfile(&config), } - } else if os == "freebsd" { + case "freebsd": config.Mounts = []rspec.Mount{ { Destination: "/dev", @@ -593,12 +601,10 @@ func (g *Generator) ClearProcessAdditionalGids() { } // AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids. -func (g *Generator) AddProcessAdditionalGid(gid uint32) { +func (g *Generator) AddProcessAdditionalGid(gid uint32) { //nolint:staticcheck // Ignore ST1003: method AddProcessAdditionalGid should be AddProcessAdditionalGID g.initConfigProcess() - for _, group := range g.Config.Process.User.AdditionalGids { - if group == gid { - return - } + if slices.Contains(g.Config.Process.User.AdditionalGids, gid) { + return } g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid) } @@ -868,7 +874,7 @@ func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) { } } -// AddLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified +// SetLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified. func (g *Generator) SetLinuxResourcesUnified(unified map[string]string) { g.initConfigLinuxResourcesUnified() for k, v := range unified { @@ -911,7 +917,7 @@ func (g *Generator) SetLinuxResourcesMemorySwap(swap int64) { // SetLinuxResourcesMemoryKernel sets g.Config.Linux.Resources.Memory.Kernel. func (g *Generator) SetLinuxResourcesMemoryKernel(kernel int64) { g.initConfigLinuxResourcesMemory() - g.Config.Linux.Resources.Memory.Kernel = &kernel + g.Config.Linux.Resources.Memory.Kernel = &kernel //nolint:staticcheck // Ignore SA1019: g.Config.Linux.Resources.Memory.Kernel is deprecated } // SetLinuxResourcesMemoryKernelTCP sets g.Config.Linux.Resources.Memory.KernelTCP. @@ -970,7 +976,7 @@ func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) { // SetLinuxResourcesPidsLimit sets g.Config.Linux.Resources.Pids.Limit. func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) { g.initConfigLinuxResourcesPids() - g.Config.Linux.Resources.Pids.Limit = limit + g.Config.Linux.Resources.Pids.Limit = &limit } // ClearLinuxSysctl clears g.Config.Linux.Sysctl. @@ -1060,13 +1066,13 @@ func (g *Generator) ClearPreStartHooks() { if g.Config == nil || g.Config.Hooks == nil { return } - g.Config.Hooks.Prestart = []rspec.Hook{} + g.Config.Hooks.Prestart = []rspec.Hook{} //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated } // AddPreStartHook add a prestart hook into g.Config.Hooks.Prestart. func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) { g.initConfigHooks() - g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook) + g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook) //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated } // ClearPostStopHooks clear g.Config.Hooks.Poststop. diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go index 12aa482c2c..64ec8a1fac 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go @@ -3,7 +3,6 @@ package seccomp import ( "runtime" - "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go" ) @@ -31,7 +30,7 @@ func arches() []rspec.Arch { } // DefaultProfile defines the whitelist for the default seccomp profile. -func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp { +func DefaultProfile(rs *rspec.Spec) *rspec.LinuxSeccomp { syscalls := []rspec.LinuxSyscall{ { Names: []string{ diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go index 5ca9a6daee..aac5c2bbe0 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go @@ -1,5 +1,4 @@ //go:build linux -// +build linux package seccomp diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go index b8c1bc26e2..a8d582672c 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go @@ -1,5 +1,4 @@ //go:build !linux -// +build !linux package seccomp diff --git a/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.c b/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.c index d5314016a6..1f4636c8bd 100644 --- a/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.c +++ b/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.c @@ -1,8 +1,12 @@ /* - * Copying and distribution of this file, with or without modification, - * are permitted in any medium without royalty provided the copyright - * notice and this notice are preserved. This file is offered as-is, - * without any warranty. + * SPDX-License-Identifier: Apache-2.0 OR FSFAP + * SPDX-FileCopyrightText: 2025 Daiki Ueno + * + * You can redistribute and/or modify this file under the terms of either + * Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html), or + * FSF All Permissive License + * (https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html), + * or both in parallel, as here. */ #ifdef HAVE_CONFIG_H diff --git a/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.h b/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.h index 477b985bad..b5f2e83140 100644 --- a/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.h +++ b/vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.h @@ -1,8 +1,12 @@ /* - * Copying and distribution of this file, with or without modification, - * are permitted in any medium without royalty provided the copyright - * notice and this notice are preserved. This file is offered as-is, - * without any warranty. + * SPDX-License-Identifier: Apache-2.0 OR FSFAP + * SPDX-FileCopyrightText: 2025 Daiki Ueno + * + * You can redistribute and/or modify this file under the terms of either + * Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html), or + * FSF All Permissive License + * (https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html), + * or both in parallel, as here. */ #ifndef GO_SEQUOIA_H_ diff --git a/vendor/go.podman.io/image/v5/signature/policy_eval.go b/vendor/go.podman.io/image/v5/signature/policy_eval.go index 2d0db05ae4..746298f56f 100644 --- a/vendor/go.podman.io/image/v5/signature/policy_eval.go +++ b/vendor/go.podman.io/image/v5/signature/policy_eval.go @@ -65,6 +65,10 @@ type PolicyRequirement interface { // WARNING: This validates signatures and the manifest, but does not download or validate the // layers. Users must validate that the layers match their expected digests. isRunningImageAllowed(ctx context.Context, image private.UnparsedImage) (bool, error) + + // verifiesSignatures returns true if and only if the requirement performs cryptographic + // signature verification on the entire contents of the image before allowing it. + verifiesSignatures() bool } // PolicyReferenceMatch specifies a set of image identities accepted in PolicyRequirement. @@ -79,8 +83,9 @@ type PolicyReferenceMatch interface { // PolicyContext encapsulates a policy and possible cached state // for speeding up its evaluation. type PolicyContext struct { - Policy *Policy - state policyContextState // Internal consistency checking + Policy *Policy + state policyContextState // Internal consistency checking + requireSigned bool } // policyContextState is used internally to verify the users are not misusing a PolicyContext. @@ -132,6 +137,13 @@ func policyIdentityLogName(ref types.ImageReference) string { return ref.Transport().Name() + ":" + ref.PolicyConfigurationIdentity() } +// RequireSignatureVerification modifies policy requirement handling. If passed +// `true`, at least one policy requirement which performs signature verification +// on the entire image contents must be present. +func (pc *PolicyContext) RequireSignatureVerification(val bool) { + pc.requireSigned = val +} + // requirementsForImageRef selects the appropriate requirements for ref. func (pc *PolicyContext) requirementsForImageRef(ref types.ImageReference) PolicyRequirements { // Do we have a PolicyTransportScopes for this transport? @@ -278,6 +290,7 @@ func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, publicImage return false, PolicyRequirementError("List of verification policy requirements must not be empty") } + wasSignatureVerified := false for reqNumber, req := range reqs { // FIXME: supply state allowed, err := req.isRunningImageAllowed(ctx, image) @@ -286,7 +299,15 @@ func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, publicImage return false, err } logrus.Debugf(" Requirement %d: allowed", reqNumber) + if req.verifiesSignatures() { + wasSignatureVerified = true + } } + + if pc.requireSigned && !wasSignatureVerified { + return false, PolicyRequirementError(fmt.Sprintf("No signature verification policy found for image %s", policyIdentityLogName(image.Reference()))) + } + // We have tested that len(reqs) != 0, so at least one req must have explicitly allowed this image. logrus.Debugf("Overall: allowed") return true, nil diff --git a/vendor/go.podman.io/image/v5/signature/policy_eval_baselayer.go b/vendor/go.podman.io/image/v5/signature/policy_eval_baselayer.go index f310342d10..8f074b47c1 100644 --- a/vendor/go.podman.io/image/v5/signature/policy_eval_baselayer.go +++ b/vendor/go.podman.io/image/v5/signature/policy_eval_baselayer.go @@ -18,3 +18,7 @@ func (pr *prSignedBaseLayer) isRunningImageAllowed(ctx context.Context, image pr logrus.Errorf("signedBaseLayer