Commit Graph

120 Commits

Author SHA1 Message Date
Kir Kolyshkin 55462355d6 Require Go 1.17, bump x/sys and x/net
1. bump golang.org/x/sys to v0.6.0;
2. bump golang.org/x/net to v0.8.0
3. require Go 1.17.

Newer x/sys is needed to fix [1].

Go 1.17 is needed because x/sys/unix is using unsafe.Slice which
requires go1.17 or later.

This reuses parts of main commit a0f8847e2a.

[1] https://github.com/opencontainers/runc/issues/3715

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-05 09:55:25 -07:00
Kir Kolyshkin e4474ef881 [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d
This is the same as commit df2bc1380e
but for release-1.1 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-20 13:25:36 -07:00
dependabot[bot] e155b3322c build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-22 04:18:26 +00:00
dependabot[bot] e9ed200031 build(deps): bump github.com/opencontainers/selinux from 1.9.1 to 1.10.0
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.9.1 to 1.10.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.9.1...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-22 04:21:12 +00:00
Sebastiaan van Stijn 02d527d26d go.mod: github.com/moby/sys/mountinfo v0.5.0
full diff: https://github.com/moby/sys/compare/mountinfo/v0.4.1...mountinfo/v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:10:46 +01:00
dependabot[bot] b2d64fed31 build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-05 04:16:40 +00:00
dependabot[bot] fc658fb611 build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-29 16:55:45 +00:00
dependabot[bot] dc473cad80 build(deps): bump github.com/cilium/ebpf from 0.6.2 to 0.7.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.6.2 to 0.7.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.6.2...v0.7.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-18 17:50:42 +00:00
dependabot[bot] 6eba68deae build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.5 to 1.9.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.5...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-07 04:21:41 +00:00
Adrian Reber 412d68d1bd Vendor in go-criu v5.1.0
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-09-20 10:01:16 +02:00
Shengjing Zhu 163e2523d7 libct/cg: replace bitset with std math/big library
Cut down third party dependency.

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2021-09-19 23:38:15 +08:00
Akihiro Suda 7e9fd9941a Merge pull request #3211 from opencontainers/dependabot/go_modules/github.com/bits-and-blooms/bitset-1.2.1
build(deps): bump github.com/bits-and-blooms/bitset from 1.2.0 to 1.2.1
2021-09-10 16:03:40 +09:00
dependabot[bot] 0865908023 build(deps): bump github.com/bits-and-blooms/bitset from 1.2.0 to 1.2.1
Bumps [github.com/bits-and-blooms/bitset](https://github.com/bits-and-blooms/bitset) from 1.2.0 to 1.2.1.
- [Release notes](https://github.com/bits-and-blooms/bitset/releases)
- [Commits](https://github.com/bits-and-blooms/bitset/compare/v1.2.0...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/bits-and-blooms/bitset
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-10 04:22:43 +00:00
dependabot[bot] 622acd24fb build(deps): bump github.com/opencontainers/selinux from 1.8.4 to 1.8.5
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.4 to 1.8.5.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.4...v1.8.5)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-10 04:22:23 +00:00
dependabot[bot] 72b5c3ca18 build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.4...v5.0.5)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-09 04:21:44 +00:00
Alban Crequy c55530bedc vendoring: Use libseccomp with notify support
The notify support has been merged in libseccomp-golang in this PR:
	https://github.com/seccomp/libseccomp-golang/pull/59

Also, we update to new API of libseccomp-golang so code doesn't break.

