This change is generated by `go1.23rc2 fix ./...`.
Had to use go1.23rc2, since all released go versions have a bug
preventing it from working with `go 1.22.0` in go.mod (opened
https://github.com/golang/go/issues/68825,
https://github.com/golang/go/issues/68824 for awareness).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Pay better attention to dev/nodev/exec/noexec/suid/nosuid/ro/rw flags on
bind, overlay, and tmpfs mounts when any of them are specified. Stop
quietly adding "nodev" when it isn't asked for.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated, preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
Podman adds an "Error:" to every error message, so starting an error
message with "error" ends up being reported to the user as
"Error: error ...".
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
When we link our test helper statically using the external linker, the
hardwired default seccomp filter we get from the runtime-tools generator
triggers a hang in it at startup.
Rather than switch to the internal linker, which seems to work around
this, start using the same seccomp filter for unit tests that we
actually use in real life, leaving analysis of which difference between
the two is responsible for it for another day.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When converting seccomp rules from the runtime spec to the structure
that we can feed to libseccomp, combine the prescribed errno value with
the action when we're mapping the "return an errno" action from one to
the other.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When a seccomp rule includes multiple equality checks for the same
argument for a syscall, they can never ALL be satisfied. Because that's
how they're supposed to be treated, libseccomp returns an error when we
try to add them as part of the same conditional rule. Try to detect
this exact case, and if we detect it, treat each condition as its own
rule.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2105
Approved by: rhatdan
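The two seccomp conversion rules described above (folding the errno into the "return an errno" action, and splitting a rule whose conditions can never all hold) as an added, self-contained Go example; it is not Buildah's own code, and the `Arg`, `Syscall` and `Rule` structs are simplified stand-ins for the runtime-spec and libseccomp types rather than the real ones.

```go
package main

import "fmt"

// Arg is a single condition on a syscall argument (stand-in for the
// runtime-spec LinuxSeccompArg; assumption, not the real type).
type Arg struct {
	Index uint   // which argument (0..5)
	Value uint64 // value to compare against
	Op    string // "SCMP_CMP_EQ", "SCMP_CMP_MASKED_EQ", ...
}

// Syscall is one runtime-spec seccomp entry (simplified stand-in).
type Syscall struct {
	Names    []string
	Action   string // "SCMP_ACT_ERRNO", "SCMP_ACT_ALLOW", ...
	ErrnoRet *uint  // optional errno for SCMP_ACT_ERRNO
	Args     []Arg
}

// Rule is what libseccomp accepts: one action and conditions that must
// ALL hold for the rule to match (a conjunction).
type Rule struct {
	Names  []string
	Action string
	Errno  uint // folded into the action, as SetReturnCode would do
	Args   []Arg
}

// SplitRules converts one spec entry into one or more libseccomp rules.
// Two SCMP_CMP_EQ checks on the same argument index can never both be
// true inside one conjunction, so libseccomp rejects that rule; in that
// case every condition becomes its own rule, preserving the policy's
// intended "any of these values" meaning.
func SplitRules(sc Syscall) []Rule {
	base := Rule{Names: sc.Names, Action: sc.Action}
	if sc.Action == "SCMP_ACT_ERRNO" {
		base.Errno = 1 // EPERM: assumed default when errnoRet is unset
		if sc.ErrnoRet != nil {
			base.Errno = *sc.ErrnoRet
		}
	}
	eqCount := map[uint]int{}
	for _, a := range sc.Args {
		if a.Op == "SCMP_CMP_EQ" {
			eqCount[a.Index]++
		}
	}
	conflict := false
	for _, n := range eqCount {
		if n > 1 {
			conflict = true
		}
	}
	if !conflict {
		base.Args = sc.Args
		return []Rule{base}
	}
	out := make([]Rule, 0, len(sc.Args))
	for _, a := range sc.Args {
		r := base
		r.Args = []Arg{a}
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed sample: deny socket() for AF_INET(2) or AF_INET6(10)
	// with EAFNOSUPPORT (97); two EQ checks on arg 0 must be split.
	errno := uint(97)
	sc := Syscall{Names: []string{"socket"}, Action: "SCMP_ACT_ERRNO",
		ErrnoRet: &errno, Args: []Arg{
			{Index: 0, Value: 2, Op: "SCMP_CMP_EQ"},
			{Index: 0, Value: 10, Op: "SCMP_CMP_EQ"}}}
	fmt.Printf("%+v\n", SplitRules(sc))
}
```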
Make the chroot() call before applying a seccomp filter, which might not
allow us to do it. Add more debugging messages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #979
Approved by: rhatdan
Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #836
Approved by: rhatdan