Update containerd to fix AppArmor on SLES

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-30 17:01:33 -07:00 · 2021-03-30 17:01:33 -07:00 · 0a8aa154bb
parent be19e07c70
commit 0a8aa154bb
4 changed files with 50 additions and 9 deletions
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ replace (
 	github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83
 	github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601
 	github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
-	github.com/containerd/containerd => github.com/k3s-io/containerd v1.3.10-k3s1
+	github.com/containerd/containerd => github.com/k3s-io/containerd v1.3.10-k3s2
 	github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
 	github.com/containerd/cri => github.com/k3s-io/cri v1.3.0-k3s.10 // k3s-release/1.3
 	github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
@ -86,7 +86,6 @@ require (
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
 	github.com/go-sql-driver/mysql v1.4.1
 	github.com/gogo/googleapis v1.3.0 // indirect
-	github.com/google/go-cmp v0.4.0 // indirect
 	github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/websocket v1.4.1
@ -116,6 +115,7 @@ require (
 	google.golang.org/grpc v1.26.0
 	gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5 // indirect
 	gopkg.in/yaml.v2 v2.2.8
+	gotest.tools/v3 v3.0.3 // indirect
 	k8s.io/api v0.18.0
 	k8s.io/apimachinery v0.18.0
 	k8s.io/apiserver v0.0.0
--- a/go.sum
+++ b/go.sum
@ -452,8 +452,8 @@ github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVE
 github.com/juju/testing v0.0.0-20180920084828-472a3e8b2073/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA=
 github.com/juju/testing v0.0.0-20190613124551-e81189438503/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/k3s-io/containerd v1.3.10-k3s1 h1:udmDeUJVbz4zFdN+fCih+GSY35iFpb7Yk0K+ph2oc9c=
-github.com/k3s-io/containerd v1.3.10-k3s1/go.mod h1:eMCLnqhZCzg+cZuvfMLStYPsrx5cWGpdZL6krPhK8RI=
+github.com/k3s-io/containerd v1.3.10-k3s2 h1:0EaHpgegT7Z7S/JuKgx+/uTI+IzKT8WUNw7gbgsjZ7A=
+github.com/k3s-io/containerd v1.3.10-k3s2/go.mod h1:eMCLnqhZCzg+cZuvfMLStYPsrx5cWGpdZL6krPhK8RI=
 github.com/k3s-io/cri v1.3.0-k3s.10 h1:K4pIza6Fnv9ucC2DigmTDHeW/v7nBT8cF2M3a1N6uHQ=
 github.com/k3s-io/cri v1.3.0-k3s.10/go.mod h1:fGPUUHMKQik/vIegSe05DtX/m4miovdtvVLqRUFAkK0=
 github.com/k3s-io/helm-controller v0.8.3 h1:GWxavyMz7Bw2ClxH5okkeOL8o5U6IBK7uauc44SDCjU=
@ -962,6 +962,7 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190909030654-5b82db07426d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191017205301-920acffc3e65 h1:GwXwgmbrvlcHLDsENMqrQTTIC2C0kIPszsq929NruKI=
@ -1036,6 +1037,8 @@ gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/gotestsum v0.3.5/go.mod h1:Mnf3e5FUzXbkCfynWBGOwLssY7gTQgCHObK9tMpAriY=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/vendor/github.com/containerd/containerd/contrib/apparmor/template.go
+++ b/vendor/github.com/containerd/containerd/contrib/apparmor/template.go
@ -1,6 +1,8 @@
 // +build linux

 /*
+   Copyright The docker Authors.
+   Copyright The Moby Authors.
   Copyright The containerd Authors.

   Licensed under the Apache License, Version 2.0 (the "License");
@ -22,6 +24,7 @@ import (
 	"bufio"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
@ -32,6 +35,10 @@ import (
 	"github.com/pkg/errors"
 )

+// NOTE: This code is copied from <github.com/docker/docker/profiles/apparmor>.
+//       If you plan to make any changes, please make sure they are also sent
+//       upstream.
+
 const dir = "/etc/apparmor.d"

 const defaultTemplate = `
@ -48,6 +55,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  capability,
  file,
  umount,
+{{if ge .Version 208096}}
+  # Host (privileged) processes may send signals to container processes.
+  signal (receive) peer=unconfined,
+  # Manager may send signals to container processes.
+  signal (receive) peer={{.DaemonProfile}},
+  # Container processes may send signals amongst themselves.
+  signal (send,receive) peer={{.Name}},
+{{end}}

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
@ -79,9 +94,22 @@ type data struct {
 	Name          string
 	Imports       []string
 	InnerImports  []string
+	DaemonProfile string
 	Version       int
 }

+func cleanProfileName(profile string) string {
+	// Normally profiles are suffixed by " (enforce)". AppArmor profiles cannot
+	// contain spaces so this doesn't restrict daemon profile names.
+	if parts := strings.SplitN(profile, " ", 2); len(parts) >= 1 {
+		profile = parts[0]
+	}
+	if profile == "" {
+		profile = "unconfined"
+	}
+	return profile
+}
+
 func loadData(name string) (*data, error) {
 	p := data{
 		Name: name,
@ -100,6 +128,16 @@ func loadData(name string) (*data, error) {
 		return nil, errors.Wrap(err, "get apparmor_parser version")
 	}
 	p.Version = ver
+
+	// Figure out the daemon profile.
+	currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
+	if err != nil {
+		// If we couldn't get the daemon profile, assume we are running
+		// unconfined which is generally the default.
+		currentProfile = nil
+	}
+	p.DaemonProfile = cleanProfileName(string(currentProfile))
+
 	return &p, nil
 }

--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -160,7 +160,7 @@ github.com/container-storage-interface/spec/lib/go/csi
 github.com/containerd/cgroups
 # github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 github.com/containerd/console
-# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/k3s-io/containerd v1.3.10-k3s1
+# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/k3s-io/containerd v1.3.10-k3s2
 github.com/containerd/containerd
 github.com/containerd/containerd/api/events
 github.com/containerd/containerd/api/services/containers/v1