opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-01 18:49:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

build(deps): bump github.com/container-orchestrated-devices/container-device-interface

Browse Source 
Bumps [github.com/container-orchestrated-devices/container-device-interface](https://github.com/container-orchestrated-devices/container-device-interface) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/container-orchestrated-devices/container-device-interface/releases)
- [Commits](https://github.com/container-orchestrated-devices/container-device-interface/compare/v0.5.3...v0.5.4)

---
updated-dependencies:
- dependency-name: github.com/container-orchestrated-devices/container-device-interface
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

[NO NEW TESTS NEEDED]

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This commit is contained in:
dependabot[bot]
2023-02-06 20:09:41 +00:00
committed by Valentin Rothberg
parent a9ec6492e8
commit e9942c61dd
68 changed files with 364 additions and 8752 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
vendor/github.com/opencontainers/runtime-tools/generate/generate.go generated vendored
View File

@@ -10,7 +10,7 @@ import (
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate/seccomp"
"github.com/opencontainers/runtime-tools/validate"
capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
"github.com/syndtr/gocapability/capability"
)
@@ -264,10 +264,6 @@ func New(os string) (generator Generator, err error) {
// NewFromSpec creates a configuration Generator from a given
// configuration.
//
// Deprecated: Replace with:
//
// generator := Generator{Config: config}
func NewFromSpec(config *rspec.Spec) Generator {
envCache := map[string]int{}
if config != nil && config.Process != nil {
@@ -1140,7 +1136,7 @@ func (g *Generator) SetupPrivileged(privileged bool) {
if privileged { // Add all capabilities in privileged mode.
var finalCapList []string
for _, cap := range capability.List() {
if g.HostSpecific && cap > validate.LastCap() {
if g.HostSpecific && cap > capsCheck.LastCap() {
continue
}
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
@@ -1174,7 +1170,7 @@ func (g *Generator) ClearProcessCapabilities() {
// AddProcessCapability adds a process capability into all 5 capability sets.
func (g *Generator) AddProcessCapability(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
return err
}
@@ -1237,7 +1233,7 @@ func (g *Generator) AddProcessCapability(c string) error {
// AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.
func (g *Generator) AddProcessCapabilityAmbient(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
return err
}
@@ -1261,7 +1257,7 @@ func (g *Generator) AddProcessCapabilityAmbient(c string) error {
// AddProcessCapabilityBounding adds a process capability into g.Config.Process.Capabilities.Bounding.
func (g *Generator) AddProcessCapabilityBounding(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
return err
}
@@ -1284,7 +1280,7 @@ func (g *Generator) AddProcessCapabilityBounding(c string) error {
// AddProcessCapabilityEffective adds a process capability into g.Config.Process.Capabilities.Effective.
func (g *Generator) AddProcessCapabilityEffective(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
return err
}
@@ -1307,7 +1303,7 @@ func (g *Generator) AddProcessCapabilityEffective(c string) error {
// AddProcessCapabilityInheritable adds a process capability into g.Config.Process.Capabilities.Inheritable.
func (g *Generator) AddProcessCapabilityInheritable(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
return err
}
@@ -1330,7 +1326,7 @@ func (g *Generator) AddProcessCapabilityInheritable(c string) error {
// AddProcessCapabilityPermitted adds a process capability into g.Config.Process.Capabilities.Permitted.
func (g *Generator) AddProcessCapabilityPermitted(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
return err
}
@@ -1383,7 +1379,7 @@ func (g *Generator) DropProcessCapability(c string) error {
}
}
return validate.CapValid(cp, false)
return capsCheck.CapValid(cp, false)
}
// DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.
@@ -1399,7 +1395,7 @@ func (g *Generator) DropProcessCapabilityAmbient(c string) error {
}
}
return validate.CapValid(cp, false)
return capsCheck.CapValid(cp, false)
}
// DropProcessCapabilityBounding drops a process capability from g.Config.Process.Capabilities.Bounding.
@@ -1415,7 +1411,7 @@ func (g *Generator) DropProcessCapabilityBounding(c string) error {
}
}
return validate.CapValid(cp, false)
return capsCheck.CapValid(cp, false)
}
// DropProcessCapabilityEffective drops a process capability from g.Config.Process.Capabilities.Effective.
@@ -1431,7 +1427,7 @@ func (g *Generator) DropProcessCapabilityEffective(c string) error {
}
}
return validate.CapValid(cp, false)
return capsCheck.CapValid(cp, false)
}
// DropProcessCapabilityInheritable drops a process capability from g.Config.Process.Capabilities.Inheritable.
@@ -1447,7 +1443,7 @@ func (g *Generator) DropProcessCapabilityInheritable(c string) error {
}
}
return validate.CapValid(cp, false)
return capsCheck.CapValid(cp, false)
}
// DropProcessCapabilityPermitted drops a process capability from g.Config.Process.Capabilities.Permitted.
@@ -1463,7 +1459,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {
}
}
return validate.CapValid(cp, false)
return capsCheck.CapValid(cp, false)
}
func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) {

17
vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go generated vendored
View File

@@ -151,6 +151,9 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
"io_submit",
"ipc",
"kill",
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
"lchown",
"lchown32",
"lgetxattr",
@@ -354,11 +357,23 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
Value: 0x0,
Op: rspec.OpEqualTo,
},
},
},
{
Names: []string{"personality"},
Action: rspec.ActAllow,
Args: []rspec.LinuxSeccompArg{
{
Index: 0,
Value: 0x0008,
Op: rspec.OpEqualTo,
},
},
},
{
Names: []string{"personality"},
Action: rspec.ActAllow,
Args: []rspec.LinuxSeccompArg{
{
Index: 0,
Value: 0xffffffff,
@@ -513,7 +528,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
Args: []rspec.LinuxSeccompArg{
{
Index: sysCloneFlagsIndex,
Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet | CloneNewCgroup,
ValueTwo: 0,
Op: rspec.OpMaskedEqual,
},

15
vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go generated vendored
View File

@@ -3,14 +3,15 @@
package seccomp
import "syscall"
import "golang.org/x/sys/unix"
// System values passed through on linux
const (
CloneNewIPC = syscall.CLONE_NEWIPC
CloneNewNet = syscall.CLONE_NEWNET
CloneNewNS = syscall.CLONE_NEWNS
CloneNewPID = syscall.CLONE_NEWPID
CloneNewUser = syscall.CLONE_NEWUSER
CloneNewUTS = syscall.CLONE_NEWUTS
CloneNewIPC = unix.CLONE_NEWIPC
CloneNewNet = unix.CLONE_NEWNET
CloneNewNS = unix.CLONE_NEWNS
CloneNewPID = unix.CLONE_NEWPID
CloneNewUser = unix.CLONE_NEWUSER
CloneNewUTS = unix.CLONE_NEWUTS
CloneNewCgroup = unix.CLONE_NEWCGROUP
)