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-07 12:38:12 +02:00
dependabot[bot] 77fb9aff56 build(deps): bump github.com/containerd/console from 1.0.2 to 1.0.3
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.2 to 1.0.3.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.2...v1.0.3)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-12 04:15:47 +00:00
dependabot[bot] bda1bd7a2f build(deps): bump github.com/opencontainers/selinux from 1.8.3 to 1.8.4
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-10 04:22:14 +00:00
dependabot[bot] fc99ab7e65 build(deps): bump github.com/opencontainers/selinux from 1.8.2 to 1.8.3
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-03 04:21:49 +00:00
Aleksa Sarai fe518a0678 vendor: update github.com/cilium/ebpf
We need to update the eBPF library so that we can get the raw syscall
errors from bpf(2) syscalls using errors.Is.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-14 11:17:15 +10:00
Aleksa Sarai 9f2a1f4df1 deps: update to github.com/cyphar/filepath-securejoin@v0.2.3
The main change is the switch to Go 1.13-style "%w" error wrapping,
dropping one of the github.com/pkg/errors dependencies we have left.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-04 21:24:12 +10:00
Akihiro Suda 46940ed80c update cilium/ebpf to fix haveBpfProgReplace() check
The `errors.Is(err, unix.EINVAL)` check in `haveBpfProgReplace()` was
broken because the `cilium/ebpf` library did not "wrap" errors.
https://github.com/cilium/ebpf/blob/v0.6.0/link/program.go#L72

So the eBPF support of runc was broken for kernel prior to 5.6.

This commit bumps up cilium/ebpf to contain cilium/ebpf PR 320.

Fix opencontainers/runc issue 3008

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-06-12 02:12:25 +09:00
Kir Kolyshkin a5bd78ef52 vendor: willf/bitset@v1.1.11 -> bits-and-blooms/bitset@v1.2.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 16:28:38 -07:00
Kir Kolyshkin 65cf0e61fb Bump selinux to v1.8.2
This is to include willf/bitset@v1.1.11 ->
bits-and-blooms/bitset@v1.2.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 16:27:27 -07:00
Kir Kolyshkin c1ec39235d Merge pull request #2981 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.8.1
build(deps): bump github.com/opencontainers/selinux from 1.8.0 to 1.8.1
2021-06-02 11:31:14 -07:00
dependabot[bot] 9e964dfc38 build(deps): bump github.com/opencontainers/selinux from 1.8.0 to 1.8.1
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.0 to 1.8.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 06:49:52 +00:00
dependabot[bot] 470610d0cc build(deps): bump github.com/cilium/ebpf from 0.5.0 to 0.6.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 06:49:06 +00:00
dependabot[bot] c8ffd8f3bb Merge pull request #2983 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.8.1 2021-06-02 05:52:03 +00:00
Aleksa Sarai c23426457c merge branch 'pr-2984'
dependabot[bot]:
  build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2

LGTMs: AkihiroSuda cyphar
PR #2984
2021-06-02 15:23:00 +10:00
dependabot[bot] 31f5882913 build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.3.1 to 22.3.2.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.3.1...v22.3.2)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 01:57:21 +00:00
dependabot[bot] c836265b58 build(deps): bump github.com/sirupsen/logrus from 1.7.0 to 1.8.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.7.0 to 1.8.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.7.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 01:57:12 +00:00
dependabot[bot] 074aa0448d build(deps): bump google.golang.org/protobuf from 1.25.0 to 1.26.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.25.0...v1.26.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 01:57:04 +00:00
Sascha Grunert 2f1a3ed308 Fix vendored dependencies
The current master branch does not build, running a `make vendor` fixes
this inconsistency.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-04-14 13:30:50 +02:00
Aleksa Sarai b474993b13 merge branch 'pr-2903'
Sebastiaan van Stijn (1):
  ebpf: replace deprecated prog.Attach/prog.Detach

LGTMs: AkihiroSuda kolyshkin cyphar
Closes #2903
2021-04-14 10:36:32 +10:00
Sebastiaan van Stijn d15c7bb0f2 go.mod: github.com/cilium/ebpf v0.5.0
full diff: https://github.com/cilium/ebpf/compare/v0.4.0...v0.5.0

Breaking changes
------------------------------------------

All LoadPinned*() functions now take LoadPinOptions to control loader behaviour.
Simply pass nil to load with default options.

