scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-12-07 08:35:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

vendor: bump runc to 1.0.2

Browse Source 
For the complete release notes, see
 - https://github.com/opencontainers/runc/releases/tag/v1.0.2

In particular, this fixes the check cgroup v1 systemd manager check
if a container needs to be frozen before Set(), and adds a knob to
skip the check/freeze entirely (to be used by the next commit).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin
2021-08-23 13:05:23 -07:00
parent 4a6792dd10
commit 9c0f9b204f
8 changed files with 81 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go generated vendored
View File

@@ -67,7 +67,7 @@ func InitSeccomp(config *configs.Seccomp) error {
if call == nil {
return errors.New("encountered nil syscall while initializing Seccomp")
}
if err := matchCall(filter, call); err != nil {
if err := matchCall(filter, call, defaultAction); err != nil {
return err
}
}
@@ -142,7 +142,7 @@ func getCondition(arg *configs.Arg) (libseccomp.ScmpCondition, error) {
}
// Add a rule to match a single syscall
func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall, defAct libseccomp.ScmpAction) error {
if call == nil || filter == nil {
return errors.New("cannot use nil as syscall to block")
}
@@ -151,6 +151,17 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
return errors.New("empty string is not a valid syscall")
}
// Convert the call's action to the libseccomp equivalent
callAct, err := getAction(call.Action, call.ErrnoRet)
if err != nil {
return fmt.Errorf("action in seccomp profile is invalid: %w", err)
}
if callAct == defAct {
// This rule is redundant, silently skip it
// to avoid error from AddRule.
return nil
}
// If we can't resolve the syscall, assume it's not supported on this kernel
// Ignore it, don't error out
callNum, err := libseccomp.GetSyscallFromName(call.Name)
@@ -158,12 +169,6 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
return nil
}
// Convert the call's action to the libseccomp equivalent
callAct, err := getAction(call.Action, call.ErrnoRet)
if err != nil {
return fmt.Errorf("action in seccomp profile is invalid: %s", err)
}
// Unconditional match - just add the rule
if len(call.Args) == 0 {
if err := filter.AddRule(callNum, callAct); err != nil {