Update vendor or containers/buildah
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
84
vendor/github.com/containers/buildah/chroot/run_linux.go
generated
vendored
84
vendor/github.com/containers/buildah/chroot/run_linux.go
generated
vendored
@@ -158,7 +158,7 @@ func setApparmorProfile(spec *specs.Spec) error {
|
||||
return nil
|
||||
}
|
||||
if err := apparmor.ApplyProfile(spec.Process.ApparmorProfile); err != nil {
|
||||
return fmt.Errorf("error setting apparmor profile to %q: %w", spec.Process.ApparmorProfile, err)
|
||||
return fmt.Errorf("setting apparmor profile to %q: %w", spec.Process.ApparmorProfile, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -167,14 +167,14 @@ func setApparmorProfile(spec *specs.Spec) error {
|
||||
func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
|
||||
currentCaps, err := capability.NewPid2(0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading capabilities of current process: %w", err)
|
||||
return fmt.Errorf("reading capabilities of current process: %w", err)
|
||||
}
|
||||
if err := currentCaps.Load(); err != nil {
|
||||
return fmt.Errorf("error loading capabilities: %w", err)
|
||||
return fmt.Errorf("loading capabilities: %w", err)
|
||||
}
|
||||
caps, err := capability.NewPid2(0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading capabilities of current process: %w", err)
|
||||
return fmt.Errorf("reading capabilities of current process: %w", err)
|
||||
}
|
||||
capMap := map[capability.CapType][]string{
|
||||
capability.BOUNDING: spec.Process.Capabilities.Bounding,
|
||||
@@ -195,7 +195,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
|
||||
}
|
||||
}
|
||||
if cap == noCap {
|
||||
return fmt.Errorf("error mapping capability %q to a number", capToSet)
|
||||
return fmt.Errorf("mapping capability %q to a number", capToSet)
|
||||
}
|
||||
caps.Set(capType, cap)
|
||||
}
|
||||
@@ -208,7 +208,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
|
||||
}
|
||||
}
|
||||
if cap == noCap {
|
||||
return fmt.Errorf("error mapping capability %q to a number", capToSet)
|
||||
return fmt.Errorf("mapping capability %q to a number", capToSet)
|
||||
}
|
||||
if currentCaps.Get(capType, cap) {
|
||||
caps.Set(capType, cap)
|
||||
@@ -216,7 +216,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
|
||||
}
|
||||
}
|
||||
if err = caps.Apply(capability.CAPS | capability.BOUNDS | capability.AMBS); err != nil {
|
||||
return fmt.Errorf("error setting capabilities: %w", err)
|
||||
return fmt.Errorf("setting capabilities: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -233,11 +233,11 @@ func makeReadOnly(mntpoint string, flags uintptr) error {
|
||||
var fs unix.Statfs_t
|
||||
// Make sure it's read-only.
|
||||
if err := unix.Statfs(mntpoint, &fs); err != nil {
|
||||
return fmt.Errorf("error checking if directory %q was bound read-only: %w", mntpoint, err)
|
||||
return fmt.Errorf("checking if directory %q was bound read-only: %w", mntpoint, err)
|
||||
}
|
||||
if fs.Flags&unix.ST_RDONLY == 0 {
|
||||
if err := unix.Mount(mntpoint, mntpoint, "bind", flags|unix.MS_REMOUNT, ""); err != nil {
|
||||
return fmt.Errorf("error remounting %s in mount namespace read-only: %w", mntpoint, err)
|
||||
return fmt.Errorf("remounting %s in mount namespace read-only: %w", mntpoint, err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
@@ -283,16 +283,16 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
return undoBinds, fmt.Errorf("error bind mounting /dev from host into mount namespace: %w", err)
|
||||
return undoBinds, fmt.Errorf("bind mounting /dev from host into mount namespace: %w", err)
|
||||
}
|
||||
}
|
||||
// Make sure it's read-only.