- LoadPinnedMap()
- LoadPinnedProgram()
- LoadPinnedCgroup()
- LoadPinnedIter()
- LoadPinnedRawLink()
- LoadPinnedNetNs()

Bug fixes
------------------------------------------

- Program.IsPinned() now behaves correctly on maps loaded from bpffs
- Map.Pin() no longer clobbers the destination file if it already exists

Features
------------------------------------------

- Attaching to k(ret)probes and tracepoints can now be done with link.Kprobe(),
  link.Kretprobe() and link.Tracepoint()
- Programs of type Kprobe automatically get their KernelVersion fields populated
  by detecting the kernel version at runtime
- MapOptions now contains a LoadPinOptions
- ProgSpec now contains a Flags field, adding support for BPF_F_SLEEPABLE
- Made BTF map loader more flexible by looping over Vars in a BTF data section
- Pinned Maps and Programs can now be loaded from bpffs in read-or write-only mode
- Added golangci-lint project configuration, running in CI

Examples
------------------------------------------

kprobe and tracepoint examples updated to use the new link.Kprobe() and link.Tracepoint() API
There is now an example for how to attach eBPF programs to uprobes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-13 12:54:47 +02:00
Sebastiaan van Stijn f28a8cc28c ebpf: replace deprecated prog.Attach/prog.Detach
Caught by golangci-lint when enabling golint:

    libcontainer/cgroups/ebpf/ebpf.go:35:12: SA1019: prog.Attach is deprecated: use link.RawAttachProgram instead. (staticcheck)
        if err := prog.Attach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
                  ^
    libcontainer/cgroups/ebpf/ebpf.go:39:13: SA1019: prog.Detach is deprecated: use link.RawDetachProgram instead. (staticcheck)
            if err := prog.Detach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
                      ^

Worth noting that we currently call prog.Detach() with unix.BPF_F_ALLOW_MULTI;
https://github.com/golang/sys/blob/22da62e12c0cd9c1da93581e1113ca4d82a5be14/unix/zerrors_linux.go#L178

    BPF_F_ALLOW_MULTI = 0x2

Looking at the source code for prog.Detach(); https://github.com/cilium/ebpf/blob/v0.4.0/prog.go#L579-L581,
this would _always_ produce an error:

    if flags != 0 {
        return errors.New("flags must be zero")
    }

Note that the flags parameter is not used (except for that validation)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-13 12:27:39 +02:00
Kir Kolyshkin b7c315ad56 vendor: bump containerd/console to 1.0.2
This is to include https://github.com/containerd/console/pull/51.

Fixes: https://github.com/opencontainers/runc/issues/2896

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-12 11:21:07 -07:00
Sebastiaan van Stijn 289a304535 go.mod: github.com/moby/sys/mountinfo v0.4.1
full diff: https://github.com/moby/sys/compare/v0.4.0...v0.4.1

github.com/moby/sys/mountinfo v0.4.1
-----------------------------------------

- Fix PrefixFilter() being too greedy
- TestMountedBy*: add missing pre-checks
- Documentation improvements

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-04 23:24:59 +02:00
Sebastiaan van Stijn 48125179eb go.mod: github.com/cilium/ebpf v0.4.0
full diff: https://github.com/cilium/ebpf/compare/v0.2.0...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 09:58:23 +02:00
Kir Kolyshkin 6538f9f20a Merge pull request #2854 from thaJeztah/runc_warn_unknown_caps
capabilities: WARN, not ERROR, for unknown / unavailable capabilities
2021-04-01 18:27:57 -07:00
Shiming Zhang adf733fa64 vendor: update go-systemd and godbus
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-04-01 20:54:13 +08:00
Kir Kolyshkin bed4d89f57 Merge pull request #2807 from kolyshkin/google-golang-protobuf
go.mod, libct: switch to google.golang.org/protobuf
2021-03-31 20:34:16 -07:00
Sebastiaan van Stijn 5fb831a0fa capabilities: WARN, not ERROR, for unknown / unavailable capabilities
This updates handling of capabilities to match the updated runtime specification,
in https://github.com/opencontainers/runtime-spec/pull/1094.

Prior to that change, the specification required runtimes to produce a (fatal)
error if a container configuration requested capabilities that could not be
granted (either the capability is "unknown" to the runtime, not supported by the
kernel version in use, or not available in the environment that the runtime
operates in).

This caused problems in situations where the runtime was running in a restricted
environment (for example, docker-in-docker), or if there is a mismatch between
the list of capabilities known by higher-level runtimes and the OCI runtime.

