opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-09 23:27:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

vendor: update c/{buildah,common,image,storage} to main

Browse Source 
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
2025-05-28 14:53:37 +02:00
parent e98e128012
commit b551939be6
123 changed files with 2454 additions and 1568 deletions
Download Patch File Download Diff File Expand all files Collapse all files

242
vendor/github.com/seccomp/libseccomp-golang/seccomp.go generated vendored
View File

@@ -17,8 +17,28 @@ import (
"unsafe"
)
// #include <stdlib.h>
// #include <seccomp.h>
/*
#include <errno.h>
#include <stdlib.h>
#include <seccomp.h>
// The following functions were added in libseccomp v2.6.0.
#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 6
int seccomp_precompute(scmp_filter_ctx ctx) {
return -EOPNOTSUPP;
}
int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf, size_t *len) {
return -EOPNOTSUPP;
}
int seccomp_transaction_start(const scmp_filter_ctx ctx) {
return -EOPNOTSUPP;
}
int seccomp_transaction_commit(const scmp_filter_ctx ctx) {
return -EOPNOTSUPP;
}
void seccomp_transaction_reject(const scmp_filter_ctx ctx) {}
#endif
*/
import "C"
// Exported types
@@ -33,8 +53,9 @@ type VersionError struct {
func init() {
// This forces the cgo libseccomp to initialize its internal API support state,
// which is necessary on older versions of libseccomp in order to work
// which is necessary on older versions of libseccomp (< 2.5.0) in order to work
// correctly.
// TODO: remove once libseccomp < v2.5.0 is not supported.
_, _ = getAPI()
}
@@ -78,49 +99,44 @@ type ScmpSyscall int32
type ScmpFd int32
// ScmpNotifData describes the system call context that triggered a notification.
//
// Syscall: the syscall number
// Arch: the filter architecture
// InstrPointer: address of the instruction that triggered a notification
// Args: arguments (up to 6) for the syscall
//
type ScmpNotifData struct {
Syscall ScmpSyscall `json:"syscall,omitempty"`
Arch ScmpArch `json:"arch,omitempty"`
InstrPointer uint64 `json:"instr_pointer,omitempty"`
Args []uint64 `json:"args,omitempty"`
// Syscall is the syscall number.
Syscall ScmpSyscall `json:"syscall,omitempty"`
// Arch is the filter architecture.
Arch ScmpArch `json:"arch,omitempty"`
// InstrPointer is the address of the instruction that triggered a notification.
InstrPointer uint64 `json:"instr_pointer,omitempty"`
// Args are the arguments (up to 6) for the syscall.
Args []uint64 `json:"args,omitempty"`
}
// ScmpNotifReq represents a seccomp userspace notification. See NotifReceive() for
// info on how to pull such a notification.
//
// ID: notification ID
// Pid: process that triggered the notification event
// Flags: filter flags (see seccomp(2))
// Data: system call context that triggered the notification
//
type ScmpNotifReq struct {
ID uint64 `json:"id,omitempty"`
Pid uint32 `json:"pid,omitempty"`
Flags uint32 `json:"flags,omitempty"`
Data ScmpNotifData `json:"data,omitempty"`
// ID is the notification ID.
ID uint64 `json:"id,omitempty"`
// Pid is the process that triggered the notification event.
Pid uint32 `json:"pid,omitempty"`
// Flags is filter flags (see seccomp(2)).
Flags uint32 `json:"flags,omitempty"`
// Data is system call context that triggered the notification.
Data ScmpNotifData `json:"data,omitempty"`
}
// ScmpNotifResp represents a seccomp userspace notification response. See NotifRespond()
// for info on how to push such a response.
//
// ID: notification ID (must match the corresponding ScmpNotifReq ID)
// Error: must be 0 if no error occurred, or an error constant from package
// syscall (e.g., syscall.EPERM, etc). In the latter case, it's used
// as an error return from the syscall that created the notification.
// Val: return value for the syscall that created the notification. Only
// relevant if Error is 0.
// Flags: userspace notification response flag (e.g., NotifRespFlagContinue)
//
type ScmpNotifResp struct {
ID uint64 `json:"id,omitempty"`
Error int32 `json:"error,omitempty"`
Val uint64 `json:"val,omitempty"`
// ID is the notification ID (must match the corresponding ScmpNotifReq ID).
ID uint64 `json:"id,omitempty"`
// Error must be 0 if no error occurred, or an error constant from
// package syscall (e.g., syscall.EPERM, etc). In the latter case, it
// is used as an error return from the syscall that created the
// notification.
Error int32 `json:"error,omitempty"`
// Val is a return value for the syscall that created the notification.
// Only relevant if Error is 0.
Val uint64 `json:"val,omitempty"`
// Flags is userspace notification response flag (e.g., NotifRespFlagContinue).
Flags uint32 `json:"flags,omitempty"`
}
@@ -175,6 +191,14 @@ const (
ArchPARISC64
// ArchRISCV64 represents RISCV64
ArchRISCV64
// ArchLOONGARCH64 represents 64-bit LoongArch.
ArchLOONGARCH64
// ArchM68K represents 32-bit Motorola 68000.
ArchM68K
// ArchSH represents SuperH.
ArchSH
// ArchSHEB represents Big-endian SuperH.
