diff --git a/go.mod b/go.mod
index b3fd80e953..a0b65517b2 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ replace (
 github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83
 github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601
 github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
- github.com/containerd/containerd => github.com/k3s-io/containerd v1.3.10-k3s1
+ github.com/containerd/containerd => github.com/k3s-io/containerd v1.3.10-k3s2
 github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
 github.com/containerd/cri => github.com/k3s-io/cri v1.3.0-k3s.10 // k3s-release/1.3
 github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
@@ -86,7 +86,6 @@ require (
 github.com/go-bindata/go-bindata v3.1.2+incompatible
 github.com/go-sql-driver/mysql v1.4.1
 github.com/gogo/googleapis v1.3.0 // indirect
- github.com/google/go-cmp v0.4.0 // indirect
 github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2
 github.com/gorilla/mux v1.7.3
 github.com/gorilla/websocket v1.4.1
@@ -116,6 +115,7 @@ require (
 google.golang.org/grpc v1.26.0
 gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5 // indirect
 gopkg.in/yaml.v2 v2.2.8
+ gotest.tools/v3 v3.0.3 // indirect
 k8s.io/api v0.18.0
 k8s.io/apimachinery v0.18.0
 k8s.io/apiserver v0.0.0
diff --git a/go.sum b/go.sum
index f1a1c71f2a..02edeea8ac 100644
--- a/go.sum
+++ b/go.sum
@@ -452,8 +452,8 @@ github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVE
 github.com/juju/testing v0.0.0-20180920084828-472a3e8b2073/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA=
 github.com/juju/testing v0.0.0-20190613124551-e81189438503/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/k3s-io/containerd v1.3.10-k3s1 h1:udmDeUJVbz4zFdN+fCih+GSY35iFpb7Yk0K+ph2oc9c=
-github.com/k3s-io/containerd v1.3.10-k3s1/go.mod h1:eMCLnqhZCzg+cZuvfMLStYPsrx5cWGpdZL6krPhK8RI=
+github.com/k3s-io/containerd v1.3.10-k3s2 h1:0EaHpgegT7Z7S/JuKgx+/uTI+IzKT8WUNw7gbgsjZ7A=
+github.com/k3s-io/containerd v1.3.10-k3s2/go.mod h1:eMCLnqhZCzg+cZuvfMLStYPsrx5cWGpdZL6krPhK8RI=
 github.com/k3s-io/cri v1.3.0-k3s.10 h1:K4pIza6Fnv9ucC2DigmTDHeW/v7nBT8cF2M3a1N6uHQ=
 github.com/k3s-io/cri v1.3.0-k3s.10/go.mod h1:fGPUUHMKQik/vIegSe05DtX/m4miovdtvVLqRUFAkK0=
 github.com/k3s-io/helm-controller v0.8.3 h1:GWxavyMz7Bw2ClxH5okkeOL8o5U6IBK7uauc44SDCjU=
@@ -962,6 +962,7 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190909030654-5b82db07426d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191017205301-920acffc3e65 h1:GwXwgmbrvlcHLDsENMqrQTTIC2C0kIPszsq929NruKI=
@@ -1036,6 +1037,8 @@ gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/gotestsum v0.3.5/go.mod h1:Mnf3e5FUzXbkCfynWBGOwLssY7gTQgCHObK9tMpAriY=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/vendor/github.com/containerd/containerd/contrib/apparmor/template.go b/vendor/github.com/containerd/containerd/contrib/apparmor/template.go
index 34ff99246b..da006957bd 100644
--- a/vendor/github.com/containerd/containerd/contrib/apparmor/template.go
+++ b/vendor/github.com/containerd/containerd/contrib/apparmor/template.go
@@ -1,6 +1,8 @@
 // +build linux
 /*
+ Copyright The docker Authors.
+ Copyright The Moby Authors.
 Copyright The containerd Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,6 +24,7 @@ import (
 "bufio"
 "fmt"
 "io"
+ "io/ioutil"
 "os"
 "os/exec"
 "path"
@@ -32,6 +35,10 @@ import (
 "github.com/pkg/errors"
 )
+// NOTE: This code is copied from .
+// If you plan to make any changes, please make sure they are also sent
+// upstream.
+
 const dir = "/etc/apparmor.d"
 const defaultTemplate = `
@@ -48,6 +55,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 capability,
 file,
 umount,
+{{if ge .Version 208096}}
+ # Host (privileged) processes may send signals to container processes.
+ signal (receive) peer=unconfined,
+ # Manager may send signals to container processes.
+ signal (receive) peer={{.DaemonProfile}},
+ # Container processes may send signals amongst themselves.
+ signal (send,receive) peer={{.Name}},
+{{end}}
 deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
 # deny write to files not in /proc//** or /proc/sys/**
@@ -76,10 +91,23 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 `
 type data struct {
- Name string
- Imports []string
- InnerImports []string
- Version int
+ Name string
+ Imports []string
+ InnerImports []string
+ DaemonProfile string
+ Version int
+}
+
+func cleanProfileName(profile string) string {
+ // Normally profiles are suffixed by " (enforce)". AppArmor profiles cannot
+ // contain spaces so this doesn't restrict daemon profile names.
+ if parts := strings.SplitN(profile, " ", 2); len(parts) >= 1 {
+ profile = parts[0]
+ }
+ if profile == "" {
+ profile = "unconfined"
+ }
+ return profile
 }
 func loadData(name string) (*data, error) {
@@ -100,6 +128,16 @@ func loadData(name string) (*data, error) {
 return nil, errors.Wrap(err, "get apparmor_parser version")
 }
 p.Version = ver
+
+ // Figure out the daemon profile.
+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
+ if err != nil {
+ // If we couldn't get the daemon profile, assume we are running
+ // unconfined which is generally the default.
+ currentProfile = nil
+ }
+ p.DaemonProfile = cleanProfileName(string(currentProfile))
+
 return &p, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c44d327a5a..ca12b043fb 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -160,7 +160,7 @@ github.com/container-storage-interface/spec/lib/go/csi
 github.com/containerd/cgroups
 # github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 github.com/containerd/console
-# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/k3s-io/containerd v1.3.10-k3s1
+# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/k3s-io/containerd v1.3.10-k3s2
 github.com/containerd/containerd
 github.com/containerd/containerd/api/events
 github.com/containerd/containerd/api/services/containers/v1