Some examples:

- Kernel 5.8 introduced CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
  capabilities. Docker 20.10.0 ("higher level runtime") shipped with
  an updated list of capabilities, and when creating a "privileged" container,
  would determine what capabilities are known by the kernel in use, and request
  all those capabilities (by including them in the container config).
  However, runc did not yet have an updated list of capabilities, and therefore
  reject the container specification, producing an error because the new
  capabilities were "unknown".
- When running nested containers, for example, when running docker-in-docker,
  the "inner" container may be using a more recent version of docker than the
  "outer" container. In this situation, the "outer" container may be missing
  capabilities that the inner container expects to be supported (based on
  kernel version). However, starting the container would fail, because the OCI
  runtime could not grant those capabilities (them not being available in the
  environment it's running in).

WARN (but otherwise ignore) capabilities that cannot be granted
--------------------------------------------------------------------------------

This patch changes the handling to WARN (but otherwise ignore) capabilities that
are requested in the container config, but cannot be granted, alleviating higher
level runtimes to detect what capabilities are supported (by the kernel, and
in the current environment), as well as avoiding failures in situations where
the higher-level runtime is aware of capabilities that are not (yet) supported
by runc.

Impact on security
--------------------------------------------------------------------------------

Given that `capabilities` is an "allow-list", ignoring unknown capabilities does
not impose a security risk; worst case, a container does not get all requested
capabilities granted and, as a result, some actions may fail.

Backward-compatibility
--------------------------------------------------------------------------------

This change should be fully backward compatible. Higher-level runtimes that
already dynamically adjust the list of requested capabilities can continue to do
so. Runtimes that do not adjust will see an improvement (containers can start
even if some of the requested capabilities are not granted). Container processes
MAY fail (as described in "impact on security"), but users can debug this
situation either by looking at the warnings produces by the OCI runtime, or using
tools such as `capsh` / `libcap` to get the list of actual capabilities in the
container.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-26 21:23:00 +01:00
Sebastiaan van Stijn e49d5da219 go.mod: OCI runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
full diff: https://github.com/opencontainers/runtime-spec/compare/a8c4a9ee0f6b...1c3f411f0417

- Fix seccomp notify inconsistencies
    - seccomp: Add missing const for seccomp notify action
    - schema/defs-linux: Fix inconsistencies with seccomp notify
- Proposal: runtime should ignore capabilities that cannot be granted

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-26 21:22:58 +01:00
Sebastiaan van Stijn dd2caace16 go.mod: runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b
full diff: https://github.com/opencontainers/runtime-spec/compare/e6143ca7d51d...a8c4a9ee0f6b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-16 16:57:38 +01:00
Kir Kolyshkin 97f2e351a8 go.mod, libct: bump go-criu to v5, use google.golang.org/protobuf
Switch from github.com/golang/protobuf (which appears to be obsoleted)
to google.golang.org/protobuf (which appears to be a replacement).

This needs a bump to go-criu v5.

[v2: fix debug print in criuSwrk]
[v3: switch to go-criu v5]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-04 08:59:55 -08:00
Akihiro Suda cb26930680 remove "selinux" build tag (Always compile SELinux support)
The build tag was removed in go-selinux v1.8.0: https://github.com/opencontainers/selinux/pull/132

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-16 17:41:11 +09:00
Sebastiaan van Stijn ee1bdb80af vendor: github.com/cilium/ebpf v0.2.0
full diff: https://github.com/cilium/ebpf/compare/v0.1.0...v0.2.0

- btf: add go-fuzz targets
- btf: avoid Type copy in FuncProto.walk
- btf: check err in loadSpecFromVmlinux
- btf: handle type name flavours
- CI: test on 5.9 kernel
- cmd/bpf2go: output ELF .o next to the .go file
- link: add AttachSkLookup
- Remove two unused functions
- Support LSM attach
- use buffered I/O to cut down on read syscalls
- Various doc link fixes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-11-20 13:56:46 +01:00
Akihiro Suda 4690064f05 update vendor
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-09 15:14:23 +09:00
Kir Kolyshkin 13afa58d0e libct/cg/sd/v2: support cpuset.* / Allowed*
* cpuset.cpus -> AllowedCPUs
 * cpuset.mems -> AllowedMemoryNodes

No test for cgroup v2 resources.unified override, as this requires a
separate test case, and all the unified resources are handled uniformly
so there's little sense to test all parameters.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-05 16:04:57 -08:00