|
||||
if err = unix.Statfs(subDev, &fs); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q was bound read-only: %w", subDev, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q was bound read-only: %w", subDev, err)
|
||||
}
|
||||
if fs.Flags&unix.ST_RDONLY == 0 {
|
||||
if err := unix.Mount(subDev, subDev, "bind", devFlags|unix.MS_REMOUNT, ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error remounting /dev in mount namespace read-only: %w", err)
|
||||
return undoBinds, fmt.Errorf("remounting /dev in mount namespace read-only: %w", err)
|
||||
}
|
||||
}
|
||||
logrus.Debugf("bind mounted %q to %q", "/dev", filepath.Join(spec.Root.Path, "/dev"))
|
||||
@@ -307,7 +307,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
return undoBinds, fmt.Errorf("error bind mounting /proc from host into mount namespace: %w", err)
|
||||
return undoBinds, fmt.Errorf("bind mounting /proc from host into mount namespace: %w", err)
|
||||
}
|
||||
}
|
||||
logrus.Debugf("bind mounted %q to %q", "/proc", filepath.Join(spec.Root.Path, "/proc"))
|
||||
@@ -322,7 +322,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
return undoBinds, fmt.Errorf("error bind mounting /sys from host into mount namespace: %w", err)
|
||||
return undoBinds, fmt.Errorf("bind mounting /sys from host into mount namespace: %w", err)
|
||||
}
|
||||
}
|
||||
if err := makeReadOnly(subSys, sysFlags); err != nil {
|
||||
@@ -380,14 +380,14 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
case "bind":
|
||||
srcinfo, err = os.Stat(m.Source)
|
||||
if err != nil {
|
||||
return undoBinds, fmt.Errorf("error examining %q for mounting in mount namespace: %w", m.Source, err)
|
||||
return undoBinds, fmt.Errorf("examining %q for mounting in mount namespace: %w", m.Source, err)
|
||||
}
|
||||
case "overlay":
|
||||
fallthrough
|
||||
case "tmpfs":
|
||||
srcinfo, err = os.Stat("/")
|
||||
if err != nil {
|
||||
return undoBinds, fmt.Errorf("error examining / to use as a template for a %s: %w", m.Type, err)
|
||||
return undoBinds, fmt.Errorf("examining / to use as a template for a %s: %w", m.Type, err)
|
||||
}
|
||||
}
|
||||
target := filepath.Join(spec.Root.Path, m.Destination)
|
||||
@@ -405,20 +405,20 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
if err != nil {
|
||||
// If the target can't be stat()ted, check the error.
|
||||
if !errors.Is(err, os.ErrNotExist) {
|
||||
return undoBinds, fmt.Errorf("error examining %q for mounting in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("examining %q for mounting in mount namespace: %w", target, err)
|
||||
}
|
||||
// The target isn't there yet, so create it.
|
||||
if srcinfo.IsDir() {
|
||||
if err = os.MkdirAll(target, 0755); err != nil {
|
||||
return undoBinds, fmt.Errorf("error creating mountpoint %q in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("creating mountpoint %q in mount namespace: %w", target, err)
|
||||
}
|
||||
} else {
|
||||
if err = os.MkdirAll(filepath.Dir(target), 0755); err != nil {
|
||||
return undoBinds, fmt.Errorf("error ensuring parent of mountpoint %q (%q) is present in mount namespace: %w", target, filepath.Dir(target), err)
|
||||
return undoBinds, fmt.Errorf("ensuring parent of mountpoint %q (%q) is present in mount namespace: %w", target, filepath.Dir(target), err)
|
||||
}
|
||||
var file *os.File
|
||||
if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0755); err != nil {
|
||||
return undoBinds, fmt.Errorf("error creating mountpoint %q in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("creating mountpoint %q in mount namespace: %w", target, err)
|
||||
}
|
||||
file.Close()
|
||||
}
|
||||
@@ -458,28 +458,28 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
// Do the bind mount.