not implemented yet!") return false, PolicyRequirementError("signedBaseLayer not implemented yet!") } + +func (pr *prSignedBaseLayer) verifiesSignatures() bool { + return false +} diff --git a/vendor/go.podman.io/image/v5/signature/policy_eval_signedby.go b/vendor/go.podman.io/image/v5/signature/policy_eval_signedby.go index 21ed59494d..149545da8f 100644 --- a/vendor/go.podman.io/image/v5/signature/policy_eval_signedby.go +++ b/vendor/go.podman.io/image/v5/signature/policy_eval_signedby.go @@ -114,3 +114,7 @@ func (pr *prSignedBy) isRunningImageAllowed(ctx context.Context, image private.U } return false, summary } + +func (pr *prSignedBy) verifiesSignatures() bool { + return true +} diff --git a/vendor/go.podman.io/image/v5/signature/policy_eval_sigstore.go b/vendor/go.podman.io/image/v5/signature/policy_eval_sigstore.go index eb29bd8b57..7069506b81 100644 --- a/vendor/go.podman.io/image/v5/signature/policy_eval_sigstore.go +++ b/vendor/go.podman.io/image/v5/signature/policy_eval_sigstore.go @@ -432,3 +432,7 @@ func (pr *prSigstoreSigned) isRunningImageAllowed(ctx context.Context, image pri } return false, summary } + +func (pr *prSigstoreSigned) verifiesSignatures() bool { + return true +} diff --git a/vendor/go.podman.io/image/v5/signature/policy_eval_simple.go b/vendor/go.podman.io/image/v5/signature/policy_eval_simple.go index 4ef35e3ad5..75a83bd579 100644 --- a/vendor/go.podman.io/image/v5/signature/policy_eval_simple.go +++ b/vendor/go.podman.io/image/v5/signature/policy_eval_simple.go @@ -20,6 +20,10 @@ func (pr *prInsecureAcceptAnything) isRunningImageAllowed(ctx context.Context, i return true, nil } +func (pr *prInsecureAcceptAnything) verifiesSignatures() bool { + return false +} + func (pr *prReject) isSignatureAuthorAccepted(ctx context.Context, image private.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) { return sarRejected, nil, PolicyRequirementError(fmt.Sprintf("Any signatures for image %s are rejected by policy.", transports.ImageName(image.Reference()))) } @@ -27,3 +31,7 @@ func (pr *prReject) isSignatureAuthorAccepted(ctx context.Context, image private func (pr *prReject) isRunningImageAllowed(ctx context.Context, image private.UnparsedImage) (bool, error) { return false, PolicyRequirementError(fmt.Sprintf("Running image %s is rejected by policy.", transports.ImageName(image.Reference()))) } + +func (pr *prReject) verifiesSignatures() bool { + return false +} diff --git a/vendor/modules.txt b/vendor/modules.txt index cae7988c6d..c162fe30dd 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -197,7 +197,7 @@ github.com/crc-org/vfkit/pkg/util # github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 ## explicit github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer -# github.com/cyphar/filepath-securejoin v0.6.0 +# github.com/cyphar/filepath-securejoin v0.6.1 ## explicit; go 1.18 github.com/cyphar/filepath-securejoin github.com/cyphar/filepath-securejoin/internal/consts @@ -589,10 +589,10 @@ github.com/opencontainers/runc/internal/pathrs github.com/opencontainers/runc/libcontainer/apparmor github.com/opencontainers/runc/libcontainer/devices github.com/opencontainers/runc/libcontainer/utils -# github.com/opencontainers/runtime-spec v1.2.1 +# github.com/opencontainers/runtime-spec v1.3.0 ## explicit github.com/opencontainers/runtime-spec/specs-go -# github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 +# github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116 ## explicit; go 1.21 github.com/opencontainers/runtime-tools/generate github.com/opencontainers/runtime-tools/generate/seccomp @@ -787,7 +787,7 @@ go.opentelemetry.io/otel/trace go.opentelemetry.io/otel/trace/embedded go.opentelemetry.io/otel/trace/internal/telemetry go.opentelemetry.io/otel/trace/noop -# go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66 +# go.podman.io/common v0.66.1-0.20251120131032-23712697ddda ## explicit; go 1.24.2 go.podman.io/common/internal go.podman.io/common/internal/attributedstring @@ -857,7 +857,7 @@ go.podman.io/common/pkg/umask go.podman.io/common/pkg/util go.podman.io/common/pkg/version go.podman.io/common/version -# go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66 +# go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda ## explicit; go 1.24.0 go.podman.io/image/v5/copy go.podman.io/image/v5/directory @@ -931,7 +931,7 @@ go.podman.io/image/v5/transports go.podman.io/image/v5/transports/alltransports go.podman.io/image/v5/types