diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 77fca1d4b082..5764278b8167 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,6 +13,7 @@ on: pull_request: branches: - 'master' + - 'v*' env: REPO_SLUG_ORIGIN: "moby/buildkit:v0.9.0-rc1" diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index e7c2d2de9794..ba5d757b7fb2 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -11,6 +11,7 @@ on: pull_request: branches: - 'master' + - 'v*' env: REPO_SLUG_ORIGIN: "moby/buildkit:latest" diff --git a/go.mod b/go.mod index d8803f4c31d8..1100eb6c3b49 100644 --- a/go.mod +++ b/go.mod @@ -74,7 +74,7 @@ require ( google.golang.org/grpc v1.38.0 ) -replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20210609100121-ef4d47340142+incompatible +replace github.com/docker/docker => github.com/tonistiigi/docker v0.10.1-0.20210928031959-5fec36db36f9 replace go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => github.com/tonistiigi/opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.0.0-20210714055410-d010b05b4939 diff --git a/go.sum b/go.sum index 9d5345b641f5..1b5165f204ba 100644 --- a/go.sum +++ b/go.sum 
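Review bot: The new `replace github.com/docker/docker => github.com/tonistiigi/docker v0.10.1-0.20210928031959-5fec36db36f9` redirects the entire docker/docker module to an individual's fork, pinned only by a pseudo-version, and the hunk gives no indication of why the fork is needed or when it can be dropped. go.sum does pin the exact content, but the module now tracks a personal account rather than the moby organization, so a reviewer cannot tell from go.mod alone which upstream change is being carried (the vendored seccomp profile rework in this same diff is the likely reason, but that is inferred). Add a comment above the directive, e.g. `// temporary fork carrying the seccomp profile changes; revert to github.com/docker/docker once the upstream PR is merged` with the upstream PR reference, so the replace is not forgotten. It would also be worth confirming the forked commit matches the upstream PR content before merging, since a replace to a fork is the point where a supply-chain review would otherwise lose the thread.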
@@ -381,8 +381,6 @@ github.com/docker/distribution v2.6.0-rc.1.0.20180327202408-83389a148052+incompa github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.3-0.20210609100121-ef4d47340142+incompatible h1:CKSQs5KedtaAdusBPAJQS7cN1PibFX4RuThbwHgJrJE= -github.com/docker/docker v20.10.3-0.20210609100121-ef4d47340142+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= 
@@ -1068,6 +1066,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tommy-muehle/go-mnd v1.1.1/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig= github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig= +github.com/tonistiigi/docker v0.10.1-0.20210928031959-5fec36db36f9 h1:neMDMp2okzCLnzjJK1isTgCWc0GdNgqjyazmf/cKT7g= +github.com/tonistiigi/docker v0.10.1-0.20210928031959-5fec36db36f9/go.mod h1:v9W/4hjeg+54O4ffkt1Dnh7nOIE9uHi9F0W9clN3nTQ= github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85/go.mod h1:a7cilN64dG941IOXfhJhlH0qB92hxJ9A1ewrdUmJ6xo= github.com/tonistiigi/fsutil v0.0.0-20210609172227-d72af97c0eaf h1:L0ixhsTk9j+dVnIvF6aiVCxPiaFvwTOyJxqimPq44p8= github.com/tonistiigi/fsutil v0.0.0-20210609172227-d72af97c0eaf/go.mod h1:lJAxK//iyZ3yGbQswdrPTxugZIDM7sd4bEsD0x3XMHk= diff --git a/vendor/github.com/docker/docker/profiles/seccomp/default.json b/vendor/github.com/docker/docker/profiles/seccomp/default.json index 786e5658ffd3..bd06fa45b163 100644 --- a/vendor/github.com/docker/docker/profiles/seccomp/default.json +++ b/vendor/github.com/docker/docker/profiles/seccomp/default.json @@ -393,11 +393,7 @@ "write", "writev" ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": {}, - "excludes": {} + "action": "SCMP_ACT_ALLOW" }, { "names": [ @@ -406,12 +402,9 @@ "ptrace" ], "action": "SCMP_ACT_ALLOW", - "args": null, - "comment": "", "includes": { "minKernel": "4.8" - }, - "excludes": {} + } }, { "names": [ @@ -424,10 +417,7 @@ "value": 0, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -440,10 +430,7 @@ "value": 8, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ 
@@ -456,10 +443,7 @@ "value": 131072, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -472,10 +456,7 @@ "value": 131080, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ @@ -488,24 +469,18 @@ "value": 4294967295, "op": "SCMP_CMP_EQ" } - ], - "comment": "", - "includes": {}, - "excludes": {} + ] }, { "names": [ "sync_file_range2" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "arches": [ "ppc64le" ] - }, - "excludes": {} + } }, { "names": [ @@ -517,46 +492,37 @@ "set_tls" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "arches": [ "arm", "arm64" ] - }, - "excludes": {} + } }, { "names": [ "arch_prctl" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "arches": [ "amd64", "x32" ] - }, - "excludes": {} + } }, { "names": [ "modify_ldt" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "arches": [ "amd64", "x32", "x86" ] - }, - "excludes": {} + } }, { "names": [ @@ -565,34 +531,29 @@ "s390_runtime_instr" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "arches": [ "s390", "s390x" ] - }, - "excludes": {} + } }, { "names": [ "open_by_handle_at" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_DAC_READ_SEARCH" ] - }, - "excludes": {} + } }, { "names": [ "bpf", "clone", + "clone3", "fanotify_init", "fsconfig", "fsmount", @@ -614,14 +575,11 @@ "unshare" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_ADMIN" ] - }, - "excludes": {} + } }, { "names": [ @@ -635,8 +593,6 @@ "op": "SCMP_CMP_MASKED_EQ" } ], - "comment": "", - "includes": {}, "excludes": { "caps": [ "CAP_SYS_ADMIN" 
@@ -672,33 +628,39 @@ ] } }, + { + "names": [ + "clone3" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 38, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, { "names": [ "reboot" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_BOOT" ] - }, - "excludes": {} + } }, { "names": [ "chroot" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_CHROOT" ] - }, - "excludes": {} + } }, { "names": [ @@ -707,28 +669,22 @@ "finit_module" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_MODULE" ] - }, - "excludes": {} + } }, { "names": [ "acct" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_PACCT" ] - }, - "excludes": {} + } }, { "names": [ @@ -740,14 +696,11 @@ "ptrace" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_PTRACE" ] - }, - "excludes": {} + } }, { "names": [ @@ -755,14 +708,11 @@ "ioperm" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_RAWIO" ] - }, - "excludes": {} + } }, { "names": [ @@ -771,28 +721,22 @@ "clock_settime" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_TIME" ] - }, - "excludes": {} + } }, { "names": [ "vhangup" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_TTY_CONFIG" ] - }, - "excludes": {} + } }, { "names": [ @@ -801,28 +745,22 @@ "set_mempolicy" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYS_NICE" ] - }, - "excludes": {} + } }, { "names": [ "syslog" ], "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", "includes": { "caps": [ "CAP_SYSLOG" ] - }, - "excludes": {} + } } ] } \ No newline at end of file 
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go b/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go index 32778e51164e..4c6c6120c896 100644 --- a/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go +++ b/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go 
@@ -42,664 +42,712 @@ func arches() []Architecture { // DefaultProfile defines the allowed syscalls for the default seccomp profile. func DefaultProfile() *Seccomp { + nosys := uint(unix.ENOSYS) syscalls := []*Syscall{ { - Names: []string{ - "accept", - "accept4", - "access", - "adjtimex", - "alarm", - "bind", - "brk", - "capget", - "capset", - "chdir", - "chmod", - "chown", - "chown32", - "clock_adjtime", - "clock_adjtime64", - "clock_getres", - "clock_getres_time64", - "clock_gettime", - "clock_gettime64", - "clock_nanosleep", - "clock_nanosleep_time64", - "close", - "close_range", - "connect", - "copy_file_range", - "creat", - "dup", - "dup2", - "dup3", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_pwait2", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "execve", - "execveat", - "exit", - "exit_group", - "faccessat", - "faccessat2", - "fadvise64", - "fadvise64_64", - "fallocate", - "fanotify_mark", - "fchdir", - "fchmod", - "fchmodat", - "fchown", - "fchown32", - "fchownat", - "fcntl", - "fcntl64", - "fdatasync", - "fgetxattr", - "flistxattr", - "flock", - "fork", - "fremovexattr", - "fsetxattr", - "fstat", - "fstat64", - "fstatat64", - "fstatfs", - "fstatfs64", - "fsync", - "ftruncate", - "ftruncate64", - "futex", - "futex_time64", - "futimesat", - "getcpu", - "getcwd", - "getdents", - "getdents64", - "getegid", - "getegid32", - "geteuid", - "geteuid32", - "getgid", - "getgid32", - "getgroups", - "getgroups32", - "getitimer", - "getpeername", - "getpgid", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresgid", - "getresgid32", - "getresuid", - "getresuid32", - "getrlimit", - "get_robust_list", - "getrusage", - "getsid", - "getsockname", - "getsockopt", - "get_thread_area", - "gettid", - "gettimeofday", - "getuid", - "getuid32", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "io_cancel", - "ioctl", - "io_destroy", - 
"io_getevents", - "io_pgetevents", - "io_pgetevents_time64", - "ioprio_get", - "ioprio_set", - "io_setup", - "io_submit", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", - "ipc", - "kill", - "lchown", - "lchown32", - "lgetxattr", - "link", - "linkat", - "listen", - "listxattr", - "llistxattr", - "_llseek", - "lremovexattr", - "lseek", - "lsetxattr", - "lstat", - "lstat64", - "madvise", - "membarrier", - "memfd_create", - "mincore", - "mkdir", - "mkdirat", - "mknod", - "mknodat", - "mlock", - "mlock2", - "mlockall", - "mmap", - "mmap2", - "mprotect", - "mq_getsetattr", - "mq_notify", - "mq_open", - "mq_timedreceive", - "mq_timedreceive_time64", - "mq_timedsend", - "mq_timedsend_time64", - "mq_unlink", - "mremap", - "msgctl", - "msgget", - "msgrcv", - "msgsnd", - "msync", - "munlock", - "munlockall", - "munmap", - "nanosleep", - "newfstatat", - "_newselect", - "open", - "openat", - "openat2", - "pause", - "pidfd_open", - "pidfd_send_signal", - "pipe", - "pipe2", - "poll", - "ppoll", - "ppoll_time64", - "prctl", - "pread64", - "preadv", - "preadv2", - "prlimit64", - "pselect6", - "pselect6_time64", - "pwrite64", - "pwritev", - "pwritev2", - "read", - "readahead", - "readlink", - "readlinkat", - "readv", - "recv", - "recvfrom", - "recvmmsg", - "recvmmsg_time64", - "recvmsg", - "remap_file_pages", - "removexattr", - "rename", - "renameat", - "renameat2", - "restart_syscall", - "rmdir", - "rseq", - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigqueueinfo", - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_sigtimedwait_time64", - "rt_tgsigqueueinfo", - "sched_getaffinity", - "sched_getattr", - "sched_getparam", - "sched_get_priority_max", - "sched_get_priority_min", - "sched_getscheduler", - "sched_rr_get_interval", - "sched_rr_get_interval_time64", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", - "sched_setscheduler", - "sched_yield", - "seccomp", - "select", - "semctl", - "semget", - "semop", - "semtimedop", - 
"semtimedop_time64", - "send", - "sendfile", - "sendfile64", - "sendmmsg", - "sendmsg", - "sendto", - "setfsgid", - "setfsgid32", - "setfsuid", - "setfsuid32", - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setitimer", - "setpgid", - "setpriority", - "setregid", - "setregid32", - "setresgid", - "setresgid32", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", - "setrlimit", - "set_robust_list", - "setsid", - "setsockopt", - "set_thread_area", - "set_tid_address", - "setuid", - "setuid32", - "setxattr", - "shmat", - "shmctl", - "shmdt", - "shmget", - "shutdown", - "sigaltstack", - "signalfd", - "signalfd4", - "sigprocmask", - "sigreturn", - "socket", - "socketcall", - "socketpair", - "splice", - "stat", - "stat64", - "statfs", - "statfs64", - "statx", - "symlink", - "symlinkat", - "sync", - "sync_file_range", - "syncfs", - "sysinfo", - "tee", - "tgkill", - "time", - "timer_create", - "timer_delete", - "timer_getoverrun", - "timer_gettime", - "timer_gettime64", - "timer_settime", - "timer_settime64", - "timerfd_create", - "timerfd_gettime", - "timerfd_gettime64", - "timerfd_settime", - "timerfd_settime64", - "times", - "tkill", - "truncate", - "truncate64", - "ugetrlimit", - "umask", - "uname", - "unlink", - "unlinkat", - "utime", - "utimensat", - "utimensat_time64", - "utimes", - "vfork", - "vmsplice", - "wait4", - "waitid", - "waitpid", - "write", - "writev", - }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - }, - { - Names: []string{ - "process_vm_readv", - "process_vm_writev", - "ptrace", - }, - Action: specs.ActAllow, - Includes: Filter{ + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_adjtime", + "clock_adjtime64", + "clock_getres", + "clock_getres_time64", + "clock_gettime", + "clock_gettime64", + "clock_nanosleep", + "clock_nanosleep_time64", + "close", 
+ "close_range", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_pwait2", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "faccessat2", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futex_time64", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "io_pgetevents", + "io_pgetevents_time64", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "membarrier", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + 
"mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedreceive_time64", + "mq_timedsend", + "mq_timedsend_time64", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "openat2", + "pause", + "pidfd_open", + "pidfd_send_signal", + "pipe", + "pipe2", + "poll", + "ppoll", + "ppoll_time64", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pselect6_time64", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rseq", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + 
"shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_gettime64", + "timer_settime", + "timer_settime64", + "timerfd_create", + "timerfd_gettime", + "timerfd_gettime64", + "timerfd_settime", + "timerfd_settime64", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev", + }, + Action: specs.ActAllow, + }, + }, + { + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: specs.ActAllow, + }, + Includes: &Filter{ MinKernel: &KernelVersion{4, 8}, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x0, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x0, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x0008, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x0008, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x20000, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: 
[]string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x20000, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0x20008, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0x20008, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{"personality"}, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: 0xffffffff, - Op: specs.OpEqualTo, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{"personality"}, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: 0xffffffff, + Op: specs.OpEqualTo, + }, }, }, }, { - Names: []string{ - "sync_file_range2", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "sync_file_range2", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Arches: []string{"ppc64le"}, }, }, { - Names: []string{ - "arm_fadvise64_64", - "arm_sync_file_range", - "sync_file_range2", - "breakpoint", - "cacheflush", - "set_tls", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Arches: []string{"arm", "arm64"}, }, }, { - Names: []string{ - "arch_prctl", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "arch_prctl", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Arches: []string{"amd64", "x32"}, }, }, { - Names: []string{ - "modify_ldt", + LinuxSyscall: specs.LinuxSyscall{ + 
Names: []string{ + "modify_ldt", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Arches: []string{"amd64", "x32", "x86"}, }, }, { - Names: []string{ - "s390_pci_mmio_read", - "s390_pci_mmio_write", - "s390_runtime_instr", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Arches: []string{"s390", "s390x"}, }, }, { - Names: []string{ - "open_by_handle_at", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "open_by_handle_at", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_DAC_READ_SEARCH"}, }, }, { - Names: []string{ - "bpf", - "clone", - "fanotify_init", - "fsconfig", - "fsmount", - "fsopen", - "fspick", - "lookup_dcookie", - "mount", - "move_mount", - "name_to_handle_at", - "open_tree", - "perf_event_open", - "quotactl", - "setdomainname", - "sethostname", - "setns", - "syslog", - "umount", - "umount2", - "unshare", - }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "bpf", + "clone", + "clone3", + "fanotify_init", + "fsconfig", + "fsmount", + "fsopen", + "fspick", + "lookup_dcookie", + "mount", + "move_mount", + "name_to_handle_at", + "open_tree", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2", + "unshare", + }, + Action: specs.ActAllow, + }, + Includes: &Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, }, { - Names: []string{ - "clone", - }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 0, - Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | 
unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, - ValueTwo: 0, - Op: specs.OpMaskedEqual, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "clone", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 0, + Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, }, }, - Excludes: Filter{ + Excludes: &Filter{ Caps: []string{"CAP_SYS_ADMIN"}, Arches: []string{"s390", "s390x"}, }, }, { - Names: []string{ - "clone", - }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{ - { - Index: 1, - Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, - ValueTwo: 0, - Op: specs.OpMaskedEqual, + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "clone", + }, + Action: specs.ActAllow, + Args: []specs.LinuxSeccompArg{ + { + Index: 1, + Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, }, }, Comment: "s390 parameter ordering for clone is different", - Includes: Filter{ + Includes: &Filter{ Arches: []string{"s390", "s390x"}, }, - Excludes: Filter{ + Excludes: &Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, }, { - Names: []string{ - "reboot", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "clone3", + }, + Action: specs.ActErrno, + ErrnoRet: &nosys, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Excludes: &Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + }, + }, + { + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "reboot", + }, + Action: specs.ActAllow, + }, + Includes: &Filter{ Caps: []string{"CAP_SYS_BOOT"}, }, }, { - Names: []string{ - "chroot", + LinuxSyscall: 
specs.LinuxSyscall{ + Names: []string{ + "chroot", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_CHROOT"}, }, }, { - Names: []string{ - "delete_module", - "init_module", - "finit_module", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "delete_module", + "init_module", + "finit_module", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_MODULE"}, }, }, { - Names: []string{ - "acct", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "acct", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_PACCT"}, }, }, { - Names: []string{ - "kcmp", - "pidfd_getfd", - "process_madvise", - "process_vm_readv", - "process_vm_writev", - "ptrace", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "kcmp", + "pidfd_getfd", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_PTRACE"}, }, }, { - Names: []string{ - "iopl", - "ioperm", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "iopl", + "ioperm", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_RAWIO"}, }, }, { - Names: []string{ - "settimeofday", - "stime", - "clock_settime", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "settimeofday", + "stime", + "clock_settime", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_TIME"}, }, }, { - Names: []string{ - 
"vhangup", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "vhangup", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_TTY_CONFIG"}, }, }, { - Names: []string{ - "get_mempolicy", - "mbind", - "set_mempolicy", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "get_mempolicy", + "mbind", + "set_mempolicy", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYS_NICE"}, }, }, { - Names: []string{ - "syslog", + LinuxSyscall: specs.LinuxSyscall{ + Names: []string{ + "syslog", + }, + Action: specs.ActAllow, }, - Action: specs.ActAllow, - Args: []*specs.LinuxSeccompArg{}, - Includes: Filter{ + Includes: &Filter{ Caps: []string{"CAP_SYSLOG"}, }, }, diff --git a/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go b/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go index d2a21cddc4b2..94a37367d08f 100644 --- a/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go +++ b/vendor/github.com/docker/docker/profiles/seccomp/seccomp.go 
@@ -40,15 +40,18 @@ type Filter struct { MinKernel *KernelVersion `json:"minKernel,omitempty"` } -// Syscall is used to match a group of syscalls in Seccomp +// Syscall is used to match a group of syscalls in Seccomp. It extends the +// runtime-spec Syscall type, adding a "Name" field for backward compatibility +// with older JSON representations, additional "Comment" metadata, and conditional +// rules ("Includes", "Excludes") used to generate a runtime-spec Seccomp profile +// based on the container (capabilities) and host's (arch, kernel) configuration. type Syscall struct { - Name string `json:"name,omitempty"` - Names []string `json:"names,omitempty"` - Action specs.LinuxSeccompAction `json:"action"` - Args []*specs.LinuxSeccompArg `json:"args"` - Comment string `json:"comment"` - Includes Filter `json:"includes"` - Excludes Filter `json:"excludes"` + specs.LinuxSyscall + // Deprecated: kept for backward compatibility with old JSON profiles, use Names instead + Name string `json:"name,omitempty"` + Comment string `json:"comment,omitempty"` + Includes *Filter `json:"includes,omitempty"` + Excludes *Filter `json:"excludes,omitempty"` } // KernelVersion holds information about the kernel. diff --git a/vendor/github.com/docker/docker/profiles/seccomp/seccomp_linux.go b/vendor/github.com/docker/docker/profiles/seccomp/seccomp_linux.go index 566f173acd3a..222fec69368a 100644 --- a/vendor/github.com/docker/docker/profiles/seccomp/seccomp_linux.go +++ b/vendor/github.com/docker/docker/profiles/seccomp/seccomp_linux.go 
@@ -111,68 +111,58 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) Loop: // Loop through all syscall blocks and convert them to libcontainer format after filtering them for _, call := range config.Syscalls { - if len(call.Excludes.Arches) > 0 { - if inSlice(call.Excludes.Arches, arch) { - continue Loop - } - } - if len(call.Excludes.Caps) > 0 { - for _, c := range call.Excludes.Caps { - if inSlice(rs.Process.Capabilities.Bounding, c) { + if call.Excludes != nil { + if len(call.Excludes.Arches) > 0 { + if inSlice(call.Excludes.Arches, arch) { continue Loop } } - } - if call.Excludes.MinKernel != nil { - if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil { - return nil, err - } else if ok { - continue Loop + if len(call.Excludes.Caps) > 0 { + for _, c := range call.Excludes.Caps { + if inSlice(rs.Process.Capabilities.Bounding, c) { + continue Loop + } + } } - } - if len(call.Includes.Arches) > 0 { - if !inSlice(call.Includes.Arches, arch) { - continue Loop + if call.Excludes.MinKernel != nil { + if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil { + return nil, err + } else if ok { + continue Loop + } } } - if len(call.Includes.Caps) > 0 { - for _, c := range call.Includes.Caps { - if !inSlice(rs.Process.Capabilities.Bounding, c) { + if call.Includes != nil { + if len(call.Includes.Arches) > 0 { + if !inSlice(call.Includes.Arches, arch) { continue Loop } } - } - if call.Includes.MinKernel != nil { - if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil { - return nil, err - } else if !ok { - continue Loop + if len(call.Includes.Caps) > 0 { + for _, c := range call.Includes.Caps { + if !inSlice(rs.Process.Capabilities.Bounding, c) { + continue Loop + } + } + } + if call.Includes.MinKernel != nil { + if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil { + return nil, err + } else if !ok { + continue Loop + } } - } - - if call.Name != "" && 
len(call.Names) != 0 { - return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") } if call.Name != "" { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args)) - } else { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args)) + if len(call.Names) != 0 { + return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") + } + call.Names = append(call.Names, call.Name) } - } - return newConfig, nil -} - -func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall { - newCall := specs.LinuxSyscall{ - Names: names, - Action: action, + newConfig.Syscalls = append(newConfig.Syscalls, call.LinuxSyscall) } - // Loop through all the arguments of the syscall and convert them - for _, arg := range args { - newCall.Args = append(newCall.Args, *arg) - } - return newCall + return newConfig, nil } diff --git a/vendor/modules.txt b/vendor/modules.txt index f8d96cab4034..105e21a32573 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -184,7 +184,7 @@ github.com/docker/cli/cli/connhelper/commandconn github.com/docker/distribution/digestset github.com/docker/distribution/reference github.com/docker/distribution/registry/api/errcode -# github.com/docker/docker v20.10.7+incompatible => github.com/docker/docker v20.10.3-0.20210609100121-ef4d47340142+incompatible +# github.com/docker/docker v20.10.7+incompatible => github.com/tonistiigi/docker v0.10.1-0.20210928031959-5fec36db36f9 github.com/docker/docker/api github.com/docker/docker/api/types github.com/docker/docker/api/types/blkiodev