|
||||
logrus.Debugf("bind mounting %q on %q", m.Destination, filepath.Join(spec.Root.Path, m.Destination))
|
||||
if err := unix.Mount(m.Source, target, "", requestFlags, ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error bind mounting %q from host to %q in mount namespace (%q): %w", m.Source, m.Destination, target, err)
|
||||
return undoBinds, fmt.Errorf("bind mounting %q from host to %q in mount namespace (%q): %w", m.Source, m.Destination, target, err)
|
||||
}
|
||||
logrus.Debugf("bind mounted %q to %q", m.Source, target)
|
||||
case "tmpfs":
|
||||
// Mount a tmpfs.
|
||||
if err := mount.Mount(m.Source, target, m.Type, strings.Join(append(m.Options, "private"), ",")); err != nil {
|
||||
return undoBinds, fmt.Errorf("error mounting tmpfs to %q in mount namespace (%q, %q): %w", m.Destination, target, strings.Join(m.Options, ","), err)
|
||||
return undoBinds, fmt.Errorf("mounting tmpfs to %q in mount namespace (%q, %q): %w", m.Destination, target, strings.Join(m.Options, ","), err)
|
||||
}
|
||||
logrus.Debugf("mounted a tmpfs to %q", target)
|
||||
case "overlay":
|
||||
// Mount a overlay.
|
||||
if err := mount.Mount(m.Source, target, m.Type, strings.Join(append(m.Options, "private"), ",")); err != nil {
|
||||
return undoBinds, fmt.Errorf("error mounting overlay to %q in mount namespace (%q, %q): %w", m.Destination, target, strings.Join(m.Options, ","), err)
|
||||
return undoBinds, fmt.Errorf("mounting overlay to %q in mount namespace (%q, %q): %w", m.Destination, target, strings.Join(m.Options, ","), err)
|
||||
}
|
||||
logrus.Debugf("mounted a overlay to %q", target)
|
||||
}
|
||||
if err = unix.Statfs(target, &fs); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q was bound read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q was bound read-only: %w", target, err)
|
||||
}
|
||||
if uintptr(fs.Flags)&expectedFlags != expectedFlags {
|
||||
if err := unix.Mount(target, target, "bind", requestFlags|unix.MS_REMOUNT, ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error remounting %q in mount namespace with expected flags: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("remounting %q in mount namespace with expected flags: %w", target, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -494,7 +494,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
// No target, no problem.
|
||||
continue
|
||||
}
|
||||
return undoBinds, fmt.Errorf("error checking %q for symlinks before marking it read-only: %w", r, err)
|
||||
return undoBinds, fmt.Errorf("checking %q for symlinks before marking it read-only: %w", r, err)
|
||||
}
|
||||
// Check if the location is already read-only.
|
||||
var fs unix.Statfs_t
|
||||
@@ -503,7 +503,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
// No target, no problem.
|
||||
continue
|
||||
}
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q is already read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q is already read-only: %w", target, err)
|
||||
}
|
||||
if fs.Flags&unix.ST_RDONLY != 0 {
|
||||
continue
|
||||
@@ -515,23 +515,23 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
// No target, no problem.
|
||||
continue
|
||||
}
|
||||
return undoBinds, fmt.Errorf("error bind mounting %q onto itself in preparation for making it read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("bind mounting %q onto itself in preparation for making it read-only: %w", target, err)
|
||||
}
|
||||
// Remount the location read-only.
|
||||
if err = unix.Statfs(target, &fs); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q was bound read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q was bound read-only: %w", target, err)
|
||||
}
|
||||
if fs.Flags&unix.ST_RDONLY == 0 {
|
||||
if err := unix.Mount(target, target, "", roFlags|unix.MS_BIND|unix.MS_REMOUNT, ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error remounting %q in mount namespace read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("remounting %q in mount namespace read-only: %w", target, err)
|
||||
}
|
||||
}
|
||||
// Check again.