ArchSHEB
)
const (
@@ -306,6 +330,14 @@ func GetArchFromString(arch string) (ScmpArch, error) {
return ArchPARISC64, nil
case "riscv64":
return ArchRISCV64, nil
case "loongarch64":
return ArchLOONGARCH64, nil
case "m68k":
return ArchM68K, nil
case "sh":
return ArchSH, nil
case "sheb":
return ArchSHEB, nil
default:
return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
}
@@ -352,6 +384,14 @@ func (a ScmpArch) String() string {
return "parisc64"
case ArchRISCV64:
return "riscv64"
case ArchLOONGARCH64:
return "loong64"
case ArchM68K:
return "m68k"
case ArchSH:
return "sh"
case ArchSHEB:
return "sheb"
case ArchNative:
return "native"
case ArchInvalid:
@@ -798,6 +838,26 @@ func (f *ScmpFilter) RemoveArch(arch ScmpArch) error {
return nil
}
// Precompute precomputes the seccomp filter for later use by [Load] and
// similar functions. Not only does this improve performance of [Load],
// it also ensures that the seccomp filter can be loaded in an
// async-signal-safe manner if no changes have been made to the filter
// since it was precomputed.
func (f *ScmpFilter) Precompute() error {
f.lock.Lock()
defer f.lock.Unlock()
if !f.valid {
return errBadFilter
}
if retCode := C.seccomp_precompute(f.filterCtx); retCode != 0 {
return errRc(retCode)
}
return nil
}
// Load loads a filter context into the kernel.
// Returns an error if the filter context is invalid or the syscall failed.
func (f *ScmpFilter) Load() error {
@@ -941,6 +1001,25 @@ func (f *ScmpFilter) GetRawRC() (bool, error) {
return true, nil
}
// GetWaitKill returns the current state of WaitKill flag,
// or an error if an issue was encountered retrieving the value.
// See SetWaitKill for more details.
func (f *ScmpFilter) GetWaitKill() (bool, error) {
val, err := f.getFilterAttr(filterAttrWaitKill)
if err != nil {
if e := checkAPI("GetWaitKill", 7, 2, 6, 0); e != nil {
err = e
}
return false, err
}
if val == 0 {
return false, nil
}
return true, nil
}
// SetBadArchAction sets the default action taken on a syscall for an
// architecture not in the filter, or an error if an issue was encountered
// setting the value.
@@ -1053,6 +1132,25 @@ func (f *ScmpFilter) SetRawRC(state bool) error {
return err
}
// SetWaitKill sets whether libseccomp should request wait killable semantics
// when possible. Defaults to false.
func (f *ScmpFilter) SetWaitKill(state bool) error {
var toSet C.uint32_t = 0x0
if state {
toSet = 0x1
}
err := f.setFilterAttr(filterAttrWaitKill, toSet)
if err != nil {
if e := checkAPI("SetWaitKill", 7, 2, 6, 0); e != nil {
err = e
}
}
return err
}
// SetSyscallPriority sets a syscall's priority.
// This provides a hint to the filter generator in libseccomp about the
// importance of this syscall. High-priority syscalls are placed
@@ -1154,6 +1252,30 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error {
return nil
}
// ExportBPFMem is similar to [ExportBPF], except the data is written into
// a memory and returned as []byte.
func (f *ScmpFilter) ExportBPFMem() ([]byte, error) {
f.lock.Lock()
defer f.lock.Unlock()
if !f.valid {
return nil, errBadFilter
}
var len C.size_t
// Get the size required.
if retCode := C.seccomp_export_bpf_mem(f.filterCtx, unsafe.Pointer(nil), &len); retCode < 0 {
return nil, errRc(retCode)
}
// Get the data.
buf := make([]byte, int(len))
if retCode := C.seccomp_export_bpf_mem(f.filterCtx, unsafe.Pointer(&buf[0]), &len); retCode < 0 {
return nil, errRc(retCode)
}
return buf, nil
}
// Userspace Notification API
// GetNotifFd returns the userspace notification file descriptor associated with the given
@@ -1186,3 +1308,53 @@ func NotifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
func NotifIDValid(fd ScmpFd, id uint64) error {
return notifIDValid(fd, id)
}
// TransactionStart starts a new seccomp filter transaction that the caller can
// use to perform any number of filter modifications which can then be
// committed to the filter using [TransactionCommit] or rejected using
// [TransactionReject]. It is important to note that transactions only affect
// the seccomp filter state while it is being managed by libseccomp; seccomp
// filters which have been loaded into the kernel can not be modified, only new
// seccomp filters can be added on top of the existing loaded filter stack.
func (f *ScmpFilter) TransactionStart() error {
f.lock.Lock()
defer f.lock.Unlock()
if !f.valid {
return errBadFilter
}
if retCode := C.seccomp_transaction_start(f.filterCtx); retCode < 0 {
return errRc(retCode)
}
return nil
}
// TransactionReject rejects a transaction started by [TransactionStart].
func (f *ScmpFilter) TransactionReject() {
f.lock.Lock()
defer f.lock.Unlock()
if !f.valid {
return
}
C.seccomp_transaction_reject(f.filterCtx)
}
// TransactionCommit commits a transaction started by [TransactionStart].
func (f *ScmpFilter) TransactionCommit() error {
f.lock.Lock()
defer f.lock.Unlock()
if !f.valid {
return errBadFilter
}
if retCode := C.seccomp_transaction_commit(f.filterCtx); retCode < 0 {
return errRc(retCode)
}
return nil
}