go.podman.io/image/v5/version -# go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66 +# go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda ## explicit; go 1.24.0 go.podman.io/storage go.podman.io/storage/drivers @@ -1225,12 +1225,12 @@ gopkg.in/yaml.v3 # sigs.k8s.io/yaml v1.6.0 ## explicit; go 1.22 sigs.k8s.io/yaml -# tags.cncf.io/container-device-interface v1.0.1 -## explicit; go 1.20 +# tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210 +## explicit; go 1.21 tags.cncf.io/container-device-interface/internal/validation tags.cncf.io/container-device-interface/internal/validation/k8s tags.cncf.io/container-device-interface/pkg/cdi tags.cncf.io/container-device-interface/pkg/parser -# tags.cncf.io/container-device-interface/specs-go v1.0.0 +# tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 ## explicit; go 1.19 tags.cncf.io/container-device-interface/specs-go diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go index 7095f27dae..ba817a55b1 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go @@ -520,7 +520,7 @@ func (w *watch) stop() { return } - w.watcher.Close() + _ = w.watcher.Close() w.tracked = nil } diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go deleted file mode 100644 index b09ea6ff97..0000000000 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go +++ /dev/null @@ -1,26 +0,0 @@ -//go:build darwin -// +build darwin - -/* - Copyright © 2021 The CDI Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package cdi - -import "syscall" - -func osSync() { - _ = syscall.Sync() -} diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go deleted file mode 100644 index b7c44129fb..0000000000 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go +++ /dev/null @@ -1,26 +0,0 @@ -//go:build !windows && !darwin -// +build !windows,!darwin - -/* - Copyright © 2021 The CDI Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package cdi - -import "syscall" - -func osSync() { - syscall.Sync() -} diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_windows.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_windows.go deleted file mode 100644 index c6dabf5fa8..0000000000 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_windows.go +++ /dev/null @@ -1,22 +0,0 @@ -//go:build windows -// +build windows - -/* - Copyright © 2021 The CDI Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package cdi - -func osSync() {} diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go index 4744eff8fa..450a84f695 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go @@ -337,8 +337,10 @@ func ValidateIntelRdt(i *cdi.IntelRdt) error { // Validate validates the IntelRdt configuration. func (i *IntelRdt) Validate() error { - // ClosID must be a valid Linux filename - if len(i.ClosID) >= 4096 || i.ClosID == "." || i.ClosID == ".." || strings.ContainsAny(i.ClosID, "/\n") { + // ClosID must be a valid Linux filename. Exception: "/" refers to the root CLOS. + switch c := i.ClosID; { + case c == "/": + case len(c) >= 4096, c == ".", c == "..", strings.ContainsAny(c, "/\n"): return errors.New("invalid ClosID") } return nil diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_unix.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_unix.go index 59977b2171..e0d41a6815 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_unix.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_unix.go @@ -1,5 +1,4 @@ //go:build !windows -// +build !windows /* Copyright © 2021 The CDI Authors diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_windows.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_windows.go index fd91afa926..5515f62cea 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_windows.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_windows.go @@ -1,5 +1,4 @@ //go:build windows -// +build windows /* Copyright © 2021 The CDI Authors diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/oci.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/oci.go index 4d62c41f9d..d8fa14a2f1 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/oci.