|
||||
if err = unix.Statfs(target, &fs); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q was remounted read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q was remounted read-only: %w", target, err)
|
||||
}
|
||||
if fs.Flags&unix.ST_RDONLY == 0 {
|
||||
return undoBinds, fmt.Errorf("error verifying that %q in mount namespace was remounted read-only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("verifying that %q in mount namespace was remounted read-only: %w", target, err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -539,7 +539,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
roEmptyDir := filepath.Join(bundlePath, "empty")
|
||||
if len(spec.Linux.MaskedPaths) > 0 {
|
||||
if err := os.Mkdir(roEmptyDir, 0700); err != nil {
|
||||
return undoBinds, fmt.Errorf("error creating empty directory %q: %w", roEmptyDir, err)
|
||||
return undoBinds, fmt.Errorf("creating empty directory %q: %w", roEmptyDir, err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -560,19 +560,19 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
// No target, no problem.
|
||||
continue
|
||||
}
|
||||
return undoBinds, fmt.Errorf("error examining %q for masking in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("examining %q for masking in mount namespace: %w", target, err)
|
||||
}
|
||||
if targetinfo.IsDir() {
|
||||
// The target's a directory. Check if it's a read-only filesystem.
|
||||
var statfs unix.Statfs_t
|
||||
if err = unix.Statfs(target, &statfs); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q is a mountpoint: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q is a mountpoint: %w", target, err)
|
||||
}
|
||||
isReadOnly := statfs.Flags&unix.MS_RDONLY != 0
|
||||
// Check if any of the IDs we're mapping could read it.
|
||||
var stat unix.Stat_t
|
||||
if err = unix.Stat(target, &stat); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking permissions on directory %q: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking permissions on directory %q: %w", target, err)
|
||||
}
|
||||
isAccessible := false
|
||||
if stat.Mode&unix.S_IROTH|unix.S_IXOTH != 0 {
|
||||
@@ -603,13 +603,13 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
directory, err := os.Open(target)
|
||||
if err != nil {
|
||||
if !os.IsPermission(err) {
|
||||
return undoBinds, fmt.Errorf("error opening directory %q: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("opening directory %q: %w", target, err)
|
||||
}
|
||||
} else {
|
||||
names, err := directory.Readdirnames(0)
|
||||
directory.Close()
|
||||
if err != nil {
|
||||
return undoBinds, fmt.Errorf("error reading contents of directory %q: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("reading contents of directory %q: %w", target, err)
|
||||
}
|
||||
hasContent = false
|
||||
for _, name := range names {
|
||||
@@ -628,14 +628,14 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
roFlags := uintptr(syscall.MS_BIND | syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_RDONLY)
|
||||
if !isReadOnly || (hasContent && isAccessible) {
|
||||
if err = unix.Mount(roEmptyDir, target, "bind", roFlags, ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error masking directory %q in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("masking directory %q in mount namespace: %w", target, err)
|
||||
}
|
||||
if err = unix.Statfs(target, &fs); err != nil {
|
||||
return undoBinds, fmt.Errorf("error checking if directory %q was mounted read-only in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("checking if directory %q was mounted read-only in mount namespace: %w", target, err)
|
||||
}
|
||||
if fs.Flags&unix.ST_RDONLY == 0 {
|
||||
if err = unix.Mount(target, target, "", roFlags|syscall.MS_REMOUNT, ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error making sure directory %q in mount namespace is read only: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("making sure directory %q in mount namespace is read only: %w", target, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -643,7 +643,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
|
||||
// If the target's is not a directory or os.DevNull, bind mount os.DevNull over it.
|
||||
if !isDevNull(targetinfo) {
|
||||
if err = unix.Mount(os.DevNull, target, "", uintptr(syscall.MS_BIND|syscall.MS_RDONLY|syscall.MS_PRIVATE), ""); err != nil {
|
||||
return undoBinds, fmt.Errorf("error masking non-directory %q in mount namespace: %w", target, err)
|
||||
return undoBinds, fmt.Errorf("masking non-directory %q in mount namespace: %w", target, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||