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/oci.go @@ -56,10 +56,10 @@ func (d *DeviceNode) toOCI() spec.LinuxDevice { // toOCI returns the opencontainers runtime Spec LinuxIntelRdt for this IntelRdt config. func (i *IntelRdt) toOCI() *spec.LinuxIntelRdt { return &spec.LinuxIntelRdt{ - ClosID: i.ClosID, - L3CacheSchema: i.L3CacheSchema, - MemBwSchema: i.MemBwSchema, - EnableCMT: i.EnableCMT, - EnableMBM: i.EnableMBM, + ClosID: i.ClosID, + L3CacheSchema: i.L3CacheSchema, + MemBwSchema: i.MemBwSchema, + Schemata: i.Schemata, + EnableMonitoring: i.EnableMonitoring, } } diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go index 8d295a83ff..fdaa268498 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go @@ -156,7 +156,7 @@ func (s *Spec) write(overwrite bool) error { return fmt.Errorf("failed to create Spec file: %w", err) } _, err = tmp.Write(data) - tmp.Close() + _ = tmp.Close() if err != nil { return fmt.Errorf("failed to write Spec file: %w", err) } @@ -164,7 +164,7 @@ func (s *Spec) write(overwrite bool) error { err = renameIn(dir, filepath.Base(tmp.Name()), filepath.Base(s.path), overwrite) if err != nil { - os.Remove(tmp.Name()) + _ = os.Remove(tmp.Name()) err = fmt.Errorf("failed to write Spec file: %w", err) } diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_linux.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_linux.go index 9ad2739256..88fd9bbf52 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_linux.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_linux.go @@ -32,7 +32,9 @@ func renameIn(dir, src, dst string, overwrite bool) error { if err != nil { return fmt.Errorf("rename failed: %w", err) } - defer dirf.Close() + defer func() { + _ = dirf.Close() + }() if !overwrite { flags = unix.RENAME_NOREPLACE diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_other.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_other.go index 285e04e27a..f102c46bda 100644 --- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_other.go +++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_other.go @@ -1,5 +1,4 @@ //go:build !linux -// +build !linux /* Copyright © 2022 The CDI Authors diff --git a/vendor/tags.cncf.io/container-device-interface/specs-go/config.go b/vendor/tags.cncf.io/container-device-interface/specs-go/config.go index f28657b865..577331f05b 100644 --- a/vendor/tags.cncf.io/container-device-interface/specs-go/config.go +++ b/vendor/tags.cncf.io/container-device-interface/specs-go/config.go @@ -64,9 +64,9 @@ type Hook struct { // IntelRdt describes the Linux IntelRdt parameters to set in the OCI spec. type IntelRdt struct { - ClosID string `json:"closID,omitempty" yaml:"closID,omitempty"` - L3CacheSchema string `json:"l3CacheSchema,omitempty" yaml:"l3CacheSchema,omitempty"` - MemBwSchema string `json:"memBwSchema,omitempty" yaml:"memBwSchema,omitempty"` - EnableCMT bool `json:"enableCMT,omitempty" yaml:"enableCMT,omitempty"` - EnableMBM bool `json:"enableMBM,omitempty" yaml:"enableMBM,omitempty"` + ClosID string `json:"closID,omitempty" yaml:"closID,omitempty"` + L3CacheSchema string `json:"l3CacheSchema,omitempty" yaml:"l3CacheSchema,omitempty"` + MemBwSchema string `json:"memBwSchema,omitempty" yaml:"memBwSchema,omitempty"` + Schemata []string `json:"schemata,omitempty" yaml:"schemata,omitempty"` + EnableMonitoring bool `json:"enableMonitoring,omitempty" yaml:"enableMonitoring,omitempty"` } diff --git a/vendor/tags.cncf.io/container-device-interface/specs-go/version.go b/vendor/tags.cncf.io/container-device-interface/specs-go/version.go index 002e035059..4e5d736625 100644 --- a/vendor/tags.cncf.io/container-device-interface/specs-go/version.go +++ b/vendor/tags.cncf.io/container-device-interface/specs-go/version.go @@ -40,6 +40,7 @@ const ( v070 version = "v0.7.0" v080 version = "v0.8.0" v100 version = "v1.0.0" + v110 version = "v1.1.0" // vEarliest is the earliest supported version of the CDI specification vEarliest version = v030 @@ -58,6 +59,7 @@ var validSpecVersions = requiredVersionMap{ v070: requiresV070, v080: requiresV080, v100: requiresV100, + v110: requiresV110, } // ValidateVersion checks whether the specified spec version is valid. @@ -140,6 +142,25 @@ func (r requiredVersionMap) requiredVersion(spec *Spec) version { return minVersion } +// requiresV110 returns true if the spec uses v1.1.0 features. +func requiresV110(spec *Spec) bool { + if i := spec.ContainerEdits.IntelRdt; i != nil { + if i.Schemata != nil || i.EnableMonitoring { + return true + } + } + + for _, dev := range spec.Devices { + if i := dev.ContainerEdits.IntelRdt; i != nil { + if i.Schemata != nil || i.EnableMonitoring { + return true + } + } + } + + return false +} + // requiresV100 returns true if the spec uses v1.0.0 features. // Since the v1.0.0 spec bump was due to moving the minimum version checks to // the spec package, there are no explicit spec changes.